May 29, 2019updated 20 Jul 2022 10:43am

You Can Now Auto-Update Your GitHub Repos to Avoid Code Vulnerabilities

Welcome new feature comes a week after Dependabot acquisition

By CBR Staff Writer

GitHub has enabled automatic security updates for known vulnerable open source dependencies in user repositories, a feature warmly welcomed by users.

The move comes just a week after the Microsoft-owned company bought Dependabot, which powers the functionality: integration has been rapid.

The automated fixes are available in repos that use the dependency graph.

When given permission to do so, GitHub automatically creates a pull request in a user’s repository. Users can also choose to create pull requests to upgrade dependencies manually, in case a fix is going to break code elsewhere.

The fixes are opened by the Dependabot GitHub App, which is automatically installed on every repository where automated security fixes are enabled.
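As an added illustration (not code from GitHub or Dependabot), the following constructed Python model shows the alert-to-fix step the article describes: a repository's pinned dependencies are checked against advisory data, and each vulnerable pin is mapped to the patched version an automated security-update pull request would propose. The package names, versions and advisory identifiers are constructed placeholders, not real advisories.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str     # first patched version; anything below is affected
    identifier: str   # advisory id (placeholder values in the sample below)

def parse_version(v: str) -> tuple:
    # Plain dotted numeric versions only, enough for this example.
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text: str) -> dict:
    """Read 'name==version' pins; comments and blank lines are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins

def propose_fixes(pins: dict, advisories: list) -> dict:
    """Map each vulnerable pin to (current, fixed_in, identifier)."""
    fixes = {}
    for adv in advisories:
        pkg = adv.package.lower()
        current = pins.get(pkg)
        if current is None or parse_version(current) >= parse_version(adv.fixed_in):
            continue  # not in the dependency graph, or already patched
        prev = fixes.get(pkg)
        # Several advisories may hit one package: bump to the highest fix.
        if prev is None or parse_version(adv.fixed_in) > parse_version(prev[1]):
            fixes[pkg] = (current, adv.fixed_in, adv.identifier)
    return fixes

# Constructed sample input; the identifiers are placeholders, not real advisories.
SAMPLE_REQUIREMENTS = "requests==2.19.0  # http client\npyyaml==5.1\nflask==1.0.2\n"
SAMPLE_ADVISORIES = [
    Advisory("requests", "2.20.0", "EXAMPLE-ADVISORY-1"),
    Advisory("pyyaml", "5.1", "EXAMPLE-ADVISORY-2"),   # pin already patched
    Advisory("flask", "1.0.0", "EXAMPLE-ADVISORY-3"),  # pin already patched
    Advisory("flask", "1.1.0", "EXAMPLE-ADVISORY-4"),
]
if __name__ == "__main__":
    for pkg, (cur, fix, ident) in propose_fixes(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES).items():
        print(f"Bump {pkg} {cur} -> {fix} ({ident})")
```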


The GitHub automatic security updates come a week after the company also added WhiteSource data to its security vulnerability alerts system.

GitHub now uses MITRE’s Common Vulnerabilities and Exposures (CVE) List, code maintainer security advisories, a combination of machine learning and human review, and data from WhiteSource to raise security alerts.

(WhiteSource is a New York-based open source software security specialist.)

Since launching its security alerts system as a beta in 2017, GitHub sent almost 27 million security alerts for vulnerable dependencies in .NET, Java, JavaScript, Python and Ruby, the company said, adding: “Our new partnership with WhiteSource data broadens our coverage of potential security vulnerabilities in open source projects and provides increased detail to assess and remediate vulnerabilities.”


The releases come amid growing concern about open source security, including malicious open source library “trust attacks” involving the intentional contribution of malicious code into widely used but not robustly maintained libraries.
