
You Can Now Auto-Update Your GitHub Repos to Avoid Code Vulnerabilities

GitHub has enabled automatic security updates for known-vulnerable open source dependencies in user repositories, a feature warmly welcomed by users.

The move comes just a week after the Microsoft-owned company bought Dependabot, which powers the functionality: integration has been rapid.

The automated fixes are available in repositories that have the dependency graph enabled.

When given permission to do so, GitHub automatically creates a pull request in a user's repository that bumps the vulnerable dependency to a patched version. Users can instead choose to create the upgrade pull requests manually, so that they can review each one in case a fix is going to break code elsewhere.


The fixes are opened by the Dependabot GitHub App, which is automatically installed on every repository where automated security fixes are enabled.

The GitHub automatic security updates come a week after the company also added WhiteSource data to its security vulnerability alerts system.

GitHub now uses MITRE’s Common Vulnerabilities and Exposures (CVE) List, code maintainer security advisories, a combination of machine learning and human review and data from WhiteSource to raise security alerts.

(WhiteSource is a New York-based open source software security specialist).
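The two pieces described above, matching pinned dependencies against advisory data to raise an alert, and then rewriting the dependency file the way an automated fix pull request would, can be modelled in a few dozen lines. The script below is an added example written for this page; it is not GitHub's or Dependabot's code, and every advisory, package name and version in it is constructed for illustration (they are not real CVEs or real packages). It also handles the caveat from the article: a bump that crosses a major version is held back for a human to review rather than applied automatically.

```python
"""Toy model of a dependency security alert plus automated fix.

Added example for this page, not GitHub or Dependabot code. All advisory
data, package names and versions below are constructed; none are real CVEs.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    package: str
    vulnerable_below: tuple  # every pinned version < this is affected
    patched: tuple           # version an automated fix should bump to
    source: str              # which feed raised it (CVE list, maintainer, WhiteSource)


# Constructed advisories for fictitious packages (not real vulnerabilities).
ADVISORIES = [
    Advisory("examplelib", (2, 4, 1), (2, 4, 1), "CVE list (constructed)"),
    Advisory("examplelib", (2, 5, 0), (2, 5, 0), "maintainer advisory (constructed)"),
    Advisory("parsekit", (3, 0, 0), (3, 0, 0), "WhiteSource (constructed)"),
    Advisory("safe-pkg", (1, 0, 0), (1, 0, 0), "CVE list (constructed)"),
]

# Constructed requirements.txt standing in for a repository's manifest.
REQUIREMENTS = """\
# constructed sample manifest
examplelib==2.3.0  # web framework
parsekit==2.9.7
safe-pkg==1.2.0
unpinned-lib>=1.0
"""

# Only exact pins (name==x.y.z) are matched; ranges are skipped as unresolvable here.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(#.*)?$")


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def format_version(v):
    return ".".join(map(str, v))


def parse_requirements(text):
    """Return {lowercased name: version tuple} for every exact pin in the file."""
    deps = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            deps[m.group(1).lower()] = parse_version(m.group(2))
    return deps


def find_alerts(deps, advisories):
    """Raise one alert per (advisory, pinned dependency) pair that is affected."""
    return [(a.package, deps[a.package.lower()], a)
            for a in advisories
            if a.package.lower() in deps and deps[a.package.lower()] < a.vulnerable_below]


def plan_upgrades(alerts, allow_major=False):
    """Collapse alerts to the highest patched version per package, then split
    into bumps safe to open automatically and bumps left for manual review
    (a major-version change is the one most likely to break code elsewhere)."""
    targets = {}
    for pkg, pinned, adv in alerts:
        key = pkg.lower()
        if key not in targets or adv.patched > targets[key][1]:
            targets[key] = (pinned, adv.patched)
    auto, manual = {}, {}
    for key, (pinned, patched) in targets.items():
        if patched[0] != pinned[0] and not allow_major:
            manual[key] = patched
        else:
            auto[key] = patched
    return auto, manual


def propose_fix(text, bumps):
    """Rewrite the pinned lines to the patched version, keeping trailing comments;
    this is the content of the automated fix pull request."""
    out = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(1).lower() in bumps:
            line = f"{m.group(1)}=={format_version(bumps[m.group(1).lower()])}"
            if m.group(3):
                line += "  " + m.group(3)
        out.append(line)
    return "\n".join(out) + "\n"


def run(text=REQUIREMENTS, advisories=ADVISORIES, allow_major=False):
    deps = parse_requirements(text)
    alerts = find_alerts(deps, advisories)
    auto, manual = plan_upgrades(alerts, allow_major)
    return alerts, auto, manual, propose_fix(text, auto)


if __name__ == "__main__":
    alerts, auto, manual, fixed = run()
    for pkg, pinned, adv in alerts:
        print(f"ALERT {pkg}=={format_version(pinned)} (fixed in {format_version(adv.patched)}) [{adv.source}]")
    print("auto bumps:", auto, "| needs review:", manual)
    print(fixed)
```

Running it as written raises two alerts for examplelib (from two feeds) and one for parsekit; examplelib is bumped to the higher of the two patched versions in the proposed file, while parsekit's 2.x to 3.0.0 jump is reported for manual review unless `allow_major=True` is passed. Real advisory feeds express affected versions as ranges rather than a single upper bound, so the `vulnerable_below` field is a simplification for this example.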

Since launching its security alerts system as a beta in 2017, GitHub has sent almost 27 million security alerts for vulnerable dependencies in .NET, Java, JavaScript, Python and Ruby, the company said, adding: "Our new partnership with WhiteSource data broadens our coverage of potential security vulnerabilities in open source projects and provides increased detail to assess and remediate vulnerabilities."


The releases come amid growing concern about open source security, including malicious open source library “trust attacks” involving the intentional contribution of malicious code into widely used but not robustly maintained libraries.


This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer
