GitHub's latest security updates aim to protect projects in their earliest stages

The GitHub sign outside its headquarters
(Image credit: Shutterstock)

GitHub has made a number of improvements to its code-hosting platform this week aimed at identifying security issues in the early stages of a project.

The Microsoft-owned company announced on Wednesday that it will be adding new functionality to Dependabot, its tool for automatically detecting security vulnerabilities in project dependencies.

Dependabot currently alerts users when security vulnerabilities are found in existing project dependencies. The platform’s new dependency review action allows users to proactively stop vulnerable dependencies from being added to projects when the pull request is first made.

“When you add the dependency review action to your repository, it will scan your pull requests for dependency changes,” said Github, in a blog post.

“Then, it will check the GitHub Advisory Database to see if any of the new dependencies have existing vulnerabilities. If they do, the action will raise an error so that you can see which dependency has a vulnerability and implement the fix with the contextual intelligence provided.”

The action is now available in beta from the GitHub Marketplace and is supported by a new API endpoint that compares the dependencies between any two revisions.

Earlier this week, GitHub also announced an upgrade to its secret-scanning functionality that checks private projects for secrets that may be leaked or exposed to bad actors.

GitHub views ‘secrets’ as things that service providers can issue that determine user privileges, like tokens and private keys. If someone with read access to a project can view these, they could access an external service using any given user’s privileges.

GitHub Advanced Security users will now be able to prevent leaks of secrets from happening at the point of making the project public. GitHub will now scan for secrets before a git push command can be executed.


How a platform approach to security monitoring initiatives adds value

Integration, orchestration, analytics, automation, and the need for speed


“To date, GitHub has detected more than 200,000 secrets across thousands of private repositories using secret scanning for GitHub Advanced Security; GitHub also scans for our partner patterns across all public repositories for free,” said GitHub in a separate blog post.

“By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether.”

To avoid adversely affecting developer workflows, the new push protection capability will check only for high-confidence secrets, launching with 69 patterns in total, each having a trustworthy ratio of signal-to-noise that aims to minimise the false flags the feature generates.

Enabling the secret scanning feature can be done with one click in the project's UI, or via the API.

The latest features implemented by GitHub come amid a consistent innovation drive at the company to improve the developer experience, particularly when it comes to security.

Over the past few months, GitHub has introduced a number of security improvements that aim to stamp out security vulnerabilities in open source code.

In February this year, GitHub launched a code-scanning tool specifically for JavaScript and TypeScript projects, allowing developers to scan for the most common threats affecting products written in the popular languages as early as possible.

The company also opened up its security Advisory Database, on which the new Dependabot feature relies, for submissions from independent security researchers, academics, and enthusiasts to bolster the bank of security issues developers can check their projects against.

Vulnerabilities in open source code have been a particularly prominent topic in cyber security over the past year, with recent stories around Log4Shell and Spring4Shell dominating the headlines in recent weeks.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.