Using GitHub to keep your code impenetrable.
If you work in the programming field you are no stranger to version control systems and how crucial they are to successful projects. Git completely revolutionized the scene when it made its appearance in early April 2005. In fact, you'd be hard-pressed to find a tech shop that's not using it as their primary version control system these days. With this sweep, many companies and individuals needed remote repositories to store their code. GitHub was quick to fill this need and became by far the most popular choice. GitHub is currently the largest of many code repository sites, with more than 24 million users and 69 million repositories.
While doing some research on what to make the next blog post about, I stumbled across this little article: GitHub announces 4 million vulnerabilities patched in half a million repositories. I'll save you a click if you're feeling lazy.
That sounds like a big number, but what stuck out to me wasn't the size; it was what I learned about the site.
Apparently in 2017 they released this blog post: GitHub introduced security alerts for JavaScript and Ruby projects. The post went up on Nov 16th, and by Dec 1st 450,000 of the identified flaws had been resolved. That's rather impressive. The blog post also goes over how to enable these security alerts for your repository. For public repositories it's already turned on. Admins for the repositories get alerts with the vulnerable dependencies highlighted, and if there is a known fix for the vulnerability, the alert tells you which version to update to. For private repositories you have to turn the dependency graph on in your settings.
Yeah, but how do they find these vulnerabilities?
For now they check for vulnerabilities that have CVE IDs. That simply means they check your dependencies against known issues logged in the National Vulnerability Database (NVD), a government-run site and database just for vulnerabilities.
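To make the mechanism above concrete, here is a small added example of the matching GitHub's alerts perform: read the dependencies a repository declares (a package.json for JavaScript, a Gemfile.lock for Ruby), compare each pinned version against an advisory feed, and report the first patched version. This is my own illustration, not GitHub's code or the real NVD feed; the advisory entries, package names and manifests are constructed, and the `CVE-YYYY-000N` identifiers are placeholders rather than real CVE IDs.

```python
"""Toy dependency-vulnerability matcher (constructed example).

Reads a package.json and a Gemfile.lock, normalises the declared versions,
and reports dependencies that fall inside a known-vulnerable range together
with the first patched version, the way a dependency-graph alert would.
"""
import json
import re

# Constructed advisory feed; the CVE-style identifiers are placeholders.
# "introduced" is the first affected version, "patched" the first fixed one.
ADVISORIES = [
    {"ecosystem": "npm", "package": "example-js-lib", "id": "CVE-YYYY-0001",
     "introduced": "1.0.0", "patched": "1.4.2"},
    {"ecosystem": "rubygems", "package": "example-gem", "id": "CVE-YYYY-0002",
     "introduced": "0.0.0", "patched": "2.1.0"},
]

# Constructed manifests standing in for files checked into a repository.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"example-js-lib": "^1.2.3", "other-js-lib": "~3.0.0"}
}"""

GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    example-gem (2.0.5)
    rake (13.0.6)

PLATFORMS
  ruby
"""


def parse_version(text):
    """'^1.2.3' -> (1, 2, 3); npm range prefixes such as ^ and ~ are dropped."""
    match = re.match(r"[^\d]*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def npm_dependencies(package_json_text):
    """Return {name: version_tuple} for the dependencies in a package.json."""
    manifest = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            deps[name] = parse_version(spec)
    return deps


def rubygems_dependencies(gemfile_lock_text):
    """Return {name: version_tuple} from the 'specs:' block of a Gemfile.lock."""
    deps = {}
    in_specs = False
    for line in gemfile_lock_text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs:
            # Four-space-indented lines name resolved gems; deeper indentation
            # lists their transitive requirements and is skipped.
            match = re.match(r"^    (\S+) \(([^)]+)\)$", line)
            if match:
                deps[match.group(1)] = parse_version(match.group(2))
            elif not line.startswith(" "):
                in_specs = False  # left the specs block
    return deps


def find_vulnerable(deps, ecosystem, advisories=ADVISORIES):
    """Return [(package, installed, advisory_id, patched)] for affected deps."""
    findings = []
    for adv in advisories:
        if adv["ecosystem"] != ecosystem or adv["package"] not in deps:
            continue
        installed = deps[adv["package"]]
        if parse_version(adv["introduced"]) <= installed < parse_version(adv["patched"]):
            findings.append((adv["package"], installed, adv["id"], adv["patched"]))
    return findings


def scan_repo(package_json_text=PACKAGE_JSON, gemfile_lock_text=GEMFILE_LOCK):
    """Scan both manifests and combine the findings."""
    return (find_vulnerable(npm_dependencies(package_json_text), "npm")
            + find_vulnerable(rubygems_dependencies(gemfile_lock_text), "rubygems"))


if __name__ == "__main__":
    for pkg, version, adv_id, patched in scan_repo():
        print(f"{pkg} {'.'.join(map(str, version))}: {adv_id}, upgrade to {patched}")
```

The example flags `example-js-lib` 1.2.3 and `example-gem` 2.0.5 while leaving `other-js-lib` and `rake` alone. Note that only the version actually declared in the manifest is checked: the `^` and `~` prefixes are stripped, so a lockfile (or a resolved dependency graph, which is what GitHub builds) gives a more accurate answer than a loose range in package.json.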
Based on their latest blog post, they seem happy with how well the community has taken to these security alerts. It seems there are many more changes on the horizon to improve security in your code repositories, and when those come up we will be sure to cover them here.
For more resources on keeping your code safe from vulnerabilities, check out GitHub's security marketplace.