GitHub Security Alerts Detected over Four Million Vulnerabilities
Mar 21, 2018 1 min read
Launched last October, GitHub's security alerts have significantly reduced the time it takes developers to remove known-vulnerable dependencies from their Ruby and JavaScript projects, GitHub says.
GitHub's security alerts notify repository admins when a dependency with a known vulnerability from the Common Vulnerabilities and Exposures (CVE) list is detected in their repositories. CVE is a list of entries, each containing an identification number, a description and at least one public reference, for publicly known cybersecurity vulnerabilities. The alert gives administrators an early warning so they can react promptly, either by removing the vulnerable dependency or by moving to a patched version. Note that an alert means a dependency at a version covered by an advisory is present in the project; whether the affected code is actually reachable is still for the admin to assess.
According to GitHub, nearly half of all displayed alerts are responded to within a week, and about 30% of reported vulnerabilities are resolved within the first seven days. When those statistics are restricted to repositories with recent contributions, i.e. contributions in the last 90 days, things look even brighter, GitHub says: 98% of such repositories are patched in fewer than seven days. Overall, more than four million vulnerabilities in over 500,000 repositories have been reported.
All public repositories are scanned for vulnerabilities, while private repositories are scanned only if their dependency graph is enabled. For each vulnerability found, the repository admin is presented not only with general information about the issue but also with its severity level and resolution steps. If no safe version of a given dependency is known, GitHub will attempt to recommend a similar, safe dependency to use in place of the unsafe one.
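As an added illustration of the matching step described above (example code written for this article, not GitHub's implementation), the following script walks an npm package-lock.json, including nested copies of a package that a flat top-level check would miss, compares each resolved version against a table of advisories, and reports severity and a resolution: upgrade to the patched version where one is known, or flag the package for replacement where none is. The lockfile, the package names, the version ranges and the advisory ids `EXAMPLE-000x` are all constructed for the example and are not real advisories or CVEs; the comparator syntax is a deliberately small subset of semver.

```javascript
// Added example (not GitHub's code): matching a lockfile's resolved
// versions against vulnerability advisories. All package names, advisory
// ids and version ranges below are constructed, not real CVE data.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build tags are ignored.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Numeric comparison, so "1.10.0" sorts after "1.9.9" (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is a space-separated list of comparators that must all hold,
// e.g. ">=2.0.0 <2.0.5". Only <, <=, >, >= and = are supported here.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(clause);
    if (!m) throw new Error(`bad comparator: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case "<": return c < 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case ">=": return c >= 0;
      default: return c === 0;
    }
  });
}

// Walk an npm lockfileVersion 1 tree recursively so that a vulnerable
// transitive dependency nested under another package is not missed.
function collectDependencies(node, path = [], out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    out.push({ name, version: info.version, path: here.join(" > ") });
    collectDependencies(info, here, out);
  }
  return out;
}

// One alert per (dependency occurrence, matching advisory) pair.
function audit(lockfileText, advisories) {
  const lock = JSON.parse(lockfileText);
  const alerts = [];
  for (const dep of collectDependencies(lock)) {
    for (const adv of advisories) {
      if (adv.package !== dep.name || !satisfies(dep.version, adv.vulnerable)) continue;
      alerts.push({
        id: adv.id,
        package: dep.name,
        version: dep.version,
        path: dep.path,
        severity: adv.severity,
        resolution: adv.patched
          ? `upgrade ${dep.name} to ${adv.patched} or later`
          : `no fixed version known; replace ${dep.name} with a maintained alternative`,
      });
    }
  }
  return alerts;
}

// Constructed sample lockfile: the top-level "tiny-parser" is fixed, but an
// old copy is nested under "json-thing", which is the interesting case.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "tiny-parser": { version: "1.2.3" },
    "json-thing": { version: "2.0.1", dependencies: { "tiny-parser": { version: "0.9.8" } } },
    "old-util": { version: "4.1.0" },
  },
});

// Constructed advisories with hypothetical ids (not real CVEs). The last one
// has no patched release, so the resolution is to replace the package.
const SAMPLE_ADVISORIES = [
  { id: "EXAMPLE-0001", package: "tiny-parser", vulnerable: "<1.0.0", patched: "1.0.0", severity: "high" },
  { id: "EXAMPLE-0002", package: "json-thing", vulnerable: ">=2.0.0 <2.0.5", patched: "2.0.5", severity: "moderate" },
  { id: "EXAMPLE-0003", package: "old-util", vulnerable: ">=4.0.0", patched: null, severity: "low" },
];

for (const a of audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)) {
  console.log(`${a.severity.toUpperCase()} ${a.id} ${a.path}@${a.version}: ${a.resolution}`);
}
```

Running it reports three alerts: the moderate one on `json-thing` 2.0.1, the high one on the nested `tiny-parser` 0.9.8 (path `json-thing > tiny-parser`), and the low one on `old-util` with no fix available. A real service would also have to handle semver pre-release ordering, caret/tilde ranges and other lockfile formats, which this example deliberately leaves out.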
Security notifications can be delivered in several ways: as an alert shown alongside other GitHub notifications, or by email. In addition to an email each time a vulnerability is found, GitHub has recently introduced a weekly digest email that summarizes the vulnerability alerts for up to 10 repositories.
As mentioned, security alerts are currently supported only for Ruby and JavaScript dependencies; support for Python is planned for 2018.
This content is in the Open Source topic