Public repositories automatically get the security alerts, while private repositories need to opt in to the service.
The expansion of the service to Python could have a big impact. One of the most popular projects written in Python is Google’s open source deep learning framework TensorFlow.
Within a month of launching, the service found 450,000 vulnerabilities that repository owners removed or updated.
Python is probably a good target for this program given its rapid ascent among data scientists; according to the coding community site Stack Overflow, Python is the fastest growing language used by developers.
The alert service is starting small with a “few recent vulnerabilities”; however, over the coming weeks older Python bugs will join the program, giving developers with Python dependencies an ever greater feed of vulnerability alerts to act on.
The vulnerability information comes from MITRE’s Common Vulnerabilities and Exposures (CVE) List.
“When GitHub receives a notification of a newly-announced vulnerability, we identify public repositories (and private repositories that have opted in to vulnerability detection) that use the affected version of the dependency. Then, we send security alerts to owners and people with admin access to affected repositories. You can also configure security alerts for additional people or teams working in organization-owned repositories,” GitHub says.
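The matching step GitHub describes (take a newly announced vulnerability, find the repositories whose dependency manifest pins an affected version, alert their owners) can be illustrated in miniature. The following is an added example, not GitHub's code or any part of its alerting service: it parses a few constructed `requirements.txt` manifests, compares each exact pin against a hypothetical advisory's affected range, and reports repositories that need an alert. The advisory identifier, package name and repository names are all placeholders, and unpinned requirements are reported separately because a manifest without an exact pin does not say which version is actually installed.

```python
"""
Added example (not GitHub's code): a minimal version of the dependency-matching
step described above. Given an advisory naming a package and its affected
version range, find the repositories whose pinned dependency falls inside it.
All advisory data, package names and manifests below are constructed samples.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    # Hypothetical advisory record; the identifier is a placeholder, not a real CVE.
    advisory_id: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


def parse_version(text: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2); non-numeric suffixes such as 'rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


# Matches an exact pin such as 'pkg==1.2.3' (other specifiers are treated as unpinned).
_PIN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def _normalize(name: str) -> str:
    """Package names are compared case-insensitively with '_' folded to '-'."""
    return name.lower().replace("_", "-")


def parse_requirements(text: str) -> dict:
    """
    Return {normalized_name: version} for exact pins.
    Comments and blank lines are skipped. Requirements without an exact pin
    ('pkg>=1.0', 'pkg') map to None: the manifest alone cannot tell us the version.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN.match(line)
        if m:
            pins[_normalize(m.group(1))] = m.group(2)
        else:
            name = re.split(r"[<>=!~;\[ ]", line, maxsplit=1)[0]
            pins[_normalize(name)] = None
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed, using numeric tuple comparison."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_affected_repos(repos: dict, adv: Advisory) -> dict:
    """
    repos: {repo_name: requirements_text}
    Returns {repo_name: status}, where status is the vulnerable pinned version,
    or 'unpinned' when the package is listed without an exact pin and needs a
    closer look (lockfile or installed environment) before an alert is raised.
    """
    hits = {}
    pkg = _normalize(adv.package)
    for repo, req in repos.items():
        pins = parse_requirements(req)
        if pkg not in pins:
            continue
        ver = pins[pkg]
        if ver is None:
            hits[repo] = "unpinned"
        elif is_affected(ver, adv):
            hits[repo] = ver
    return hits


# Constructed sample data: a placeholder advisory and four small manifests.
SAMPLE_ADVISORY = Advisory("EXAMPLE-ADVISORY-0001", "examplelib", "1.0.0", "1.4.2")
SAMPLE_REPOS = {
    "org/app-a": "requests==2.20.0\nexamplelib==1.3.0  # inside the affected range\n",
    "org/app-b": "examplelib==1.4.2\n",        # exactly the fixed version: not affected
    "org/app-c": "examplelib>=1.0\n",          # no exact pin: version unknown
    "org/app-d": "# no examplelib here\nflask==1.0.2\n",
}

if __name__ == "__main__":
    for repo, status in find_affected_repos(SAMPLE_REPOS, SAMPLE_ADVISORY).items():
        print(f"alert {SAMPLE_ADVISORY.advisory_id}: {repo} -> {status}")
```

Running the block reports `org/app-a` with its vulnerable pin and `org/app-c` as unpinned, while `org/app-b` (already on the fixed version) and `org/app-d` (no such dependency) produce no alert. A real service would additionally consult lockfiles and handle pre-release and non-numeric version schemes, which this example deliberately leaves out.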