Microsoft’s hit code-sharing site GitHub has announced a host of new security tools for open source developers who build for enterprise, including new enterprise security alerts, automated patching, and a private zone to discuss and fix security vulnerabilities.
GitHub’s security alerts for vulnerable dependencies in a coding project have come to the enterprise, the company announced today at its 2019 Satellite conference in Berlin, Germany. These alerts have been available to users of GitHub online since 2017, but until today it was not available to enterprise customers running their own internal GitHub Enterprise server.
“Now you can connect your GitHub server to the cloud and it will use the use the dependency information from your server to send you security alerts,” said Shanku Niyogi, SVP of GitHub Product.
An update to GitHub Enterprise Server release today allows customers to receive security alerts if they use GitHub Connect, the company's cloud service.
The company also announced a security alerts partnership with security firm White Source, which tracks open source vulnerabilities. GitHub will use its collection of known vulnerabilities to determine what dependencies to issue alerts for.
GitHub highlighted today that it had provided developers with 27 million security alerts since launching the service in 2017. Niyogi said this had led to developers fixing 3.5 million vulnerabilities, which seems low, but could be because developers are concerned the fix could break their code. The alert service is an attempt to improve the speed of patching in open source projects.
Which is where GitHub’s just announced acquisition of Dependabot comes in. The formerly third-party service automated dependency updates for GitHub projects for a fee. GitHub has integrated the service and is making it available to all users for free, so long as they've signed up to security alerts.
“The thing now is we won’t just send you an alert. We’ll send you a pull request that says, here’s thee action you take," said Niyogi.
"We’re building Dependabot as a feature, so if you sign up for security alerts, we will send you the pull request with the right remediation, the patch to your code, along with the information that explains the security issue.”
The Microsoft subsidiary also launched a few features to support so-called “innersource” workflows, which borrow practices from open source development and apply them to enterprise software development that happens behind closed doors.
Historically, GitHub users could only choose between public and private repositories (repos). The public option is completely open, while the private repo required the owner to individually manage who had access to it. Now enterprise can create an an “internal repo” that allows an organization to share their project internally.
Enterprise users also get two new role and permission categories to the existing read, write and admin options. These include Triage and Maintain, allowing enterprise teams to use trusted contributors for certain jobs while preventing them from having more powerful write privileges to change code or repo settings.
Other enterprise features announced today are available here on GitHub’s blog.
Finally, the company has launched a potentially very useful that allows project maintainers to work on maintainer security advisories in private. This is available for maintainers to “privately discuss, fix, and publish information about security vulnerabilities in your repository.”
While large tech companies have teams of people working on fixing security bugs and developing appropriate security advisories, some open source projects — whose software packages other open source developers could rely on for their projects — may not have all the internal resources to developer the advisory themselves.
GitHub developers can now create a temporary private fork of a repo and add select participants who can be involved in the discussion about a fix, allowing maintainers to privately collaborate with people who have the right skills to resolve the issue.
After that’s all done and patches are ready, the project would then take the private repo public and post the CVE-identifier and the advisory to tell their community about the bug. After hitting the publish, all users of that project will be notified. GitHub itself will be handling who gets notified using tags and metadata provided by the developer.
GitHub is encouraging developers to try out the maintainer advisory service in a draft form.
Disclosure: CSO Online travelled to Satellite 2019 as a guest of GitHub.