Keep your code safe with GitHub’s security alerts
Security issues are no joke, but it’s hard to stay updated with everything. Constant vigilance is tiring, you know? Keep track of your potential vulnerabilities with GitHub’s dependency graphs and security alerts.
Open source is inherently collaborative: few people code every single line by themselves. If you write any kind of software, it’s almost certain that your code relies on at least on API or open source project. This is one of the great things about open source, lowering the barrier for all kinds of developers. However, it means that your complex web of dependencies can leave you open to security threats.
While a large team of programmers might run big projects like Linux or Eclipse, that doesn’t mean it’s completely secure. In reality, those projects often depend on smaller libraries, which may be run by a few people in their spare time. Because of time constraints, security testing and general maintenance can be pushed down the to-do list. And then we get things like Heartbleed.
This is pretty normal. According to Libraries.io, an open source project that maps dependencies across different libraries and package managers, nearly 3,000 open source libraries are heavily used but lightly maintained. This is the unseen infrastructure of the internet, the “libraries that are heavily depended upon by the community but don’t receive much recognition or attention”.
And that means it’s even easier to security issues to slip through the cracks if there’s just not that many people maintaining a project. This leads to cascading effects downstream, as that one poorly secured repo might be heavily depended upon by bigger and more popular apps or libraries.
Dependency graphs and security alerts
The latest update embeds security alerts into these dependency charts. If a specific package or application is associated with a public security vulnerability, it’s flagged in your dependency chart. This makes it easier for developers to keep track of whether or not they’re at risk.
Public repositories have their dependency graphs and security alerts automatically enabled. However, owners of private repositories do need to opt in. Same with the security alerts. Public repos are automatically in, private ones need to sign up.
Let me be extremely clear: this isn’t a cure-all. Only vulnerabilities with CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) are included in these security alerts. Some of you have already noticed the pretty gaping flaw: not all vulnerabilities have CVE IDs. Lots of publicly disclosed vulnerabilities never even get them. So, you still have to keep a close eye on your code.
If you’re interested in learning more about the security alerts function, head on over to GitHub and see more here.