
GitHub Security Alerts Detected over Four Million Vulnerabilities


Launched last October, GitHub security alerts significantly reduced the time it takes for developers to remove vulnerabilities from their Ruby and JavaScript projects, says GitHub.

GitHub’s security alerts notify repository admins when library vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list are detected in their repositories. CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. This gives administrators a precious "heads up" to react promptly and fix the vulnerability by removing the vulnerable dependency or moving to a secure version.

According to GitHub, nearly half of all displayed alerts are responded to within a week, and the rate of vulnerabilities resolved in the first seven days has been about 30%. However, when that statistic is restricted to repositories with recent contributions, i.e., contributions in the last 90 days, things look even brighter, GitHub says, with 98% of such repositories being patched in fewer than seven days. Overall, more than four million vulnerabilities in over 500,000 repositories have been reported.

All public repositories are scanned for vulnerabilities; private repositories are scanned only if their dependency graph is enabled. For each vulnerability found, the repo admin is presented not only with general information about the issue, but also with its severity level and resolution steps. If no safe version of a given dependency is known, GitHub will attempt to recommend a similar, safe dependency to use in place of the unsafe one.
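To make the mechanism described above concrete, here is an added example (not GitHub's code and not from the article): a small checker that walks an npm lockfile's dependency graph, matches each package against an advisory list, and emits an alert with a severity and a resolution step, either "upgrade to the patched version" or, when no fixed release exists, "switch to a replacement package". The advisory ids, package names and the lockfile contents are all constructed placeholders, not real CVEs or real packages.

```javascript
// Added example, not GitHub's implementation. Constructed advisory list:
// ids are placeholders, not real CVE numbers, and packages are fictional.
const ADVISORIES = [
  { id: "ADV-PLACEHOLDER-1", package: "left-widget", vulnerableBelow: "2.1.0",
    patched: "2.1.0", severity: "high",
    summary: "example issue in left-widget" },
  { id: "ADV-PLACEHOLDER-2", package: "old-parser", vulnerableBelow: "9.9.9",
    patched: null, replacement: "new-parser", severity: "moderate",
    summary: "example issue in old-parser (no fixed release)" },
];

// Constructed package-lock.json (lockfile v1 layout). It nests a vulnerable
// copy under another package and also contains a patched copy of the same
// package, so the walker has to recurse and keep versions apart.
const LOCKFILE = {
  name: "demo-app",
  dependencies: {
    "left-widget": { version: "2.0.3", dependencies: {
      "old-parser": { version: "1.4.0" } } },
    "safe-lib": { version: "1.0.0" },
    "another": { version: "3.2.0", dependencies: {
      "left-widget": { version: "2.1.0" } } },
  },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Flatten the lockfile tree into unique name@version entries, recording the
// path so an alert can say where the vulnerable copy sits in the graph.
function walkDependencies(deps, path = [], seen = new Map()) {
  for (const [name, info] of Object.entries(deps || {})) {
    const key = `${name}@${info.version}`;
    if (!seen.has(key)) {
      seen.set(key, { name, version: info.version, path: [...path, name].join(" > ") });
    }
    walkDependencies(info.dependencies, [...path, name], seen);
  }
  return seen;
}

// Produce one alert per vulnerable name@version, with severity and a
// resolution step (patched version, or a replacement when none is known).
function findAlerts(lockfile, advisories) {
  const alerts = [];
  for (const dep of walkDependencies(lockfile.dependencies).values()) {
    for (const adv of advisories) {
      if (adv.package !== dep.name) continue;
      if (compareVersions(dep.version, adv.vulnerableBelow) >= 0) continue;
      const resolution = adv.patched
        ? `upgrade ${dep.name} to ${adv.patched} or later`
        : `no patched release known; consider replacing with ${adv.replacement}`;
      alerts.push({ id: adv.id, package: dep.name, version: dep.version,
        path: dep.path, severity: adv.severity, summary: adv.summary, resolution });
    }
  }
  return alerts;
}

// Print the report the way an alert view would list it.
const report = findAlerts(LOCKFILE, ADVISORIES);
for (const a of report) {
  console.log(`[${a.severity}] ${a.id} ${a.package}@${a.version} (${a.path}): ${a.resolution}`);
}
```

Run with `node` to see two alerts: the nested `left-widget@2.0.3` is flagged with an upgrade step while the `left-widget@2.1.0` copy under `another` is not, and `old-parser` gets a replacement suggestion because the advisory lists no patched release. A real checker would use a proper semver range library and a maintained advisory feed; the numeric comparison here is deliberately minimal.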

Security notifications can be delivered in several ways: as an alert displayed among other notifications, or via email. In addition to sending an email each time a vulnerability is found, GitHub has recently introduced a weekly digest email that summarizes the vulnerability alerts of up to 10 repositories.

As mentioned, security alerts are currently supported only for repositories written in Ruby or JavaScript, while support for Python is planned for 2018.
