Along with Semmle acquisition, GitHub has disclosed a number of improvements aimed to make it easier for maintainers and developers to fix and protect against vulnerabilities. This includes the possibility of creating a security advisory and assigning it a CVE number directly from GitHub UI.
As GitHub senior vice president Shanku Niyogi explains, when a project maintainer or anyone with admin privileges for a repository discovers a vulnerability, they can now create a draft security advisory, which provides a private area to discuss and fix the vulnerability. Security advisories are private for any kind of repository, both private and public, and enable carefully controlling which collaborators can access.
Most importantly, a security advisory enables the creation of a temporary private fork of the repo to make it possible for developers to work on a fix without the risk of making sensitive information available to external parties in advance. To enforce this guarantee, temporary private forks cannot be accessed by continuous integration tasks or other integrations.
All mentioned features are grouped under a new Security tab in GitHub UI, including creating a security advisory, creating a temporary private fork, creating a pull request, and merging it into the main branch.
Another significant workflow improvement GitHub has announced is the possibility to issue CVEs for security advisories opened on GitHub. To make this possible, GitHub has become a CVE numbering authority for open source projects. Operated by the Mitre Corporation, CVEs provide a way to uniquely reference vulnerabilities in all conversations and exchanges related to them. This makes it useful to acquire CVEs as soon as possible, even before a fix for the vulnerability is available -- and this is exactly where GitHub is trying to make things easier for developers by integrating this functionality directly in GitHub UI.
It is not the first time GitHub adds features specifically meant to help developers secure their code. A few months ago, GitHub introduced Dependabot-powered automatic security PRs, which can scan all dependencies of a project and automatically submit a PR to update any vulnerable dependencies. Previously, GitHub had introduced vulnerability alerts to warn developers about any known vulnerabilities found among their projects' dependencies. Last but not least, GitHub also supports token scanning to prevent developers from inadvertently sharing their token and cryptographic keys when pushing to a public repo.
GitHub maintainer security advisories are currently in public beta.