Story image

GitHub rolls out security alerts feature for Python

16 Jul 2018

GitHub has rolled out security alerts for Python, which allows users to receive alerts whenever their code repositories depend on packages with known security vulnerabilities.

“We’ve chosen to launch the new platform offering with a few recent vulnerabilities,” GitHub says.

“Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”

The development follows last year’s releases that track security vulnerabilities in both Ruby and JavaScript packages.

The company says that since the launch of those alerts, it has identified millions of vulnerabilities. The vulnerabilities are most often Common Vulnerabilities and Exposures, or CVEs.

According to a GitHub blog from November 2017, the security alert system has been highly successful, with many vulnerability alerts resulting in patches in fewer than seven days.

 “We found over four million vulnerabilities in over 500,000 repositories and displayed an alert to repository admins in their dependency graphs and repository home pages (for Ruby and Javascript),” GitHub says in a blog.

“By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version. Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30%.

“Additionally, 15% of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

These features are now available for Python users.

Users can make the most of Python security alerts through the following tips:

First, ensure that you have checked in a requirements.txt or Pipfile.lock file inside of repositories that have Python code.

Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allow access in the dependency graph section of your repository’s “Insights” tab.

When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository’s settings page and navigating to the “Alerts” tab.

To configure the kind or frequency of notifications you receive, visit your profile’s notification settings page and select your preferred option.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.