Story image

GitHub rolls out security alerts feature for Python

16 Jul 18

GitHub has rolled out security alerts for Python, which allows users to receive alerts whenever their code repositories depend on packages with known security vulnerabilities.

“We’ve chosen to launch the new platform offering with a few recent vulnerabilities,” GitHub says.

“Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”

The development follows last year’s releases that track security vulnerabilities in both Ruby and JavaScript packages.

The company says that since the launch of those alerts, it has identified millions of vulnerabilities. The vulnerabilities are most often Common Vulnerabilities and Exposures, or CVEs.

According to a GitHub blog from November 2017, the security alert system has been highly successful, with many vulnerability alerts resulting in patches in fewer than seven days.

 “We found over four million vulnerabilities in over 500,000 repositories and displayed an alert to repository admins in their dependency graphs and repository home pages (for Ruby and Javascript),” GitHub says in a blog.

“By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version. Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30%.

“Additionally, 15% of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

These features are now available for Python users.

Users can make the most of Python security alerts through the following tips:

First, ensure that you have checked in a requirements.txt or Pipfile.lock file inside of repositories that have Python code.

Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allow access in the dependency graph section of your repository’s “Insights” tab.

When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository’s settings page and navigating to the “Alerts” tab.

To configure the kind or frequency of notifications you receive, visit your profile’s notification settings page and select your preferred option.