GitHub: Our dependency scan has found four million security flaws in public repos

The code repository site says its security alerts are moving developers to patch known vulnerabilities.
Written by Liam Tung, Contributing Writer


GitHub: EU copyright crackdown could hurt open source development

GitHub says its security scan for old vulnerabilities in JavaScript and Ruby libraries has turned up over four million bugs and sparked a major clean-up by project owners.

The massive bug-find total was reached within a month of the initiative's launch in November, when GitHub began scanning for known vulnerabilities in certain popular open-source libraries and notifying project owners that they should be using an updated version.

The scan automatically probes public repositories on GitHub for known-vulnerable libraries in RubyGems for Ruby and npm for JavaScript, so it doesn't yet cover all possible vulnerable libraries.

However, GitHub plans to expand its scan to Python dependencies later this year. Private repositories meanwhile need to opt in to the security alerts.

As Equifax's massive data breach demonstrated, vulnerable open-source software libraries can have serious security consequences.

GitHub says it found over four million vulnerabilities in over half a million repositories, and issued security alerts to each of the projects' admins in their dependency graphs and repository home pages.

GitHub scans public repositories every time it receives a notification of newly-announced vulnerabilities in the dependencies it scans for, and then privately notifies developers.

Download now: Data classification policy

The code-hosting site says by December 1 project owners had cleaned up 450,000 of the four million vulnerabilities found by its scan, either by updating to a secure version or removing the dependency.

That figure still leaves over three million unfixed vulnerabilities. However, GitHub says that the alerts are prompting developers to resolve issues, with around 30 percent of vulnerabilities being resolved seven days after GitHub sends the security alert.

A further 15 percent of alerts are dismissed, while the remaining 55 percent of alerts are for bugs in repositories that haven't changed in the last 90 days.

Previous and related coverage

Open source's big weak spot? Flawed libraries lurking in key apps

To avoid becoming the next Equifax, it could be a good idea to scan your apps for vulnerable open-source libraries.

GitHub to devs: Now you'll get security alerts on flaws in popular software libraries

GitHub's new service will help developers clean up vulnerable project dependencies.

Microsoft: Our CredScan stops GitHub gaffes from revealing Azure secrets

Microsoft's Credential Scanner will flag when developers publish secrets that put their applications at risk.

GitHub: Open source is dominated by men who just can't communicate

A random selection of users for GitHub's Open Source Survey reveal a population that's 95 percent male.

GitHub hit with massive 1.35 Tbps DDoS attack, could be world's largest(TechRepublic)

The attack was carried out through the abuse of memcached instances, taking the site down multiple times.

Editorial standards