GitHub: EU copyright crackdown could hurt open source development
The massive bug-find total was reached within a month of the initiative's launch in November, when GitHub began scanning for known vulnerabilities in certain popular open-source libraries and notifying project owners that they should be using an updated version.
However, GitHub plans to expand its scan to Python dependencies later this year. Private repositories meanwhile need to opt in to the security alerts.
GitHub says it found over four million vulnerabilities in over half a million repositories, and surfaced a security alert to the admins of each affected project, both in the repository's dependency graph and on its home page.
GitHub scans public repositories every time it receives a notification of newly announced vulnerabilities in the dependencies it scans for, and then privately notifies the developers concerned.
The code-hosting site says by December 1 project owners had cleaned up 450,000 of the four million vulnerabilities found by its scan, either by updating to a secure version or removing the dependency.
That figure still leaves over three million unfixed vulnerabilities. However, GitHub says that the alerts are prompting developers to resolve issues, with around 30 percent of vulnerabilities resolved within seven days of GitHub sending the security alert.
A further 15 percent of alerts are dismissed, while the remaining 55 percent of alerts are for bugs in repositories that haven't changed in the last 90 days.
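To make the mechanism concrete, here is a small added model (not GitHub's code) of the scan described above and of the four outcome buckets the figures refer to: a dependency graph is matched against an advisory feed, and each alert is later classed as resolved (updated past the fix or removed), dismissed, stale (no commit in 90 days) or still open. The advisory feed, version-range rule and repositories are constructed sample data, not real advisories.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str  # constructed rule: every version below this is vulnerable

@dataclass
class Repo:
    name: str
    deps_at_alert: dict  # {package: version} in the graph when the alert was sent
    deps_now: dict       # the current dependency graph
    last_commit: date
    dismissed: set = field(default_factory=set)  # alerts the owner dismissed

def vtuple(v):
    """Turn '4.17.5' into (4, 17, 5) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def scan(deps, advisories):
    """Match a dependency graph against the advisory feed; one alert per hit."""
    return [(a.package, deps[a.package], a.fixed_in) for a in advisories
            if a.package in deps and vtuple(deps[a.package]) < vtuple(a.fixed_in)]

def triage(repo, advisories, today):
    """Bucket each alert as resolved, dismissed, stale (no commit in 90 days) or open."""
    result = {}
    for pkg, _, fixed_in in scan(repo.deps_at_alert, advisories):
        now = repo.deps_now.get(pkg)
        if now is None or vtuple(now) >= vtuple(fixed_in):
            result[pkg] = "resolved"  # updated to a fixed version or removed
        elif pkg in repo.dismissed:
            result[pkg] = "dismissed"
        elif today - repo.last_commit >= timedelta(days=90):
            result[pkg] = "stale"
        else:
            result[pkg] = "open"
    return result

# Constructed sample data: two advisories, an active repo and an abandoned one.
ADVISORIES = [Advisory("lodash", "4.17.5"), Advisory("rack", "2.0.4")]
TODAY = date(2017, 12, 1)
ACTIVE = Repo("demo-app", {"lodash": "4.17.4", "rack": "2.0.3", "left-pad": "1.3.0"},
              {"lodash": "4.17.10", "rack": "2.0.3"}, date(2017, 11, 20), {"rack"})
ABANDONED = Repo("old-tool", {"rack": "2.0.1"}, {"rack": "2.0.1"}, date(2017, 9, 1))
if __name__ == "__main__":
    print(scan(ACTIVE.deps_at_alert, ADVISORIES))
    print(triage(ACTIVE, ADVISORIES, TODAY), triage(ABANDONED, ADVISORIES, TODAY))
```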