GitHub rolls out dependency review, vulnerability alerts for pull requests

The aim is to prevent vulnerable code from being added to dependencies by accident.
Written by Charlie Osborne, Contributing Writer

GitHub will roll out dependency review, a security assessment for pull requests, in the coming weeks to developers. 


The open source development platform said on Tuesday at the GitHub Universe conference that dependency review is a system designed to help "reviewers and contributors understand dependency changes and their security impact at every pull request" and has been developed to try to prevent vulnerable code from being merged by accident through new or updated dependencies. 

Added to the GitHub roadmap this year, the new tool will give developers an overview of which dependencies are added or removed from a project, when they were updated, how many other projects lean on a dependency, and any vulnerability information associated with them. 
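To make the review described above concrete, here is a small added example (not GitHub's implementation, and not code from the article) that does the same job for a pinned Python requirements file: it diffs the base branch's manifest against the pull request's, reports added, removed and updated dependencies, and checks only the changed packages against an advisory list. The manifests and the advisory entries (with placeholder IDs rather than real CVEs) are constructed for the example; the "block on high or critical" policy is an assumed setting, not a GitHub default.

```python
"""Toy dependency review for a pull request (added illustration, not GitHub's code).

Diff two pinned 'name==version' manifests and flag changed packages whose new
version is below an advisory's fixed version. Pre-existing vulnerable pins that
the pull request does not touch are deliberately not attributed to the PR.
"""
import re

# Constructed sample manifests: the base branch and the pull request head.
BASE_REQUIREMENTS = """\
requests==2.24.0
urllib3==1.25.10
pyyaml==5.3.1
"""
HEAD_REQUIREMENTS = """\
requests==2.25.0
urllib3==1.25.10
jinja2==2.10.1   # newly added by the pull request
"""

# Constructed advisory list with placeholder IDs (not real CVE numbers).
ADVISORIES = [
    {"package": "jinja2", "fixed_in": "2.11.3", "id": "EXAMPLE-ADVISORY-1", "severity": "moderate"},
    {"package": "pyyaml", "fixed_in": "5.4", "id": "EXAMPLE-ADVISORY-2", "severity": "high"},
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_manifest(text):
    """Return {name: version} from 'name==version' lines; comments and blanks are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def version_key(version):
    """Numeric dotted versions only (enough for the sample data)."""
    return tuple(int(part) for part in version.split("."))


def diff_dependencies(base_text, head_text):
    """Classify every dependency change the pull request introduces."""
    base, head = parse_manifest(base_text), parse_manifest(head_text)
    return {
        "added": {n: v for n, v in head.items() if n not in base},
        "removed": {n: v for n, v in base.items() if n not in head},
        "updated": {n: (base[n], v) for n, v in head.items() if n in base and base[n] != v},
    }


def vulnerabilities_in_changes(changes, advisories=ADVISORIES):
    """Match advisories only against versions the pull request adds or updates to."""
    new_versions = dict(changes["added"])
    new_versions.update({n: new for n, (_old, new) in changes["updated"].items()})
    findings = []
    for adv in advisories:
        version = new_versions.get(adv["package"])
        if version is not None and version_key(version) < version_key(adv["fixed_in"]):
            findings.append({"package": adv["package"], "version": version,
                             "advisory": adv["id"], "severity": adv["severity"]})
    return findings


def review_pull_request(base_text, head_text, advisories=ADVISORIES,
                        block_on=("high", "critical")):
    """Produce the review record and an assumed merge-blocking decision."""
    report = diff_dependencies(base_text, head_text)
    report["vulnerabilities"] = vulnerabilities_in_changes(report, advisories)
    report["block_merge"] = any(f["severity"] in block_on for f in report["vulnerabilities"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(review_pull_request(BASE_REQUIREMENTS, HEAD_REQUIREMENTS), indent=2))
```

Running it reports jinja2 2.10.1 as an added dependency below its fixed version, requests as an update, and pyyaml as removed; the merge is not blocked because the only finding is moderate. A second review that leaves a vulnerable pyyaml pin untouched produces no finding for it, which is the distinction between "this pull request introduces a vulnerable dependency" and "the repository already has one".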


Dependency review is currently in beta and will become available to public repositories and Advanced Security customers on GitHub Enterprise Cloud, with a rollout expected in the "coming weeks." The feature will be made available for free to public repositories. 

(Figure: Example dependency review record)
GitHub's current security offerings include a vulnerability advisory database, temporary private fork features to fix bugs before public disclosure, dependabot alerts, and automated pull requests for security updates. 

In 2020, the platform logged 56 million developers and the creation of 60 million new repositories. Over 90% of projects utilize open source components and have almost 700 dependencies on average. 

According to GitHub research, vulnerabilities can go undetected for up to four years in open source software. Although the majority of bugs are the result of human error rather than malice, vulnerabilities in components that could be extensively used by third-party vendors need to be dealt with as quickly as possible, and any means of preventing them from being added to dependencies is valuable. 


The organization also revealed a slew of other changes, including a new build of GitHub Enterprise Server, with release starting December 16. The new GHES 3.0 release candidate will include built-in CI/CD and automation features within GitHub Actions and Packages. 

In addition, GHES 3.0 will allow enterprise customers to automate Advanced Security, including code and secret scanning (in beta), during server deployments. 

GitHub also announced:

  • Dark mode: Available today under settings
  • Discussions: Now available for all public repositories
  • Auto-merge pull requests: Rolling out over the next few weeks, this opt-in setting allows developers to permit automatic pull request merges once checks have passed
  • Environments: Starting later this month, environments can be paired with specific secrets to protect apps and packages
  • Workflow visualization: Action workflows can now be visualized in graphs
  • Mobile support: A beta version of mobile support for GitHub Enterprise Server is in development.


In addition, GitHub Sponsors has been expanded from individual funding to investment from businesses. According to the firm, GitHub Sponsors for companies will allow organizations to "invest in the open source developers and projects that they depend on" through GitHub billing. 

Companies including AWS, American Express, Daimler, and Microsoft have already signed up to financially support open source projects. 
