GitHub security alerts now support Java and .NET projects

GitHub also launches Token Scanning tool and new Security Advisory API.

Code hosting service GitHub has updated its platform this week, and among the many developer-centric changes, the company also rolled out three new security features for project owners.

The most important of these new security improvements is the expansion of the Security Alerts feature, which now also supports Java and .NET projects, on top of the original JavaScript, Ruby, and Python.

GitHub launched this feature last year, and it works by scanning a project's dependencies for outdated libraries and modules for which known vulnerabilities exist.

If GitHub's scanner finds that a developer is using an old library affected by a known security bug, it will show or send an alert urging the developer to update the project's dependencies.

GitHub launched this feature to great success in November 2017 for JavaScript and Ruby projects and later expanded it to Python projects in July 2018.

Industry experts had anticipated that GitHub would add Java, one of the most widely used programming languages thanks to the success of the Android OS, and .NET, an expected move after Microsoft acquired GitHub earlier this year.

By default, GitHub scans manifest files such as package.json (JavaScript), Gemfile or Gemfile.lock (Ruby), requirements.txt or Pipfile.lock (Python), pom.xml (Java), and one of the many .NET manifest files such as app.manifest, project.json, .csproj files, and .MSBuild files, so make sure your project uses one.
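As an added illustration of what a dependency scanner does with those manifests (this is example code written for this page, not GitHub's implementation), the Python below pulls pinned dependencies out of a package.json, a requirements.txt and a pom.xml, then compares each version against a small advisory list. The advisory IDs (DEMO-000x), package names and sample manifests are constructed for the example; the real service matches against CVE data, and for npm it would read the exact versions from package-lock.json rather than the range floor used here.

```python
"""Toy dependency-alert check: parse manifests, match pins against a local advisory list.

Added example for illustration; not GitHub's code. Advisories and manifests are constructed.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed advisory list standing in for the CVE feed the article describes.
# A package is vulnerable when its version is below fixed_in. The IDs are invented.
ADVISORIES = [
    {"id": "DEMO-0001", "ecosystem": "npm",   "package": "demo-leftpad",         "fixed_in": "1.3.0"},
    {"id": "DEMO-0002", "ecosystem": "pip",   "package": "demo-http",            "fixed_in": "2.20.0"},
    {"id": "DEMO-0003", "ecosystem": "maven", "package": "com.example:demo-xml", "fixed_in": "4.1.2"},
]


def parse_version(v):
    """'1.2.3' -> (1, 2, 3); pre-release suffixes are ignored, so '4.1.2-beta' compares as 4.1.2."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = tuple(int(n) for n in re.findall(r"\d+", core))
    return parts or (0,)


def parse_package_json(text):
    """npm: {name: version}. Range prefixes (^, ~) are stripped, so the floor of the range
    is used; a package-lock.json would give the exact resolved version instead."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            deps[name] = spec.lstrip("^~=v ")
    return deps


def parse_requirements_txt(text):
    """pip: only '==' pins carry a checkable version; other specifiers are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][A-Za-z0-9.\-]*)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def parse_pom_xml(text):
    """Maven: key dependencies as groupId:artifactId; ignores XML namespaces and ${property} versions."""
    def local(tag):
        return tag.rsplit("}", 1)[-1]

    deps = {}
    for dep in ET.fromstring(text).iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if "version" in fields and not fields["version"].startswith("${"):
            deps[f"{fields['groupId']}:{fields['artifactId']}"] = fields["version"]
    return deps


def find_alerts(manifests):
    """manifests: {ecosystem: {package: version}}.
    Returns a sorted list of (advisory_id, package, installed_version, fixed_in)."""
    alerts = []
    for adv in ADVISORIES:
        version = manifests.get(adv["ecosystem"], {}).get(adv["package"])
        if version is not None and parse_version(version) < parse_version(adv["fixed_in"]):
            alerts.append((adv["id"], adv["package"], version, adv["fixed_in"]))
    return sorted(alerts)


# Constructed sample manifests (not from any real project).
SAMPLE_PACKAGE_JSON = '{"dependencies": {"demo-leftpad": "^1.2.0", "demo-express": "4.16.3"}}'
SAMPLE_REQUIREMENTS = "demo-http==2.18.4   # pinned and below fixed_in\ndemo-flask>=1.0   # not a pin, skipped\n"
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>demo-xml</artifactId><version>4.1.2</version></dependency>
  </dependencies>
</project>"""


def demo():
    manifests = {
        "npm": parse_package_json(SAMPLE_PACKAGE_JSON),
        "pip": parse_requirements_txt(SAMPLE_REQUIREMENTS),
        "maven": parse_pom_xml(SAMPLE_POM),
    }
    return find_alerts(manifests)


if __name__ == "__main__":
    for alert_id, pkg, have, fixed in demo():
        print(f"{alert_id}: {pkg} {have} is vulnerable; upgrade to >= {fixed}")
```

The Maven dependency is already at its fixed version and produces no alert, which is the comparison the real scanner makes: a package is only flagged when the declared version falls inside the advisory's vulnerable range.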

The security alerts feature is available for all users, and they can find it in each GitHub project's "Insights" tab, under the "Alert" option.

[Image: github-security-alert.png, the security alerts view in a repository's Insights tab. Image: GitHub]

Developers who manage a large number of projects and cannot visit each project's GitHub page by hand can also choose among several notification methods:

  • A banner in the GitHub interface
  • Web notifications on the GitHub domain
  • Email notifications for each new vulnerability
  • Daily or weekly email digests of all new vulnerabilities

GitHub's security alerts system isn't perfect: it can only detect vulnerabilities that have received a CVE identifier and have been indexed in NIST's National Vulnerability Database (NVD). Some vulnerabilities are expected to slip through the cracks, but the alerts system has already proven effective in practice.

In a blog post in March, GitHub said that within a month of its launch last year, developers acted on security alerts and removed 450,000 vulnerabilities from their projects.

But the expanded security alerts weren't the only security-themed updates that GitHub announced. The company also rolled out something called GitHub Token Scanning.

This new tool, still in beta, is aimed at maintainers of public code repositories: it scans their public source code for API keys and other authentication tokens.

These tokens are the equivalent of leaving a server password in the code, and GitHub plans to alert users who accidentally commit one to their projects. Note that a token pushed to a public repository should be treated as compromised and rotated, since it remains in the commit history even after the file is edited.

Currently, GitHub Token Scanning supports token formats for services like Amazon Web Services (AWS), Azure, GitHub, Google Cloud, Slack, and Stripe.
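To make concrete what scanning source for token formats involves, here is an added example written for this page; it is not GitHub's Token Scanning, whose patterns are not public. It uses the publicly documented prefixes of AWS access key IDs, Google API keys, Slack tokens and Stripe secret keys (an assumption that these shapes are what a scanner would key on), adds a Shannon-entropy check to suppress obvious placeholders, and runs over a constructed config snippet. GitHub's own tokens at the time were 40 hex characters and are left out because they cannot be told apart from a SHA-1 by shape alone.

```python
"""Toy token scanner: flag strings that match the published shapes of cloud/API credentials.

Added example; not GitHub's Token Scanning implementation. Sample input is constructed.
"""
import math
import re

# Publicly documented credential prefixes (the exact patterns are this example's assumption).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "google_api_key":    re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack_token":       re.compile(r"\bxox[baprs]-[0-9A-Za-z\-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{24,}\b"),
}


def shannon_entropy(s):
    """Bits of entropy per character; placeholders like 'AKIAXXXXXXXXXXXXXXXX' score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(token, keep=4):
    """Keep the first and last few characters so a finding can be reported without re-leaking it."""
    return token[:keep] + "*" * (len(token) - 2 * keep) + token[-keep:]


def scan_text(text, path="<stdin>", min_entropy=2.5):
    """Return findings as (path, line_no, kind, masked_token).
    Matches whose entropy is below min_entropy are dropped to limit false positives."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(0)
                if shannon_entropy(token) < min_entropy:
                    continue
                findings.append((path, line_no, kind, mask(token)))
    return findings


# Constructed sample file. The AWS value is the key AWS uses in its own documentation
# and the others are made up; none of them is a working credential.
SAMPLE_SOURCE = '''\
# config.py (constructed sample; these are not working credentials)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"      # documentation example key: flagged
AWS_PLACEHOLDER = "AKIAXXXXXXXXXXXXXXXX"        # template placeholder: low entropy, ignored
SLACK_TOKEN = "xoxb-210987654321-1234567890123-Qz8RtY4uVb2NmK7LpXw3sDf1"
STRIPE_KEY = os.environ["STRIPE_SECRET_KEY"]    # read from the environment: nothing to flag
COMMIT_SHA = "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"
'''


def demo():
    return scan_text(SAMPLE_SOURCE, path="config.py")


if __name__ == "__main__":
    for path, line_no, kind, masked in demo():
        print(f"{path}:{line_no}: possible {kind}: {masked}")
```

The entropy filter is what separates a real-looking key from the "AKIAXXXX..." placeholders common in README files; a hosted scanner can go further and confirm a candidate with the provider, which is the step described in the next paragraph.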

Besides alerting the user, GitHub says the service will also notify the provider, so it can invalidate or revoke the token before it is abused.

Last but not least, GitHub also announced the Security Advisory API, which aggregates all security-related information for a developer's account. That includes not only security alerts for vulnerable project dependencies, but also alerts for accounts that use weak or already-compromised passwords, alerts about attempts to break into a GitHub account, and more.

The API is intended for developers who manage a large number of projects, or for companies that want to make sure their projects and employee access live up to their internal security standards.

Readers interested in the other changes to the GitHub platform can read about the developer- and business-related updates here.
