GitHub introduced an automated alert mechanism to allow developers to address vulnerabilities in open source components that their code uses.
According to GitHub, the new feature, Dependabot alerts for vulnerable actions on GitHub, will make it easier for developers to find and fix security vulnerabilities in the third-party actions used by their GitHub Actions workflows.
Vulnerabilities like Log4Shell in Log4j have exposed the weakness of open source security, and US President Joe Biden has made software security a national priority. His executive order on cybersecurity directs that software sold to the federal government must be developed using secure software development lifecycle practices and meet specific federal security guidelines.
The strength of open source code is that external modules can be pulled into a project from a public repository such as GitHub. This lets developers add functionality without writing all the code themselves. Those modules are maintained by third-party developers, not by the project that consumes them.
However, as Computer Weekly previously reported, if a security flaw is found in an open source module, every project that depends on that module inherits the risk. In many cases, developers whose code requires such modules are unaware that the open source code they have pulled into their own project now poses a security risk. GitHub Actions workflows are a case in point: a workflow file typically references actions written by other people, usually by a tag such as a version number, so a vulnerable action is pulled into the build pipeline just like any other dependency.
This is the situation GitHub hopes to address with Dependabot alerts for vulnerable GitHub Actions.
In a GitHub Blog post announcing the alerts, Kate Catlin, senior product manager at GitHub, and Brittany O’Shea, writing on the GitHub Blog, said the alerts will be powered by the GitHub Advisory Database.
“When an actionable security vulnerability is reported, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert to affected repositories,” they wrote.
At the time of writing, the GitHub Advisory Database held 8,543 reviewed advisories, 1,560 of which were classified as “critical”. Illustrating the scale of the problem facing the open source community, the database also listed more than 173,000 advisories that had not yet been reviewed by GitHub, and only reviewed advisories trigger Dependabot alerts.
There is a general consensus that global cooperation is needed to keep open source code secure. In January 2022, a number of major technology firms, including Google and IBM, took part in the Open Source Software Security Summit at the White House.
To coincide with the summit, Kent Walker, president of global affairs at Google and Alphabet, published a blog discussing the need to effectively secure open source code.
“The growing reliance on open source means it’s time for industry and government to come together to establish baseline standards for security, maintainability, provenance and testing—to ensure that the nation’s infrastructure and other critical systems can rely on projects with open source,” he wrote.
Jamie Thomas, executive director of enterprise security at IBM, who also attended the meeting, said: “Today’s meeting clearly demonstrated that government and industry can work together to improve open source security practices. We can start by promoting the widespread adoption of open and commonsense security standards, identifying critical open source assets that must meet the most stringent security requirements, and promoting collaborative national efforts to expand skills training and education in open source security and rewarding developers who are making important strides in the field.”
Potentially, Dependabot alerts for vulnerable actions can be tied into continuous integration and deployment (CI/CD) processes, for example by querying the repository’s open alerts at build time and failing the pipeline when a critical one is found, so that development teams can prioritise remediation work and close security issues faster.
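One way to build such a CI gate, as an added example that is not GitHub’s or Computer Weekly’s code: a small Python script that takes the JSON returned by GitHub’s Dependabot alerts REST endpoint (GET /repos/{owner}/{repo}/dependabot/alerts) and fails the job if any open alert on a GitHub Actions dependency meets a severity threshold. The alert field names used here (`state`, `dependency.package.ecosystem`, `dependency.manifest_path`, `security_advisory.severity`) follow that API; the sample alerts embedded below are constructed for the example and do not refer to real advisories, and the repository name and token variable are assumptions.

```python
"""CI gate on open Dependabot alerts for GitHub Actions dependencies.

Added example (not GitHub's own tooling). Assumes the response shape of
GET /repos/{owner}/{repo}/dependabot/alerts from the GitHub REST API.
"""
import json
import os
import sys
import urllib.request

# Severity levels as used by the GitHub Advisory Database, ranked for comparison.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample resembling three alerts from the API (not real advisories):
#  1. open, critical, on a third-party action referenced from a workflow file
#  2. already fixed, high, on an npm package (must be ignored: not open)
#  3. open, medium, on another action (blocks only at a lower threshold)
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 1, "state": "open",
     "dependency": {"package": {"ecosystem": "actions", "name": "example-org/build-action"},
                    "manifest_path": ".github/workflows/ci.yml"},
     "security_advisory": {"ghsa_id": "GHSA-0000-0000-0001", "severity": "critical",
                           "summary": "constructed example advisory"}},
    {"number": 2, "state": "fixed",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-lib"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-0000-0000-0002", "severity": "high",
                           "summary": "constructed example advisory"}},
    {"number": 3, "state": "open",
     "dependency": {"package": {"ecosystem": "actions", "name": "example-org/deploy-action"},
                    "manifest_path": ".github/workflows/release.yml"},
     "security_advisory": {"ghsa_id": "GHSA-0000-0000-0003", "severity": "medium",
                           "summary": "constructed example advisory"}},
])


def blocking_alerts(alerts, ecosystems=("actions",), min_severity="high"):
    """Return the alerts that are open, in one of `ecosystems`, and at or above `min_severity`."""
    threshold = SEVERITY_RANK[min_severity]
    found = []
    for alert in alerts:
        if alert.get("state") != "open":          # dismissed/fixed alerts never block
            continue
        package = alert.get("dependency", {}).get("package", {})
        if package.get("ecosystem") not in ecosystems:
            continue
        severity = alert.get("security_advisory", {}).get("severity", "low")
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            found.append(alert)
    return found


def gate(alerts_json, ecosystems=("actions",), min_severity="high"):
    """Evaluate the gate. Returns (passed, human-readable lines for the blocking alerts)."""
    blocking = blocking_alerts(json.loads(alerts_json), ecosystems, min_severity)
    lines = [
        "{} ({}) in {}: {}".format(
            a["dependency"]["package"]["name"],
            a["security_advisory"]["severity"],
            a["dependency"]["manifest_path"],
            a["security_advisory"].get("ghsa_id", "?"),
        )
        for a in blocking
    ]
    return len(blocking) == 0, lines


def fetch_alerts(owner, repo, token):
    """Fetch open alerts (first page only) from the GitHub API using a token with security_events scope."""
    req = urllib.request.Request(
        "https://api.github.com/repos/{}/{}/dependabot/alerts?state=open&per_page=100".format(owner, repo),
        headers={"Accept": "application/vnd.github+json", "Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Assumed environment: GITHUB_REPOSITORY ("owner/repo") and GITHUB_TOKEN are set in CI.
    # Without a token the constructed sample is used, so the script also runs offline.
    repo_slug, token = os.environ.get("GITHUB_REPOSITORY"), os.environ.get("GITHUB_TOKEN")
    if repo_slug and token:
        owner, repo = repo_slug.split("/", 1)
        alerts_json = fetch_alerts(owner, repo, token)
    else:
        alerts_json = SAMPLE_ALERTS_JSON
    passed, report = gate(alerts_json, min_severity=os.environ.get("MIN_SEVERITY", "high"))
    for line in report:
        print("blocking Dependabot alert:", line)
    print("gate", "passed" if passed else "FAILED")
    sys.exit(0 if passed else 1)
```

Run as a step after checkout in a workflow, with a token that can read security events; `gh api repos/OWNER/REPO/dependabot/alerts --paginate` is an alternative way to obtain the same JSON. Only open alerts count, so dismissing an alert in the GitHub UI also clears it from the gate, which is why the dismissal reason should be reviewed rather than treated as a fix.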