Best Practices to Keep Your Projects Secure on GitHub

GitHub is secure in and of itself, and it offers a variety of security features that users can employ to protect the code they host there. In addition, many users adopt best practices, such as two-factor authentication and peer review of code, to keep things safe.

However, even if these GitHub projects are correctly implemented, they may accidentally leave critical information in the repository or in commits. For example, if an organization tests its code using API keys, it is possible that when the code is pushed to production, the API keys are pushed along with it.

One needs to keep plenty of things in mind, such as not disclosing sensitive information in commits or in the pull requests created to patch or modify the code. In addition, some projects may rely on potentially vulnerable dependencies. Therefore, to ensure that your project on GitHub is secure, you must follow all of the best practices available at the time of creation.

Managing Dependency Security

Projects use a large number of different dependencies. Because it is impossible to audit every dependency at once, manual verification and dependency review are not feasible. An organization that attempts it will consume a significant amount of resources and still leave its projects vulnerable, since the audit can never cover every dependency at the same time.

As a result, every business needs automated dependency security. Keep in mind, however, that not every dependency update is released to patch a vulnerability.

Whenever we are working on an npm project, the dependencies used are collected in a file named package.json. This file contains both the name of each dependency and the version (or version range) that is being used.

There are many reasons for a dependency to be updated: some functions may have been deprecated, functional changes may be under way, or new features may be added that further enhance the dependency.

Understanding Code and Its Dependencies

An organization must track all code dependencies to determine whether a vulnerable dependency is used in its codebase. GitHub provides a variety of tools, most of them built in, to help you manage your dependency tree, such as the dependency graph and dependency review.

The dependency graph for each repository shows the dependencies, dependents, ecosystems, and packages on which each dependency relies. Each dependency is represented as a node in the graph. In addition, GitHub scans the package.json file to look for outdated dependencies. Defining the dependencies in package.json is straightforward; it is a simple snippet that looks like this:
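As an added example (not code from the original article or from GitHub's own tooling), the script below does in miniature what the dependency graph does for a repository: it reads a package.json manifest, builds an inventory of every declared dependency with its type, and flags entries whose declared version range could resolve below a known fix version. The manifest and the advisory list are constructed sample data, and `findVulnerableDependencies`, `buildInventory` and `lowerBound` are names chosen here, not a GitHub API.

```javascript
// Added example (not from the original article): build a dependency inventory
// from a package.json manifest and flag entries matched by an advisory list.
// Real tooling resolves the full lockfile and queries a real vulnerability
// database; this uses constructed data to show the idea end to end.

// Constructed sample manifest for an npm project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-service",
  version: "1.0.0",
  dependencies: {
    express: "^4.17.1",
    lodash: "~4.17.15",
  },
  devDependencies: {
    jest: "27.0.6",
  },
});

// Constructed advisory list (hypothetical entries, NOT real advisories):
// versions strictly below `fixedIn` are treated as affected.
const SAMPLE_ADVISORIES = [
  { package: "lodash", fixedIn: "4.17.21", id: "EXAMPLE-ADVISORY-1" },
  { package: "jest", fixedIn: "26.0.0", id: "EXAMPLE-ADVISORY-2" },
];

// Lower bound of a simple npm range such as "^4.17.1", "~4.17.15", "4.17.1"
// or ">=1.2.3". Returns null for ranges this toy parser does not understand,
// so the caller can report them instead of silently assuming they are safe.
function lowerBound(range) {
  const m = /^[\^~]?(?:>=)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Numeric comparison of [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// One record per declared dependency, keeping the dependency type
// ("dependencies" vs "devDependencies"), which update tools match rules on.
function buildInventory(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const inventory = [];
  for (const depType of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(manifest[depType] || {})) {
      inventory.push({ name, range, depType, minVersion: lowerBound(range) });
    }
  }
  return inventory;
}

// Return inventory records whose lower bound is below an advisory's fix
// version. A caret/tilde range may resolve higher in the lockfile, so a
// finding means "may be affected, check the lockfile", not proof.
function findVulnerableDependencies(packageJsonText, advisories) {
  const findings = [];
  for (const dep of buildInventory(packageJsonText)) {
    for (const adv of advisories) {
      if (adv.package !== dep.name) continue;
      if (dep.minVersion === null) {
        findings.push({ ...dep, advisory: adv.id, reason: "unparsed range" });
      } else if (compareVersions(dep.minVersion, parseVersion(adv.fixedIn)) < 0) {
        findings.push({ ...dep, advisory: adv.id, reason: `below ${adv.fixedIn}` });
      }
    }
  }
  return findings;
}

// Stand-alone run: prints the single constructed finding (lodash).
console.table(findVulnerableDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_ADVISORIES));
```

With the constructed data, only lodash is flagged: its range `~4.17.15` can resolve to a version below the sample fix version, while the jest pin is already above its sample advisory. The unparsed-range branch matters in practice: a range such as `*` or a git URL gives no lower bound, and a checker that skipped it would under-report.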

By performing a dependency review, developers can understand all the elements of a dependency before including it in their code or package. The review runs on the pull request that introduces new dependencies: information about vulnerabilities, age, license, and usage is displayed for each added dependency, alongside the dependencies that have been removed.

Automating Vulnerability Dependency Detection

As soon as you have a real-time snapshot and analysis of your project's dependencies, you can take action and patch any security vulnerabilities in the dependencies being used. This is where Mend Renovate comes into play.

As part of the free Renovate service, a continuous process runs in the background and automatically discovers the most recent available versions of the dependencies used in a project. When a new version of a dependency is released, Renovate automatically creates a pull request to update it and, provided all of the configured conditions are met, merges it. As a result, you will always be on top of dependency security. Renovate is available as a free, open-source GitHub app and npm package.

It is effortless to install Mend Renovate on GitHub. It also has an npm package and offers plenty of other hosting options. When you install its GitHub app, it adds a file named renovate.json in the root directory of the repository, which will have these lines of code:

You can also keep the configuration in the package.json file if you want, but that option will be deprecated in future releases.

If Renovate detects any outdated dependencies, it creates a pull request. Changelogs, commits, and release history are all included in the pull request, allowing you to thoroughly understand the changes being made.

It has plenty of options that can be configured to carry out the tasks as needed.

You can configure it to auto-merge all dependency update pull requests. Just add this rule, and it will perform auto-merge if the conditions match.

You can easily combine auto-merge with the different types of dependencies in your project. For example, you can enable auto-merge only for devDependencies.

There are many organizations that force reviews of the pull request before they get merged. If you have such a requirement, you can also set the config option like this:

Mend Renovate also has the most comprehensive vulnerability database in the industry. You can use the vulnerabilityAlerts configuration object to enable vulnerability alerts in the repo.

Once a new issue is found, it will be assigned to the user mentioned in the assignees param.
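The following renovate.json is an added example that brings together the settings discussed in this section (the base config the app starts from, auto-merge restricted to devDependencies, requested reviewers for the remaining pull requests, and the vulnerability-alert object with an assignee). It is not the file from the original article or from the Renovate project's onboarding PR; the usernames are placeholders, and `matchUpdateTypes` and `reviewers` are included as one reasonable way to express the review requirement rather than as the option the article had in mind.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "automerge": false,
  "packageRules": [
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ],
  "reviewers": ["EXAMPLE-GITHUB-USERNAME"],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "assignees": ["EXAMPLE-GITHUB-USERNAME"]
  }
}
```

Keeping `automerge` false at the top level and turning it on only inside a `packageRules` entry is the safer default: production dependencies and major upgrades still go through a reviewer, while routine devDependencies updates land on their own. Note that auto-merge can only succeed if the repository's branch protection rules allow it, so a rule requiring reviews on every pull request will hold the automated ones too.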

You can set several options to suit your needs. Mend Renovate simplifies dependency management.

Conclusion

It is vital to keep track of all the dependencies used in an application. Keeping track of them manually is impossible because of the number of dependencies employed in a project, and a company involved in many distinct projects multiplies the complexity of the task by that many.

As a result, developers need an automated approach that alerts them when an update to an existing dependency is released. With tools such as Mend Renovate, you can generate and merge dependency-update pull requests with no additional effort and no need for human intervention.

GitHub project security is something that organizations should monitor, and developers should use automated methods to be on top of it.

Guy Bar-Gil / About Author

Guy Bar-Gil is an experienced Head of Product-Led Growth and leads product-led growth at Mend. He loves engaging with people to understand and solve complex problems, with a special passion for product and company strategy. Prior to joining Mend, Guy held positions in R&D teams and served as a combat operator in the IDF.
