3 New GitHub Features to Reinforce Your Code, Repo, and Dependency Security

Developers love GitHub. It’s the biggest and most powerful collaboration platform that programmers, developers, and companies use to develop and maintain their software. It’s the biggest source code host with more than 200 million repositories. And it keeps growing.

In 2021, more than 73 million developers used GitHub. It gained over 16 million new users in 2021 alone, and GitHub estimates that user numbers will increase to 100 million developers in the next five years. Furthermore, 84 percent of Fortune 100 companies use GitHub Enterprise to help develop and maintain their code.

Growth like this also brings risk. As the amount of code and repositories expand, so does the attack surface and risk of software vulnerabilities, and attackers and malicious actors will naturally take note.  Consequently, there’s potential for huge disruption by creating, finding, and exploiting these vulnerabilities in users’ code bases.

We wanted to highlight three of the latest features announced by the GitHub security team, and reiterate as we often do that dependency security is vital to safeguarding your code and data. Let’s take a look.

1. GitHub launches ‘Entitlements’, its new identity and access management solution

DevOps teams are under increased regulatory pressure to protect access to corporate resources. Identity and access management (IAM) automates the assignment and tracking of user privileges and enables granular access control and auditing of all corporate assets on premises and in the cloud.

IAM has an ever-increasing list of features — including biometrics, behavior analytics and AI, to align with the industry’s transition from firewalls to zero-trust models

GitHub has created ‘Entitlements,’ a solution that works seamlessly within its platform. It is auditable, scalable, and easy for developers to understand and use. Entitlements uses a Git repository for the source of truth, declarative authorizations, and seamless integration with GitHub.com for approvals and audits.

2. Historical NVD advisories are now listed on GitHub

GitHub has revised its Advisory Database to include all historical advisories from previous years, so you can find any historical advisory recognized by the National Vulnerability Database regardless of publication date. If you’re affected by vulnerabilities in historical advisories, you can create pull requests to update dependencies and fix vulnerabilities using the Mend Renovate open-source project.

Did you know? Mend’s security researchers and analysts identify vulnerabilities that have not been posted by other advisories. These are listed in our Vulnerability Database using a WS-prefix.

3. Enhanced secret scanning with redirect.pizza

GitHub protects users from exposing their data via data leaks and fraud. It achieves this by scanning repositories for known types of secrets. GitHub has announced a new partnership with redirect.pizza, a domain redirection service, to scan for their API tokens and help secure users of both redirect.pizza and GitHub.

Users can create, update, and delete redirects. GitHub sends API tokens found in public repositories to redirect.pizza. They notify the user by email and automatically revoke the token. GitHub Advanced Security customers can also scan for redirect.pizza API keys and block them from entering their private and public repositories via secret scanning’s push protection feature.

GitHub, security and automation 

GitHub consistently implements more automation to reduce the time developers spend on security. Security is imperative, but it takes developers’ attention away from their main task of developing great software and applications. Given the huge number of considerations and dependencies that developers face, while they’re working hard to meet production deadlines, this is an important issue. Automation makes security processes faster and more thorough than any manual approach. Therefore, these new features are welcome additions to the suite of GitHub’s tools that streamline developers’ work.

Automation is key to dependency security 

GitHub’s innovations reflect a wider move towards automation of code security and access management. Finding and identifying vulnerabilities and issues is no longer enough. Now users want to combine and accelerate detection and remediation processes. These new features help developers achieve this and quickly and easily prevent problems before they can occur. They save developers time and enable them to focus on what they do best: code.

The best practice for keeping your projects on GitHub secured is automating dependency management.

The average Java library contains over 100 individual open source libraries, and each of those calls even more transitive dependencies at build time. And because most projects use so many dependencies, if you don’t use automation to keep track of your dependency tree’s security risks, you’re probably already vulnerable. Although most security vulnerabilities result from coding errors and aren’t malicious, they open the door for malicious actors to attack your users or their data. 

To incorporate dependency automation into your workflow and secure all your projects on GitHub, install Mend Renovate. It’s free. >>