Everybody loves open source software, tools and libraries for developing software. It saves costs, comes with support from the community, we can get lots of help, and we can even contribute to the tools we already love. I assume you are already familiar with GitHub, but let me introduce it again. After that I will explain the GitHub security alert feature and how to activate it for your repository.
What is GitHub?
GitHub is a platform where anybody can host the source code of their software to share it and collaborate with other developers. It’s one of the most popular version control hosting platforms built on Git. You push your source code with Git, and later you pull, commit and push again to track the changes. If your repository is private, the people you have given access to can see the changes; if it is public, everybody can. They can pull → make changes → commit → push back to the original repository. People who use that open source software can also submit issues and discuss them with the repository contributors and other developers worldwide.
It’s a fantastic community and collaboration platform for developers from all around the world. GitHub was founded in 2008, and in 2018 Microsoft acquired the company for $8.7 billion.
GitHub security alert for vulnerable dependencies
Every day people face security issues in their software that need to be fixed as soon as the vulnerability is found. Imagine you have multiple software projects, tools or libraries already hosted on GitHub, either private or public. A private repository is for yourself or for your business.
With a public repository, anybody can use that software or tool. In this case you have a great responsibility to fix any vulnerability found in your software and its dependencies, because other businesses and people have put their trust in you and in your software. But it’s not as simple as it sounds. Once you have multiple repositories, it’s not possible (at least for me) to check and test all the software you built last year, or in the last 5 years, for security vulnerabilities.
Why GitHub introduced security alerts
GitHub is one of the major players that millions of developers trust with their code. GitHub certainly realized that and made this very simple for developers: in November 2017 GitHub introduced automated security alerts for vulnerable dependencies for every eligible repository. The main purpose is to make a developer’s life peaceful and to ensure all software is safe from the latest security threats. If you enable this feature for your repository, GitHub will send you a notification, and you need to take action as soon as possible based on the severity of the vulnerabilities.
This GitHub security alert feature is not activated by default (at least for now), but you can easily enable it and set your notification preferences.
Activate GitHub security alert for repository
So you already realize how important this feature is for every developer who hosts their code on GitHub or uses any software from GitHub. Now let’s talk about how to activate GitHub security alerts for any repository you have access to.
Step by step instructions to activate GitHub security alerts
- Go to the repository dependency graph
Log in to your GitHub account, go to the repository page, then go to Insights → Dependency Graph.
- Give read-only permission to GitHub
If this is the first time for this repository, GitHub will ask for extended read-only permission to analyze your repository and its dependencies. Click on Allow Access.
But remember: to enable the dependency graph, your repository must define its dependencies in one of the supported manifest file types, such as package.json or Gemfile.
- All done! The scan has started, live in peace
Once you have given GitHub permission, and if a manifest file is found in your repository, it’s all done. From now on GitHub will prepare details whenever a vulnerability is found in your dependencies. You will get a notification via email, and you can check the details from the repository’s Insights → Dependency Graph.
How GitHub detects vulnerable dependencies
That’s it. You have now activated GitHub security alerts for your repository. GitHub will start scanning and cross-match your dependencies against the National Vulnerability Database to check whether any of your dependency libraries is vulnerable. If GitHub finds one, it will alert you via email with the CVE identifier and other important details. You can also check more details from your repository’s dependency graph.
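To make that cross-matching concrete, here is an added Python example of my own (not GitHub’s code) that reads a constructed package.json, resolves each dependency range to its lowest version and matches it against a constructed advisory list whose placeholder ids stand in for NVD CVE entries.

```python
import json
import re

# Constructed sample package.json, not taken from any real project.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"lodash": "4.17.4", "express": "^4.16.0"},
  "devDependencies": {"mocha": "5.2.0"}
}"""

# Constructed advisory list standing in for the NVD feed; ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "CVE-XXXX-0001", "package": "lodash", "affected": "<4.17.11", "severity": "high"},
    {"id": "CVE-XXXX-0002", "package": "mocha", "affected": "<6.0.0", "severity": "moderate"},
    {"id": "CVE-XXXX-0003", "package": "express", "affected": "<4.0.0", "severity": "critical"},
]

COMPARE = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def parse_version(text):
    """'4.17.4' -> (4, 17, 4); pre-release tags are ignored."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", text).groups())

def lowest_version(spec):
    """Lowest version a range such as '^4.16.0' resolves to (optimistic guess without a lockfile)."""
    return parse_version(spec.lstrip("^~>=<"))

def is_affected(version, affected_range):
    """Evaluate a comparator range such as '<4.17.11' or '>=1.0.0 <2.0.0'."""
    for clause in affected_range.split():
        op, ver = re.match(r"(<=|>=|<|>|=)?(.+)", clause).groups()
        if not COMPARE[op or "="](version, parse_version(ver)):
            return False
    return True

def scan_manifest(manifest_text, advisories):
    """Cross-match each package.json dependency against advisories; returns (name, version, id, severity)."""
    manifest = json.loads(manifest_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    findings = []
    for name, spec in deps.items():
        version = lowest_version(spec)
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["affected"]):
                findings.append((name, ".".join(map(str, version)), adv["id"], adv["severity"]))
    return findings
```

A real scanner should match the resolved versions from the lockfile rather than the lowest version of each range, otherwise a dependency that the lockfile pins to a newer, patched release is reported as vulnerable.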
Fix vulnerable dependencies automatically
I have saved the more interesting part for last. In most cases GitHub will automatically fix security vulnerabilities found in your dependencies, though as of now it’s still in beta. But it’s amazing, and I have already fixed a few of my old repositories with a single click.
To fix your vulnerable dependencies automatically, go to your repository → Security → Alerts. See the screenshot and click on “Try it”.
As it’s a beta feature, you need to opt in yourself by clicking on the “Try it” link. After you opt in, GitHub will try to fix the vulnerable dependencies in your repository and will send you a pull request to merge. It’s an amazing feature that I have loved from the beginning, because as software engineers it’s our duty to protect our software and our business, and likewise the other parties who use our software.
Write a comment below if you face any issues while configuring GitHub security alerts, so I can try to help as much as I can. Live peacefully!