Security news that informs and inspires

GitHub Brings Automated Fixes With Dependabot

By

GitHub acquired automated updated tool Dependabot just a week ago, and it has already integrated the tool into GitHub to deliver automated updates to projects.

The idea is pretty straightforward: a developer who has a project using third-party packages will see an automatically generated pull request whenever any of those packages have been updated. When the pull request is accepted, the fixed package will be merged into the project, making it easier for developers to make sure they are always working with the latest package versions.

“With the help of Dependabot, GitHub will monitor your dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version,” said GitHub product manager Justin Hutchings.

The feature, currently in beta, will be limited to dependencies written in Ruby, Python, Java, .NET, and JAvaScript, and is available only if the project has enabled the dependency graph. The dependency graph, initially introduced in 2017, let developers see when third-party packages they are using contain known vulnerabilities. Dependabot extended the alerts to actually update the code.

The developer will see a compatibility score before merging the package, to give an idea of how the change would affect the project. This way, if the score indicates the change will break the build, then the developer is warned and can make the appropriate changes to the code to accommodate the updated package.

"Automated security requests contain everything you need to quickly and safely review and merge a proposed fix into your project, including information about the vulnerability like release notes, changelog entries, and commit details," GitHub said.

GitHub announced several other security features during last week’s GitHub Satellite conference in Berlin, including a private workspace where project owners can discuss and fix security issues.

Called maintainer security advisories, these workspaces allow project owners to create a draft advisory to privately discuss the impact of a vulnerability with contributors and collaborate on a fix. For open source project maintainers, this means they can fix vulnerabilities without tipping off any malicious developers watching the project.

“One thing that seems to have gotten hidden from the GitHub announcements is actually THE MOST VALUABLE feature for open source maintainers: The ability to have private discussions and code review about security vulnerabilities WITHIN your repo,” software engineer Jessie Frazelle wrote on Twitter.

When Intel was coordinating with its partners on a fix for Meltdown and Spectre in the fall of 2017, eagle-eyed observers noticed a series of changes made to the Linux kernel. Comments were redacted to obfuscate the details of the flaw. That triggered a wave of speculation that forced Intel to move up the timetable for disclosing the vulnerabilities and releasing the patches. The maintainer security advisory feature, currently in beta, would let developers open private pull requests, fix the issue, and then release the fix to the main branch so that all projects can be current.

While administrator users are currently the only ones who can create these advisories, the plan is to eventually let non-administrators report issues this way, GitHub engineer Steve Richert wrote on Twitter.

Other security-focused moves include the general availability of the token scanner, which scans public repositories for credentials for Alibaba Cloud, Amazon Web Services, Azure, GitHub, Google Cloud, Slack, Mailgun, Twilio, and Stripe that have been accidentally committed. Recently, unknown attackers had taken tokens which had been exposed in public repositories in this manner in order to take over accounts at GitHub, BitBucket, and GitLab and hold them for ransom. While GitLab already had this feature, GitHub’s token scanner had been in beta.

The Dependency Insights tool gives enterprises full visibility in their dependencies to understand their exposure when a security vulnerability is announced.