GitHub Security alerts on Vulnerabilities
Today in this article we will see how to set up GitHub Security alerts on Vulnerabilities. The world of open-source solutions and the common problem of vulnerabilities go hand in hand.
GitHub has finally introduced a great new feature of discovering and notifying of new vulnerabilities.
In this article, we will cover the aspects below,
GitHub will identify repositories that use a vulnerable dependency, send alerts to the repository maintainer, and also provide an automated fix (if opted in).
Here is an example of what a typical Security alerts notification looks like. This is one of my repositories which got flagged for a vulnerable node.js library.
How to Configure security alerts
Public Repository
GitHub provides default alerts to all public repositories, so you get this feature out of the box. GitHub will scan your dependencies and notify you of any vulnerabilities.
Private Repository
For GitHub private repositories, security alerts can be enabled using an opt-in feature.
You should explicitly enable this feature using the options below,
- Using the repository settings
- Enabling the Dependency graph
- Setting Notification preferences
If you set Automated security fixes to ON, GitHub will apply the security fixes and send you a pull request with the fixes applied.
Notification alerts will list issues with severity details as below,
Once the dependency graph is enabled, admins, teams, and individuals will start receiving security alerts as configured in the dependency graph settings.
Automated Security Fix in GitHub
The “Automated security fixes” option, if opted in, will generate an automated fix for the vulnerable library.
The fix that will be applied is shown below,
As shown below, a bot named “dependabot” will send you a pull request with suggested security fixes for your review.
The suggestion below is to upgrade the lodash node.js library from version 4.17.11 to 4.17.14.
Review the pull request and merge the changes.
Here are the code changes that will be applied. You will be able to review these changes, and they will be merged into the target branch.
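As an added illustration (not code from this post or from GitHub/dependabot), the Node.js script below shows the kind of manifest change such a pull request makes: it checks a package-lock.json for a lodash version below the patched release and bumps both manifests, keeping the original range operator. The sample manifests are constructed, and treating 4.17.14 as the patched version is an assumption taken from the post's example PR.

```javascript
// Added example, not code from the post or from GitHub/dependabot. It checks the
// lock file for a lodash version below the patched release and bumps both manifests,
// mirroring the manifest change a dependabot security-fix pull request makes.
// Assumption: 4.17.14 is the patched version, as in the post's example PR.
const ADVISORY = { name: "lodash", fixed: "4.17.14" };
// Constructed sample manifests (not a real repository's files).
const packageJson = {
  name: "sample-app",
  dependencies: { lodash: "^4.17.11", express: "4.17.1" },
};
const packageLock = {
  dependencies: { lodash: { version: "4.17.11" }, express: { version: "4.17.1" } },
};

// Parse "1.2.3" (optionally prefixed with ^ or ~) into three numeric parts.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// The lock file records what is actually installed, so it is the authoritative check;
// a caret range in package.json alone does not prove the fixed version is in use.
// Returns the installed vulnerable version, or null if absent or already patched.
function findVulnerable(lock, advisory) {
  const entry = lock.dependencies[advisory.name];
  if (!entry) return null;
  return compareVersions(entry.version, advisory.fixed) < 0 ? entry.version : null;
}

// Pin the lock file to the patched version and raise the package.json floor to it,
// keeping the original range operator (^ or ~) so the change stays minimal.
function applyFix(pkg, lock, advisory) {
  const installed = findVulnerable(lock, advisory);
  if (installed === null) return { changed: false, pkg, lock };
  const spec = pkg.dependencies[advisory.name] || "";
  const prefix = /^[\^~]/.test(spec) ? spec[0] : "";
  const deps = { ...pkg.dependencies, [advisory.name]: prefix + advisory.fixed };
  const locked = { ...lock.dependencies, [advisory.name]: { version: advisory.fixed } };
  return { changed: true, from: installed, to: advisory.fixed,
           pkg: { ...pkg, dependencies: deps }, lock: { ...lock, dependencies: locked } };
}
console.log(JSON.stringify(applyFix(packageJson, packageLock, ADVISORY), null, 2));
```

Running the script prints the bumped manifests; a second run over the returned lock file reports nothing vulnerable, which is the state the merged pull request leaves the repository in.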
Finally, your repository will be remediated for the vulnerabilities without any hassle.
That’s All!!
Do you have any comments or ideas or any better suggestions to share?
Please sound off your comments below.
Happy Coding !!
Summary
GitHub has introduced a great new feature for discovering and notifying of new vulnerabilities. This feature is available for both public and private repositories. GitHub will help identify repositories that use a vulnerable dependency, send alerts to the repository maintainer, and also provide an automated fix (if opted in).