We all have a collective responsibility to ensure the security of open source software - none of us can do it alone. Today at Github Universe, we announced the Github Security Lab . A place where security researchers, escorts and companies across the industry come together to share our belief that open source security is important to everyone.
We are pleased to have initial partners who contribute to this goal. Together, we provide tools, resources, awards, and thousands of hours of security research to help protect the open source ecosystem.
As part of today's announcement, GitHub Security Lab makes CodeQL freely available to anyone who can find open source vulnerabilities. CodeQL is a tool that many research groups around the world use to conduct semantic code analysis, and we used it ourselves to find more than 100 registered CVEs (Common Vulnerabilities and Exposures) in some popular open source projects.
We are also launching the GitHub Advisory Database , a publicly accessible recommendation database created on GitHub, plus additional data mapped to packages tracked by the GitHub dependency graph.
GitHub's approach to security spans the entire security lifecycle of open source projects. GitHub Security Lab will help identify and report vulnerabilities in open source projects, while maintainers and developers use GitHub to create patches, coordinate the disclosure and update of dependent projects with a resolved vulnerability.
Github security lab
The mission of the GitHub Security Lab is to inspire and enable the global community of security researchers to protect code around the world. Our team will set an example, devoting ongoing resources to finding and reporting vulnerabilities in crucial open source projects. Komadna has already released over 100 CVEs for vulnerability detection.
Securing open source projects in the world is not an easy task. First, the scale: one ecosystem of JavaScript contains over a million open source packages. In addition, there is a shortage of security specialists, approximately 500 developers to one specialist. Finally, there is coordination: security experts in the world work in thousands of companies. GitHub Security lab and CodeQL will help with this.
In this work, we are joined by companies that donate their time and experience to find and report vulnerabilities in open source projects. Each pledged to contribute in his own way, and we hope that others will join us in the future.
- F5
- Hackerone
- Intel
- OIActive
- JP Morgan
- Microsoft
- Mozilla
- Ncc group
- Oracle
- Trail of bits
- Uber
- VMware
To expand our capabilities, we also make our collaborative CodeQL code analysis engine free for use in open source projects. CodeQL allows you to query the code as if it were data. If you know a coding error that led to a vulnerability, you can write a query to find all variants of this code, destroying an entire class of vulnerabilities forever. See how to get started with CodeQL .
If you are a security researcher or work in a security team, we need your help. Securing open source projects in the world will require the work of the entire community. GitHub Security Lab will host events and share best practices to help everyone participate. Follow your GHSecurityLab account on Twitter for more details.
Improving security workflow in open source
As researchers in the security world discover more and more vulnerabilities, accompanying and end users need more sophisticated tools to fix them.
Today, the process of fixing new vulnerabilities is often temporary. 40% of new vulnerabilities in open source projects do not have an identifier in CVE when they are declared, that is, they are not included in any public database. 70% of critical vulnerabilities remain unresolved 30 days after developers are notified.
We are fixing it. Maintainers and developers can now work together directly on GitHub to ensure that new vulnerabilities are disclosed only when the maintainers are ready, and developers can quickly and easily update to a fixed version.
Github security advisories
Thanks to security tips, maintainers can work with security researchers on fixes in the private space, apply for CVE directly from GitHub, and provide structured vulnerability information. Then, when they are ready to publish security recommendations, GitHub will send alerts on the affected projects.
Automatic Security Updates
Getting notified of vulnerable dependencies is useful, but getting pull pull requests with an fix is ββeven better. To help developers quickly respond to new vulnerabilities, GitHub creates automated security updates - pull request, which update the vulnerable dependency to the patched version.
Automatic security updates for the system were launched in beta on GitHub Satellite 2019 and are now mostly available and deployed for each active repository with security alerts enabled.
Token Scan
One of the most common mistakes is the hardcode of tokens or credentials in the project. Within a few seconds after sending a commit to GitHub, or switching the project to public, we scan it for formats from 20 different cloud providers. When we find a match, we notify providers and they take action, usually by canceling tokens and notifying affected users. And today we announced four new partners: GoCardless, HashiCorp, Postman and Tencent.
Github advisory database
We made all the changes that the maintainers create in the GitHub security tips, as well as additional data, and mapped to the packages monitored by the GitHub dependency graph, available for free. Explore the new GitHub Advisory database in your browser, create direct links to posts with CVE IDs in the comments, or access the data programmatically using the Security Advisory API endpoint.
