GitHub Security Alerts Now Supported For Python Projects

GitHub has added support for Python projects to its security alerts feature this week, after adding support for JavaScript and Ruby. The feature, launched last November, works by analysing a project's code and dependencies and warning users when the project uses an older version of a library that has known vulnerabilities.

The Insights tab shows whether the project has any known vulnerabilities, right below the Dependency Graph. The graph is a tree-like structure of all the libraries loaded into the project, built from its configuration and manifest files.

At present, the supported manifest files are package.json for JavaScript projects, Gemfile for Ruby projects, and requirements.txt and Pipfile.lock for Python projects.

GitHub also provides a settings page for alerts, so developers can choose how and how often they are notified:

  • A banner in the GitHub interface
  • Web notifications on the GitHub domain
  • Email notifications for each new vulnerability
  • Daily or weekly email digests of new vulnerabilities

The company has seen a massive improvement in users fixing security issues since it enabled the feature by default for all public projects; owners of private repositories have to enable it manually.

The security alerts currently rely on CVE identifiers to keep track of known security bugs: if a vulnerability is listed in the NVD security portal, it will show up in GitHub security alerts. The company did not say whether other programming languages will receive notifications, but .NET projects may be next, since their developers already have to maintain strict manifest files to run the project; furthermore, Microsoft has bought GitHub, and supporting .NET would be a likely move by the company in support of its parent company.
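As an added illustration (not GitHub's own code, which is not public), here is a toy version of the check described above: it parses a requirements.txt and a Pipfile.lock and matches pinned versions against an advisory table. The manifests, the advisory entries and their identifiers are constructed for this example; the real feature matches against CVE entries from the NVD.

```python
"""Toy manifest check in the spirit of GitHub's security alerts."""
import json
import re

# Constructed sample manifests (not taken from any real project).
REQUIREMENTS_TXT = """\
# pinned dependencies
requests==2.5.0
Django>=1.11  # range, not an exact pin: skipped by this toy checker
pyyaml==3.12
"""
PIPFILE_LOCK = json.dumps({
    "default": {"requests": {"version": "==2.5.0"}, "six": {"version": "==1.11.0"}},
    "develop": {"pyyaml": {"version": "==3.12"}},
})

# Constructed advisory table: package -> (placeholder advisory id, first fixed version).
ADVISORIES = {
    "requests": ("ADVISORY-PLACEHOLDER-1", (2, 6, 0)),
    "pyyaml": ("ADVISORY-PLACEHOLDER-2", (4, 1)),
}


def parse_version(text):
    """Turn '2.5.0' into the comparable tuple (2, 5, 0); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_requirements(text):
    """Yield (name, version) for every exactly pinned (==) line of a requirements.txt."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if m:
            yield m.group(1).lower(), m.group(2)


def parse_pipfile_lock(text):
    """Yield (name, version) for each package in the default and develop sections."""
    data = json.loads(text)
    for section in ("default", "develop"):
        for name, spec in data.get(section, {}).items():
            yield name.lower(), spec["version"].lstrip("=")


def find_vulnerable(deps):
    """Return sorted (name, version, advisory_id) for deps older than the fixed version."""
    hits = set()
    for name, version in deps:
        advisory = ADVISORIES.get(name)
        if advisory and parse_version(version) < advisory[1]:
            hits.add((name, version, advisory[0]))
    return sorted(hits)
```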
