Yes. We went there.
RECENT MICROSOFT ACQUISITION GitHub is continuing to plough its own furrow and has recently announced some new features to enhance security.
Initially, the tool will detect “a few, recent vulnerabilities”, says Robert Schultheis, Quality Engineer at GitHub, in a blog post.
“As of this week, Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.”
“Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”
Public repositories are already covered, as long as the repository contains a requirements.txt or Pipfile.lock file for the dependency graph to parse and find its dependencies in.
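To make the matching step behind such alerts concrete, here is an added example (not GitHub's code, and not from the article): it pulls the pinned dependencies out of a requirements.txt and a Pipfile.lock, normalises the package names, and compares each pinned version against a small advisory list that records an introduced and a fixed version. The manifests, package names and advisory IDs are constructed for the example; real alerts come from GitHub's database, not from this list. Entries that are not pinned with `==` (ranges, editable installs, VCS references) are skipped, because no single version can be checked for them; that is this example's choice, and an assumption about how a scanner of this kind behaves rather than a statement about GitHub's parser.

```python
"""Match pinned Python dependencies against an advisory list.

Added example: this is not GitHub's code. The manifests, package names and
advisory IDs below are constructed for illustration only.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed requirements.txt (the package names are fictitious).
REQUIREMENTS_TXT = """\
# constructed sample; pins chosen to exercise the matcher
Acme_HTTP==2.19.0
acme-web[async]==1.11.0   # extras are ignored when matching
acme-cli>=1.0             # unpinned: no single version to check, so skipped
-e git+https://example.invalid/acme-internal.git#egg=acme-internal
"""

# Constructed Pipfile.lock (only the fields this example reads).
PIPFILE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "constructed"}},
    "default": {
        "acme-http": {"version": "==2.20.0"},
        "acme-yaml": {"version": "==3.12"},
        "acme-internal": {"git": "https://example.invalid/acme-internal.git"},
    },
    "develop": {"acme-test": {"version": "==3.6.0"}},
})

# Constructed advisories: a version is affected if introduced <= v < fixed.
# IDs are placeholders, not real vulnerability identifiers.
ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-http", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "ADV-0002", "package": "acme-web", "introduced": "1.11.0", "fixed": "1.11.15"},
    {"id": "ADV-0003", "package": "acme-yaml", "introduced": "0", "fixed": "4.1"},
]

# name, optional [extras], then an exact '==' pin
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so Acme_HTTP, acme.http and acme-http compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric-only version key; trailing zeros dropped so 2.20 == 2.20.0.
    Pre-release suffixes such as rc1 or .dev0 are not modelled here."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {normalised name: version} for lines pinned with '=='."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("-"):   # blank, or an option such as -e / -r
            continue
        match = PIN_RE.match(line)
        if match:                              # anything unpinned is skipped
            pinned[normalize_name(match.group(1))] = match.group(2)
    return pinned


def parse_pipfile_lock(text: str) -> Dict[str, str]:
    """Return {normalised name: version} from the default and develop sections."""
    lock = json.loads(text)
    pinned: Dict[str, str] = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            version = spec.get("version", "")
            if version.startswith("=="):       # VCS/path entries carry no version
                pinned[normalize_name(name)] = version[2:]
    return pinned


def find_vulnerable(deps: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory id) for each pinned dependency in an affected range."""
    hits = []
    for adv in advisories:
        name = normalize_name(adv["package"])
        if name not in deps:
            continue
        v = parse_version(deps[name])
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append((name, deps[name], adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for label, deps in (("requirements.txt", parse_requirements(REQUIREMENTS_TXT)),
                        ("Pipfile.lock", parse_pipfile_lock(PIPFILE_LOCK))):
        for name, version, adv_id in find_vulnerable(deps, ADVISORIES):
            print(f"{label}: {name}=={version} matches {adv_id}")
```

Two points carry over to the real thing: package names must be normalised before comparison, otherwise `Acme_HTTP` in one manifest and `acme-http` in an advisory never meet, and the version comparison above is deliberately naive (numeric segments only, no pre-release handling); a production matcher would use a PEP 440 implementation such as the `packaging` library rather than this key function.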
Private repositories are a bit more complex and require admins to “opt in to security alerts in your repository settings or by allowing access in the dependency graph section of your repository’s “Insights” tab”.
Additionally, under the Alerts tab in the repository settings you can choose who should receive the alerts and how often, which takes some of the pressure off the admins, who receive them by default.
GitHub has promised to stay true to its independent, open source roots, despite taking the mighty dollar of Microsoft, which agreed to buy it for $7.5bn last month.
Source: Inquirer