GitHub has announced security alerts for Python, providing Python users access to the dependency graph, as well as security alerts whenever their repositories depend on packages with known security vulnerabilities.
GitHub tracks public vulnerabilities in Ruby gems, npm packages and Python packages against MITRE’s Common Vulnerabilities and Exposures (CVE) List. CVE is a list of entries; each entry contains an identification number, a description, and at least one public reference. Tracking against CVE is particularly useful because it enables administrators to react promptly and fix a vulnerability by removing the vulnerable dependency or moving to a secure version.
When GitHub receives notification of a newly announced vulnerability, it scans public repositories (private repositories that have opted in are scanned as well). When a vulnerability is found, security alerts for the affected repositories are sent to owners and to users with admin access. By default, users receive a weekly email summarizing security alerts for up to 10 repositories. Users can also choose to receive security alerts individually by email, in a daily digest email, as web notifications, or in the GitHub user interface, and can adjust the frequency of notifications on the notification settings page.
GitHub will attempt to suggest a fix, in some cases using machine learning, for each vulnerability found; a security alert for a vulnerable dependency includes a severity level and a link to the affected file in the project, and, when available, a link to the CVE record and a suggested fix. There are four possible severity levels, as defined in the Common Vulnerability Scoring System (CVSS): low, moderate, high, and critical.
According to GitHub, security alerts will initially cover recent vulnerabilities, with more historical Python vulnerabilities added over the coming weeks. In addition, GitHub never publicly discloses identified vulnerabilities for any repository.
The dependency graph lists all the dependencies of a project and is where users can see the security alerts affecting the project. To access the dependency graph, click Insights in a project, then Dependency graph.
To enable the dependency graph for a Python project, the project's dependencies must be defined in a requirements.txt or Pipfile.lock file. GitHub strongly recommends that users define the dependencies in a requirements.txt file.
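The alerting described above amounts to reading the pinned dependencies out of requirements.txt and matching each pin against a list of known vulnerable version ranges, then reporting a severity level and a fixed version. The following is an added example of that matching logic, not GitHub's own code: the requirements.txt content and the advisory list are constructed samples with placeholder package names and placeholder advisory identifiers, and the version comparison is a simplified numeric one that does not handle the full PEP 440 grammar. Note that only exact `==` pins are matched; a range specifier such as `>=2.0` does not identify a single version, which is one reason GitHub recommends pinning in requirements.txt.

```python
"""Added example (not GitHub's code): match pinned requirements.txt entries
against a constructed advisory list, the way a dependency-graph alert does."""
import re
from dataclasses import dataclass

# Constructed sample requirements.txt content (not from any real project).
REQUIREMENTS = """\
# web stack
example-web==1.2.0
example-yaml==3.0.1   # already on the fixed release
example-crypto>=2.0   # range specifier: no single version to check
"""


@dataclass(frozen=True)
class Advisory:
    """One known vulnerability; identifiers here are placeholders, not real CVEs."""
    package: str
    vulnerable_from: str    # first affected version (inclusive)
    vulnerable_below: str   # versions strictly below this are affected
    severity: str           # one of the four CVSS levels: low, moderate, high, critical
    advisory_id: str
    fixed_in: str


# Constructed advisories for the constructed packages above.
ADVISORIES = [
    Advisory("example-web", "1.0.0", "1.3.0", "high",
             "CVE-YYYY-PLACEHOLDER-1", "1.3.0"),
    Advisory("example-yaml", "0.0.0", "3.0.0", "critical",
             "CVE-YYYY-PLACEHOLDER-2", "3.0.0"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

# Exact pin only: "name==1.2.3". Range specifiers are deliberately not matched.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)$")


def parse_version(version):
    """Turn '1.2' or '1.2.0' into a 3-tuple so that '2.0' compares equal to '2.0.0'."""
    parts = [int(p) for p in version.strip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_pins(text):
    """Return {package: version} for exact '==' pins in requirements.txt text.

    Blank lines, comments and non-exact specifiers (>=, ~=, ...) are skipped.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def find_alerts(pins, advisories):
    """Report each pinned package whose version falls inside an advisory's range.

    Each alert carries the fields a security alert shows: package, pinned
    version, severity, advisory id and the version that fixes the issue.
    Alerts are ordered most severe first.
    """
    alerts = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is None:
            continue                      # dependency absent or not exactly pinned
        v = parse_version(pinned)
        if parse_version(adv.vulnerable_from) <= v < parse_version(adv.vulnerable_below):
            alerts.append({
                "package": adv.package,
                "version": pinned,
                "severity": adv.severity,
                "advisory_id": adv.advisory_id,
                "fixed_in": adv.fixed_in,
            })
    alerts.sort(key=lambda a: SEVERITY_ORDER[a["severity"]])
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_pins(REQUIREMENTS), ADVISORIES):
        print(f"[{alert['severity']}] {alert['package']}=={alert['version']}: "
              f"{alert['advisory_id']}, fixed in {alert['fixed_in']}")
```

Running the block reports only `example-web`: `example-yaml` is pinned at the release that closes its advisory range, so it produces no alert, and `example-crypto` is skipped because a range specifier cannot be matched to one version.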
More information is available in the GitHub documentation.