Keep your code safe with GitHub security alerts


The GitHub security alerts feature introduced in November is designed to alert developers when one of their project’s dependencies has known flaws. Using the dependency graph, GitHub notifies project owners when it detects a known security vulnerability in one of their dependencies and suggests known fixes from the GitHub community. The feature analyzes vulnerable Ruby gems and JavaScript npm packages based on MITRE’s Common Vulnerabilities and Exposures (CVE) list. Every time a new vulnerability is added to this list, all repositories that use the affected version are identified and their maintainers are informed. GitHub users can choose to receive the alerts via the user interface or via email.

How to start using security alerts:

  • Read the CVE record to learn more about the vulnerability and its severity level.
  • Check how the vulnerable dependency is used in your project. If the vulnerability is in code that’s actively used in your project, you should prioritize the update. For example, if your project uses a vulnerable dependency only in test cases, it may carry less risk than a vulnerable dependency that your project uses to directly process user input.
  • Check the documentation for the dependency’s recommended version to confirm that the recommended version resolves the vulnerability, and to confirm that the new version is backward compatible with your project.
  • Confirm that updating the version will completely resolve the vulnerability for your project.
  • Open a pull request to update the dependency to the recommended safe version and make any changes needed for compatibility. For more information, see “Viewing and updating vulnerable dependencies in your repository.”
  • Ensure that all of your project’s tests pass and confirm that the functionality you’re updating works correctly, then merge the pull request. For more information, see “About statuses.”
  • Notify project collaborators, owners of any forks of your project, and any projects that depend on yours of the recommended version change and tell them how the previously vulnerable dependency affected your project. For more information, see “Listing the projects that depend on a repository.”
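The triage steps above, worked through in an added example (this is not code from the original post or from GitHub): a small dependency-free Node.js script that checks a constructed package.json against a constructed advisory list, flags the dependencies whose installed version is below the patched version, ranks runtime dependencies ahead of development-only ones (the prioritization in step 2), marks a recommended version that is a major-version jump as needing a backward-compatibility review (step 3), and produces the updated manifest a fix pull request would carry (step 5). The package names, versions and advisory identifiers are placeholders, not real advisories.

```javascript
// Added example (not from the original post or GitHub): triaging dependency
// alerts the way the steps above describe. All package names, versions and
// advisory ids below are constructed placeholders, not real advisories.

// Constructed sample manifest standing in for a project's package.json.
const packageJson = {
  name: "sample-app",
  dependencies: { "example-parser": "^1.2.3", "example-http": "2.0.1" },
  devDependencies: { "example-test-util": "0.9.0" },
};

// Constructed advisory list, shaped like the CVE-based alerts described above.
const advisories = [
  { id: "CVE-YYYY-NNNN1", package: "example-parser", vulnerableBelow: "1.2.5", patchedVersion: "1.2.5", severity: "high" },
  { id: "CVE-YYYY-NNNN2", package: "example-test-util", vulnerableBelow: "1.0.0", patchedVersion: "1.0.0", severity: "moderate" },
  { id: "CVE-YYYY-NNNN3", package: "example-http", vulnerableBelow: "2.0.0", patchedVersion: "2.0.0", severity: "critical" },
];

const SEVERITY_RANK = { critical: 0, high: 1, moderate: 2, low: 3 };

// Turn "^1.2.3" or "1.2.3-beta" into [1, 2, 3]. Range operators and
// pre-release tags are dropped: this example compares the base version only.
function parseVersion(spec) {
  return spec.trim().replace(/^[\^~<>=\s]+/, "").split(/[-+]/)[0].split(".").map(Number);
}

// Numeric comparison of two version strings (negative / zero / positive).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Steps 2 and 3: match manifest entries against advisories, then rank runtime
// dependencies ahead of dev-only ones and, within a scope, by severity.
function triage(manifest, advisoryList) {
  const findings = [];
  const scopes = [["dependencies", "runtime"], ["devDependencies", "dev"]];
  for (const [field, scope] of scopes) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      for (const adv of advisoryList) {
        if (adv.package !== name) continue;
        if (compareVersions(spec, adv.vulnerableBelow) >= 0) continue; // already patched
        findings.push({
          package: name,
          installed: spec,
          scope,
          advisory: adv.id,
          severity: adv.severity,
          recommended: adv.patchedVersion,
          // Code that handles real traffic goes first; test-only usage can wait a little.
          priority: scope === "runtime" ? "update now" : "update soon",
          // A major-version jump is the usual signal that compatibility must be checked.
          compatibilityReview: parseVersion(adv.patchedVersion)[0] !== parseVersion(spec)[0],
        });
      }
    }
  }
  findings.sort((x, y) =>
    (x.scope === "runtime" ? 0 : 1) - (y.scope === "runtime" ? 0 : 1) ||
    (SEVERITY_RANK[x.severity] ?? 9) - (SEVERITY_RANK[y.severity] ?? 9));
  return findings;
}

// Step 5: the manifest change a fix pull request would carry. Returns a copy;
// the original manifest is left untouched so the diff can be reviewed first.
function applyRecommended(manifest, findings) {
  const updated = JSON.parse(JSON.stringify(manifest));
  for (const f of findings) {
    const field = f.scope === "runtime" ? "dependencies" : "devDependencies";
    updated[field][f.package] = f.recommended;
  }
  return updated;
}

// Stand-alone run: print the prioritized findings and the proposed manifest.
const report = triage(packageJson, advisories);
console.log(JSON.stringify(report, null, 2));
console.log(JSON.stringify(applyRecommended(packageJson, report), null, 2));
```

Run with `node triage.js` (any file name). The version comparison deliberately ignores pre-release tags and range semantics; for a real project, resolve the exact installed version from the lockfile rather than the range in package.json, since a `^` range may already permit a patched release.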
