GitHub Security Alerts Now Support Python Projects

GitHub is a web-based hosting service for version control using Git. It is mostly used for computer code. It offers all of the distributed version control and source code management (SCM) functionality of Git as well as adding its own features. It provides access control and several collaboration features such as bug tracking, feature requests, task management, and wikis for every project.

GitHub has updated its security alerts feature this week to support Python projects, after previously supporting JavaScript and Ruby.

The feature, which launched last November, works by analyzing a project’s dependencies and warning owners if their project is using an older version of a library that is vulnerable to known vulnerabilities.

Security alerts now available for Python projects

These security alerts are displayed by default in each GitHub project’s “Insights” tab, under the Dependency Graph option.

The graph shows a tree-like structure of all the libraries that are loaded inside a coding project based on manifest files included in each project.

Supported manifest files include package.json (for JavaScript projects) gemfiles (for Ruby projects), and requirements.txt or Pipfile.lock (for Python projects).

If users can’t be bothered with checking that page for new entries, GitHub also lets developers set different notification methods such as:

ϟ A banner in the GitHub interface

ϟ Web notifications on the GitHub domain

ϟ Email notifications for each new vulnerability

ϟ Daily or weekly email digests of new vulnerabilities

Security alerts have had a positive impact

One of the reasons GitHub has seen such a massive improvement is because the security alerts feature is enabled by default for all public projects, while maintainers of private repos have to enable it manually.

The security alerts feature is not perfect, as it relies on the CVE vulnerabilities identification system to keep track of known security bugs, meaning that if vulnerabilities have not received a CVE or their entry has not been updated on the NVD portal (from where GitHub pulls its data), the alerts system may not cover all security issues. All in all, it’s still better than nothing.

GitHub did not say what other programming language may receive notifications next, but .NET projects are a strong candidate due to the use of manifest files and the development environment’s popularity. Also, Microsoft bought GitHub, and that may also play a role in choosing the next project.