The Linux Foundation has enhanced its free LFX Security offering.
This is all about being able to give open source projects more ways to secure their code.
Security comes in more than one form these days, so it’s also about reducing non-inclusive language.
The LFX platform hosts community tools for security, fundraising, community growth, project health and mentorship etc.
More than 720,000 technical contributors and 1,700 member companies have access to security metrics on the LFX platform; tens of millions of developers rely on projects hosted across the platform.
It supports projects and empowers open source teams to write better, more secure code, drive engagement and grow sustainable ecosystems.
The LFX Security module now includes automatic scanning for ‘secrets-in-code’ and non-inclusive language.
LFX Security now includes tools to detect vulnerabilities in open source components and dependencies and provide fixes and recommendations to those vulnerabilities. LFX tracks how many known vulnerabilities have been found in open source projects, identifies if those vulnerabilities have been fixed in code commits and then reports on the number of fixes per project through an intuitive dashboard.
Fixing known open source vulnerabilities in open source projects helps cleanse software supply chains at their source and greatly enhances the quality and security of code further downstream in development pipelines.
Developer-centric security firm Snyk has provided this functionality for the community and helped open source software projects remediate nearly 12,000 known security vulnerabilities in their code.
It also detects secrets-in-code such as passwords, credentials, keys and access tokens both pre- and post-commit. These secrets are used by hackers to gain entry into repositories and other important code infrastructure.
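The pre-commit side of secrets detection described above is easy to reason about with a small scanner. The following is an added example, not LFX Security's, Snyk's or BluBracket's code: it combines a few well-known credential formats (the `AKIA` AWS access key prefix and PEM private-key headers are documented public formats; the generic `password=`/`token=` assignment pattern, the entropy threshold of 4.0 bits per character and the `# allow-secret` suppression marker are assumptions chosen for the example), redacts matched values so the report itself does not leak them, and, when run as a git pre-commit hook, scans only the lines being added in the staged diff. The sample input is constructed; the AWS key in it is the placeholder value from AWS's own documentation.

```python
import math
import re
import subprocess
from collections import Counter
from dataclasses import dataclass

# Known credential formats. The first two are public, documented formats;
# the generic assignment rule is an assumed heuristic for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Runs of 20+ base64/url-safe characters are candidates for an entropy check.
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this example
SUPPRESS_MARKER = "# allow-secret"  # assumed convention for reviewed false positives


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    excerpt: str  # redacted, safe to print in CI logs


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(line):
    """Keep the first 4 characters of any long token so the report is useful but not a leak."""
    return re.sub(r"[A-Za-z0-9+/=_\-]{12,}", lambda m: m.group()[:4] + "...", line.strip())


def scan_text(text):
    """Return one Finding per flagged line; pattern hits take precedence over entropy hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_MARKER in line:
            continue
        matched = [kind for kind, pat in PATTERNS.items() if pat.search(line)]
        if not matched:
            # Fall back to entropy only when no known format matched.
            for token in ENTROPY_CANDIDATE.findall(line):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    matched.append("high_entropy_string")
                    break
        for kind in matched:
            findings.append(Finding(line_no, kind, redact(line)))
    return findings


def scan_staged_changes():
    """Pre-commit use: scan only the '+' lines of the staged diff.

    Line numbers in the returned findings index the list of added lines,
    not the file, which is enough to block the commit and point at the excerpt.
    """
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    added = "\n".join(
        l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")
    )
    return scan_text(added)


# Constructed sample input; the AKIA value is AWS's documented example key, not a real credential.
SAMPLE = "\n".join([
    "import os",
    'password = "hunter2hunter2"',
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',
    'AUTH_HEADER = "Bearer q8Zr2xLm9Kv4Tn7Wb3Yp1Hs6"',
    'token = "not-a-real-secret-value"  # allow-secret',
    "def compute_checksum(payload):",
])


if __name__ == "__main__":
    import sys
    results = scan_text(SAMPLE)  # swap for scan_staged_changes() inside a .git/hooks/pre-commit
    for f in results:
        print(f"line {f.line_no}: {f.kind}: {f.excerpt}")
    sys.exit(1 if results else 0)
```

Installed as `.git/hooks/pre-commit` with `scan_staged_changes()` in place of the sample, a non-zero exit blocks the commit; the same `scan_text` run over full files in CI gives the post-commit pass. The redaction step matters in both places: a scanner that prints the matched secret verbatim into a build log has just moved the exposure rather than removed it.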
Functions also exist to detect non-inclusive language used in project code, which is widely agreed to be a barrier in creating a welcoming and inclusive community.
Diversity, Equity & Inclusion (DEI)
Code security company BluBracket worked with the Inclusive Naming Initiative on this functionality.
“The enhancement of LFX Security builds on its extensive functionality in vulnerability detection to add critical support for secrets-in-code and non-inclusive language,” said Jim Zemlin, executive director of the Linux Foundation. “It’s up to all of us to secure our software supply chain, and we are grateful to Snyk and BluBracket for their significant contributions to the open source community.”
LFX Security will be further scaled out in 2022 to help solve challenges for hundreds of thousands of critical open source projects. LFX Security is free and available for use today at this link.