GitHub targets vulnerable open source components

GitHub has introduced an automated alert mechanism to enable developers to address vulnerabilities in the open source components their code uses.

According to GitHub, the new feature, called Dependabot alert for vulnerable GitHub Actions, will make it easier for developers to stay up to date and fix security vulnerabilities using their Actions workflows.

Vulnerabilities such as Log4j have shone a spotlight on the weakness of open source security, and US president Joe Biden has made software security a national priority. His executive order on cyber security requires that only companies that use secure software development lifecycle practices and meet specific federal security guidance will be able to sell to the federal government.

The strength of open source code is that external code modules can be pulled into a project from a public repository such as GitHub. This makes it easy for developers to incorporate functionality without having to write all the code themselves. The open source modules are maintained by third-party developers.

However, as Computer Weekly has previously reported, if a security risk is discovered in the open source module, projects that depend on this module are also at risk. In many cases, developers whose code requires such modules may not be aware that the open source code they have incorporated into their own project has a security risk.

This is the situation GitHub hopes to address with Dependabot alerts for vulnerable GitHub Actions.

The GitHub Advisory Database shows that there are over 173,000 vulnerabilities in GitHub that have not been reviewed

In a blog post discussing Dependabot alerts for vulnerable GitHub Actions, Kate Catlin, senior product manager at GitHub, and Brittany O’Shea, an author on the GitHub blog, said the Alerts will be powered by the GitHub Advisory Database.

“When a security vulnerability is reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert to impacted repositories,” they wrote.

At the time of writing, the GitHub Advisory Database has 8,543 advisories that have been reviewed, 1,560 of these have been classified as “critical”. But, to demonstrate the scale of the problem facing the open source community, the database shows that there are over 173,000 vulnerabilities in GitHub that have not been reviewed. 

There is general consensus that global collaboration is needed to keep open source code secure. In January this year, a number of major tech firms, including Google and IBM, participated in the White House Open Source Software Security Summit.

To coincide with the summit, Kent Walker, president of global affairs at Google and Alphabet, posted a blog discussing the need to secure open source code effectively.

“Growing reliance on open source means it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance and testing – to ensure national infrastructure and other important systems can rely on open source projects,” he wrote.

Jamie Thomas, enterprise security executive at IBM, who also attended the summit, said: “Today’s meeting made clear that government and industry can work together to improve security practices for open source. We can start by encouraging widespread adoption of open and sensible security standards, identifying critical open source assets that should meet the most rigorous security requirements, and promoting a collaborative national effort to expand skills training and education in open source security and reward developers who make important strides in the field.”

Potentially, Dependabot alerts for vulnerable Actions can be linked into continuous integration and deployment (CI/CD) processes to enable developer teams to prioritise developer work and address security issues more quickly.