GitHub’s latest security features
As someone who regularly needs to report security vulnerabilities to projects hosted on GitHub, I find it incredibly annoying that I can't create one of these 'maintainer advisories' (or just a regular issue that's non-public) as an outsider.
These 'security.md' files would work for me just as well to define a security contact, but I've never come across one of these in the wild... so I end up wasting my time hunting down maintainers and their email addresses, when everyone involved would have a much easier time if it were all handled through GitHub by allowing everyone to create a (draft) 'maintainer advisory'.
Lots of title editorializing recently. I wonder what's up. One thing I've always liked about HN is that title editorializing isn't really viewed kindly. So why now?
100% agreed, let's not editorialize titles please.
Makes sense. Fits with adding similar support in Visual Studio at some point. Kind of like Word suggestions, but for code.
It will be interesting to see what they do that goes beyond the acquisition of Semmle. It is great to see how quickly they have been able to integrate that work.
Dependabot is really nice. I activated it on my repo and it created a PR with the updated dependency, showing the "crowd sourced" chance it could be integrated safely. Semmle (LGTM) could be useful on a big codebase, but for a simple webapp it didn't provide anything interesting.
It's frustrating to set up OWASP scans over and over again. Anything Github or Gitlab or whomever can do to normalize audits (please, by all means check for CVEs on my dependencies, too) and static analysis, it's great. Make it something I can enable on my PR/MR workflow.
Totally agree. With GitLab you can do static and dynamic code analysis, as well as dependency and container scanning on your PR/MR out of the box.
And your security team gets an organization wide overview of the security results as well https://docs.gitlab.com/ee/user/application_security/securit...
GitLab offers free security checks for opensource projects (https://about.gitlab.com/blog/2018/06/05/gitlab-ultimate-and...). Enabling these checks is as simple as this one-liner (https://docs.gitlab.com/ee/user/application_security/sast/in...):
include:
  template: SAST.gitlab-ci.yml
Now do the same with Dependency Scanning, Container Scanning, DAST and License Compliance if needed.
Note that Auto-DevOps enables this automatically.
On a general note, I agree with you: security should be available out of the box for everyone. Last month I created this issue for this purpose; feel free to comment on or watch it.
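As an added example (not the commenter's own configuration and not copied from GitLab's docs), here is what a `.gitlab-ci.yml` looks like once the SAST one-liner above is extended with the other scanners mentioned: Dependency Scanning, Container Scanning, DAST and License Compliance. The template file names and the `DAST_WEBSITE` variable are the ones GitLab documented at the time; the `build` job, its script and the staging URL are assumptions made for illustration.

```yaml
# Added example: a .gitlab-ci.yml that enables GitLab's bundled security scanners.
# Template names and DAST_WEBSITE follow GitLab's documentation of the time;
# the build job and the target URL below are assumptions for illustration.
stages:
  - build
  - test   # SAST, Dependency Scanning, Container Scanning and License jobs run here
  - dast   # the DAST template adds its job to this stage

include:
  - template: SAST.gitlab-ci.yml
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: Container-Scanning.gitlab-ci.yml
  - template: License-Management.gitlab-ci.yml
  - template: DAST.gitlab-ci.yml

variables:
  # DAST is a dynamic scan, so it needs a deployed, reachable application to crawl.
  # Assumed staging URL; a review-app or staging environment would normally be used.
  DAST_WEBSITE: https://staging.example.com

build:
  stage: build
  script:
    # Assumed placeholder: build the application and push its image to the
    # project's container registry so that Container Scanning has something to scan.
    - echo "build and push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA here"
```

SAST, Dependency Scanning and License Compliance work on the checked-out source tree alone, so they produce results on the first pipeline. Container Scanning expects an image in the project registry, and DAST expects a live deployment at `DAST_WEBSITE`; without those two prerequisites their jobs run but report nothing useful, which is the usual reason people assume the templates "don't work".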
Please forgive my naivety but is this something that would also come to GitHub Enterprise?
It's a feature, not a market play. GitHub wants to be a default for all your most basic CI/CD uses, but they're not taking on all of software security. This is a huge market, they're implementing like 1 feature of 1 use case.
> Automatic token scanning
Nice. I hope we contributed to it in some way: https://news.ycombinator.com/item?id=13667386
How does this not copy snyk.io?
Microsoft owns Github now, and their whole MO is copying everyone else's good ideas at an impressive rate and seeing what will stick.
It leverages GitHub repositories as its data and customer base. The integration and network effect mean the crowd sourcing works for everyone using GitHub, which is used more thoroughly than snyk.io (which I've never heard of).
Maybe it does; my neighborhood also has multiple grocery stores.