GitHub can now alert of supply-chain bugs in new dependencies
2022-04-08 18:00

GitHub can now alert you to, and block, pull requests that introduce new dependencies affected by known vulnerabilities.

"The GitHub Action automates finding and blocking vulnerabilities that are currently only displayed in the rich diff of a pull request," said Courtney Claessens, a Senior Product Manager at GitHub.

It works by comparing the dependency manifests in a pull request against the base branch to find added or changed dependencies, then checking those against the GitHub Advisory Database to see whether the new versions carry known vulnerabilities. Dependencies the pull request leaves untouched are not re-examined; the check is about what the change introduces.
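The check reduced to its two steps, as an added example that is not GitHub's code and not taken from the action's repository: diff the pinned manifest between the pull request base and head, then look up every added or re-pinned package in an advisory list. The manifests and advisory records are constructed for the example (the EXAMPLE-* IDs are placeholders that describe no real vulnerability), the requirements.txt-style parsing is a stand-in for the lockfile and manifest formats the real feature reads, and the fail_on threshold plays the role of the action's fail-on-severity input; the data layout of the advisory records is an assumption, not the Advisory Database schema.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample manifests (requirements.txt style, fully pinned),
# standing in for the base and head of a pull request.
BASE_MANIFEST = """\
# base branch
requests==2.27.0
pyyaml==5.4.1
"""
HEAD_MANIFEST = """\
# pull request head: one upgrade, one new dependency
requests==2.27.0
pyyaml==6.0
examplelib==1.2.0
"""

# Constructed advisory records with placeholder IDs; they describe no real
# vulnerability and the field layout is an assumption for this example.
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.3.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "pyyaml",
     "introduced": "0", "fixed": "5.4", "severity": "critical"},
]

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric version key. A pre-release suffix is ignored and trailing
    zeros are dropped so that 5.4 and 5.4.0 compare equal."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_manifest(text: str) -> Dict[str, str]:
    """Map package name -> pinned version. Unpinned lines are skipped here;
    a real review resolves them through the lockfile instead."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (p.strip() for p in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def changed_dependencies(base: Dict[str, str],
                         head: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Packages added or re-pinned in head, as (name, old, new). Removals and
    unchanged pins are not reviewed: only what the PR introduces is checked,
    which also catches a downgrade back into a vulnerable range."""
    return [(name, base.get(name), head[name])
            for name in sorted(head) if base.get(name) != head[name]]


def advisories_for(name: str, version: str) -> List[dict]:
    """Advisories whose affected range contains this exact version."""
    v = parse_version(version)
    return [a for a in ADVISORIES
            if a["package"] == name
            and parse_version(a["introduced"]) <= v < parse_version(a["fixed"])]


def review(base_text: str, head_text: str, fail_on: str = "low") -> dict:
    """Findings for the dependency diff, plus whether the PR should be blocked.

    fail_on is the lowest severity that blocks, mirroring the action's
    fail-on-severity input; anything below it is reported but not blocking."""
    threshold = SEVERITY_RANK[fail_on]
    findings = []
    changes = changed_dependencies(parse_manifest(base_text), parse_manifest(head_text))
    for name, old, new in changes:
        for adv in advisories_for(name, new):
            findings.append({"id": adv["id"], "package": name, "from": old, "to": new,
                             "severity": adv["severity"], "fixed_in": adv["fixed"]})
    blocked = any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)
    return {"findings": findings, "blocked": blocked}


if __name__ == "__main__":
    result = review(BASE_MANIFEST, HEAD_MANIFEST, fail_on="moderate")
    for f in result["findings"]:
        print(f"{f['severity'].upper():8} {f['package']} {f['from']} -> {f['to']}: "
              f"{f['id']} (fixed in {f['fixed_in']})")
    print("blocked" if result["blocked"] else "clean")
```

On the sample input the pyyaml upgrade to 6.0 lands above the constructed advisory's fixed version and is not reported, while the newly added examplelib 1.2.0 falls inside its affected range and blocks the merge at a moderate or high threshold. A head manifest that pinned pyyaml back to 5.3 would be reported too, which is why the comparison is on the new pin rather than on "new package only".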

"By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project," GitHub explains.

The Dependency Review action is currently in public beta and is available for all public repositories and for private repositories belonging to organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security.

GitHub also announced on Monday that it has extended secret scanning for GitHub Advanced Security customers so that it can catch credentials before they reach a remote repository, rather than only after they have been pushed.


News URL

https://www.bleepingcomputer.com/news/security/github-can-now-alert-of-supply-chain-bugs-in-new-dependencies/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 12 2 45 29 19 95