Security News

TikTok, GitHub, Facebook Join Open-Source Bug Bounty
2021-09-22 14:52

As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma, GitHub, Shopify and TikTok, announced they are throwing a new round of resources behind an Internet Bug Bounty Program to lure threat hunters' attention to open-source supply chains. Following a spate of spectacular software supply-chain breaches, market leaders have decided to throw in some cash to fund the IBB to incentivize bug hunters to take a closer look at open-source code.

GitHub finds 7 code execution vulnerabilities in 'tar' and npm CLI
2021-09-09 03:37

The vulnerabilities affect both Windows and Unix-based users, and if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system installing untrusted npm packages. On further review of the researchers' reports, GitHub security team found some more high-severity vulnerabilities in the aforementioned packages, affecting both Windows and Unix-based systems.

GitGuardian now available on GitHub Marketplace
2021-08-19 00:00

GitGuardian announces availability on the GitHub Marketplace. GitGuardian on GitHub Marketplace makes code security accessible and easy to install.

GitHub urges users to enable 2FA after going passwordless
2021-08-18 18:00

GitHub urges its user base to toggle on two-factor authentication after deprecating password-based authentication for Git operations. "If you have not done so already, please take this moment to enable 2FA for your GitHub account," the company's Chief Security Officer Mike Hanley said.

GitHub picks Friday 13th to kill off password-based Git authentication
2021-08-12 23:20

If your Git operations start failing on Friday, August 13 with GitHub, it may well be because you're still using password authentication - and you need to change that. In December, the source-code-hosting giant warned it will end password-based authentication for Git pushes and the like.

GitHub deprecates account passwords for authenticating Git operations
2021-08-12 22:10

GitHub has announced today that account passwords will no longer be accepted for authenticating Git operations starting tomorrow. "Starting on August 13, 2021, at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on," the company said.

New 'Allstar' App Enforces Security Best Practices for GitHub Projects
2021-08-12 15:16

The Open Source Security Foundation on Wednesday announced the availability of a new GitHub app that can be used to automatically and continuously enforce security best practices for GitHub projects. Allstar is a companion to Security Scorecards, an automated risk assessment tool for repositories and their dependencies that was also contributed by Google.

Allstar app helps enforce security best practices for GitHub projects
2021-08-11 12:10

Google and the Open Source Security Foundation have released Allstar, an app that allows organizations / owners of GitHub repositories to set up security policy expectations for GitHub projects and to make sure that these policies are adhered to. "Allstar works by continuously checking expected GitHub API states and repository file contents against defined security policies and applying enforcement actions when expected states do not match the policies," OpenSSF's John Mertic explained.

Potential RCE Flaw Patched in PyPI’s GitHub Repository
2021-08-02 16:53

A vulnerability in the GitHub Actions workflow for PyPI's source repository could be exploited to perform a malicious pull request and eventually execute arbitrary code on, according to a warning from a Japanese security researcher. The workflow did not verify the pull request author, anyone could create a pull request with a specific name and have the workflow to process it.

GitHub Launches 'Copilot' — AI-Powered Code Completion Tool
2021-06-30 08:46

GitHub on Tuesday launched a technical preview of a new AI-powered pair programming tool that aims to help software developers write better code across a variety of programming languages, including Python, JavaScript, TypeScript, Ruby, and Go. Copilot, as the code synthesizer is called, has been developed in collaboration with OpenAI, and leverages Codex, a new AI system that's trained on publicly available source code and natural language with the goal of translating comments and code written by a user into auto-generated code snippets. "GitHub Copilot draws context from the code you're working on, suggesting whole lines or entire functions," GitHub CEO Nat Friedman said in a blog post.