Security News

GitHub has announced that its private vulnerability reporting feature for open source repositories is now available to all project owners. The private vulnerability reporting feature provides a direct collaboration channel that allows researchers to more easily report vulnerabilities, and maintainers to easily fix them.

GitHub announced that private vulnerability reporting is now generally available and can be enabled at scale, on all repositories belonging to an organization. Since its introduction as an opt-in feature in November 2022 during the GitHub Universe 2022 global developer event, "Maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers."

Developers who use GitHub Actions to build software packages for the npm registry can now add a command flag that will publish details about the code's origin. It's often used by software developers to mechanize the build process for packages distributed through the company's npm registry, which hosts more than two million of these modular libraries.

OSC&R is an open framework for understanding and evaluating software supply chain security threats. Spearheaded by OX Security, OSC&R is a MITRE-like framework designed to provide a common language and structure for understanding and analyzing the tactics, techniques, and procedures used by adversaries to compromise the security of software supply chains.

GitHub is now prompting developers and administrators who use the site to secure their accounts with two-factor authentication. The move toward two-factor authentication for all such users officially started on March 13 and will be a requirement by the end of 2023, GitHub said in a recent blog post.

Github has updated its SSH keys after accidentally publishing the private part to the world. A post on Github's security blog reveals that the company has changed its RSA SSH host keys.

Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "Out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or eavesdropping on users' operations over SSH. "This key does not grant access to GitHub's infrastructure or customer data," Mike Hanley, chief security officer and SVP of engineering at GitHub, said in a post.

GitHub has rotated its private SSH key for GitHub.com after the secret was was accidentally published in a public GitHub repository. In a succinct blog post published today, GitHub acknowledged discovering this week that the RSA SSH private key for GitHub.com had been ephemerally exposed in a public GitHub repository.

Different 2FA choices, but biometrics and passkeys trump SMS. GitHub is also offering a preferred 2FA option for account login with a sudo prompt, allowing users to choose between time-based one-time passwords, SMS, security keys or GitHub Mobile. In a move toward closing loopholes to combat threat actors, GitHub expanded its secret scanning program last fall, allowing developers to track any publicly exposed secrets in their public GitHub repository.

Starting March 13, GitHub will gradually introduce the 2FA enrollment requirement to groups of developers and administrators, beginning with smaller groups. In case your account is selected for enrollment, you will receive a notification via email and see a banner on GitHub.com requesting you to enroll in 2FA. You will have a 45-day window to configure 2FA on your account, and before that date, you can continue to use GitHub as usual except for the occasional reminders.