At the end of 2017 GitHub announced the launch of its ‘security alerts’ feature for vulnerable Ruby and JavaScript packages. With the feature proving a huge success for GitHub, the platform has now rolled out the feature for Python. The GitHub team promised that Python would be the next language to receive the security alert feature – but with fears over a possible mass migration to GitLab, following Microsoft’s acquisition of the platform, the news couldn’t come at a better time.
How Github’s security alerts work
GitHub’s security alerts work using its dependency graph. The dependency graph allows developers to visualize the range of projects on which their code depends. Security alerts followed the release of the dependency graph for Ruby and JavaScript. With the dependency graph in place, the security alerts “track when dependencies are associated with public security vulnerabilities.”
When you enable the dependency graph GitHub will notify you if there is a possible vulnerability in one of your dependencies. It will also suggest some possible fixes as well.
Rolling security alerts out to Python projects
The Python roll out was announced on the GitHub blog by Robert Schultheis on July 12. He writes:
We’ve chosen to launch the new platform offering with a few recent vulnerabilities. Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.
He isn’t specific about the Python vulnerabilities. However, as noted earlier, launching support for Python has always been part of GitHub’s plan since 2017.
As The Register notes, there have only been four Python entries on the CVE database in 2018 so far “and one of those is disputed.”
According to Schultheis, Github “will be adding more Python vulnerabilities to our database.”
