Source: https://devm.io/security/github-security-interview

Interview with Courtney Claessens, Senior Product Manager at GitHub and Mariam Sulakian, Product Manager at GitHub

"GitHub wants to secure the world’s software by arming the community with the tools they need to develop secure code."


We spoke with Courtney Claessens, Senior Product Manager at GitHub, and Mariam Sulakian, Product Manager at GitHub, about recent supply chain security updates at GitHub and the GitHub products that help developers secure their projects.

devmio: There have been some updates regarding security in the supply chain at GitHub, including recently adding support for Dart in GitHub’s supply chain security features. Could you tell us more about what this update adds?

Courtney Claessens & Mariam Sulakian: GitHub’s supply chain features now support the Dart developer ecosystem. Dart powers apps used by millions and is a rapidly growing language on GitHub. The new support across the GitHub Advisory Database, dependency graph, and Dependabot makes it easier for developers and security teams to visualise, maintain, and secure the dependencies in the Dart software supply chain.

devmio: Where does the Dart programming language excel and when should it be used?

Courtney Claessens & Mariam Sulakian: Dart excels on both mobile devices and the web. It is optimised for UI and works especially well for developers specialising in interface creation and app development.

devmio: What is Dependabot and how does it help developers?

Courtney Claessens & Mariam Sulakian: Dependabot helps developers secure their projects by keeping on top of vulnerable dependencies. It automatically checks dependency files for outdated requirements and can open pull requests for any it finds. By alerting on vulnerable code and surfacing whether there are any vulnerable code paths, developers can prioritise and remediate alerts more effectively.


devmio: How does the GitHub Advisory Database work and what does it include?

Courtney Claessens & Mariam Sulakian: The GitHub Advisory Database is an open-source database of security advisories focused on providing high-quality, actionable vulnerability information for developers. It's actively maintained by a dedicated team of GitHub's professional security researchers, and aided by contributions from the open source community. We use this data to power Dependabot so that we can alert developers to, and help remediate, their vulnerable dependencies.

devmio: Could you explain what GitHub Advanced Security is and what it includes?

Courtney Claessens & Mariam Sulakian: GitHub Advanced Security is GitHub’s developer-focused security product that protects developers from vulnerabilities in their code, in their dependencies, and in the form of leaked secrets. We give away most of our security capabilities for free to open-source repositories, but GitHub Advanced Security is our commercial offering for private repositories and gives enterprises access to code scanning powered by our CodeQL engine, secret scanning, and some enhancements to Dependabot like vulnerable function call analysis.

devmio: What is secret scanning and how does GitHub help with it? What does the new update regarding secrets scanning include?

Courtney Claessens & Mariam Sulakian: Leaked credentials are one of the most commonly exploited application security risks. GitHub secret scanning finds them before developers deploy by using custom patterns and supporting more than 180 secret types from cloud and service provider partners. GitHub can scan for highly identifiable secrets before they leave the developer's machine, preventing secrets from leaking altogether.

Teams and organisations each also have unique secret types that are specific to their work, and today secret scanning supports up to 500 custom patterns for each organisation or enterprise account. The latest support for dry runs ensures that security teams can easily iterate on and review patterns before they generate alerts. This streamlined process helps security teams prioritise the risks they care about.


devmio: How else is GitHub committed to ensuring the best security for its users? What else is your team working on, or what have you recently implemented?

Courtney Claessens & Mariam Sulakian: GitHub wants to secure the world’s software by arming the community with the tools they need to develop secure code. So much of the world’s development happens on GitHub that security is not just an opportunity for us, but a responsibility. We’ve built GitHub Advanced Security to integrate directly into the developer workflow, and are committed to continuing to make it easier for developers to build and ship securely.

We also understand that the world of open-source security is fast-moving, with new vulnerabilities and different attack vectors on the rise, and it’s going to take the community at large to help secure the world’s software. Earlier this year we announced the GitHub Advisory Database is open to community contributions. We believe free and open security data is critical to empowering the industry to secure our software supply chains, and by making it easier to contribute and consume security insights, we hope to further improve the security of all software.

Mariam Sulakian

As Product Manager for GitHub's secret scanning teams, Mariam Sulakian helps shape how the world builds secure software. She loves fueling her team to develop tools that protect developers and their code worldwide. Mariam previously developed software at Meta, and she continues to marvel at the constant interplay of product and engineering to create seamless user experiences. More than anything, Mariam loves to help others and to support under-represented groups in tech.

Courtney Claessens

Courtney Claessens is a Senior Product Manager at GitHub, helping developers to manage and secure their supply chain with the dependency graph. She is enthusiastic about creating simple experiences that make developers' lives easier. Her previous work has been in the field of civic technology, which she is passionate about.
