
GitHub releases private vulnerability reporting and npm package provenance

source link: https://itwire.com/business-it-news/enterprise-solutions/github-releases-private-vulnerability-reporting-and-npm-package-provenance.html

Thursday, 20 April 2023 10:33


By David M Williams

The largest open-source software repository, GitHub, has announced two product updates to support developers, maintainers, and security researchers in ensuring the integrity of open-source projects, bolstering the security of software supply chains - private vulnerability reporting and npm package provenance.

The two new features mean researchers and maintainers have a private collaboration channel to report and fix vulnerabilities on public repositories, and npm developers can publish provenance alongside their packages so consumers have a verifiable way to link a package back to its source repository and build instructions.

Since the public beta of private vulnerability reporting last November, maintainers from over 30,000 organisations have enabled private vulnerability reporting on more than 180,000 repos and received over a thousand submissions from researchers. Through this enablement and feedback from the community, GitHub has also made a number of feature improvements including multi-repo enablement, new credit types, and increased integration and automation workflows.

“One of the biggest struggles as a researcher has been making initial contact to disclose the vulnerability to the maintainer. Private vulnerability reporting is a massive step forward”, said Open Source Security Foundation senior open source security researcher and GitHub security ambassador Jonathan Leitschuh.

The improvements for the general availability of private vulnerability reporting include:

  • Enable at scale: During the public beta, private vulnerability reporting could only be enabled on individual repos. Now, maintainers can enable private vulnerability reporting on all repos in their organisation.

  • Multiple credit types: Maintainers can choose how to credit those who find and contribute to vulnerabilities and remediation.

  • Integration and automation: A new repository security advisories API supports several new integration and automation workflows.

    • Integration with third-party systems: Maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems.

    • Automated submissions: Security researchers can also use the API to programmatically open a private vulnerability report on multiple repositories, a time-saving convenience when packages share a common vulnerability.

    • Vulnerability alerts: Anyone can keep a close eye on critical repos by scheduling automatic pings for notifications of new vulnerability reports.
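The "automated submissions" workflow above, as an added example (not GitHub's own code): one report body sent to each repository that ships the affected package. It assumes the REST endpoint `POST /repos/{owner}/{repo}/security-advisories/reports` and the request fields documented for it (`summary`, `description`, `vulnerabilities`, `cwe_ids`, `severity`); the repository names, package name and token are placeholders, and the `send` parameter exists so the loop can be exercised offline.

```python
"""Open the same private vulnerability report on several repositories.

Added example, not code from GitHub. Assumed: the REST endpoint
POST /repos/{owner}/{repo}/security-advisories/reports and its documented
request fields. Owners, repos, package name and token are placeholders.
"""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"


def build_report(summary, description, ecosystem, package,
                 vulnerable_range, patched, cwe_ids, severity):
    """Request body for one private vulnerability report."""
    return {
        "summary": summary,
        "description": description,
        "vulnerabilities": [{
            "package": {"ecosystem": ecosystem, "name": package},
            "vulnerable_version_range": vulnerable_range,
            "patched_versions": patched,
        }],
        "cwe_ids": cwe_ids,
        "severity": severity,  # one of critical, high, medium, low
    }


def github_send(url, body, token):
    """POST the body with a fine-grained or classic token; return (status, json)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 404: PVR disabled or no such repo
        return err.code, json.load(err)


def submit_to_repos(repos, report, token, send=github_send):
    """Submit the report to every (owner, repo); never stop on a single failure.

    Returns {"owner/repo": (status, advisory URL or error message)} so the
    researcher can see which maintainers still need a manual contact.
    """
    results = {}
    for owner, repo in repos:
        url = f"{API}/repos/{owner}/{repo}/security-advisories/reports"
        status, body = send(url, report, token)
        detail = body.get("html_url") if status == 201 else body.get("message")
        results[f"{owner}/{repo}"] = (status, detail)
    return results


# Placeholder report; the CWE and version range are illustrative only.
EXAMPLE_REPORT = build_report(
    summary="Prototype pollution in config merge",
    description="Untrusted keys reach Object.assign on a shared defaults object.",
    ecosystem="npm", package="example-config",
    vulnerable_range="< 2.1.0", patched="2.1.0",
    cwe_ids=["CWE-1321"], severity="high",
)

if __name__ == "__main__":
    # Dry run: record the URLs instead of calling the API.
    calls = []
    def dry_send(url, body, token):
        calls.append(url)
        return 201, {"html_url": url.replace("/reports", "/GHSA-xxxx")}
    print(submit_to_repos([("example", "config"), ("example", "config-cli")],
                          EXAMPLE_REPORT, "ghp_placeholder", send=dry_send))
```

In practice each repository's entry in `vulnerabilities` should name the package that repository actually publishes; a 404 from a repository usually means private vulnerability reporting is not enabled there, in which case the fallback is the maintainer's SECURITY.md contact.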

Private vulnerability reporting and the rest of GitHub’s security capabilities like Dependabot, code scanning, and secret scanning are free for public repositories.

In addition, GitHub's goal for the npm ecosystem is to bring the same level of transparency it has with the open-source code itself to the process by which that code is built and published.

With the move to make npm package provenance generally available, GitHub is working on a number of additional improvements:

  • Adopting version 1.0 of the SLSA provenance specification.

  • Working with other cloud CI/CD providers to add support for provenance signing.

  • Verifying the expected source repository and commit exists.

  • New tools to manage access between your CI/CD environment and the npm registry.
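What a consumer can actually check once provenance is published: that the attested subject is the tarball in hand, that the build ran from the expected source repository at a pinned commit, and that the builder is a trusted hosted runner. The following is an added example, not npm's or GitHub's code. It assumes the SLSA v1.0 provenance shape npm uses (an in-toto Statement v1 carrying a `https://slsa.dev/provenance/v1` predicate with a GitHub Actions `buildDefinition`); the package, repository, commit and tarball bytes are a constructed sample, and this check is meant to run after the Sigstore signature and transparency-log inclusion have already been verified.

```python
"""Consumer-side checks on an npm provenance statement.

Added example, not code from npm or GitHub. Assumed: SLSA v1.0 provenance in
the shape npm publishes (in-toto Statement v1, slsa.dev/provenance/v1
predicate). The package, repo, commit and tarball below are constructed.
"""
import hashlib
from urllib.parse import quote

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"
GITHUB_HOSTED = "https://github.com/actions/runner/github-hosted"

# Constructed sample: a fake tarball and a statement that attests to it.
SAMPLE_TARBALL = b"not-a-real-npm-tarball"
SAMPLE_SHA512 = hashlib.sha512(SAMPLE_TARBALL).hexdigest()
SAMPLE_STATEMENT = {
    "_type": STATEMENT_V1,
    "subject": [{"name": "pkg:npm/%40example/widget@1.2.3",
                 "digest": {"sha512": SAMPLE_SHA512}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v1.2.3",
                "repository": "https://github.com/example/widget",
                "path": ".github/workflows/publish.yml"}},
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example/widget@refs/tags/v1.2.3",
                "digest": {"gitCommit": "0" * 40}}],
        },
        "runDetails": {"builder": {"id": GITHUB_HOSTED}},
    },
}


def purl(name, version):
    """npm subjects are package URLs; a scope's '@' is percent-encoded."""
    return f"pkg:npm/{quote(name, safe='/')}@{version}"


def check_provenance(statement, name, version, tarball, expected_repo):
    """Return findings; an empty list means the statement matches expectations."""
    problems = []
    if (statement.get("_type") != STATEMENT_V1
            or statement.get("predicateType") != SLSA_V1):
        return ["not a SLSA v1 provenance statement"]

    # 1. Subject: this package, this version, and the digest of this tarball.
    digest = hashlib.sha512(tarball).hexdigest()
    subjects = {s.get("name"): s.get("digest", {}).get("sha512")
                for s in statement.get("subject", [])}
    want = purl(name, version)
    if subjects.get(want) != digest:
        problems.append(f"subject {want} with sha512 {digest[:16]}... not attested")

    pred = statement.get("predicate", {})
    build = pred.get("buildDefinition", {})

    # 2. Source: the workflow must belong to the repository we expect.
    workflow = build.get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != expected_repo:
        problems.append(f"built from {workflow.get('repository')!r}, "
                        f"expected {expected_repo!r}")

    # 3. Commit: a resolved git dependency for that repo must pin a full SHA-1.
    commits = [d.get("digest", {}).get("gitCommit")
               for d in build.get("resolvedDependencies", [])
               if d.get("uri", "").startswith("git+" + expected_repo)]
    if not any(c and len(c) == 40 for c in commits):
        problems.append("no gitCommit digest for the source repository")

    # 4. Builder: reject anything other than the hosted runner we trust.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != GITHUB_HOSTED:
        problems.append(f"untrusted builder {builder!r}")
    return problems


if __name__ == "__main__":
    findings = check_provenance(SAMPLE_STATEMENT, "@example/widget", "1.2.3",
                                SAMPLE_TARBALL, "https://github.com/example/widget")
    print("ok" if not findings else findings)
```

The order matters: the statement's contents prove nothing until the signature binds them to an identity you trust (the publishing workflow's OIDC identity), which is what `npm audit signatures` establishes; only then do the repository, commit and builder fields become facts worth comparing against policy. The repository and commit checks here correspond to the third bullet above, the "expected source repository and commit exists" verification GitHub says it is adding on the registry side.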

GitHub is a founding member of the OpenSSF and actively participates in its working group for securing software repositories, with the goal of bringing similar capabilities to other platforms and package ecosystems.
