SecurityBrief NZ – GitHub Deploys Security Alert Feature for Python

GitHub has deployed security alerts for Python, which allow users to receive an alert when one of their repositories depends on a package with a known security vulnerability.

"We chose to launch the new platform with some recent vulnerabilities," GitHub said.

"In the coming weeks, we will add more Python historical vulnerabilities to our database, and in the future we will continue to monitor the NVD and other sources and send alerts on newly revealed vulnerabilities in Python packages."

The development follows last year's releases that track security vulnerabilities in Ruby and JavaScript packages. The company says that since the launch of these alerts, it has identified millions of vulnerabilities, most of them tracked as Common Vulnerabilities and Exposures (CVEs).

According to a November 2017 GitHub blog post, the security alert system was a great success, with many alerts resolved within seven days. "We found more than four million vulnerabilities in more than 500,000 repositories and posted an alert to repository administrators in their dependency graphs and homepages (for Ruby and JavaScript)," says GitHub in the post. "[...] we launched, more than 450,000 identified vulnerabilities were resolved by the repository owners, either by removing the dependency or by changing to a secure version. Since then, our vulnerability rate resolved in the first seven days of detection has been about 30%.

"In addition, 15% of alerts are rejected within seven days, which means that almost half of the alerts are processed in one week. Among the other unaddressed or unresolved alerts, the majority belong to repositories that have not had a contribution in the past 90 days."

These features are now available to Python users.

To get started, make sure you have committed a requirements.txt or Pipfile.lock file in each repository that contains Python code; these manifests are what the dependency graph reads.

Public repositories automatically have the dependency graph and security alerts enabled. For private repositories, you must enable security alerts in the repository settings, or allow access in the dependency graph section of the Insights tab of the repository.

When vulnerability alerts are enabled, administrators receive security alerts by default. Administrators can also add teams or individuals as recipients of security alerts from the repository settings page, under the "Alerts" tab.

To configure the type or frequency of notifications, go to the notification settings page and choose your preferred option.
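To show what the alert mechanism described above actually does with a committed manifest, here is an added illustration (not GitHub's code): it parses the pinned dependencies in a requirements.txt and matches them against a small advisory list. The package names, versions and advisory ids are constructed placeholders, not real vulnerabilities.

```python
# Added example: manifest-driven dependency alerting, in the spirit of GitHub's feature.
import re
from typing import Dict, List, Tuple

# Constructed advisory database: package -> [(first fixed version, advisory id)].
# Names, versions and ids are placeholders, not real vulnerabilities.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "examplelib": [("2.1.0", "EXAMPLE-ADVISORY-1")],
    "samplekit": [("0.9.5", "EXAMPLE-ADVISORY-2"), ("1.3.0", "EXAMPLE-ADVISORY-3")],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_requirements(text: str) -> Dict[str, str]:
    """Collect 'name==version' pins; comments, blanks and unpinned specifiers are
    skipped because an alert needs a concrete version to compare against."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def find_alerts(pins: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one alert per (dependency, advisory) pair where pinned < fixed version."""
    alerts = []
    for name, version in pins.items():
        for fixed, advisory_id in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed):
                alerts.append({"package": name, "pinned": version,
                               "fixed_in": fixed, "advisory": advisory_id})
    return alerts

# Constructed sample manifest, as it might be committed to a repository.
SAMPLE_REQUIREMENTS = """\
# constructed sample
examplelib==2.0.4
samplekit==1.0.0
safepkg==3.2.1
requests>=2.0  # unpinned: no concrete version to match
"""

if __name__ == "__main__":
    for a in find_alerts(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{a['package']}=={a['pinned']}: {a['advisory']}, fixed in {a['fixed_in']}")
```

Each alert carries the first fixed version, which is the "change to a secure version" remediation the article describes; removing the dependency is the other way the alert clears.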
