SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
GitHub rolls out security alerts feature for Python
Mon, 16th Jul 2018

GitHub has rolled out security alerts for Python, which allow users to receive an alert whenever one of their repositories depends on a package with a known security vulnerability.

“We've chosen to launch the new platform offering with a few recent vulnerabilities,” GitHub says.

“Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”

The development follows last year's release of the same alerts for Ruby and JavaScript packages.

The company says that since the launch of those alerts it has identified millions of vulnerable dependencies, most of them tracked under Common Vulnerabilities and Exposures (CVE) identifiers.

According to a GitHub blog post published after the November 2017 launch of those alerts, the system has been highly successful, with many vulnerability alerts resulting in a fix in fewer than seven days.

“We found over four million vulnerabilities in over 500,000 repositories and displayed an alert to repository admins in their dependency graphs and repository home pages (for Ruby and JavaScript),” GitHub says in a blog.

“By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version. Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30%.

“Additionally, 15% of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

These features are now available for Python users.

Users can make the most of Python security alerts through the following tips:

First, ensure that you have checked in a requirements.txt or Pipfile.lock file in each repository that contains Python code; the dependency graph is built from these manifests, so a package that is not listed in them cannot be matched against the vulnerability database.

Public repositories will automatically have the dependency graph and security alerts enabled. For private repositories, you'll need to opt in to security alerts in your repository settings, or by allowing access in the dependency graph section of your repository's “Insights” tab.

When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository's settings page and navigating to the “Alerts” tab.

To configure the kind or frequency of notifications you receive, visit your profile's notification settings page and select your preferred option.
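The first tip above depends on the dependency graph reading a concrete version for each package out of the checked-in manifest. The following script is an added example, written for this article and not GitHub's own code, that emulates the matching step: it parses a requirements.txt and a Pipfile.lock, normalises package names, and checks each exact version against a vulnerability database keyed by package and affected version range. The manifests, package names (acme-web, acme-yaml, acme-http, acme-image), advisory identifiers and version ranges are all constructed for the example and correspond to no real package or vulnerability.

```python
"""Added example: matching checked-in Python manifests against a
vulnerability database, in the style of a dependency-alert system.
Not GitHub's implementation; all inputs below are constructed."""
import json
import re

# Constructed requirements.txt. Only the '==' lines carry an exact version.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
acme-web==1.11.10
Acme_Yaml==3.12
acme-http>=2.18       # a range, not an exact pin
acme-image            # unpinned
-r other.txt
"""

# Constructed Pipfile.lock: every resolved package carries '==x.y.z'.
SAMPLE_PIPFILE_LOCK = json.dumps({
    "default": {
        "acme-web": {"version": "==1.11.16"},
        "acme-yaml": {"version": "==3.13"},
    },
    "develop": {},
})

# Constructed advisory database: fictional packages, fictional ids,
# affected range is [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"package": "acme-web", "id": "EXAMPLE-2018-01", "introduced": "1.11.0", "fixed": "1.11.15"},
    {"package": "acme_yaml", "id": "EXAMPLE-2018-02", "introduced": "0", "fixed": "3.13"},
    {"package": "acme-http", "id": "EXAMPLE-2018-03", "introduced": "2.0", "fixed": "2.20"},
]

REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, '-' '_' '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version, width=4):
    """Numeric components padded to a fixed width so tuples compare sanely."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return (parts + (0,) * width)[:width]


def parse_requirements(text):
    """Return [(normalised name, exact version or None)] per requirement.
    Anything other than an '==' pin yields None: the matcher has no
    concrete version to compare."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, or -r/-e/--option
            continue
        match = REQ_LINE.match(line)
        if not match:
            continue
        name, op, version = match.groups()
        deps.append((normalize(name), version if op == "==" else None))
    return deps


def parse_pipfile_lock(text):
    """Return the same [(name, version)] shape from a Pipfile.lock."""
    lock = json.loads(text)
    deps = []
    for section in ("default", "develop"):
        for name, info in lock.get(section, {}).items():
            spec = info.get("version", "")
            deps.append((normalize(name), spec[2:] if spec.startswith("==") else None))
    return deps


def find_alerts(deps, advisories):
    """Return (alerts, unassessable). alerts holds (name, version, advisory
    id) for every pinned version inside an affected range; unassessable
    lists packages whose version is not pinned and so cannot be checked."""
    alerts, unassessable = [], []
    for name, version in deps:
        if version is None:
            unassessable.append(name)
            continue
        key = version_key(version)
        for adv in advisories:
            if normalize(adv["package"]) != name:
                continue
            if version_key(adv["introduced"]) <= key < version_key(adv["fixed"]):
                alerts.append((name, version, adv["id"]))
    return alerts, unassessable


if __name__ == "__main__":
    for label, deps in (("requirements.txt", parse_requirements(SAMPLE_REQUIREMENTS)),
                        ("Pipfile.lock", parse_pipfile_lock(SAMPLE_PIPFILE_LOCK))):
        alerts, unassessable = find_alerts(deps, SAMPLE_ADVISORIES)
        print(label, "alerts:", alerts, "unassessable:", unassessable)
```

Run against the constructed requirements.txt, the two exact pins produce alerts while the `>=` range and the bare package name are reported as unassessable even though an advisory exists for one of them; the Pipfile.lock, which records an exact version for everything, is checked completely and comes back clean. That is the practical reason to commit a lock file rather than loose ranges.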