SECURITY
SECURITY
SECURITY
New GitHub tools help project integrity and security of the software supply chain
Microsoft Corp.-owned GitHub today announced two new tools aimed at helping developers ensure the integrity of their projects and secure the software supply chain.
The first new tool, private vulnerability reporting, is now generally available and designed to help open-source maintainers and security researchers embrace best practices to report and fix vulnerabilities. The private collaboration channel seeks to address an issue where the open-source community lacked a standardized and secure way to report and collaborate on vulnerabilities, making it all too easy for vulnerabilities to linger unresolved or publicly leak before fixes were ready.
Private vulnerability reporting makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories with features and automation, including the ability to report multiple repos with identified issues and credit multiple researchers who contribute to vulnerabilities and remediation.
The service was first available in public beta testing in November, with maintainers from more than 30,000 organizations enabling private vulnerability reporting on more than 180,000 repos. In that time, the service received more than 1,000 submissions from researchers.
The second release, npm package provenance, allows developers who build npm projects on GitHub Actions to publish providence alongside their packages, giving consumers a verifiable way to link a package back to its source repository and build instructions. Npm is a package manager for the JavaScript programming language maintained by npm Inc. Its claim to fame is as the default package manager for the JavaScript runtime environment Node.js.
GitHub argues that developers plug npm packages into their applications daily without much thought, weakening the integrity of their software supply chain. As the stewards of the npm registry, GitHub is responsible for helping build trust in these projects and with this release, consumers of npm projects can anchor trust directly in the source code and build process.
The two new tools come after GitHub debuted Copilox X, an artificial intelligence tool powered partly by GPT-4, in March. Designed to help developers write code faster, the tool offers an enhanced version of the Copilot coding assistant that GitHub debuted in mid-2021, with features not included in the original release.
Image: GitHub
A message from John Furrier, co-founder of SiliconANGLE:
Support our open free content by sharing and engaging with our content and community.
Join theCUBE Alumni Trust Network
Where Technology Leaders Connect, Share Intelligence & Create Opportunities
11.4k+
CUBE Alumni Network
C-level and Technical
Domain Experts
15M+
theCUBE
Viewers
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.
SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
