When you create a repository on GitHub, security should be one of the first things on your mind.
Whether you own a GitHub repository or contribute to one regularly, you need to know whether its code contains vulnerabilities. Vulnerabilities in repositories have caused security disasters before: two of the best-known incidents of recent years, the Equifax breach and the Heartbleed OpenSSL bug, each started with an exploitable vulnerability in an open-source component (Apache Struts and OpenSSL respectively).
In this post we look at four tools that can identify vulnerabilities in a GitHub repository. Each has real strengths, but each also has its own weaknesses, and this article should help you choose the right one for your next open-source project.
(Photo Credit: https://github.com/apps/guardrails)
GuardRails is a freemium security application available on the GitHub Marketplace. It performs static code analysis and identifies vulnerable dependencies, and it reports what it finds as comments on pull requests.
GuardRails scans each new push to a repository, so vulnerabilities can be acted on almost as soon as they are introduced, which helps keep vulnerable code from ever being merged. On pull requests GuardRails comments on the request when it detects a security issue; for findings on branches, the information appears in your GuardRails dashboard.
GuardRails' main selling point is that it is comprehensive yet quick to set up: it can be enabled on all of your repositories in a matter of minutes. It also integrates with Slack so that notifications reach you where you already work.
(Photo Credit: https://github.com/apps/whitesource-bolt-for-github)
WhiteSource Bolt scans GitHub repositories for known vulnerabilities in their open-source dependencies. It is provided by the similarly named company WhiteSource, which specialises in security, licensing and reporting for open-source software, has been in the market since 2011 and counts more than 2.1 million developers among its users.
Each time code is pushed to the repository, Bolt launches a scan and opens an issue for every vulnerability it discovers. It also opens issues when new vulnerabilities are published for open-source components you already use. In addition, it can keep vulnerable components out of the code altogether by automatically failing pull requests that introduce them.
Bolt also gives its users access to WhiteSource's own vulnerability database, which is extensive and widely regarded as the most comprehensive in the open-source security market. For each vulnerability discovered you receive the CVE identifier and CVSS score, suggested fixes, the dependency path to the vulnerable component, and reference links.
Bolt currently supports over 200 programming languages, including Java, Python, PHP, C# and C++.
(Photo Credit: https://lgtm.com)
LGTM is free for open-source projects and helps users both detect potential vulnerabilities in their code and prevent new ones from being introduced. Its analysis is driven by queries written by a team of security researchers who focus on finding zero-day vulnerabilities. LGTM has been used by over 700,000 developers and on over 135,000 open-source projects, and that experience shows in the quality of its results. The LGTM GitHub App is available from the GitHub Marketplace. (LGTM.com has since been shut down; its CodeQL analysis engine now lives on in GitHub code scanning.)
Once enabled on a repository, LGTM automatically analyses each commit and pull request, checking the code for vulnerabilities, including the bug patterns behind published CVEs. Beyond the built-in checks you can write your own queries against the codebase, drawing on the insight of LGTM's community of developers and researchers, so you can catch the classes of bug that matter to your project before they enter the codebase.
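The static-analysis step that both GuardRails and LGTM perform, reduced to a runnable sketch. This is an added example and not code from either product: a handful of rules walk a Python AST, flag calls such as `eval` or `subprocess.run(..., shell=True)` whose first argument is not a literal, and produce the line-numbered findings a pull-request comment bot would post. The `SAMPLE` source, the rule names and the severity policy are constructed for the illustration.

```python
"""Toy static-analysis rules of the kind GuardRails and LGTM run on a pull
request. Added example, not code from either product; SAMPLE is constructed."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    severity: str  # "high" when the dangerous argument could be attacker-controlled
    message: str


# Callee name -> rule id. Each of these runs code or a command built from its first argument.
DANGEROUS_CALLS = {
    "eval": "code-injection",
    "exec": "code-injection",
    "os.system": "command-injection",
    "pickle.loads": "unsafe-deserialization",
}


def _callee(node: ast.Call) -> str:
    """Dotted callee name: 'eval', 'os.system', 'subprocess.run'; '' if too complex to name."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def _shell_true(node: ast.Call) -> bool:
    """True when the call passes the literal keyword shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


class _Rules(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _callee(node)
        first = node.args[0] if node.args else None
        if first is not None:
            literal = isinstance(first, ast.Constant)
            if name in DANGEROUS_CALLS:
                # A literal argument cannot carry attacker input; still worth a low-severity note.
                sev = "low" if literal else "high"
                self.findings.append(Finding(DANGEROUS_CALLS[name], node.lineno, sev,
                    f"{name}() called with a {'literal' if literal else 'non-literal'} argument"))
            elif name.startswith("subprocess.") and _shell_true(node) and not literal:
                # shell=True hands the string to /bin/sh; a non-literal command is injectable.
                self.findings.append(Finding("command-injection", node.lineno, "high",
                    f"{name}(shell=True) with a non-literal command string"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse Python source and return findings ordered by line, as a PR comment bot would."""
    rules = _Rules()
    rules.visit(ast.parse(source))
    return sorted(rules.findings, key=lambda f: f.line)


def blocks_merge(findings: list[Finding]) -> bool:
    """Merge policy for the PR check: any high-severity finding blocks the merge."""
    return any(f.severity == "high" for f in findings)


def pr_comments(findings: list[Finding]) -> list[str]:
    """One comment line per finding, in the form a bot would post on the pull request."""
    return [f"line {f.line}: [{f.severity}] {f.rule}: {f.message}" for f in findings]


# Constructed sample of a file under review (not real project code).
SAMPLE = """\
import os, subprocess

def run(user_cmd, path):
    subprocess.run(["ls", "-l", path])
    subprocess.run("ls -l", shell=True)
    subprocess.run(user_cmd, shell=True)
    os.system("uptime")
    return eval(user_cmd)
"""

if __name__ == "__main__":
    found = scan_source(SAMPLE)
    print("\n".join(pr_comments(found)))
    print("blocks merge:", blocks_merge(found))
```

Run directly, the sketch reports three findings on the sample (lines 6, 7 and 8) and blocks the merge. The argv-list `subprocess.run` call and the literal `shell=True` command are deliberately left alone; that kind of precision is what a real tool buys with far deeper data-flow analysis than this sketch attempts, and false positives are the main reason teams switch such bots off.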
(Photo Credit: https://www.zdnet.com)
GitHub Security Alerts is a free service for owners of and contributors to GitHub repositories that declare dependencies. Using GitHub's own dependency graph, it shows you when one of your dependencies has a known vulnerability and suggests how to fix it.
When GitHub notifies you of a vulnerability, the alert tells you which of your dependencies needs updating. If a safe version of the dependency is known, GitHub selects one for you (using machine learning) and includes it in the recommendation.
For each vulnerability, GitHub tells you which dependency is affected, the range of affected versions, the CVE ID and any suggested fixes recorded in the National Vulnerability Database (NVD).
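How a dependency check like WhiteSource Bolt's or GitHub Security Alerts' decides that a pinned dependency is vulnerable, as an added example rather than either service's code: pins are read from a requirements.txt-style manifest, each is tested against an advisory's affected version range (introduced version inclusive, fixed version exclusive), and the output is the issue text and the fail-the-pull-request decision described above. The manifest, package names and advisory feed are constructed for the example; the `EXAMPLE-nnnn` identifiers are placeholders rather than real CVE IDs, and the CVSS scores are made up.

```python
"""Dependency-vulnerability check of the kind WhiteSource Bolt and GitHub
Security Alerts perform on push. Added example, not either product's code.
MANIFEST and ADVISORIES are constructed; the advisory IDs are placeholders,
not real CVE numbers, and the package names are fictitious."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    id: str                # placeholder identifier, not a real CVE
    package: str
    introduced: str        # first affected version, inclusive
    fixed: Optional[str]   # first patched version, exclusive; None if no fix exists yet
    cvss: float
    summary: str


def parse_version(v: str) -> tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). A non-numeric suffix is dropped ('1.0rc1' -> (1, 0)), which is
    good enough for release versions; a real scanner must use the ecosystem's own ordering rules."""
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed, or any version >= introduced when no fix exists."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_requirements(text: str) -> dict[str, str]:
    """Read 'name==version' pins from requirements.txt-style text. Comments and blank lines are
    skipped; unpinned entries are skipped too, since there is no concrete version to check."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def scan(pins: dict[str, str], advisories: list[Advisory]) -> list[dict]:
    """Match every pinned dependency against the advisory feed; worst CVSS first."""
    findings = []
    for adv in advisories:
        ver = pins.get(adv.package.lower())
        if ver is not None and is_affected(ver, adv):
            findings.append({"id": adv.id, "package": adv.package, "version": ver,
                             "cvss": adv.cvss, "fixed_in": adv.fixed, "summary": adv.summary})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def format_issue(f: dict) -> str:
    """Body of the issue a bot would open for one finding."""
    fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fixed version available yet"
    return f"[{f['id']}] {f['package']}=={f['version']} (CVSS {f['cvss']}): {f['summary']}. Fix: {fix}"


def should_fail_pr(findings: list[dict], min_cvss: float = 7.0) -> bool:
    """Gate used to fail the pull request: any finding at or above the CVSS threshold."""
    return any(f["cvss"] >= min_cvss for f in findings)


# Constructed sample manifest (fictitious packages).
MANIFEST = """\
# requirements.txt
examplelib==2.19.0
netclient==1.1.2
parserlib==5.1      # known-bad pin
transport           # unpinned: skipped
"""

# Constructed sample advisory feed (placeholder IDs, fictitious packages, made-up scores).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", "2.0.0", "2.20.0", 7.5, "placeholder: credential exposure"),
    Advisory("EXAMPLE-0002", "parserlib", "0", "5.4", 9.8, "placeholder: unsafe deserialization"),
    Advisory("EXAMPLE-0003", "netclient", "0", "1.0", 5.3, "placeholder: fixed before the pinned version"),
    Advisory("EXAMPLE-0004", "netclient", "1.1.0", None, 4.0, "placeholder: no fix released"),
]

if __name__ == "__main__":
    results = scan(parse_requirements(MANIFEST), ADVISORIES)
    for r in results:
        print(format_issue(r))
    print("fail PR:", should_fail_pr(results))
```

The two details worth noticing are the ones that trip up home-grown checks: the fixed version is an exclusive bound (2.20.0 is clean, 2.19.0 is not), and an advisory with no fixed version must still produce a finding, just with a different remediation message. The CVSS gate is what turns a report into the automatic pull-request failure Bolt offers; the threshold is a policy choice, and the unpinned `transport` entry shows why a scanner can only reason about concrete versions.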