GitHub has added Python to the list of languages where you can check out security alerts. Python developers can now see problems on a dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.
In addition to highlighting the dependencies that are the source of a potential vulnerability, and rating their severity on a four-point scale – Low, Moderate, High, or Critical – GitHub aims to point developers towards a fix for the problem.
The GitHub team says:
The dependency graph is a chart that displays the projects your code depends on and projects that depend on your code. It can be enabled by clicking Insights under your repository name then clicking Dependency graph in the left sidebar.
The newly announced Python support means Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.
Python projects must define their dependencies in a requirements.txt or Pipfile.lock file for the dependency graph to be enabled.
GitHub says the new platform has been launched with a relatively small set of recent vulnerabilities. Over the coming weeks, more historical Python vulnerabilities will be added to the database so the security alerts will become more useful.
As new vulnerabilities in Python libraries are discovered, alerts will be sent to Python repository admins whose repositories show dependencies on those libraries.
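To make the mechanism concrete, here is an added example (not GitHub's code) of the kind of check the dependency graph performs: it parses a constructed requirements.txt with pinned versions, matches each package against a constructed advisory list with hypothetical package names and version ranges, and reports matches with their severity on the four-point scale described above.

```python
# Added example (not GitHub's code): a minimal dependency-alert check.
import re

# Constructed sample manifest, as a repository might commit it.
REQUIREMENTS_TXT = """\
# web stack
acme-web==1.11.3
acme-http==2.18.0   # pinned for reproducibility
acme-yaml>=3.12
"""

# Constructed advisory list (hypothetical packages, not real advisories):
# package -> (first vulnerable version, first fixed version, severity).
ADVISORIES = {
    "acme-web": ("1.11.0", "1.11.5", "High"),
    "acme-http": ("2.18.0", "2.18.4", "Moderate"),
}

def parse_version(text):
    """Turn '1.11.3' into (1, 11, 3) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))

def parse_requirements(text):
    """Yield (name, pinned_version) for 'pkg==x.y.z' lines; comments and
    unpinned specifiers are skipped since they give no exact version."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)$", line)
        if m:
            yield m.group(1).lower(), m.group(2)

def check_dependencies(req_text, advisories=ADVISORIES):
    """Return alerts as (package, version, severity) for every pinned
    dependency whose version lies inside an advisory's vulnerable range."""
    alerts = []
    for name, version in parse_requirements(req_text):
        if name not in advisories:
            continue
        vuln_from, fixed_in, severity = advisories[name]
        v = parse_version(version)
        if parse_version(vuln_from) <= v < parse_version(fixed_in):
            alerts.append((name, version, severity))
    return alerts

if __name__ == "__main__":
    for pkg, ver, sev in check_dependencies(REQUIREMENTS_TXT):
        print(f"{sev}: {pkg}=={ver} is affected; upgrade to the fixed release")
```

A real service would also have to handle non-numeric version strings and resolve unpinned specifiers, which this example deliberately skips.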
- GitHub article about security alerts for vulnerable dependencies
- GitHub instructions for listing the packages that a repository depends on