GitHub Security Alerts For Python developers

GitHub has added Python to the list of languages covered by its security alerts. Python developers can now see their projects' dependencies in a dependency graph and receive an alert whenever a repository depends on a package with a known security vulnerability.

GitHub security alerts were first announced last October for developers using Ruby and JavaScript packages, and GitHub says four million vulnerabilities have been identified since the launch, prompting the release of many patches.

While this sounds dramatic, it does not mean that GitHub has found four million new vulnerabilities. Instead, GitHub took the set of Ruby gems and npm JavaScript packages whose vulnerabilities had already been identified and listed in MITRE's Common Vulnerabilities and Exposures (CVE) list.

This list was then compared against the dependency graphs of all public Ruby and JavaScript repositories. The matching turned up four million vulnerable dependencies in over 500,000 repositories, and GitHub displayed an alert to the admins of each affected repository in its dependency graph and on its home page.

In addition to highlighting the dependency that is the source of a potential vulnerability and rating its severity on a four-point scale – Low, Moderate, High, or Critical – GitHub also aims to point the maintainer at a fix.

The GitHub team says:

“Since the launch of security alerts last year, we’ve taken an active role in alerting project maintainers of known-vulnerable libraries in RubyGems for Ruby and npm for Javascript. In almost all cases, there’s a new, patched version of the library we can recommend in the alert.”

The dependency graph is a chart that displays the projects your code depends on and the projects that depend on your code. It can be viewed by clicking Insights under your repository name and then clicking Dependency graph in the left sidebar.

The newly announced Python support means that the same dependency graph and security alerts are now available to Python repositories.

Python projects have to declare their dependencies in a requirements.txt or Pipfile.lock file for the dependency graph to pick them up.
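To make the mechanism concrete, here is an added example (not GitHub's code, and not the page's own) of the matching described above: it reads a requirements.txt and a Pipfile.lock into pinned package versions, compares each pin against a small advisory list, and reports the severity and the patched version to recommend. The advisory list, both manifests and the package names (widgetlib, parsekit, tinyauth, safething) are constructed for this illustration and are not real PyPI projects or real vulnerabilities. It also shows the case GitHub's text glosses over: a requirement given as a range rather than an exact pin cannot be evaluated from the manifest alone.

```python
"""Toy dependency-graph matcher: requirements.txt / Pipfile.lock pins vs. advisories."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory database. Fictional packages, for illustration only.
ADVISORIES = [
    {"package": "widgetlib", "vulnerable": "<2.4.1", "severity": "High", "patched": "2.4.1"},
    {"package": "parsekit", "vulnerable": ">=1.0,<1.3.2", "severity": "Critical", "patched": "1.3.2"},
    {"package": "tinyauth", "vulnerable": "<0.9", "severity": "Low", "patched": "0.9.0"},
]

# GitHub's four-point scale, lowest to highest.
SEVERITY_ORDER = ["Low", "Moderate", "High", "Critical"]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.3.2' into (1, 3, 2); a non-numeric segment ends the key."""
    parts = []
    for seg in text.strip().split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so that '1.3' and '1.3.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec`, e.g. '>=1.0,<1.3.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"(<=|>=|==|<|>)\s*(.+)", clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, bound)
        if not {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "==": a == b}[op]:
            return False
    return True


def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> exact '==' pin; ranges or bare names map to None."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # skip blanks and options such as -r / -e
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def parse_pipfile_lock(text: str) -> Dict[str, Optional[str]]:
    """Pipfile.lock is JSON; entries under 'default' and 'develop' carry 'version': '==x.y.z'."""
    data = json.loads(text)
    pins: Dict[str, Optional[str]] = {}
    for section in ("default", "develop"):
        for name, entry in data.get(section, {}).items():
            ver = entry.get("version", "")
            pins[name.lower()] = ver[2:] if ver.startswith("==") else None
    return pins


def find_alerts(pins: Dict[str, Optional[str]]) -> List[dict]:
    """Compare each pinned dependency against ADVISORIES; most severe first."""
    alerts = []
    for adv in ADVISORIES:
        name = adv["package"]
        if name not in pins:
            continue
        version = pins[name]
        if version is None:
            note = "unpinned; resolve the installed version and re-check"
        elif version_matches(version, adv["vulnerable"]):
            note = f"upgrade to {adv['patched']}"
        else:
            continue
        alerts.append({"package": name, "version": version, "severity": adv["severity"],
                       "patched": adv["patched"], "note": note})
    return sorted(alerts, key=lambda a: SEVERITY_ORDER.index(a["severity"]), reverse=True)


# Constructed sample manifests for the demo run.
SAMPLE_REQUIREMENTS = """\
widgetlib==2.3.0        # vulnerable: below 2.4.1
parsekit==1.3.2         # already at the patched version
tinyauth>=0.8           # a range, not a pin: cannot be evaluated from the file
safething==4.0.0        # no advisory
"""

SAMPLE_PIPFILE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "constructed"}},
    "default": {"parsekit": {"version": "==1.2.0"}, "widgetlib": {"version": "==2.4.1"}},
    "develop": {"tinyauth": {"version": "==0.8.5"}},
})

if __name__ == "__main__":
    for label, pins in (("requirements.txt", parse_requirements(SAMPLE_REQUIREMENTS)),
                        ("Pipfile.lock", parse_pipfile_lock(SAMPLE_PIPFILE_LOCK))):
        print(f"== {label}")
        for a in find_alerts(pins):
            print(f"  [{a['severity']}] {a['package']} {a['version'] or '(unpinned)'}: {a['note']}")
```

The version comparison is deliberately minimal (numeric dot-separated segments only); a real checker should use PEP 440 semantics, which the `packaging` library implements. The point of the example is the shape of the pipeline: manifest in, pinned versions out, pins matched against advisory ranges, and an upgrade target attached to each hit, which is exactly what the alert GitHub shows consists of.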

GitHub says that Python support has launched with a relatively small set of recent vulnerabilities. Over the coming weeks, more historical Python vulnerabilities will be added to the database, so the alerts will become more useful over time.

As new vulnerabilities in Python libraries are discovered, alerts will be sent to the admins of any Python repository whose dependency graph shows it depending on an affected library.
