GitHub’s latest security features (opens in new tab)

(github.com)

57 pointsCallicles6y ago16 comments

16 comments

As someone who regularly needs to report security vulnerabilities to projects hosted on Github, I find it incredibly annoying that I can't create one of these 'maintainer advisories' (or just a regular issue that's non-public) as an outsider.

These 'security.md' files would work for me just as well to define a security contact, but I've never come across one of these in the wild... so I end up wasting my time hunting down maintainers and their email addresses, when everyone involved would have a much easier time if it were all handled through Github by allowing everyone to create a (draft) 'maintainer advisory'.

dannykwells6y ago

Lots of title editorializing recently. I wonder what's up. One thing I've always liked about HN is that title editorializing isn't really viewed kindly. So why now?

xvector6y ago

100% agreed, let's not editorialize titles please.

kmfrk6y ago

Makes sense. Fits with adding similar support in Visual Studio at some point. Kind of like Word suggestions, but for code.

ryanburk6y ago

will be interesting to see what they do that goes beyond the acquisition of semmle. it is great to see how quickly they have been able to integrate that work.

matt_LLVW6y ago

Dependabot is really nice. I activated it on my repo and it create a PR with the updated dependency, showing the "crowd sourced" chance it could be integrated safely. Semmle(LGTM) could be useful on a big codebase but for a simple webapp it didn't provide anything interesting.

throwaway57526y ago

It's frustrating to set up OWASP scans over and over again. Anything Github or Gitlab or whomever can do to normalize audits (please, by all means check for CVEs on my dependencies, too) and static analysis, it's great. Make it something I can enable on my PR/MR workflow.

sytse6y ago

Totally agree. With GitLab you can do static and dynamic code analysis, as well as dependency and container scanning on your PR/MR out of the box.

And your security team gets an organization wide overview of the security results as well https://docs.gitlab.com/ee/user/application_security/securit...

gravis6y ago

GitLab offers free security checks for opensource projects (https://about.gitlab.com/blog/2018/06/05/gitlab-ultimate-and...). Enabling these checks is as simple as this one-liner (https://docs.gitlab.com/ee/user/application_security/sast/in...):

include: template: SAST.gitlab-ci.yml

Now do the same with Dependency Scanning, Container Scanning, DAST and License Compliance if needed.

Note that Auto-DevOps enables this automatically.

On a general note, I agree with you, Security should be available out of the box for everyone. I created last month this issue for this purpose, feel free to comment or watch it.

snorrah6y ago

Please forgive my naivety but is this something that would also come to GitHub Enterprise?

peterwwillis6y ago

It's a feature, not a market play. GitHub wants to be a default for all your most basic CI/CD uses, but they're not taking on all of software security. This is a huge market, they're implementing like 1 feature of 1 use case.

mkagenius6y ago

> Automatic token scanning

Nice. I hope we contributed to it in some way: https://news.ycombinator.com/item?id=13667386

sarcasmatwork6y ago

How does this not copy snyk.io?

asdfman1236y ago

Microsoft owns Github now, and their whole MO is copying everyone else's good ideas at an impressive rate and seeing what will stick.

alttab6y ago

It leverages GitHub repositories as it's data and customer base. The integration and network effect means the crowd sourcing works for everyone using GitHub, which is used more thoroughly than snyk.io (which I've never heard of)

rolltiide6y ago

maybe it does, my neighborhood also has multiple groceries stores

j / k navigate · click thread line to collapse