GitHub can now block and alert you to pull requests that introduce new dependencies impacted by known supply chain vulnerabilities.
This is achieved by adding the new Dependency Review GitHub action to an existing workflow in one of your projects. You can do this through the Actions tab of your repository under Security or directly from GitHub Marketplace.
It works using an API endpoint that will help you understand the security impact of dependency changes before adding them to your repository with each pull request.
“GitHub Action automates finding and blocking vulnerabilities that are currently only shown in the rich diff of a pull request,” said Courtney Claessens, senior product manager at GitHub.
It works by analyzing pull requests for dependency changes against the GitHub advisory database (a collection of CVEs and advisories detailing security vulnerabilities in open source software) to see if any new dependencies introduce vulnerabilities.
“If they do, the action will throw an error so you can see which dependency has a vulnerability and implement the fix with the contextual intelligence provided,” Claessens added.
The dependency review is designed to provide information about:
- What dependencies were added, removed, or updated, and release dates
- How many projects use these components
- Vulnerability data for these dependencies
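To make the review logic described above concrete, here is an added example (not GitHub's code and not the action's own source) that applies the same decision locally: group the dependency changes of a pull request into added, removed and updated packages, then fail when a newly added package carries an advisory at or above a chosen severity. It assumes the per-dependency record shape returned by GitHub's dependency-graph compare endpoint (`change_type`, `ecosystem`, `name`, `version`, `vulnerabilities` with `severity` and `advisory_ghsa_id`); those field names are an assumption, and the payload below is constructed for the example with a placeholder advisory id. In a real workflow the action performs this comparison itself; the script only shows what its pass/fail outcome is based on.

```python
"""Minimal re-implementation of the gate the Dependency Review action applies.

Added example, not GitHub's code. The input mirrors what one would get from
GET /repos/{owner}/{repo}/dependency-graph/compare/{base}...{head}: one record
per dependency change. Field names are assumed, and SAMPLE_DIFF is constructed.
"""
import sys

# Severity ordering used for the failure threshold (GitHub's four levels).
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed sample payload: a PR that bumps left-pad, adds a pip package with
# a known advisory (placeholder GHSA id), and drops an unused tool.
SAMPLE_DIFF = [
    {"change_type": "removed", "manifest": "package-lock.json", "ecosystem": "npm",
     "name": "left-pad", "version": "1.1.3", "vulnerabilities": []},
    {"change_type": "added", "manifest": "package-lock.json", "ecosystem": "npm",
     "name": "left-pad", "version": "1.3.0", "vulnerabilities": []},
    {"change_type": "added", "manifest": "requirements.txt", "ecosystem": "pip",
     "name": "example-lib", "version": "0.9.0",
     "vulnerabilities": [
         {"severity": "high", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxxx",
          "advisory_summary": "placeholder advisory for this example"}]},
    {"change_type": "removed", "manifest": "requirements.txt", "ecosystem": "pip",
     "name": "old-tool", "version": "2.0.0", "vulnerabilities": []},
]


def classify_changes(diff):
    """Group records into added / removed / updated, the three categories the
    dependency review reports. A package that appears as a removed old version
    and an added new version (same ecosystem and name) counts as updated.
    If a package shows up several times per change type, the last record wins."""
    removed, added = {}, {}
    for rec in diff:
        key = (rec["ecosystem"], rec["name"])
        if rec["change_type"] == "removed":
            removed[key] = rec
        elif rec["change_type"] == "added":
            added[key] = rec
    updated = {k: (removed[k]["version"], added[k]["version"])
               for k in added if k in removed}
    return {
        "added": sorted(f"{k[1]}@{added[k]['version']}" for k in added if k not in removed),
        "removed": sorted(f"{k[1]}@{removed[k]['version']}" for k in removed if k not in added),
        "updated": sorted(f"{k[1]} {old} -> {new}" for k, (old, new) in updated.items()),
    }


def vulnerable_introductions(diff, fail_on="low"):
    """Return (name, version, severity, advisory id) for every dependency the PR
    *adds* whose advisory reaches the threshold. Removed records are ignored:
    a vulnerability leaving the tree is not an introduction."""
    threshold = SEVERITY_RANK[fail_on]
    hits = []
    for rec in diff:
        if rec["change_type"] != "added":
            continue
        for vuln in rec.get("vulnerabilities", []):
            sev = vuln["severity"].lower()
            if SEVERITY_RANK.get(sev, 0) >= threshold:
                hits.append((rec["name"], rec["version"], sev, vuln["advisory_ghsa_id"]))
    return hits


def review(diff, fail_on="low"):
    """Return (passed, report_lines). passed is False when any introduced
    dependency reaches the threshold, which is the condition the action turns
    into a failing check on the pull request."""
    changes = classify_changes(diff)
    hits = vulnerable_introductions(diff, fail_on)
    lines = [f"{kind}: {', '.join(items) or '(none)'}" for kind, items in changes.items()]
    for name, version, sev, ghsa in hits:
        lines.append(f"BLOCK {name}@{version}: {sev} severity advisory {ghsa}")
    return (not hits, lines)


if __name__ == "__main__":
    passed, report = review(SAMPLE_DIFF, fail_on="moderate")
    print("\n".join(report))
    sys.exit(0 if passed else 1)
```

Run as a script it prints the three change categories plus one BLOCK line for the constructed pip package and exits non-zero, mirroring a failed check; raising `fail_on` to `critical` lets the same diff pass, which is the trade-off a team makes when tuning the action's severity threshold.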
“By checking dependency revisions in a pull request and editing any dependencies flagged as vulnerable, you can prevent vulnerabilities from being added to your project,” says GitHub.
“Dependabot alerts will find vulnerabilities that are already in your dependencies, but it’s better to avoid introducing potential issues than to fix issues later.”
The Dependency Review action is currently in public beta and is available for all public repositories and for private repositories owned by organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security.
You can find more information about how dependency review works here. GitHub also provides detailed installation steps on GitHub Marketplace.
GitHub also announced on Monday that it has extended the secrets scanning capabilities of its code hosting platform for GitHub Advanced Security customers to prevent accidental exposure of credentials before committing code to remote repositories.