GitHub unveiled this week GitHub Security Lab, a new initiative that aims to improve the security of open source software.
While GitHub Security Lab helps identify and report security vulnerabilities, developers and maintainers can use GitHub to fix, manage and update their projects.
GitHub’s efforts are already funded by several technology companies, who are committed to providing tools, services and incentives, as well as security research, to help secure the open source ecosystem.
The initial partners were F5, Google, HackerOne, Facebook, IOActive, J.P. Morgan, LinkedIn, Microsoft, Mozilla and NCC Group.
As part of the announcement, GitHub said that CodeQL is freely available to security researchers looking to discover open source vulnerabilities.
The tool lets teams perform semantic code analysis, treating code as data that can be queried. Developers can write queries that find every variant of a code pattern that triggers a given application vulnerability.
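To make the "code as data" idea concrete, here is an added illustration that is not part of the original article and is not CodeQL: a miniature variant-analysis query written against Python's standard `ast` module. It parses a constructed sample program (assumed input, not real project code) and reports every call to a shell-executing sink (`os.system`, or `subprocess.*` with `shell=True`) whose command argument is not a string literal, which is the shape of a command-injection variant. The point is that a single query matches string concatenation, f-strings and bare variables alike, instead of grepping for one spelling.

```python
import ast

# Constructed sample program (assumed input, not from the page) containing several
# call-site variants of the same risky pattern, plus safe look-alikes.
SAMPLE_SOURCE = '''
import os
import subprocess

def list_dir(path):
    subprocess.run("ls -l", shell=True)            # literal command: not flagged
    subprocess.run(["ls", "-l", path])             # argument list, no shell: not flagged
    subprocess.call("ls -l " + path, shell=True)   # variant 1: concatenation
    subprocess.Popen(f"ls -l {path}", shell=True)  # variant 2: f-string
    os.system(path)                                # variant 3: bare variable
'''

# Functions that hand a string to a shell when shell=True is set.
SUBPROCESS_SHELL_SINKS = {"run", "call", "check_call", "check_output", "Popen"}


def _qualified_name(func):
    """Return (module, attr) for a call such as subprocess.run, else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id, func.attr
    return None


def _has_shell_true(call):
    """True when the call carries a literal shell=True keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _is_static_string(node):
    """A command expression is considered static only if it is a string literal."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_shell_injection_variants(source):
    """Query: every shell sink whose first argument is built from non-literal data.

    Returns a sorted list of (line number, sink name, AST node type of the argument).
    """
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        qualified = _qualified_name(node.func)
        if qualified is None:
            continue
        module, attr = qualified
        is_sink = (module == "os" and attr == "system") or (
            module == "subprocess" and attr in SUBPROCESS_SHELL_SINKS and _has_shell_true(node)
        )
        if is_sink and not _is_static_string(node.args[0]):
            findings.append((node.lineno, f"{module}.{attr}", type(node.args[0]).__name__))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, sink, arg_kind in find_shell_injection_variants(SAMPLE_SOURCE):
        print(f"line {lineno}: {sink} called with non-literal command ({arg_kind})")
```

Run on the sample, the query reports three distinct variants (concatenation, f-string and bare variable) at lines 8, 9 and 10 while leaving the two safe calls alone; the same query applied to a real codebase is how a researcher would enumerate every instance of a pattern once one instance has been found.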
In addition, the Microsoft-owned company released GitHub Advisory Database, a publicly accessible database of security advisories created on GitHub, which also includes data on packages tracked through the GitHub dependency graph.
Contributors can browse the GitHub Advisory Database, link directly to CVE identification records in comments, and programmatically access the information through the Security Advisory API endpoint.
The company notes that Security Advisories encourage maintainers to collaborate privately with researchers on fixes, to request a CVE directly from GitHub, and to define standardized vulnerability information. When an advisory is ready to be published, GitHub sends notifications to affected projects.
As part of the newly announced program, GitHub gives maintainers and developers the opportunity to work with the project directly, to make sure that bugs only become public once maintainers are ready and that patches and improvements are released easily and quickly.
The framework also provides automatic security updates, which help developers respond quickly to new security vulnerabilities through pull requests that update vulnerable dependencies to patched versions. Automatic security updates are now generally available for all active repositories that have security alerts enabled.
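The following added example, which is not GitHub's or Dependabot's code, shows the data flow behind the two features just described: advisory records with a vulnerable version range and a first patched version (constructed here in the general shape of GitHub Advisory Database entries; the GHSA and CVE identifiers are placeholders, not real advisories) are matched against a pinned `requirements.txt`, and the result is the version bump that an automated security update pull request would propose. The version comparison assumes simple dotted-integer versions and the range syntax `>= a.b.c, < x.y.z`; real advisory data can carry ecosystem-specific version semantics that this toy comparator does not handle.

```python
# Constructed advisory records (placeholder identifiers, not real GHSA or CVE entries),
# shaped like GitHub Advisory Database data: one vulnerable range per record.
ADVISORIES = [
    {
        "ghsa_id": "GHSA-example-0001",        # placeholder
        "cve_id": "CVE-0000-00001",            # placeholder
        "severity": "high",
        "package": "examplelib",
        "vulnerable_version_range": ">= 1.0.0, < 1.4.2",
        "first_patched_version": "1.4.2",
    },
    {
        "ghsa_id": "GHSA-example-0002",        # placeholder, no CVE assigned
        "cve_id": None,
        "severity": "moderate",
        "package": "otherlib",
        "vulnerable_version_range": "< 0.9.0",
        "first_patched_version": "0.9.0",
    },
]

# Constructed dependency manifest for a fictional project.
REQUIREMENTS = """\
examplelib==1.3.0
otherlib==0.9.1
thirdlib==2.0.0
"""


def parse_version(text):
    """Assumption: versions are dotted integers, compared numerically component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, range_spec):
    """Evaluate a comma-separated range such as '>= 1.0.0, < 1.4.2' against a version."""
    value = parse_version(version)
    for clause in range_spec.split(","):
        op, _, bound = clause.strip().partition(" ")
        limit = parse_version(bound)
        satisfied = {
            "<": value < limit, "<=": value <= limit,
            ">": value > limit, ">=": value >= limit, "=": value == limit,
        }[op]
        if not satisfied:
            return False
    return True


def parse_requirements(text):
    """Collect exact pins (name==version); other specifiers are ignored here."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            pins[name.strip().lower()] = version.strip()
    return pins


def plan_security_updates(requirements_text, advisories):
    """Return one planned bump per advisory whose range matches a pinned dependency."""
    pins = parse_requirements(requirements_text)
    plan = []
    for adv in advisories:
        pkg = adv["package"].lower()
        if pkg in pins and in_range(pins[pkg], adv["vulnerable_version_range"]):
            plan.append({
                "package": pkg,
                "from": pins[pkg],
                "to": adv["first_patched_version"],
                "advisory": adv["ghsa_id"],
                "cve": adv["cve_id"],
                "severity": adv["severity"],
            })
    return plan


def render_updated_requirements(requirements_text, plan):
    """Produce the manifest a security-update pull request would contain."""
    bumps = {item["package"]: item["to"] for item in plan}
    lines = []
    for line in requirements_text.splitlines():
        name, sep, _ = line.partition("==")
        key = name.strip().lower()
        lines.append(f"{name}=={bumps[key]}" if sep and key in bumps else line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = plan_security_updates(REQUIREMENTS, ADVISORIES)
    for item in plan:
        print(f"{item['package']}: {item['from']} -> {item['to']} "
              f"({item['advisory']}, cve={item['cve']}, severity={item['severity']})")
    print(render_updated_requirements(REQUIREMENTS, plan), end="")
```

On the constructed input only `examplelib` falls inside an advisory's vulnerable range, so the plan contains a single bump to the first patched version, and `otherlib` at 0.9.1 is correctly left alone because it already sits at or above the patched release.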
Four new partners, namely GoCardless, HashiCorp, Postman and Tencent, have joined GitHub's token scanning program, which searches for hard-coded tokens and credentials from 20 different cloud providers.
In line with GitHub's announcement, and after several years of using CodeQL itself, Mozilla revealed that it is adding a new category to its bug bounty program to encourage security researchers to use the tool.
Mozilla has created special rewards "for static analytical work which finds recent or historical vulnerabilities in Firefox" and says its bounties are not mutually exclusive with GitHub's, so researchers could be paid by both companies if they meet each company's criteria.
CodeQL static analysis queries that uncover newly discovered vulnerabilities are eligible. Queries that match historical issues are also eligible even if they uncover no new vulnerabilities.
In a deal worth $7.5 billion in 2018, Microsoft purchased GitHub.