When you start creating a repository on GitHub, one of the first things you should think about is security.
If you create your own GitHub repository or contribute to one regularly, you need to know whether the code contains vulnerabilities. Vulnerabilities in repositories have caused real security incidents: two of the best-known of recent years, the Equifax breach and Heartbleed, both came down to exploitable flaws in widely used open source components (Apache Struts and OpenSSL respectively).
In this post we look at four tools you can use to find vulnerabilities in your GitHub repository. Each of the four has its own superpowers, and each has its weaknesses. This article should help you choose the right tool for your open source project.
This article was translated with the support of EDISON Software, which gives practical advice to junior developers, designs software, and writes technical specifications in Russian and English.
GuardRails
GuardRails is a freemium security application available on the GitHub Marketplace. It provides static code analysis and identifies vulnerable dependencies, and it comments on pull requests when it finds vulnerabilities.
The application scans new code as soon as it is pushed, so users can act on a vulnerability almost immediately after it appears, which helps keep the repository and its code out of an attacker's reach. For pull requests, GuardRails comments on each pull request in which it detects a security problem; for branches, the findings are shown on your GuardRails dashboard.
The guiding principle of the GuardRails service is a comprehensive and quick setup: users can integrate GuardRails with all of their repositories in minutes. You can also integrate GuardRails with Slack so that notifications reach you faster.
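As an added illustration of the kind of check described above (example code written for this article, not GuardRails' own code or rule set), the following Python script runs a small AST-based static analysis over a file and turns its findings into pull-request-style comments, restricting them to lines the pull request actually added. That restriction is what lets a scanner comment only on new code rather than on every pre-existing problem in the file. The three rules, the sample source file and the sample unified diff are all constructed for the example.

```python
import ast
import re

# Rules are deliberately minimal and constructed for this example.
SHELL_CALLS = ("subprocess.call", "subprocess.run", "subprocess.Popen",
               "subprocess.check_output")
PICKLE_CALLS = ("pickle.load", "pickle.loads")


def _call_name(func):
    """Return 'name' or 'module.name' for a call target, or '' if it is something else."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class RiskyCallFinder(ast.NodeVisitor):
    """Collect (line, rule, message) for calls the static check flags."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node.func)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "dangerous-eval",
                                  f"{name}() executes arbitrary code"))
        elif name in SHELL_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "shell-injection",
                                          f"{name}(shell=True) hands a string to the shell"))
        elif name in PICKLE_CALLS:
            self.findings.append((node.lineno, "unsafe-deserialization",
                                  f"{name}() can instantiate arbitrary objects"))
        self.generic_visit(node)


def scan_source(source):
    """Static scan of a whole file; returns findings sorted by line."""
    finder = RiskyCallFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


def added_lines(unified_diff):
    """Line numbers in the new file of every '+' line in a unified diff."""
    added, new_line = set(), 0
    for line in unified_diff.splitlines():
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", line)
        if m:
            new_line = int(m.group(1))          # hunk header: reset new-file line counter
        elif line.startswith("+") and not line.startswith("+++"):
            added.add(new_line)                 # added line occupies a new-file line number
            new_line += 1
        elif line.startswith("-"):
            continue                            # removed line: no new-file line number
        elif line.startswith(" ") or line == "":
            new_line += 1                       # unchanged context line
    return added


def review_comments(path, new_source, unified_diff):
    """Pull-request comments: findings restricted to lines the PR added."""
    changed = added_lines(unified_diff)
    return [{"path": path, "line": ln, "body": f"[{rule}] {msg}"}
            for ln, rule, msg in scan_source(new_source) if ln in changed]


# Constructed sample: the file as it looks after the pull request is applied.
SAMPLE_NEW_SOURCE = '''\
import subprocess
import pickle

def old_helper(blob):
    return pickle.loads(blob)          # pre-existing, not in the diff

def run(user_input):
    return subprocess.run("ls " + user_input, shell=True)
'''

# Constructed sample: the unified diff of the pull request (adds lines 6-8).
SAMPLE_DIFF = "\n".join([
    "--- a/app.py",
    "+++ b/app.py",
    "@@ -3,3 +3,6 @@",
    " ",
    " def old_helper(blob):",
    "     return pickle.loads(blob)          # pre-existing, not in the diff",
    "+",
    "+def run(user_input):",
    '+    return subprocess.run("ls " + user_input, shell=True)',
])

if __name__ == "__main__":
    for comment in review_comments("app.py", SAMPLE_NEW_SOURCE, SAMPLE_DIFF):
        print(f"{comment['path']}:{comment['line']}: {comment['body']}")
```

Run as a script it reports only the `shell=True` call on line 8; the pre-existing `pickle.loads` on line 5 is found by the scan but withheld from the review because the diff did not touch it, which is exactly the difference between a dashboard view of a branch and a comment on a pull request.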
WhiteSource Bolt
WhiteSource Bolt lets GitHub users scan their repositories to identify vulnerable open source components in their code. It is provided by WhiteSource, a specialist in open source security, licensing and reporting, which has been on the market since 2011 and can count on a community of more than 2.1 million developers.
The service works like this: every time a push occurs, Bolt scans the repository and opens an issue for each vulnerability it detects. It also opens issues for newly disclosed vulnerabilities in open source components that are already in the code. In addition, it can keep vulnerable components out of the code base by automatically failing pull requests that contain them.
Bolt also gives its users access to WhiteSource's own vulnerability database, which is extensive and widely regarded as one of the most comprehensive in the open source security market. For every vulnerability found you receive details including CVE and CVSS data, suggested fixes, the path to the vulnerable component, and reference links.
Bolt currently supports more than 200 programming languages, including Java, Python, PHP, C#, C++ and others.
LGTM
LGTM is a code analysis app, free for open source projects, that helps users identify potential vulnerabilities in their code and prevent them from getting in in the first place. LGTM draws on data gathered by a security research team that focuses on finding zero-day vulnerabilities. More than 700,000 developers and more than 135,000 open source projects have used LGTM, and that breadth of experience speaks for the quality of the service. The LGTM GitHub app is available on the GitHub Marketplace.
While you work in your repository, LGTM can automatically scan your code, checking for vulnerabilities and CVEs that could appear. With the large community of experienced developers and researchers behind LGTM, you can be confident that its service can do a great deal for the security of your repository. This is simpler than tracking pull requests by hand, and it lets you catch potential vulnerabilities before they enter the code base.
GitHub Security Alerts
GitHub Security Alerts is a free service for owners and members of GitHub repositories that have dependencies. Using GitHub's own dependency graph, users can see when their dependencies contain known vulnerabilities, and GitHub offers suggestions for fixing them. The dependency graph is built from the manifest and lock files checked into the repository, so only dependencies declared there are covered.
When GitHub notifies you of a vulnerability, you receive an alert advising which of your dependencies need to be updated. If a known safe version of the dependency exists, GitHub selects one for you using machine learning and includes it in the recommendation.
For each vulnerability, GitHub tells you which dependency it affects, the range of versions affected, the CVE ID, and any suggested fixes recorded in the vulnerability database.
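To make concrete how a dependency alert such as GitHub's, or a per-vulnerability issue such as WhiteSource Bolt's, is derived from the files in a repository (an added example, not code from GitHub, WhiteSource or the original article), the script below reads exact pins from a requirements.txt and resolved versions from a package-lock.json, matches them against an advisory list by version range, and produces the fields an alert carries: affected package, affected range, identifier and patched version. Its gate() result can be used as a CI exit status to block a pull request, the way Bolt does. The advisory records and both manifests are constructed for the example, and the identifiers use a deliberately fake EXAMPLE- prefix rather than real CVE numbers.

```python
import json
import re

# Constructed advisory database. The ids are placeholders in an obviously
# fake format, not real CVE numbers.
ADVISORIES = [
    {"ecosystem": "pip", "package": "examplelib", "id": "EXAMPLE-0001",
     "affected": "<1.4.2", "fixed": "1.4.2"},
    {"ecosystem": "npm", "package": "example-parser", "id": "EXAMPLE-0002",
     "affected": ">=2.0.0,<2.3.1", "fixed": "2.3.1"},
    {"ecosystem": "npm", "package": "example-parser", "id": "EXAMPLE-0003",
     "affected": "<1.9.0", "fixed": None},   # no patched release known
]

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """'v1.4.2' -> (1, 4, 2). Pre-release suffixes are dropped for simplicity."""
    parts = []
    for piece in text.strip().lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(a, b):
    """Right-pad with zeros so (1, 4) compares as (1, 4, 0) against (1, 4, 2)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version, spec):
    """True if `version` satisfies every comma-separated constraint in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError("bad constraint: " + clause)
        a, b = _pad(v, parse_version(m.group(2)))
        if not _OPS[m.group(1)](a, b):
            return False
    return True


def parse_requirements(text):
    """{name: version} for exact '==' pins in a requirements.txt; other lines are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()         # drop comments
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([\w.]+)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def parse_package_lock(text):
    """{name: version} from the top-level 'dependencies' of a lockfile-v1 package-lock.json."""
    data = json.loads(text)
    return {name: info["version"] for name, info in data.get("dependencies", {}).items()}


def find_alerts(ecosystem, deps):
    """Match resolved dependency versions against the advisories, as a dependency-graph alert does."""
    alerts = []
    for adv in ADVISORIES:
        if adv["ecosystem"] != ecosystem:
            continue
        version = deps.get(adv["package"])
        if version is not None and version_in_range(version, adv["affected"]):
            alerts.append({"package": adv["package"], "version": version, "id": adv["id"],
                           "affected": adv["affected"], "fixed": adv["fixed"]})
    return alerts


def format_alert(alert):
    """One-line alert text: identifier, affected dependency and range, suggested fix."""
    fix = f"upgrade to {alert['fixed']}" if alert["fixed"] else "no patched version known"
    return (f"{alert['id']}: {alert['package']}@{alert['version']} is in affected range "
            f"{alert['affected']} ({fix})")


def gate(alerts):
    """Exit status for a CI gate that blocks the pull request when any alert exists."""
    return 1 if alerts else 0


# Constructed sample manifests.
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0   # vulnerable: below 1.4.2
requests>=2.0       # not an exact pin, skipped
"""
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 1,
    "dependencies": {"example-parser": {"version": "2.1.0"}},
})

if __name__ == "__main__":
    found = (find_alerts("pip", parse_requirements(SAMPLE_REQUIREMENTS))
             + find_alerts("npm", parse_package_lock(SAMPLE_PACKAGE_LOCK)))
    for alert in found:
        print(format_alert(alert))
    raise SystemExit(gate(found))
```

Two design points are worth noting. Only exact pins and lockfile-resolved versions are matched, because a range such as `requests>=2.0` does not identify the version actually installed; a real service resolves the lockfile for the same reason. And the `fixed` field may be empty: an alert for a dependency with no patched release still needs to reach the owner, which is why the formatter handles that case rather than assuming an upgrade path exists.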