GitHub Adds Dependency Supply Chain Vulnerability Alert

GitHub has implemented a feature that can block and alert users to requests that introduce new dependencies affected by known supply chain vulnerabilities.

This can be accomplished by adding a Dependency Review GitHub Action to the project’s existing workflow. This can be done from the repository’s Actions tab under Security or directly from the GitHub Marketplace.

This is useful for understanding the security implications of dependency changes before adding them to the repository on a per-request basis.

GitHub Action automates the discovery and blocking of vulnerabilities that currently only appear in rich diffs of pull requests.

This is done by scanning pull requests for dependency changes against the GitHub Advisory Database (a collection of CVEs and advisories detailing security flaws in open source software) to see if the new dependency introduces vulnerabilities Function.

If so, the action raises an error to see which dependencies are vulnerable so that a fix can be implemented with the contextual intelligence provided

The Dependency Review action is currently in public beta and belongs to all public repositories and organizations that license GitHub Advanced Security and use the GitHub Enterprise Cloud. Available in private repositories.

More information on how Dependency Review works can be found on the official page.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request

Leave a Reply

Your email address will not be published.