With 'Security Lab', GitHub Wants To 'Secure The Open Source Software We All Depend On'

Security Lab

No product is perfect. Minimizing flaws in open-source software is the reason GitHub launched Security Lab.

The initiative is meant to "bring together security researchers, maintainers, and companies across the industry who share our belief that the security of open source is important for everyone," the Microsoft-owned code repository platform said in a blog post.

And that is to "inspire and enable the community to secure the open source software we all depend on."

As part of the announcement, GitHub Security Lab is making CodeQL, a tool research teams can use to perform semantic analysis of code, freely available to anyone.

"Securing the world’s open source software is a daunting task," said GitHub.

From popular programming languages like Python and Ruby, to machine learning frameworks like TensorFlow, to JavaScript and many others, GitHub is at the center of the software ecosystem that forms the base of the modern web.

With Security Lab, GitHub’s initiative addresses the whole open source security lifecycle.

In practice, this means GitHub Security Lab wants to help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version.

According to GitHub, the team has already had over 100 CVEs issued for security vulnerabilities.

Joining the company in this initiative are professionals from various tech companies, including F5, Google, HackerOne, Intel, IOActive, J.P. Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber, and VMware.

GitHub - Security Lab

Alongside Security Lab, GitHub is also:

  • Improving the open source security workflow to help ensure new vulnerabilities are only disclosed when maintainers are ready.
  • Introducing GitHub Advisory Database, a public database of advisories created on GitHub, with data curated and mapped to packages tracked by the GitHub dependency graph.
  • Introducing automated security updates delivered as pull requests.
  • Introducing token scanning, in which GitHub scans for token formats from 20 different cloud providers.

The initiatives come not long after GitHub released its own native mobile app for iOS and introduced an improved code search and notifications experience, and shortly after GitHub acquired Pull Panda to beef up its portfolio of code review tools and give developers an infrastructure for creating secure software that follows best software practices.

Put together, these moves should make GitHub the most comprehensive platform for handling every aspect of the software development workflow.

Published: 15/11/2019