GitHub has made private vulnerability reporting generally available for free on public repositories, making it easier for researchers and maintainers to ensure the integrity of the open-source supply chain.
The world’s largest code-sharing and collaboration platform for software developers has been testing the public beta of private vulnerability reporting since November 2022.
To date, maintainers from over 30,000 organisations enabled private vulnerability reporting on more than 180,000 repos and received 1k+ submissions from researchers. Through this enablement and feedback from the community, GitHub has also made a number of feature improvements including multi-repo enablement, new credit types, and increased integration and automation workflows.
“One of the biggest struggles as a researcher has been making initial contact to disclose the vulnerability to the maintainer. Private vulnerability reporting is a massive step forward.”
Jonathan Leitschuh, GitHub Star, GitHub Security Ambassador, and senior open source security researcher for the Open Source Security Foundation (OpenSSF) Project Alpha-Omega
GitHub is a founding member of the OpenSSF and actively participates in the working group for securing software repositories, with the goal of bringing similar capabilities to other platforms and package ecosystems.
Before its general availability, private vulnerability reporting could only be enabled on individual repositories. Now, maintainers can enable private vulnerability reporting on all repositories in their organisation. Maintainers can also now choose how to credit people who find and contribute to fixing vulnerabilities.
Furthermore, a new repository security advisories API supports several new integration and automation workflows.
Maintainers can also pipe private vulnerability reports from GitHub to third-party vulnerability management systems. Security researchers can use the same API to programmatically open a private vulnerability report on multiple repositories, a time-saving convenience when several packages share a common vulnerability.
Anyone can keep a close eye on critical repositories by scheduling automatic pings for notifications of new vulnerability reports.
npm package provenance
Additionally, GitHub announced npm package provenance, meaning developers building npm projects on GitHub Actions can now publish provenance alongside their packages, giving consumers a verifiable way to link a package back to its source repository and build instructions.
As home to the largest package registry in the world, GitHub is continually looking at security improvements to keep the npm ecosystem healthy. Part of that responsibility is to help build trust in open-source projects, and GitHub wants to give developers the tools they need to ensure the integrity of their software supply chain. With npm package provenance, GitHub’s goal is to bring the same level of transparency the ecosystem already has for the open-source code itself to the process by which that code is built and published.
With the move to make npm package provenance generally available, GitHub is working on a number of additional improvements:
● Adopting version 1.0 of the SLSA provenance specification.
● Working with other cloud CI/CD providers to add support for provenance signing.
● Verifying the expected source repository and commit exist.
● New tools to manage access between your CI/CD environment and the npm registry.