The “private vulnerability reporting” feature announced at GitHub Universe 2022 lets open-source maintainers receive vulnerability reports privately from the community. Maintainers can receive reports and collaborate with security researchers and other reporters to patch vulnerabilities before they become public.
Code Security in Beta
The new GitHub feature is available in beta and is therefore subject to change. Developers can try it now from their repository settings, in the “Code security and analysis” section.
The complete documentation is already available and indicates that “Anyone with admin permissions to a public repository can enable and disable private vulnerability reporting for the repository.”
Once it is enabled, the repository gets a new button for reporting a vulnerability on its Security Advisories page.
A Step Forward for Supply Chain Security
The new feature could be a big step toward better security for the software supply chain, since security researchers often struggle to find the right channel to reach the maintainers when they spot a vulnerability.
This often means extra OSINT work to find the right social profile to contact or, worse, a public GitHub issue that discloses the vulnerability to everyone. According to GitHub, maintainers get a more consistent experience: a single private channel for receiving reports and collaborating with security researchers on a fix.
This should limit the risk of “being contacted publicly, or via undesired means.” Perhaps most importantly, the vulnerability is “less likely to be in the public eye,” which is critical while a fix is being prepared.
The other expected security features are:
- CodeQL code scanning support for the Ruby language is now generally available
- better coverage/security overviews across multiple repositories for organizations
GitHub also recommends that dev teams monitor repositories for anomalous activity and bad practices, highlighting features such as secret scanning, which spots leaked credentials, and Dependabot, which helps teams manage security updates.
In addition, developers are strongly encouraged to do the following:
- audit the code regularly (e.g., with built-in scanning such as CodeQL)
- enforce 2FA for all org members
- enforce reviews
- restrict collaboration permissions (least privilege principle)
- enable Dependabot for security updates
- harden GitHub Actions workflows against script injection: GitHub substitutes “${{ }}” expressions into a “run:” script as plain strings before the shell executes it, so untrusted input such as an issue title or pull request body interpolated directly into the script can inject shell commands. Pass such values through an intermediate environment variable (an “env:” entry on the step) and reference it as “$VAR” inside the script instead of interpolating the expression, and validate the input where possible
- revoke unused secrets and tokens
- remove unused dependencies
- avoid secrets whenever possible
- leverage “the continuous improvement approach,” as dev teams can’t be perfect
- share the security responsibility
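To make the Actions injection item concrete, here is an added example (not code from GitHub’s documentation or from this article) that emulates in a POSIX shell script what the runner does with a “run:” step. The malicious issue title is constructed for the demonstration; the workflow snippets in the comments show the vulnerable and hardened step definitions the two functions stand in for. The real runner uses bash by default; the emulation uses “sh -c”, and the splice behaves the same way.

```shell
#!/bin/sh
# Added example: emulates how an untrusted value reaches a GitHub Actions
# "run:" step, first the vulnerable way, then the hardened way.
# The title below is a constructed attacker-controlled value standing in for
# github.event.issue.title on a public repository where anyone can open an issue.
MALICIOUS_TITLE='harmless title"; echo INJECTED; echo "'

# Vulnerable pattern:
#   - run: echo "Title: ${{ github.event.issue.title }}"
# GitHub replaces the ${{ }} expression with the raw string *before* the
# script reaches the shell, so quotes and ';' inside the title become shell
# syntax. This function reproduces that textual splice and then runs the
# resulting script text.
vulnerable_step() {
  title="$1"
  script="echo \"Title: ${title}\""
  sh -c "$script"
}

# Hardened pattern:
#   - env:
#       TITLE: ${{ github.event.issue.title }}
#     run: echo "Title: $TITLE"
# The expression is expanded into an environment variable instead. The script
# text the shell parses is now fixed, and "$TITLE" is expanded as data, never
# as code.
safe_step() {
  title="$1"
  TITLE="$title" sh -c 'echo "Title: $TITLE"'
}

# Reads a step's output on stdin; returns 0 if a line consisting solely of
# INJECTED appeared, i.e. the attacker's command actually executed.
ran_injected() {
  grep -qx 'INJECTED'
}

# Stand-alone demonstration of both steps with the constructed title.
echo "--- vulnerable step ---"
vulnerable_step "$MALICIOUS_TITLE"
echo "--- hardened step ---"
safe_step "$MALICIOUS_TITLE"
```

Run the script and compare the two sections: the vulnerable step prints a separate INJECTED line because the spliced title terminated the echo command and started a new one, while the hardened step prints the whole title, quotes and semicolons included, as a single line of data.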
GitHub is clearly sending a message to developers and security professionals, inviting them to collaborate with better tools and procedures that should reduce misunderstandings and help fix the currently broken software supply chain.
These announcements seem to point in the right direction and follow several major initiatives this year to secure the software supply chain, which has been the source of major cyber attacks such as SolarWinds and Kaseya.