Over Four Million Vulnerabilities Detected by GitHub Security

GitHub security alerts significantly reduced the time it takes for developers to remove vulnerabilities from their Ruby and JavaScript projects, says GitHub.

GitHub’s security alerts notify repository admins when library vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list are detected in their repositories. CVE is a list of entries—each containing identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. This gives administrators a precious “heads up” to react promptly and fix the vulnerability by removing the vulnerable dependency or moving to a secure version.

According to GitHub, nearly half of all displayed alerts are responded to within a week and the rate of vulnerabilities resolved in the first seven days has been about 30%. However, when that statistics is restricted to only repositories with recent contributions, i.e., contributions in the last 90 days, things look even brighter, GitHub says, with 98% of such repositories being patched in fewer than seven days. Overall, more than four million vulnerabilities in over 500,000 repositories have been reported.

All public repositories are scanned for vulnerabilities, while only private repositories with their dependency graph enabled are scanned. For every the vulnerability is found, the repo admin is presented not only with general information about the issue, but also with its severity level and resolution steps. If safe version of a given dependency is not known, GitHub will attempt to recommend a similar, safe dependency to use in place of the unsafe one.

Security notifications can be delivered in several ways: displaying an alert, among other notifications, or via email. In addition to being sent an email each time the vulnerability is found, GitHub has recently introduced a weekly digest email which includes a summary of up to 10 repositories vulnerability alerts.

As mentioned, security alerts are only currently supported for repositories written in Ruby or JavaScript, while support for Python is planned for 2018.