Cloud-based code hosting platform GitHub has announced that it
will now start sending Dependabot alerts for vulnerable GitHub
Actions to help developers fix security issues in CI/CD
workflows.
“When a security vulnerability is reported in an action, our
team of security researchers will create an advisory to document
the vulnerability, which will trigger an alert to impacted
repositories,” GitHub’s Brittany O’Shea and Kate Catlin said[1].
GitHub Actions[2]
is a continuous integration and continuous delivery (CI/CD)
solution that enables users to automate the software build, test,
and deployment pipeline.
Dependabot[3]
is part of the Microsoft-owned subsidiary’s continued efforts to
secure the software supply chain[4]
by notifying[5]
users that their source code depends on a package with a security
vulnerability and by helping keep all the dependencies up to date.
The latest move means developers receive alerts for GitHub Actions
vulnerabilities impacting their code, and users also have the
option to submit an advisory for a specific GitHub Action by
adhering to a consistent disclosure process.
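The advisory-driven alerts the post describes need no workflow changes, but the routine "keep dependencies up to date" side of Dependabot does require a configuration file. The `dependabot.yml` below is an added example, not from the announcement or GitHub's own documentation: it opts a repository into Dependabot version updates for the actions its workflows reference, so a pinned action gets an update pull request when a newer release appears. The keys are Dependabot's documented configuration format; the weekly schedule, PR limit and labels are choices made here, not requirements.

```yaml
# .github/dependabot.yml (added example; values below are illustrative choices)
version: 2
updates:
  # The "github-actions" ecosystem covers every action referenced by a
  # "uses:" line in .github/workflows/*.yml. Dependabot expects the
  # directory to be the repository root for this ecosystem; it locates
  # the workflow files itself.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap open PRs so a burst of action releases does not flood reviewers.
    open-pull-requests-limit: 10
    # Labels make it easy to route and audit action bumps separately
    # from application-dependency bumps.
    labels:
      - "dependencies"
      - "github-actions"
    commit-message:
      prefix: "ci"
```

Actions pinned to a full commit SHA with a trailing `# vX.Y.Z` comment are updated the same way as tag-pinned ones, which lets a repository keep immutable pins without falling behind on fixes.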
“Improvements like these strengthen GitHub and our users’
security posture, which is why we continue to invest in tightening
connection points between GitHub’s supply chain security solutions
and GitHub Actions to improve the security of our builds,” the
company noted.
The development arrives as GitHub, earlier this week, opened[6]
a new request for comments (RFC) for an opt-in system that enables
package maintainers to sign and verify packages published to NPM in
collaboration with Sigstore.
References
1. said (github.blog)
2. GitHub Actions (github.com)
3. Dependabot (github.com)
4. software supply chain (github.com)
5. notifying (docs.github.com)
6. opened (thehackernews.com)
Read more https://thehackernews.com/2022/08/github-dependabot-now-alerts-developers.html