
GitHub warns developers about vulnerabilities in their projects.



The developer platform GitHub has launched a feature called Dependency Graph, which alerts developers when their code contains known vulnerabilities. The system analyzes the dependencies and modules used in a project and displays information about the security flaws they contain. The initiative aims to improve the security of open source projects.

Currently, only the programming languages JavaScript and Ruby are supported, but GitHub promises to add Python support soon.
Project administrators on GitHub will receive the automatic notifications and can then pass them on to individual teams or specific developers. The alert text will contain the name of the vulnerable dependency and a recommendation for updating it. The alert mechanism uses machine learning technology.


Alerts will focus mainly on vulnerabilities that have been assigned CVE identifiers; however, according to GitHub representatives, in some cases data on publicly disclosed vulnerabilities without an assigned CVE will also be displayed.
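To make concrete what such a dependency alert involves, here is an added example (not GitHub's own code) that audits a JavaScript project's locked dependency versions against a small advisory list and produces alerts of the kind described above: dependency name, matched advisory, and an update recommendation. The dependency versions, advisory entries and CVE identifiers are constructed placeholders, and the example assumes exact lockfile-style versions rather than semver ranges.

```javascript
// Constructed lockfile contents: dependency name -> installed version.
const installed = {
  "left-pad-demo": "1.1.3",
  "json-parser-demo": "2.0.0",
  "safe-lib-demo": "3.4.1",
};

// Constructed advisory database (placeholder ids, not real CVEs).
// A version is affected if it lies in the range [introduced, fixed);
// anything at or above `fixed` already contains the patch.
const advisories = [
  { name: "left-pad-demo", introduced: "1.0.0", fixed: "1.1.4", id: "CVE-XXXX-0001 (placeholder)" },
  { name: "json-parser-demo", introduced: "2.0.0", fixed: "2.0.2", id: "CVE-XXXX-0002 (placeholder)" },
  { name: "safe-lib-demo", introduced: "3.0.0", fixed: "3.4.0", id: "CVE-XXXX-0003 (placeholder)" },
];

// Compare two "major.minor.patch" strings numerically: returns -1, 0 or 1.
// A plain string comparison would wrongly rank "1.10.0" below "1.9.9".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return one alert per installed dependency that falls inside an affected range.
// Each alert carries what the article says the notification contains:
// the dependency name plus a concrete update recommendation.
function auditDependencies(deps, db) {
  const alerts = [];
  for (const adv of db) {
    const version = deps[adv.name];
    if (version === undefined) continue; // dependency not used by this project
    const affected = compareVersions(version, adv.introduced) >= 0 &&
                     compareVersions(version, adv.fixed) < 0;
    if (affected) {
      alerts.push({
        name: adv.name,
        installed: version,
        advisory: adv.id,
        recommendation: `update ${adv.name} to ${adv.fixed} or later`,
      });
    }
  }
  return alerts;
}

console.log(auditDependencies(installed, advisories));
```

Running it reports the two dependencies below their fixed versions and stays silent on the one that is already patched.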

There are other tools for identifying vulnerabilities in software products. For example, the free cloud scanner PT BlackBox Scanner finds security bugs on websites. Source code analyzers are also effective for vulnerability analysis: PT Application Inspector, for example, works with many platforms and languages, including PHP, Java, .NET, HTML and SQL, and covers all types of application vulnerabilities, including SQLi, XSS and XXE.

Source: https://habr.com/ru/post/342886/

