
GitHub now publishes malware advisories in the GitHub Advisory Database

source link: https://github.blog/2022-06-15-github-now-publishes-malware-advisories-in-the-github-advisory-database/


To combat the prevalence of malware in the open source ecosystem, GitHub now publishes malware occurrences in the GitHub Advisory Database. These advisories power Dependabot alerts and remain forever free and usable by the community.


Mistakes are the most common cause of vulnerabilities in open source software, but they are not the only cause. Bad actors also attempt to introduce malicious software, known as malware, into open source. Details about malware can be hard to keep track of because malware is typically taken down and is not eligible for the usual disclosure process where vulnerabilities are assigned a CVE and placed in the National Vulnerability Database (NVD).

GitHub discovers malware through multiple means such as automated scanning, security research, and community discovery. Starting today, after a malicious package is removed, we will also create an advisory to document the malware in the GitHub Advisory Database.

Dependabot alerts for malware advisories

Malware advisories already power Dependabot alerts for impacted GitHub users. If you already use Dependabot, you’re covered with no additional action. To receive alerts on malware advisories and vulnerabilities, you can enable Dependabot by selecting enable all under the “Code security and analysis” tab.
[Screenshot: the "Code security and analysis" settings tab, with the "Enable all" option for Dependabot]
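As an added illustration (not code from GitHub or from this post), here is how a Dependabot-style matcher would check a dependency manifest against advisories in the OSV JSON layout that GitHub's advisory-database repository publishes. The advisory ids, package names and versions are constructed placeholders, and flagging malware by the presence of CWE-506 is an assumption about how such advisories are tagged.

```python
# Constructed sample advisories in the OSV JSON layout used by the
# github/advisory-database repository; ids, package names and versions
# are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "GHSA-xxxx-xxxx-xxx1",  # malware: package removed, so no "fixed" release
     "affected": [{"package": {"ecosystem": "npm", "name": "example-logger"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.4.0"}]}]}],
     "database_specific": {"cwe_ids": ["CWE-506"]}},
    {"id": "GHSA-xxxx-xxxx-xxx2",  # ordinary vulnerability with a fixed release
     "affected": [{"package": {"ecosystem": "npm", "name": "example-merge"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}]}],
     "database_specific": {"cwe_ids": ["CWE-1321"]}},
]

def _ver(s):  # dotted-numeric sort key; enough for the sample, not full semver
    return tuple(int(p) for p in s.split("."))

def _in_range(version, introduced, fixed):
    # OSV semantics: "introduced" is inclusive ("0" = from the first release),
    # "fixed" is exclusive, and a missing "fixed" means every later version.
    lo_ok = introduced == "0" or _ver(version) >= _ver(introduced)
    return lo_ok and (fixed is None or _ver(version) < _ver(fixed))

def is_affected(advisory, ecosystem, name, version):  # does one advisory cover this package?
    for aff in advisory["affected"]:
        pkg = aff["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in aff.get("ranges", []):
            if rng["type"] != "ECOSYSTEM":
                continue
            lo = None
            for ev in rng["events"]:  # events arrive as introduced/fixed pairs
                if "introduced" in ev:
                    lo = ev["introduced"]
                elif "fixed" in ev and lo is not None:
                    if _in_range(version, lo, ev["fixed"]):
                        return True
                    lo = None
            if lo is not None and _in_range(version, lo, None):  # no fix: open-ended
                return True
    return False

def scan_manifest(advisories, ecosystem, manifest):
    # kind is "malware" when CWE-506 is present (assumed tagging convention)
    hits = []
    for adv in advisories:
        kind = "malware" if "CWE-506" in adv.get("database_specific", {}).get("cwe_ids", []) else "vulnerability"
        for name, version in manifest.items():
            if is_affected(adv, ecosystem, name, version):
                hits.append((adv["id"], name, kind))
    return hits
```

Because a removed malicious package has no "fixed" release, its range stays open-ended and every version from the introduced one onward is flagged, which is why upgrading does not clear such an alert; the package has to be replaced.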

Learn more about GitHub supply chain security solutions

The GitHub Advisory Database publishes security advisories that power GitHub’s supply chain security capabilities, including Dependabot alerts and Dependabot security updates. The data is licensed under a Creative Commons license and has been since the database’s inception, making it forever free and usable by the community. For more information about our supply chain security capabilities, check out the following pages:
