GitHub Dependabot Now Alerts Developers On Vulnerable GitHub Actions

Cloud-based code hosting platform GitHub has announced that it will now start sending Dependabot alerts for vulnerable GitHub Actions to help developers fix security issues in CI/CD workflows.

“When a security vulnerability is reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert to impacted repositories,” GitHub’s Brittany O’Shea and Kate Catlin said.

GitHub Actions is a continuous integration and continuous delivery (CI/CD) solution that enables users to automate the software build, test, and deployment pipeline.

Dependabot is part of the Microsoft-owned company's continued effort to secure the software supply chain: it notifies users when their source code depends on a package with a known security vulnerability and helps keep dependencies up to date.

With the latest change, Dependabot alerts cover the GitHub Actions a repository's workflows use in addition to vulnerabilities in the packages its code depends on. Users who find a vulnerability in an action can also submit an advisory for that specific GitHub Action by following a consistent disclosure process.
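As an added illustration, not part of the original article and not GitHub's own tooling, the script below inventories the `uses:` references in a workflow file, which are the dependencies an advisory on an action would be matched against, and flags repository actions that float on a tag or branch rather than a full commit SHA. The workflow text, the `example-org/deploy-action` action and the 40-character commit hash are constructed for the example; the `matches_advisory` helper only filters by repository name and, unlike a real advisory match, does not consider which versions the advisory marks as affected.

```python
"""Inventory the actions a GitHub Actions workflow depends on.

Constructed example: lists every `uses:` reference in a workflow, records how
each one is pinned, and filters them against the repository an advisory names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A `uses:` step line; the value may be quoted or followed by a comment.
_USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?')
# A full-length commit SHA, the only repository ref that cannot be moved.
_SHA_RE = re.compile(r'[0-9a-f]{40}')


@dataclass
class ActionRef:
    raw: str             # value exactly as written after `uses:`
    kind: str            # 'repository', 'docker' or 'local'
    target: str          # owner/name[/path], docker image, or local path
    ref: Optional[str]   # tag, branch, commit SHA or image digest; None if absent
    pinned: bool         # True only for an immutable commit SHA or image digest

    @property
    def repo(self) -> Optional[str]:
        """owner/name of a repository action: the unit an advisory names."""
        if self.kind != 'repository':
            return None
        return '/'.join(self.target.split('/')[:2])


def parse_uses(value: str) -> ActionRef:
    """Classify one `uses:` value according to the workflow syntax."""
    if value.startswith('./'):
        # Local action checked out with the repository: not a third-party dependency.
        return ActionRef(value, 'local', value, None, False)
    if value.startswith('docker://'):
        image = value[len('docker://'):]
        name, _, digest = image.partition('@')
        return ActionRef(value, 'docker', name, digest or None,
                         digest.startswith('sha256:'))
    target, sep, ref = value.rpartition('@')
    if not sep or '/' not in target:
        raise ValueError(f'malformed repository action reference: {value!r}')
    return ActionRef(value, 'repository', target, ref,
                     _SHA_RE.fullmatch(ref) is not None)


def inventory(workflow_text: str) -> List[ActionRef]:
    """All action references in a workflow file, in order of appearance."""
    refs = []
    for line in workflow_text.splitlines():
        match = _USES_RE.match(line)
        if match:
            refs.append(parse_uses(match.group(1)))
    return refs


def floating(refs: List[ActionRef]) -> List[str]:
    """Repository actions referenced by a tag or branch instead of a commit SHA."""
    return [r.raw for r in refs if r.kind == 'repository' and not r.pinned]


def matches_advisory(refs: List[ActionRef], advisory_repo: str) -> List[str]:
    """References an advisory for `advisory_repo` would apply to.

    Simplification (assumption): filters by repository only and ignores which
    versions the advisory marks as affected.
    """
    return [r.raw for r in refs if r.repo == advisory_repo]


# Constructed workflow; example-org/deploy-action and the commit SHA are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
        with:
          node-version: 18
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.18
      - uses: example-org/deploy-action/scripts/publish@main  # hypothetical
      - run: npm test
"""

if __name__ == '__main__':
    refs = inventory(SAMPLE_WORKFLOW)
    for r in refs:
        print(f'{r.kind:<10} {r.target:<45} ref={r.ref} pinned={r.pinned}')
    print('floating:', floating(refs))
    print('would be alerted for actions/checkout:',
          matches_advisory(refs, 'actions/checkout'))
```

Run it against a real `.github/workflows/*.yml` by replacing `SAMPLE_WORKFLOW` with the file's contents. The line-based matcher deliberately avoids a YAML dependency, so it sees only `uses:` keys written one per line, which is how workflow steps are normally written.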

“Improvements like these strengthen GitHub and our users’ security posture, which is why we continue to invest in tightening connection points between GitHub’s supply chain security solutions and GitHub Actions to improve the security of our builds,” the company noted.

The development arrives as GitHub, earlier this week, opened a request for comments (RFC) on an opt-in system, developed in collaboration with Sigstore, that would let package maintainers sign packages published to NPM and let consumers verify those signatures.

