This article is more than 1 year old

Your code is RUBBISH, says GitHub. Good thing we're here to save you

Dependency scanner turned up 4m vulns from Oct-Dec 2017

Last year, GitHub added security scanning to its dependency graph – and this month flicked the lid off a can absolutely crawling with bugs.

The code-sharing site kicked off vulnerability scanning in late 2017, focussing on known Ruby and Javascript library vulnerabilities designated CVE numbers by MITRE.

GitHub ran the libraries through its dependency graph, announced last year, to highlight libraries with un-patched CVE holes.

When a vulnerable library was identified as a project dependency, the system raised an alert to said project's admin in their dependency graphs and repository home pages.

GitHub announced on Wednesday the first run of the security checker turned up “over four million vulnerabilities in over 500,000 repositories.”

On that first pass, GitHub's post said, 450,000 of the vulns were resolved by December 1, 2017. In the months since then, “our rate of vulnerabilities resolved in the first seven days of detection has been about 30 per cent. Additionally, 15 per cent of alerts are dismissed within seven days.”

More active projects get patched quicker, but that's not quantified in the post. GitHub's post noted that the seven-day fix metric was met by “for almost all repositories with recent contributions”.

If you're the admin of a GitHub account and want to add security alerts to your repository, the instructions explaining how to do so are here. ®

More about


Send us news

Other stories you might like