GitHub's added Python to the list of programming languages it can auto-scan for known vulnerabilities.
Your code is RUBBISH, says GitHub. Good thing we're here to save youREAD MORE
At the time, GitHub claimed those two languages alone yielded “over four million vulnerabilities in 500,000 repositories”, and said alerting the repositories' owners resulted in a 30 per cent fix-rate within a week of detection.
Now, Python developers have the same lack of excuse for fixing flawed code. In this post, GitHub quality engineer Robert Schultheis explained that “a few recent vulnerabilities” are covered in the current version of the scanner.
It's hard to work out which vulnerabilities, if they're public, have spurred GitHub to action. Python generates only light traffic in the Mitre CVE (Common Vulnerabilities and Exposures) database: four entries so far this year, and one of those is disputed.
“Over the coming weeks, we will be adding more historical Python vulnerabilities to our database,” he wrote. “Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”
The Python scanner is enabled by default on public repositories.
Owners of private repositories need to opt into security alerts (in security settings), or by giving the dependency graph access to the repo (in the “Insights” tab). ®