This article is more than 1 year old

GitHub debuts pedigree check for npm packages via Actions

Publishing provenance possibly prevents problems

Developers who use GitHub Actions to build software packages for the npm registry can now add a command flag that will publish details about the code's origin.

This feature is intended to further enhance the security of the open source software supply chain, which has become a common target for cyberattacks.

GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform, which provides a way to automate arcane command line input and software builds. It's often used by software developers to mechanize the build process for packages distributed through the company's npm registry, which hosts more than two million of these modular libraries.

Some of the packages inside may be malicious, so GitHub is offering a way to add more visibility into how packages came to be.

"Starting today, when you build your npm projects on GitHub Actions, you can publish provenance alongside your package by including the --provenance flag," explain software engineers Brian DeHamer and Philip Harrison in a blog post provided to The Register.

"This provenance data gives consumers a verifiable way to link a package back to its source repository and the specific build instructions used to publish it."

Provenance statements are not much to look at. They're based on the Supply chain Levels for Software Artifacts, or SLSA, specification, which Google developed internally and released two years ago.

The SLSA provenance schema consists of a subject (an npm package), details about specific input materials (a source repo and commit SHA hash), and specific build steps articulated in the build configuration file. The reason for publishing this information is to provide a verifiable record of the steps that created a particular software artifact.

"In order to increase the level of trust you have in the npm packages you download from the registry you must have visibility into the process by which the source was translated into the published artifact," write DeHamer and Harrison.

Package signing involves a key managed by the maintainer, but GitHub's provenance attestation is tied to GitHub Actions. The identity of the CI environment and the job token are used to create a cryptographic signature that attests to the authenticity of the data in the provenance statement.

That statement, in summary form, then gets appended to npm package listings, in conjunction with Sigstore's Fulcio Certificate Authority and Rekor services. Thereafter, developers using npm can better understand how that package was created.

Separately, GitHub is making private vulnerability reporting, introduced last November in public beta at GitHub Universe 2022, generally available.

Available under Settings > Code Security and Analysis, private vulnerability reporting does exactly what its name suggests. It provides a way to let project maintainers know about bugs without letting the public know. The option can now be enabled for all of an organization's repos at once, rather than on a per-repo basis, which was a limitation during the beta period.

GitHub has also added a repository security advisories API to support various integration and automation workflows (eg, passing data to third-party vulnerability management systems). ®

More about


Send us news

Other stories you might like