GitHub Intros Dependency Graphs, Security Alerts Coming Soon

GitHub is boosting the security capabilities of its software development platform, introducing a new open source project dependency graphs and promising alerts when bad actors show up in those graphs.

The 10-year-old home of most open source software development projects used its GitHub Universe conference to make the announcements in a time when new security disasters are unveiled almost weekly.

"There are millions of open source projects on GitHub," the company said in a blog post yesterday. "If you build software, your code likely depends on at least one of those projects. Now, our data can help you manage increasingly complex dependencies and keep your code safer as you work on connected projects -- even for private repositories."

The dependency graphs list all the packages that a source code repository uses, though functionality currently is limited to Ruby and JavaScript, with Python support on tap.

Just seeing a dependency graph provides little security information, though, so GitHub is promising the upcoming ability to receive alerts about projects associated with public security vulnerabilities. Along with these notifications, the company plans to suggest fixes for these vulnerabilities, if they're available from the community.

Security Alerts in Action
[Click on image for larger, animated GIF view.] Security Alerts in Action (source: GitHub)

"Security alerts are the first in what we hope will be a robust collection of tools to keep your code safe, and we need people who build on our APIs to help us make them even better -- and to keep security data current for the community," said GitHub.

The company also announced two non-security initiatives: news feeds and a redesigned Explore experience for connecting to curated collections, topics and other resources on the platform.

Developers can see a new "Discover repositories" feed on their dashboards, recommending open source projects to explore that are customized based on followers, the repositories to which they awarded stars and popular projects.

The redesigned Explore feature allows for further discoverability of resources tailored for individual developers, letting them check out collections -- hand-picked resources from the platform and elsewhere -- and topic pages, which list projects related to tags for technologies, languages, frameworks or platforms.

Yet more changes in store include new Premium Support for GitHub Enterprise, along with an upcoming Community Forum, Marketplace trial program and team discussion tool.

Interested developers can read more about all these changes and more in this update page.

About the Author

David Ramel is an editor and writer for Converge360.