Microsoft’s GitHub adds dependency review to new code submitted from programmers

Microsoft subsidiary GitHub will warn programmers about vulnerable dependencies at every pull request, the source code sharing hub announced at its GitHub Universe conference Tuesday.

Modern software is typically a patchwork of third-party and newly written code. That third-party code is often dependent on even more third-party code. It can take a while for every link in a chain to even notice a problem, let alone repair it.

GitHub's new offering merges the existing dependency graph and notifications about vulnerabilities within dependencies into an advance warning that a problem may already exist.

"The longest delay when it comes to mitigating vulnerabilities is discovering vulnerabilities," Maya Kaczorowski, senior director of product management at GitHub, told SC Media. "It was great for us to be helping you after the fact, but a lot of our focus now is shifting left — letting developers detect vulnerabilities earlier on."

Kaczorowski notes that in GitHub's experience, slight automation changes have had real effects on the speed at which problems are noticed and fixed. She hopes that will happen again here.

Vulnerabilities in dependencies is a long held, industry-wide problem.

"More of the code in software is assembled than written from scratch today," said Chris Wysopal, co-founder and chief technology officer of the software vulnerability scanning service Veracode. "Veracode finds over 70 percent of applications come from open source packages. This means risk is shifting more toward dependencies, and developers need a quick and easy way of determining if they are using a vulnerable component. There is no better place to do this detection than in the developers’ workflow, where they have the ability to easily fix the problem."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.