Cloud-based code hosting platform GitHub has announced that it will now start sending Dependabot alerts for vulnerable GitHub Actions to help developers fix security issues in CI/CD workflows.
“When a security vulnerability is reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert to impacted repositories,” GitHub’s Brittany O’Shea and Kate Catlin said.
GitHub Actions is a continuous integration and continuous delivery (CI/CD) solution that allows users to automate the software build, test, and deployment pipeline.
Dependabot is part of the Microsoft-owned subsidiary’s continued efforts to secure the software supply chain by notifying users that their source code depends on a package with a security vulnerability and helping keep all of the dependencies up-to-date.
The latest move entails receiving alerts on GitHub Actions and vulnerabilities impacting developer code, with users also having an option to submit an advisory for a specific GitHub Action by adhering to a consistent disclosure process.
“Improvements like these strengthen GitHub and our users’ security posture, which is why we continue to invest in tightening connection points between GitHub’s supply chain security features and GitHub Actions to improve the security of our builds,” the company noted.
The development arrives as GitHub, earlier this week, opened a new request for comments (RFC) for an opt-in system that allows package maintainers to sign and verify packages published to NPM in collaboration with Sigstore.