New dependency review feature offers automated DevSecOps benefits

GitHub has announced improvements to further integrate security directly into the software development workflow.

GitHub Enterprise Server (GHES) version 3.0 (currently shipping as a release candidate) will now have built-in CI/CD and automation, alongside features such as code scanning and secret scanning.

Features of the major upgrade in GitHub’s flagship DevOps platform, due to be available from December 16, were announced during the code repository provider’s ‘Universe’ virtual conference on Tuesday (December 8).

Dark matter

While GitHub’s release of a dark mode had developers chomping at the bit, the forthcoming rollout of a dependency review feature is far more important from a DevSecOps perspective.

The new tool will help developers understand the security impact of newly introduced software dependencies, such as critical open source components, at every pull request.

Vulnerability information about dependencies will be sourced from GitHub’s Advisory Database.

Dependency review is available for all ecosystems that the dependency graph supports, including npm, Maven, Python PIP, RubyGems, Yarn, Composer, and the dotnet CLI.
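To make the described check concrete, the following is an added illustrative example, not GitHub's own implementation: it models dependency review for the Python pip ecosystem by diffing the pinned dependencies of a pull request's base and head branches and flagging newly introduced or upgraded pins that fall inside a known advisory's affected range. The advisory entries, package names, GHSA-style identifiers and manifests are all constructed for the example.

```python
# Added illustrative model of a PR-time dependency review (not GitHub's code).
# Diffs base vs head pins and matches introduced versions against an advisory list.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    package: str
    affected_below: tuple  # versions strictly lower than this are affected
    ghsa_id: str           # placeholder identifier, constructed for this example
    severity: str

# Constructed advisory feed standing in for the GitHub Advisory Database.
ADVISORIES = [
    Advisory("yamlkit", (5, 4), "GHSA-EXAMPLE-0001", "critical"),
    Advisory("httpclient", (2, 20, 0), "GHSA-EXAMPLE-0002", "moderate"),
]

def parse_requirements(text: str) -> dict:
    """Parse 'name==x.y.z' lines into {name: (x, y, z)}; skip comments and blanks."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = tuple(int(p) for p in version.strip().split("."))
    return deps

def review_dependencies(base_text: str, head_text: str) -> list:
    """Return (name, version, advisory id, severity) for pins added or changed in head
    that match an advisory; pins unchanged from base are not this PR's responsibility."""
    base, head = parse_requirements(base_text), parse_requirements(head_text)
    findings = []
    for name, version in head.items():
        if base.get(name) == version:
            continue  # unchanged pin, not introduced by this pull request
        for adv in ADVISORIES:
            if adv.package == name and version < adv.affected_below:
                findings.append((name, ".".join(map(str, version)), adv.ghsa_id, adv.severity))
    return findings

# Constructed sample manifests: the PR adds an affected yamlkit pin and keeps httpclient.
BASE = "httpclient==2.25.1\n"
HEAD = "httpclient==2.25.1\nyamlkit==5.3.1  # added by this PR\n"

if __name__ == "__main__":
    for finding in review_dependencies(BASE, HEAD):
        print("blocked: %s==%s matches %s (%s)" % finding)
```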

GitHub told The Daily Swig: “With dependency review, we’re hoping more developers catch vulnerabilities before they’re introduced to their environment, rather than remediating them after the fact.”

Knowing where to look

In response to a question about the huge telemetry set the dependency review feature will gather, GitHub said a wealth of telemetry data is already available for those who know where to look.

“GitHub aims to make it easier for developers to understand their dependencies and reduce the risks in those dependencies,” a company spokesperson told The Daily Swig.

“The dependency graph already allows a user to understand how their repository relies on open source dependencies today, including information about all dependencies and public downstream dependents.”

The dependency review beta was released to all public repositories and Advanced Security customers on GitHub Enterprise Cloud, with plans to roll it out to other customers over the coming weeks.

Leom Burke, a senior web developer at PortSwigger Web Security, commented: “Since Microsoft bought GitHub they have been working hard to align their own CI/CD [offering] with the GitHub ecosystem, and this looks like another step in that direction.”

“It will be interesting to know how this will compete with something like Azure pipelines or Azure DevOps which is Microsoft's [in-house] CI offering,” he added.

A blog post offers a full rundown of the announcements from GitHub Universe.
