You can now programmatically view and act on repository advisories via a new REST API. New endpoints to create, view, list, and update advisories are available to all. Additionally, new webhooks have been introduced that will alert maintainers when advisories are published or when a private vulnerability report is submitted.
Current advisory permissions extend to API usage.
You can now designate different types of credits to users who contribute to GitHub security advisories.
These new credit types mirror those in the CVE 5.0 schema:
finderreporteranalystcoordinatorremediation developerremediation reviewerremediation verifiertoolsponsorotherGoing forward, GitHub will automatically apply the the reporter credit type to anyone credited after submitting a private vulnerability report and the analyst type to anyone credited after submitting an edit to the global Advisory Database. We've also retroactively applied those labels to previously credited individuals who took those actions.
Further reading:
Organization admins and security managers can now enable private vulnerability reporting for all public repositories within an organization at once.
With this enhancement, you no longer have to enable the feature for each repository individually.
Find this option under your organization's "Settings" tab under "Code security and analysis".
We've recently released a few minor user experience improvements for our GitHub Security Advisory form:
Further reading:
Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.
The dependency graph supports detecting pubspec.lock and pubspec.yaml files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.
The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.
Learn more about:
In February 2022, we launched a new feature called community contributions to security advisories. We've continued to iterate on this feature, and recently released more improvements:
Further reading:
The GitHub Advisory Database now includes curated security advisories for vulnerabilities on GitHub Actions. This brings the Advisory Database to ten supported ecosystems, including: Composer, Go, Hex, Maven, npm, NuGet, pip, RubyGems and Rust.
If you have a dependency on any vulnerable GitHub Actions, GitHub will send Dependabot alerts over the coming days.
On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database and will send malware alerts through Dependabot. Since shipping this change, we have received feedback that some organizations have been impacted with Dependabot alerts from these malware advisories that may be false positives.
GitHub has conducted a rapid root cause investigation and found that the majority of those alerts in question were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, in the hope a malicious version would be consumed. Dependabot doesn’t look at project configuration to determine if the packages are coming from a private registry, so it has been triggering an alert for packages with the same name from the public npm registry. While this does mean that your package was the target of a substitution attack it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.
While we work to determine how to best notify customers of being the target of a substitution attack, we will be pausing all Dependabot notifications on malware advisories. For non-Enterprise-Server users, Malware advisories will still exist in the Advisory Database and send alerts on npm audit. We are not making any changes to existing alerts on github.com at this time.
For GitHub Enterprise Server users, who were the most impacted, no new advisories will come through GitHub Connect. If you are struggling with too many alerts, please reach out to support and we can share a script for you to run that will delete all malware advisories and alerts.
The GitHub Advisory Database now includes curated security advisories on Erlang [Hex], Elixir, and more. This brings the Advisory Database to nine supported ecosystems, including: Composer, Go, Maven, npm, NuGet, pip, RubyGems and Rust.
Support for this ecosystem in the dependency graph and Dependabot alerts will be available in the future.
GitHub's Advisory Database now supports listing malware advisories. You can see them by searching "type:malware" on https://github.com/advisories.
If you have enabled Dependabot alerts on your repositories, GitHub will send Dependabot alerts for malware automatically. Note that Dependabot does not send update pull requests for malware as the only resolution is to delete the package and find an alternative.
When you visit the GitHub Advisory Database, you can now search for any historical advisory recognized by the National Vulnerability Database.
Previously, we only displayed advisories from our supported ecosystems. We then expanded to have an Unreviewed category for advisories that do not belong to those ecosystems, and we've been auto-publishing new advisories to this category since.
We've now backfilled our database to include all historical advisories from prior years, so you can find any advsiory you may be searching for regardless of publication date. This brings us to over 160 thousand advisories, and counting! You can browse them by clicking the "All unreviewed" button or by searching "type:unreviewed" in the search bar.
In February 2022, we launched a new feature called community contributions to security advisories.
We have made a handful of changes to the UX based on your feedback: