GitHub Inspection Discovers 4 Million Flaws In Public Code

GitHub has revealed that its first security sweep has found over four million vulnerabilities in over 500,000 repositories.

The world’s largest code-sharing platform said it had alerted the administrators of the affected repositories about the flaws.

Last November GitHub said it would begin alerting developers when their code has a known vulnerability in what was described as an “important step” for open source security.

Open source security

Only JavaScript and Ruby are supported at present, but Python is expected to be included in the security sweep as well.

“As more developers draw from existing code libraries to build new tools, tracking changes in dependencies like security vulnerabilities has become more difficult,” blogged GitHub.

The developer community appears to be acting on GitHub’s alerts.

“By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version,” wrote GitHub.

“Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent,” it added. “Additionally, 15 percent of alerts are dismissed within seven days – that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

“Security alerts are opening the door to new ways we can improve code checking and generation by combining publicly available data with GitHub’s unique data set,” it wrote. “And this is just the beginning – we’ve got more ways to help you keep code safer on the way!”
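The check behind alerts of this kind, shown here as an added illustration rather than GitHub’s own code, is a comparison of a project’s locked dependency versions against a list of advisories that each give a vulnerable version range and the first fixed version. The advisory list, the `package-lock.json` and `Gemfile.lock` contents, the package names and the `SAMPLE-` advisory ids below are all constructed sample data; real advisory feeds use richer formats and a full semver library.

```python
"""Dependency vulnerability check over npm and RubyGems lockfiles.

Added illustration, not GitHub's code.  All advisories, lockfile contents,
package names and advisory ids are constructed sample data.
"""
import json
import re

# Constructed advisories: a version v is affected when introduced <= v < fixed.
ADVISORIES = [
    {"id": "SAMPLE-0001", "ecosystem": "npm", "package": "example-http-client",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "SAMPLE-0002", "ecosystem": "npm", "package": "example-template",
     "introduced": "0.0.0", "fixed": "3.0.0"},
    {"id": "SAMPLE-0003", "ecosystem": "rubygems", "package": "example-yaml",
     "introduced": "2.0.0", "fixed": "2.0.5"},
]

# Constructed lockfiles (lockfiles pin exact versions, unlike manifests with ranges).
PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "example-http-client": {"version": "1.3.0"},   # inside a vulnerable range
        "example-template": {"version": "3.1.0"},      # already on a fixed version
        "example-logger": {"version": "0.9.1"},        # no advisory at all
    },
})

GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    example-yaml (2.0.3)
    example-rack (1.6.0)

PLATFORMS
  ruby

DEPENDENCIES
  example-rack
  example-yaml
"""


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2).  A non-numeric tail such as '-beta' is
    dropped, so pre-releases compare as their base version; missing
    components are padded with zeros.  Enough for this demo only."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version, advisory):
    """True when the pinned version lies in the advisory's vulnerable range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def deps_from_package_lock(text):
    """Yield (ecosystem, name, version) from a lockfileVersion-1 package-lock."""
    data = json.loads(text)
    return [("npm", name, info["version"])
            for name, info in data.get("dependencies", {}).items()]


def deps_from_gemfile_lock(text):
    """Yield (ecosystem, name, version) from the 'specs:' block of a Gemfile.lock.
    Only the 4-space-indented 'name (x.y.z)' lines are resolved gems; deeper
    lines carry constraints, not pinned versions, and are skipped."""
    deps, in_specs = [], False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs:
            m = re.match(r"^    (\S+) \(([^)]+)\)$", line)
            if m:
                deps.append(("rubygems", m.group(1), m.group(2)))
            elif not line.startswith("    "):
                in_specs = False  # blank line or next section ends the block
    return deps


def check_dependencies(deps, advisories=ADVISORIES):
    """One alert per (dependency, advisory) match, with the version to move to."""
    alerts = []
    for ecosystem, name, version in deps:
        for adv in advisories:
            if (adv["ecosystem"], adv["package"]) == (ecosystem, name) and is_affected(version, adv):
                alerts.append({"ecosystem": ecosystem, "package": name, "version": version,
                               "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return alerts


def scan(package_lock=PACKAGE_LOCK, gemfile_lock=GEMFILE_LOCK):
    """Run the check over both lockfiles and return the combined alert list."""
    return check_dependencies(deps_from_package_lock(package_lock)
                              + deps_from_gemfile_lock(gemfile_lock))


if __name__ == "__main__":
    for a in scan():
        print(f"{a['ecosystem']}: {a['package']} {a['version']} affected by "
              f"{a['advisory']}; upgrade to {a['upgrade_to']}")
```

Two of the five pinned dependencies produce alerts. Re-running `check_dependencies` on a dependency at its `upgrade_to` version returns nothing, which is the “changing to a secure version” resolution the article quotes; removing the dependency from the lockfile is the other way an alert clears.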

Welcomed move

GitHub’s security screening has been welcomed by some security experts.

“In general, we support initiatives like GitHub’s Security Alerts as they aim to help open source project teams produce more secure code,” explained Tim Mackey, technology evangelist at open source code security experts Black Duck by Synopsys.

“Open source is pervasive and it plays an increasingly critical role in the software ecosystem, so any measures that bolster open source security should be applauded,” he added.

It should be noted that Black Duck by Synopsys does provide a similar free service for open source project teams called CoPilot.

GitHub was also in the news earlier this month, when it was briefly struck by one of the most powerful distributed denial-of-service (DDoS) attacks ever seen.

The attack was powerful enough to briefly take down GitHub’s website, peaking at an unprecedented 1.35 Tbps.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
