430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Code hosting service GitHub can now scan also for vulnerable Python code

The code hosting service GitHub added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities. Good news for GitHub users, the platform added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities. In March, the code hosting service GitHub confirmed that the introduction […]

GitHub bugbounty

The code hosting service GitHub added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.

Good news for GitHub users, the platform added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.

In March, the code hosting service GitHub confirmed that the introduction of GitHub security alerts in November allowed obtaining a significant reduction of vulnerable code libraries on the platform.

Github alerts warn developers when including certain flawed software libraries in their projects and provide advice on how to address the issue.

Last year GitHub first introduced the Dependency Graph, a feature that lists all the libraries used by a project. The feature supports JavaScript and Ruby, and the company announced to add the support for Python within the year.

GitHub Security Alerts

The GitHub security alerts feature introduced in November is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

The availability of a dependency graph allows notifying the owners of the projects when it detects a known security vulnerability in one of the dependencies and suggests known fixes from the GitHub community.

An initial scan conducted by GitHub revealed more than 4 million vulnerabilities in more than 500,000 repositories. Github notified affected users by December 1, more than 450,000 of the vulnerabilities were addressed either by updating the affected library or removing it altogether.

Vulnerabilities are in a vast majority of cases addressed within a week by active developers.

With the support of a Python language, developers will have the opportunity to receive alerts also for their code written in this powerful programming language.

“We’re pleased to announce that we’ve shipped Python support. As of this week, Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.” reads the announcement published by GitHub quality engineer Robert Schultheis.

“We’ve chosen to launch the new platform offering with a few recent vulnerabilities. Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”

The company confirmed that the scanner is enabled by default on public repositories, while for private repositories the maintainers need to opt into security alerts, or by giving the dependency graph access to the repo from the “Insights” tab.

“Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allow access in the dependency graph section of your repository’s “Insights” tab.” concludes Schultheis.

“When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository’s settings page and navigating to the “Alerts” tab.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – hacking, secure coding)

[adrotate banner=”5″]

[adrotate banner=”13″]