GitHub now sends Dependabot alerts for vulnerable Actions

Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter: @Gadget_Ry

GitHub has announced that it will begin sending Dependabot alerts when it detects vulnerable GitHub Actions.

GitHub Actions makes it easy for developers to automate their workflows. Dependabot, meanwhile, automatically updates dependencies to keep your projects secure.

When an Action vulnerability is discovered, GitHub’s team of security researchers will create an advisory to document it. Following the creation of an advisory, Dependabot alerts will be sent to impacted repositories.

“Improvements like these strengthen GitHub and our users’ security posture, which is why we continue to invest in tightening connection points between GitHub’s supply chain security solutions and GitHub Actions to improve the security of our builds,” explained GitHub in a blog post.

Anyone already using Dependabot will start receiving the new alerts automatically. If you have not yet enabled the feature, you can turn it on by selecting ‘Enable all’ under the ‘Code security and analysis’ tab of your repository settings.
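The alerts described above need only that setting. If you also want Dependabot to open pull requests that bump the actions referenced in your workflow files, a `dependabot.yml` like the following is required. This is an added example, not configuration from the post; the weekly schedule and the `ci` label are assumptions you can change.

```yaml
# .github/dependabot.yml (added example, not from the original post)
version: 2
updates:
  # Cover the actions referenced by `uses:` in .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    # The root directory is where Dependabot looks for workflow files
    directory: "/"
    schedule:
      interval: "weekly"   # assumption: adjust to your release cadence
    labels:
      - "ci"               # assumption: label used for triage of CI changes
```

Version-update PRs and vulnerability alerts are separate features: the file above drives the former, while alerts for a vulnerable action arrive whenever an advisory is published, regardless of this file.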

If you own a GitHub Action and have discovered a vulnerability, an advisory can be created from the security tab in your repo. GitHub’s team will review the advisory and then issue it globally if required.

