The Wayback Machine - https://web.archive.org/web/20201023100150/https://www.itpro.co.uk/development/31512/github-now-warns-you-about-flaws-affecting-your-python-code
Skip to ContentSkip to Footer
News

GitHub now warns you about flaws affecting your Python code

Code repository will also offer admins fixes from the developer community

by: Joe Curtis
16 Jul 2018

Python has joined Ruby and JavaScript on GitHub's list of coding languages it scans for security vulnerabilities.

Developers using Python can now get security alerts for any new bugs the code repository platform spots, as well as some recent vulnerabilities Python has had.

They will also find Python on their project dependency graph, which tracks all the projects, packages and applications a developer's code depends on without leaving their repository.

Security alerts will notify users of any known vulnerabilities affecting the code their repository relies on, and the dependency graph also lets users know if there's a known security fix from within the wider GitHub community.

GitHub, bought by Microsoft for $7.5 billion last month, tracked more than four million vulnerabilities in 500,000 Ruby and JavaScript code repositories after it shipped support for those languages last year.

Developers typically patched known vulnerabilities affecting their projects within seven days of detection, GitHub said, suggesting a similar approach for Python-based projects would be useful to users.

"We've chosen to launch the new platform offering with a few recent vulnerabilities," GitHub quality engineer Robert Schultheis said in a blog post.

"Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages."

To enable Python security alerts, developers must first check in a requirements.txt file or Pipfile.lock file inside their public Python code repositories. Doing so will automatically enable the dependency graph and security alerts.

Private repositories require users to opt into security alerts via their settings, or by allowing access in the dependency graph section of the repository's 'Insights' tab.

Admins will then receive security alerts by default, and can add teams or individuals to the notifications via their settings page 'Alerts' tab.

Picture: Shutterstock

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

IT services giant Sopra Steria falls victim to Ryuk ransomware
Image
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Image
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020
Government agencies see misconfigured cloud services as top security threat
Image
Security

Government agencies see misconfigured cloud services as top security threat

22 Oct 2020
Lookout reveals mobile-first endpoint detection and response solution
Image
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020

Most Popular

The enemy of security is complexity
Image
Sponsored

The enemy of security is complexity

9 Oct 2020
The top 12 password-cracking techniques used by hackers
Image
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
What is a 502 bad gateway and how do you fix it?
Image
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020
Skip to HeaderSkip to Content