It's day two at GitHub Universe 2019. Today is all about security. The day two keynote included a host of announcements related to securing code including GitHub Security Lab, CodeQL, GitHub Security Advisories, automated security updates, GitHub Advisory Database, and Token scanning.
GitHub Security Lab is a community of security researchers, maintainers, and companies that share a common goal: securing open-source code. The Lab includes full-time, dedicated resources for discovering and reporting vulnerabilities in open-source projects. In addition to finding vulnerabilities and collaborating within the community, the Lab offers tools such as CodeQL, which allows researchers to query code as if it were data and so discover all variants of a vulnerability.
GitHub Security Advisories allow maintainers to work directly with researchers on security fixes. This process remains private, and users can apply for a CVE directly from GitHub. GitHub will automatically send security alerts to affected projects when the user is ready to publish. GitHub's automated security updates allow project managers to receive vulnerability reports and fixes through programmatic notifications.
The GitHub Advisory Database is a public advisory database hosted on GitHub. It includes supplementary data that helps curate advisories and map them to affected packages. This data is tracked through the GitHub dependency graph.
Finally, GitHub's token scanning helps address the common mistake of hard-coding tokens or credentials into a project. Seconds after a commit is pushed to GitHub, GitHub scans it for tokens from twenty different cloud providers. If a match is found, GitHub notifies the service provider so it can take action. Tune in to day two for more security information.