GitHub Makes Private Vulnerability Reporting Generally Available, Introduces npm Package Provenance
GitHub, the world’s largest software development collaboration platform, today announced the general availability of private vulnerability reporting, a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories.
Additionally, GitHub announced npm package provenance, meaning developers building npm projects on GitHub Actions can now publish provenance alongside their packages, giving consumers a verifiable way to link a package back to its source repository and build instructions.
Private Vulnerability Reporting
Since the public beta of Private Vulnerability Reporting last November, maintainers from 30k+ organisations enabled private vulnerability reporting on 180k+ repos and received 1k+ submissions from researchers. Through this enablement and feedback from the community, GitHub has also made a number of feature improvements including multi-repo enablement, new credit types, and increased integration and automation workflows.
“One of the biggest struggles as a researcher has been making initial contact to disclose the vulnerability to the maintainer. Private vulnerability reporting is a massive step forward”, explained Jonathan Leitschuh, GitHub Star, GitHub Security Ambassador, and Senior Open Source Security Researcher for the Open Source Security Foundation (OpenSSF) Project Alpha-Omega.
The improvements for the general availability of private vulnerability reporting include:
- Enable at scale: During the public beta, private vulnerability reporting could only be enabled on individual repos. Now, maintainers can enable private vulnerability reporting on all repos in their organisation.
- Multiple credit types: Maintainers can choose how to credit the people who find, report, and help remediate a vulnerability.
- Integration and automation: A new repository security advisories API supports several new integration and automation workflows.
- Integration with third-party systems: Maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems.
- Automated submissions: Security researchers can also use the API to programmatically open a private vulnerability report on multiple repositories, a time-saving convenience when packages share a common vulnerability.
- Vulnerability alerts: Anyone can keep a close eye on critical repos by subscribing to automatic notifications of new vulnerability reports.
Private vulnerability reporting, together with the rest of GitHub’s security capabilities like Dependabot, code scanning, and secret scanning, is free for public repositories.
npm package provenance
As home to the largest package registry in the world, GitHub is continually looking at security improvements to keep the npm ecosystem healthy. Part of that responsibility is helping to build trust in open source projects, and GitHub wants to give developers the tools they need to ensure the integrity of their software supply chain. With npm package provenance, GitHub’s goal is to bring the same transparency that already exists for open source code itself to the process by which that code is built and published.
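The publishing step described above, as an added example rather than code from the GitHub announcement: a GitHub Actions workflow that publishes an npm package with provenance. The workflow name, the `NPM_TOKEN` secret and the release trigger are assumptions; the `id-token: write` permission and the `npm publish --provenance` flag are the parts that actually produce the attestation.

```yaml
# Added example, not from the original announcement.
# Assumes: an NPM_TOKEN repository secret holding an npm automation token,
# and a package.json whose "repository" field points at this repository
# (the provenance check compares the two).
name: Publish with provenance

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job mint the OIDC token that Sigstore signs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20                       # ships npm >= 9.5, which supports --provenance
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # --provenance makes npm request a signed attestation that links the
      # published tarball to this repository, commit and workflow file.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

On the consuming side, `npm audit signatures` checks the registry signatures and provenance attestations of the installed packages and fails if an attestation is missing or does not match the published tarball. The caveat a practitioner should keep in mind: provenance proves where and how a package was built, not that the source was benign, so a compromised repository or workflow still produces a valid attestation.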
With the move to make npm package provenance generally available GitHub is working on a number of additional improvements:
- Adopting version 1.0 of the SLSA provenance specification.
- Working with other cloud CI/CD providers to add support for provenance signing.
- Verifying the expected source repository and commit exist.
- New tools to manage access between your CI/CD environment and the npm registry.
GitHub is a founding member of the OpenSSF and actively participates in the working group for securing software repositories, with the goal of bringing similar capabilities to other platforms and package ecosystems.