Highlights:

  • Private vulnerability reporting, the first new tool, is now generally accessible and was created to assist open-source maintainers and security researchers in adopting best practices for reporting and resolving vulnerabilities.
  • Npm is a widely used package manager for the JavaScript programming language and is maintained by npm Inc.

GitHub, which is owned by Microsoft Corp., announced two new tools recently to assist developers in ensuring the integrity of their projects and securing the software supply chain.

Private vulnerability reporting, the first new tool, is now generally accessible and was created to assist open-source maintainers and security researchers in adopting best practices for reporting and resolving vulnerabilities. The lack of a standardized and secure method for the open-source community to report and collaborate on vulnerabilities made it far too easy for issues to go unresolved or to become publicly known before fixes were ready. This is the problem the private collaboration channel aims to address.

Private vulnerability reporting makes it simple for researchers and maintainers to identify and fix vulnerabilities in public repositories through a set of tools and automated features. These include the ability to report identified issues across multiple repositories and to credit the multiple researchers who help detect and resolve a vulnerability.

In November, the service entered the public beta testing phase and was made available to maintainers from over 30,000 organizations, who used it to facilitate private vulnerability reporting on over 180,000 repositories. During this time, researchers submitted more than 1,000 reports to the service.

The second release, npm package provenance, allows programmers to build npm projects on GitHub Actions so that provenance information is included with their packages. This enables consumers to verify the source repository and build instructions for a package. Npm is a widely used package manager for the JavaScript programming language, maintained by npm Inc. Its popularity stems from being the default package manager for the Node.js JavaScript runtime environment.
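As an added illustration (not code from the article or from GitHub), the workflow below shows how a package gets a provenance attestation when published from GitHub Actions: the job must be granted the `id-token: write` permission so the runner can obtain an OIDC identity that ties the package to this repository and workflow, and `npm publish` is invoked with the `--provenance` flag (npm CLI 9.5 or later). The package name, release trigger and the `NPM_TOKEN` secret are assumptions for the example.

```yaml
# Added example: publish an npm package with provenance from GitHub Actions.
# Assumes the repository holds an npm publish token in the NPM_TOKEN secret.
name: publish-with-provenance

on:
  release:
    types: [published]   # constructed trigger: publish when a GitHub release is created

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # required: lets the job mint the OIDC token used to sign the attestation
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # sets up .npmrc so NODE_AUTH_TOKEN is used

      - run: npm ci
      - run: npm test

      # --provenance asks npm to generate and upload a signed attestation that records
      # the source repository, commit and workflow that produced this package.
      # --access public is needed because provenance is only supported for public packages;
      # scoped packages default to restricted access.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

On the consuming side, `npm audit signatures` (npm 9.5 or later) checks the installed packages' registry signatures and provenance attestations, so a package whose attestation does not match the registry record is reported rather than silently trusted.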

GitHub states that programmers plug npm packages into their applications daily with little thought, which weakens the integrity of their software supply chain. As the steward of the npm registry, GitHub helps build trust in these projects, and with this release consumers of npm packages can trust the source code and build process behind them.

The two new tools come after GitHub released Copilot X in March. Copilot X is an AI tool that is partly powered by GPT-4. It is an enhanced version of the Copilot coding assistant, which GitHub released in the middle of 2021. It was made to help developers write code faster and has features that weren’t in the original release.