Software Supply Chain Chalks Up a Security Win With New Crypto Effort
GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.
Stay informed about the latest Github infosec updates, security breaches, and protection strategies with our comprehensive information security news.
Search across headline titles and summaries.
Background for this topic.
GitHub is a hosted software-development platform built around Git repositories. It supports public and private source-code hosting, change review through pull requests, issue tracking, automated workflows, and package distribution. Its repositories and automation are important security assets because they can contain proprietary code, deployment instructions, credentials, and the components used to build released software.
Material risks include accidentally committing secrets, exposing private repositories through misconfigured permissions, and allowing compromised dependencies or workflow actions to run in trusted build environments. Pull requests from untrusted contributors can also become an execution path when workflows handle them unsafely. Security practice includes least-privilege access, strong authentication, protected branches and required reviews, secret scanning and rapid credential revocation, and auditing workflow permissions. Repository history, dependency metadata, and commit provenance can support vulnerability management and incident investigation, but deleting a leaked secret from the latest file does not remove it from historical commits or existing clones.
GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.
Latest episode - listen now! (Or read the transcript if you prefer.)
Developers are furious at GitHub's upcoming privacy policy changes that would allow GitHub to place tracking cookies on some of its subdomains. The Microsoft subsidiary announced this month, it would be adding "non-essential cookies" on some marketing web pages starting in September, and offered a 30-day "comment period." [...]
Cloud-based code hosting platform GitHub has announced that it will now start sending Dependabot alerts for vulnerable GitHub Actions to help developers fix security issues in CI/CD workflows