From planning and tracking our work on GitHub Issues to using GitHub Discussions to gather your feedback and running our developer environments in Codespaces, we pride ourselves on using GitHub to build GitHub, and we love sharing how we use our own products in the hopes it'll inspire new ways for you and your teams to use them.

Even before we officially released GitHub Actions in 2018, we were already using it to automate all kinds of things behind the scenes at GitHub. If you don't already know, GitHub Actions brings platform-native automation and CI/CD that responds to any webhook event on GitHub (you can learn more in this article). We've seen some incredible GitHub Actions from open source communities and enterprise companies alike, with more than 12,000 community-built actions in the GitHub Marketplace.

Oh, and just in case you didn't catch it, this blog is a follow-up to my session at GitHub Universe, which you may want to check out.

Now, we want to share a few ways we use GitHub Actions to build GitHub. Let's dive in.

1. Tracking security reports and vulnerabilities

In 2019, we announced the creation of the GitHub Security Lab as a way to bring security researchers, open source maintainers, and companies together to secure open source software. Since then, we've been busy doing everything from giving advice on how to write secure code, to explaining vulnerabilities in important open source projects, to keeping our GitHub Advisory Database up-to-date. In short, it's fair to say our Security Lab team is busy. And it shouldn't surprise you to know that they're using GitHub Actions to automate their workflows, tests, and project management processes.

One particularly interesting way our Security Lab team uses GitHub Actions is to automate a number of processes related to reporting vulnerabilities to open source projects. They also use actions to automate processes related to the CodeQL bug bounty program, but I'll focus on the vulnerability reporting here.

Any GitHub employee who discovers a vulnerability in an open source project can report it via the Security Lab. We help them to create a vulnerability report, take care of reporting it to the project maintainer, and track the fix and the disclosure. To start this process, we created an issue form template that GitHub employees can use to report a vulnerability:

(Screenshot: an issue template GitHub employees use to report vulnerabilities.)

The issue form triggers an action that automatically generates a report template (with details such as the reporter's name filled out automatically). Every vulnerability report is assigned a unique ID, such as GHSL-2021-1001. We ask the vulnerability reporter to enter the URL of a private repository, which is where the report template will be created (as an issue), so that the details of the vulnerability can be discussed confidentially.
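To make the flow above concrete, here is an added example (not the Security Lab's own code) of the logic such an action could run: it parses the rendered issue form, accepts only a github.com owner/repo URL as the confidential destination, allocates the next GHSL-<year>-<n> identifier, and renders the report body. The field labels, the 1001 starting number and the sample issue body are assumptions constructed for the example.

```python
import re

# Constructed sample: GitHub renders an issue form as markdown, one "### Label"
# heading per field followed by the reporter's answer (assumed layout).
SAMPLE_ISSUE_BODY = """### Reporter

@octocat

### Private repository URL

https://github.com/example-org/security-reports-private

### Affected project

https://github.com/example-org/example-project
"""

FIELD_RE = re.compile(r"^### (?P<label>[^\n]+)\n+(?P<value>.*?)(?=^### |\Z)", re.S | re.M)
REPO_URL_RE = re.compile(r"^https://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/?$")


def parse_issue_form(body: str) -> dict:
    """Map each issue-form label to the value the reporter entered."""
    return {m["label"].strip(): m["value"].strip() for m in FIELD_RE.finditer(body)}


def parse_repo_url(url: str) -> tuple:
    """Only a github.com owner/repo URL may receive the confidential report."""
    m = REPO_URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a github.com repository URL: {url!r}")
    return m["owner"], m["repo"]


def next_report_id(existing_ids, year: int) -> str:
    """Allocate GHSL-<year>-<n>, one past the highest number already used that year."""
    used = [int(i.rsplit("-", 1)[1]) for i in existing_ids if i.startswith(f"GHSL-{year}-")]
    number = max(used) + 1 if used else 1001  # assumed starting number
    return f"GHSL-{year}-{number:04d}"


def build_report(fields: dict, report_id: str) -> dict:
    """Render the report template and say which private repo it should be filed in."""
    owner, repo = parse_repo_url(fields["Private repository URL"])
    body = (f"# {report_id}\n\n**Reporter:** {fields['Reporter']}\n"
            f"**Affected project:** {fields['Affected project']}\n\n## Summary\n\n_(fill in)_\n")
    return {"target_repo": f"{owner}/{repo}",
            "title": f"{report_id}: {fields['Affected project']}", "body": body}
```

Whether the destination repository is actually private still has to be checked against the GitHub API before the issue is created; the URL check alone only rules out non-GitHub destinations.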