GitHub has announced that it will begin sending Dependabot alerts when it detects vulnerable GitHub Actions.
GitHub Actions makes it easy for developers to automate their workflows. Dependabot, meanwhile, automatically updates dependencies to keep your projects secure.
When an Action vulnerability is discovered, GitHub’s team of security researchers will create an advisory to document it. Following the creation of an advisory, Dependabot alerts will be sent to impacted repositories.
“Improvements like these strengthen GitHub and our users’ security posture, which is why we continue to invest in tightening connection points between GitHub’s supply chain security solutions and GitHub Actions to improve the security of our builds,” explained GitHub in a blog post.
Anyone already using Dependabot will start receiving the new alerts automatically. If you have not yet enabled the feature, you can turn on Dependabot by selecting ‘Enable all’ under the ‘Code security and analysis’ tab of the repository settings.
If you own a GitHub Action and have discovered a vulnerability, an advisory can be created from the security tab in your repo. GitHub’s team will review the advisory and then issue it globally if required.