GitHub now sends Dependabot alerts for vulnerable Actions

GitHub has announced that it will begin sending Dependabot alerts when it detects vulnerable GitHub Actions.

GitHub Actions makes it easy for developers to automate their workflows. Dependabot, meanwhile, automatically updates dependencies to keep your projects secure.

When an Action vulnerability is discovered, GitHub’s team of security researchers will create an advisory to document it. Following the creation of an advisory, Dependabot alerts will be sent to impacted repositories.

“Improvements like these strengthen GitHub and our users’ security posture, which is why we continue to invest in tightening connection points between GitHub’s supply chain security solutions and GitHub Actions to improve the security of our builds,” explained GitHub in a blog post.

Anyone already using Dependabot will start receiving the new alerts automatically. If you have not enabled it yet, you can turn Dependabot on by selecting ‘Enable all’ under the repository’s ‘Code security and analysis’ settings tab.

If you own a GitHub Action and have discovered a vulnerability, an advisory can be created from the security tab in your repo. GitHub’s team will review the advisory and then issue it globally if required.
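The article describes the alerts side; for the update side it mentions, a minimal `.github/dependabot.yml` that asks Dependabot to keep the actions referenced in a repository’s workflows current looks like this. This is an added example, not configuration from the article or from GitHub’s post; the weekly schedule and the single root directory are assumptions you should adjust to your repository.

```yaml
# Added example (not from the article): .github/dependabot.yml
# Tells Dependabot to watch the action references in .github/workflows/*
# and open pull requests when newer versions are available.
version: 2
updates:
  - package-ecosystem: "github-actions"   # ecosystem for workflow `uses:` references
    directory: "/"                        # "/" covers the .github/workflows directory
    schedule:
      interval: "weekly"                  # assumption: weekly checks; daily is also valid
```

Version updates configured this way are separate from the vulnerability alerts the article announces, which only require Dependabot to be enabled as described above.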

(Photo by Marcel Eberle on Unsplash)

Source developer-tech.com
