We want to take away the pain and effort of keeping your code secure, so check out how Dependabot empowers developers to keep their projects secure.

Let’s face it: security for developers isn’t always the top priority. It’s something we know we should do, but frequently it competes with shipping deadlines, or is left until later in the development process. Unclear ownership further complicates things. And most of us don’t receive regular security training; we only get a few security pointers during a project kick-off.
At GitHub, we want to take away the pain and effort of keeping your code secure. This involves providing you with a complete, native, and automated approach—one that reduces your risk, increases your productivity, and improves your time-to-market. From helping you identify supply chain vulnerabilities before you introduce security tech debt into your codebase, to giving you an active database of known vulnerabilities—we want to make security a lot less bothersome. After all, security that is painless is also the most effective.
Security at the expense of usability comes at the expense of security.
- Avi Douglen
Over the years, we’ve seen that open source software (OSS) poses risk. When the Java-based logging tool Log4j was exploited in late 2021, potentially compromising millions of apps, the world once again felt just how critical security is to OSS.
It’s clear we need to do a better job. Over the past 10 years, we’ve seen billions of dollars go into application security testing tools but without much success. A whopping 85% of applications still contain known vulnerabilities,[1] with 84% of security flaws happening accidentally at the application layer.[2] In 2021, we witnessed software supply chain attacks increase by a terrifying 650%.[3] As time goes on, our digital infrastructure will only continue to grow and we don’t expect these stats to slow. It’s anticipated that bad actors will continue to target the supply chain at an ever-increasing rate through existing and emerging tactics.
While organizations have invested countless hours and billions of dollars into application security over the past decade, writing secure software continues to be really hard.
* 85% of applications contain known vulnerabilities
* 84% of security breaches occur accidentally at the application layer
You probably feel overwhelmed with how you can keep your supply chain code secure. And with the continued pressure to ship more frequently, you don’t necessarily have the time to understand what types of vulnerabilities may affect you (and, let’s not forget that finding and fixing a vulnerability doesn’t mean you’re secure forever). You also probably don’t have the space to learn about the many security solutions being marketed to you. Or even figure out where in your workflow you need to “shift left.”
Plus, as you may know from experience, current application security solutions are difficult to embed into your developer workflow, without the dreaded, repetitive context switching from tab to tab and explanation to explanation. And even when solutions are integrated, we often find ourselves disabling them due to noise, an increase in testing failure, system performance impacts, and reduced development velocity.
We have to make securing our software simpler and less cumbersome. After all, we’re big on automating things to make people’s lives easier, so implementing something difficult that will give us more headache is the last task on our to-do list.
That’s why, here at GitHub, we’re pleased to offer comprehensive, native security scanning capabilities that are tailored for developers. These include Dependabot, code scanning with CodeQL, and secret scanning. We knew it was important for us to provide solutions that are built directly into the developer workflow—so you wouldn’t have to waste time learning a new platform or installing third-party apps.
Dependabot is GitHub’s supply chain security experience and makes it easy to find and fix vulnerable dependencies in your repository. It’s always on to alert you about vulnerabilities in the software you depend on. You can even go further by enabling Dependabot security updates, and Dependabot will automatically create pull requests to fix security alerts as they happen.
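Once Dependabot alerts are on, the practical question is which ones to act on first and which ones Dependabot cannot fix for you. The following is an added example, not code from the post or from Dependabot itself: it triages a constructed batch of alert records (field names assumed to follow the Dependabot alerts REST API; package names, versions and GHSA ids are placeholders) by severity and flags alerts that have no patched version yet, since those are the ones a security-update pull request cannot close.

```python
"""Triage Dependabot alerts: keep the open ones, rank them by severity,
and report which patched release (if any) closes each one."""
from collections import Counter

# Severity levels used by the GitHub Advisory Database, most urgent first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample alerts shaped like items from the Dependabot alerts REST
# API (assumption). Names, versions and GHSA ids are placeholders, not real
# advisories.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-lib"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "severity": "high"},
     "security_vulnerability": {"vulnerable_version_range": "< 2.1.0",
                                "first_patched_version": {"identifier": "2.1.0"}}},
    {"number": 2, "state": "fixed",  # already resolved by a Dependabot PR
     "dependency": {"package": {"ecosystem": "pip", "name": "example-parser"},
                    "manifest_path": "requirements.txt"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx2", "severity": "medium"},
     "security_vulnerability": {"vulnerable_version_range": "< 1.4.2",
                                "first_patched_version": {"identifier": "1.4.2"}}},
    {"number": 3, "state": "open",
     "dependency": {"package": {"ecosystem": "maven", "name": "example-logger"},
                    "manifest_path": "pom.xml"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx3", "severity": "critical"},
     "security_vulnerability": {"vulnerable_version_range": "<= 2.14.1",
                                "first_patched_version": None}},  # no fix released yet
]

def open_alerts(alerts):
    """Only alerts still in the 'open' state need a decision."""
    return [a for a in alerts if a["state"] == "open"]

def prioritize(alerts):
    """Open alerts, most severe first (stable sort keeps API order for ties)."""
    ranked = sorted(open_alerts(alerts),
                    key=lambda a: SEVERITY_RANK.get(a["security_advisory"]["severity"], 99))
    rows = []
    for a in ranked:
        patched = a["security_vulnerability"].get("first_patched_version")
        rows.append({"number": a["number"],
                     "severity": a["security_advisory"]["severity"],
                     "package": a["dependency"]["package"]["name"],
                     "manifest": a["dependency"]["manifest_path"],
                     # None: no patched release exists, so no automatic PR is
                     # possible; this one needs a manual mitigation decision.
                     "fix_version": patched["identifier"] if patched else None})
    return rows

def severity_counts(alerts):
    """How many open alerts per severity, for a quick dashboard number."""
    return dict(Counter(a["security_advisory"]["severity"] for a in open_alerts(alerts)))
```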
https://github.blog/wp-content/uploads/2022/03/Dependabot-short.mp4#t=0.001
Created just for you, Dependabot is:
* Customizable. You can choose how often you get notifications and what type of notifications you receive. In fact, we’ve recently updated the notification settings so you get exactly what you need and nothing more.
* Built from the community. The GitHub Advisory Database, which powers our Dependabot alerts, is the largest database of vulnerabilities in software dependencies in the world. It’s maintained by a dedicated team of full-time curators and supported by contributions from the entire GitHub community.
* Forever free. GitHub believes that free and open security data and solutions are critical to empowering the industry and to best securing our software supply chains.
In all, Dependabot gives you peace of mind. Instead of worrying about your next big security issue, you can let Dependabot do the heavy lifting—so you can focus on building great code.
To learn more about how to easily get started with Dependabot, visit our GitHub Docs page.
[1] Osterman Research, Uncovering the Presence of Vulnerable Open-Source Components in Commercial Software, 2021
[2] Synopsys, How Shifting Security Left Enables More Robust Defense Applications, 2020
[3] Sonatype, State of the Software Supply Chain Report, 2021