Open source security GitHub applications you should be using

Open source libraries have long become the main building blocks of software products, however, developers often lack the right tools to make informed choices.

Industry estimates are that 80% of the code base in many applications is actually open source. This doesn’t come as a surprise to developers since this is how software is being built nowadays – assembled rather than written from scratch.

The problem, however, is that developers lack the right tools to make informed choices when it comes to selecting the best and most secure open source components.

After all, if 80% of your codebase is not secure or has bugs, won’t it be reflected in the security and quality of the end product?

The good news is that four different GitHub tools were recently released to help developers detect vulnerable open source components. Better yet, these tools are absolutely FREE. You can download them as apps from the GitHub Marketplace and they will alert you to any vulnerable open source components in your repositories.

I’ve downloaded and tested these tools (well actually, one comes as a default from GitHub) to find out which one is just right for you or your team.

So, let’s start with the top four GitHub applications you should be using.

1. WhiteSource Bolt for GitHub

(There’s an additional version for Microsoft Azure DevOps/TFS available).

It is the newest kid on the block, yet the most comprehensive one. Since it supports over 200 programming languages, it should cover all your projects. WhiteSource allows users to scan an unlimited number of repositories but with a limit of five scans per day. The tool can scan private and public repos.

[Image: WhiteSource Bolt for GitHub]

Scans are triggered by a push to the repository. The app also detects newly reported vulnerabilities in all existing libraries. When it detects a vulnerable component, the app creates an issue for each detected vulnerability.

WhiteSource will then give detailed information about the library, the vulnerability and the dependency tree (if the vulnerability lies in a transitive dependency). Importantly, the tool also gives a suggested fix as recommended by the open source community (Pic. 1).

WhiteSource claims that it has the broadest coverage when it comes to vulnerability detection as it fetches its data from many databases besides the commonly used NVD.

This claim is hard to verify, but the tool is highly effective in securing and managing your open source components.

2. Sonatype DepShield

Sonatype offers unlimited scans for public and private repos. Once a vulnerability is detected, DepShield creates an issue and offers information on the vulnerable library, the dependency and the vulnerability itself.

[Image: Sonatype DepShield]

It is noteworthy that DepShield fetches its vulnerability data from Sonatype’s own database but doesn’t provide full access to that database unless one pays for the premium version of the product, Sonatype Nexus. This is how Sonatype explains the coverage of the free tool versus the paid version.

[Image: Sonatype Nexus]

Sonatype currently only supports Apache Maven and JavaScript. The company has already stated that it is planning to support Python as well, but has not given a timeline for this.

3. Snyk

Like the other tools reviewed previously, Snyk has an open source security app in the GitHub Marketplace. Snyk currently supports only eight programming languages: Gradle, Scala, PHP, .NET, Java, Python, Ruby and Go. The company says that it has a comprehensive vulnerability database that is continually fed with new data from diverse sources.

[Image: Snyk]

The difference from the other apps is that Snyk requires you to go to its website to see the vulnerability report. Though developers might have varying opinions about this, I find that the tool is harder to use because you need to switch to a different environment to get vulnerability data. Snyk’s vulnerability report includes the vulnerable library’s name and the CVE number.

Snyk also allows fixes to be proposed as pull requests in GitHub’s interface, so that you can patch or replace a vulnerable library directly.

4. GitHub Security Alerts

Unlike the previously reviewed tools, GitHub Security Alerts is not an app. It is a feature by GitHub that helps keep open source vulnerabilities out of private and public repositories. The feature currently supports only two languages – JavaScript and Ruby.

GitHub Security Alerts relies on data from the NVD only. GitHub thus recommends that developers use at least one of the security partners in the Marketplace for better vulnerability coverage. However, it says that it plans to fetch data from many other databases in the near future.

Since this tool is part of GitHub, no installation is needed. The vulnerability alerts appear by default under the Insights tab, on the dependency graph. For private repos, you will need to enable the feature in your repo’s settings. When viewing the dependency graph under the Insights tab, you will see the vulnerable dependencies highlighted in yellow.

Clicking a vulnerability alert opens a small window with the vulnerability details, which includes the CVE number, severity level, and suggested fixes.

What’s right for you?

In this article, we have covered four security tools for enhancing the security of your open source code hosted in GitHub. From the discussed tools, WhiteSource Bolt has the most extensive language support, and a fairly good integration into GitHub.

DepShield can be your choice only if your codebase is based on Apache Maven or JavaScript. Support for Python will be available in the near future. The downside is that DepShield doesn’t rely on a database as comprehensive as the other tools have, and doesn’t offer automatic fixes.

Snyk covers almost all the commonly used languages and has a comprehensive database for libraries written in these languages.

However, unlike all the other tools discussed, Snyk doesn’t create issues on GitHub, which makes it a bit harder to use while working inside GitHub. You can consider the tool if you do not mind the extra hop from GitHub to Snyk’s website.

GitHub Security Alerts is the way to go if you don’t want to perform in-depth code analysis checks. Just as the name suggests, it offers alerts when something serious gets disclosed in an open-source dependency that you’re using. If you’re slightly more concerned about security, you should pair it up with another tool available in the GitHub Marketplace.

Abraham Waita, security consultant, IT Services
