GitHub Boosts Supply Chain Security For Go Modules

GitHub has announced a slew of supply chain security upgrades for modules based on the Go programming language. 

On July 22, GitHub staff product manager William Bartholomew said in a blog post that Go -- also known as Golang -- is now firmly entrenched in the top 15 programming languages on the platform, and as the most popular host for Go modules, GitHub wants to help the community "discover, report, and prevent security vulnerabilities."

Introduced in 2019, Go modules were designed to improve dependency management. According to the Go Developer Survey 2020, 76% of respondents said that Go is now used in some form in the enterprise. 

In addition, Go modules adoption is increasing, with 96% of those surveyed saying that these modules are used for package management -- an increase of 7% from 2019 -- and 87% of respondents reported that only Go modules are used for this purpose. 

An overall trend in the survey appears to suggest the use of other package management tools is decreasing. 

According to GitHub, there are four main areas of improvement for supply chain security now available for Go modules. The first is GitHub's Advisory Database, an open source repository of vulnerability information which, at the time of writing, contains over 150 Go advisories. 

The database also allows developers to request CVE IDs for newly-discovered security issues. 

"This number is growing every day as we curate existing vulnerabilities and triage newly discovered ones," Bartholomew commented. 

In addition, GitHub's dependency graph now supports Go modules: it reads a project's go.mod to monitor and analyze dependencies, and alerts users when vulnerable dependencies are detected. 

GitHub has also included Dependabot in this update, which will send developers a notification when new vulnerabilities are discovered in Go modules. Automatic pull requests can be enabled to patch vulnerable Go modules and notification settings have been upgraded for fine-tuning. 

Bartholomew says that when repositories are set to automatically generate pull requests for security updates, dependencies tend to patch up to 40% faster than those which do not. 
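The following is an added example of the configuration a repository owner would commit to turn on Dependabot version updates for Go modules; it is not taken from GitHub's announcement or the article. It assumes the repository's `go.mod` sits at the repository root. Note that this file governs routine version-update pull requests; the security-update pull requests the article describes are switched on separately in the repository's security settings, and both rely on the dependency graph having parsed `go.mod`.

```yaml
# .github/dependabot.yml  (added example, not part of the original article)
version: 2
updates:
  # "gomod" is the Dependabot ecosystem name for Go modules (go.mod / go.sum)
  - package-ecosystem: "gomod"
    # directory containing go.mod, relative to the repository root (assumed "/")
    directory: "/"
    schedule:
      interval: "weekly"
    # cap open Dependabot PRs so update noise stays reviewable
    open-pull-requests-limit: 5
```

Once committed, Dependabot opens pull requests that bump the `require` lines in `go.mod` (and the matching `go.sum` hashes); reviewers should still check the diff of `go.sum`, since that file is what pins the exact module content being pulled in.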

Developers can consult GitHub's documentation on repository security for details on enabling these features.
