New application helps developers avoid vulnerable GitHub code
We reported last week on a new tool to help spot vulnerabilities present in active open source systems.
To prevent problems from being introduced into new systems, open source governance specialist Sonatype is launching a tool to enable developers to identify and avoid using open source components that have known vulnerabilities.
According to Sonatype's 2018 DevSecOps Community Survey released earlier this year, one in three organizations has suffered suspected or verified breaches due to OSS vulnerabilities. Breaches due to open source vulnerabilities are up by over 50 percent since 2017.
"The need for more secure coding practices has never been greater," says Wayne Jackson, CEO of Sonatype. "Developers live, eat, and breathe in GitHub. While developers find value in GitHub's native dependency graph, they need, and are demanding, more self-help security. With DepShield, we're enabling 28 million developers to add an initial layer of defense, to not only help protect their software projects, but the millions of enterprises, organizations and individuals who will use their code down the road."
Sonatype DepShield continuously monitors a project's open source dependencies and automatically opens an issue for each known security vulnerability it finds. Users can view the list of known vulnerabilities in GitHub's Issue Tracker and click an issue to see its details, including the CVE identifier and CVSS score, as well as the vulnerable version range for each vulnerability.
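The core check behind such a tool is matching each pinned dependency against an advisory's vulnerable version range. The following is an added illustration, not DepShield's code: the advisory feed, the dependency manifest and the CVE identifiers are constructed placeholders, and the range syntax (`>=lower,<upper`) is an assumption for the example.

```python
"""Match pinned dependencies against a constructed vulnerability feed."""
import re

# Constructed advisory feed (placeholder CVE ids, not real records): each
# entry names the component, a CVSS score and the vulnerable version range.
ADVISORIES = [
    {"component": "libfoo", "cve": "CVE-0000-00001", "cvss": 9.8,
     "range": ">=1.0.0,<1.2.4"},
    {"component": "libbar", "cve": "CVE-0000-00002", "cvss": 5.3,
     "range": ">=2.0.0,<2.1.0"},
]

# Constructed project manifest: component == pinned version.
DEPENDENCIES = ["libfoo==1.2.3", "libbar==2.1.0", "libbaz==0.9.0"]

def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3); pad short versions so '1.2' < '1.2.1'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(version, range_spec):
    """True if the version satisfies every comma-separated comparator."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           "==": lambda a, b: a == b, "<": lambda a, b: a < b,
           ">": lambda a, b: a > b}
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = re.fullmatch(r"(>=|<=|==|<|>)\s*([\d.]+)", clause.strip())
        if not m:
            raise ValueError(f"bad comparator: {clause!r}")
        if not ops[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def find_vulnerable(dependencies, advisories):
    """One finding per (dependency, advisory) pair whose version is affected."""
    findings = []
    for dep in dependencies:
        name, version = dep.split("==")
        for adv in advisories:
            if adv["component"] == name and in_range(version, adv["range"]):
                findings.append({"component": name, "version": version,
                                 "cve": adv["cve"], "cvss": adv["cvss"],
                                 "range": adv["range"]})
    return findings

def issue_body(finding):
    """Render a finding the way a tracker issue would summarise it."""
    return (f"{finding['cve']} in {finding['component']} {finding['version']} "
            f"(CVSS {finding['cvss']}); affected range {finding['range']}")

if __name__ == "__main__":
    for f in find_vulnerable(DEPENDENCIES, ADVISORIES):
        print(issue_body(f))
```

Note that `libbar==2.1.0` is reported as clean because the upper bound is exclusive; getting that boundary right is what separates a useful alert from noise.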
You can find out more about DepShield on the Sonatype website.