GitHub Boosts Supply Chain Security For Go Modules
GitHub has announced a slew of supply chain security upgrades for modules based on the Go programming language.
On July 22, GitHub staff product manager William Bartholomew said in a blog post that Go -- also known as Golang -- is now firmly entrenched in the top 15 programming languages on the platform, and as the most popular host for Go modules, GitHub wants to help the community "discover, report, and prevent security vulnerabilities."
Introduced in 2019, Go modules were designed to improve dependency management. According to the Go Developer Survey 2020, 76% of respondents said that Go is now used in some form in the enterprise.
In addition, adoption of Go modules is increasing, with 96% of those surveyed saying that these modules are used for package management -- an increase of 7% from 2019 -- and 87% of respondents reporting that only Go modules are used for this purpose.
An overall trend in the survey appears to suggest the use of other package management tools is decreasing.
According to GitHub, there are four main areas of improvement for supply chain security now available for Go modules. The first is GitHub's Advisory Database, an open source repository of vulnerability information which, at the time of writing, contains over 150 Go advisories.
The database also allows developers to request CVE IDs for newly-discovered security issues.
"This number is growing every day as we curate existing vulnerabilities and triage newly discovered ones," Bartholomew commented.
In addition, GitHub's dependency graph now supports Go modules: it reads a project's go.mod to monitor and analyze its dependencies, and alerts users when vulnerable dependencies are detected.
GitHub has also included Dependabot in this update, which will send developers a notification when new vulnerabilities are discovered in Go modules. Automatic pull requests can be enabled to patch vulnerable Go modules and notification settings have been upgraded for fine-tuning.
Bartholomew says that when repositories are set to automatically generate pull requests for security updates, dependencies tend to patch up to 40% faster than those which do not.
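As an added illustration that is not part of GitHub's announcement, the following .github/dependabot.yml enables Dependabot version updates for a repository's Go modules (the gomod ecosystem); the directory, schedule, pull-request limit and labels are assumed sample values. Dependabot security updates for known-vulnerable modules are switched on separately under the repository's security settings.

```yaml
# .github/dependabot.yml -- sample configuration constructed for this example
version: 2
updates:
  - package-ecosystem: "gomod"   # watch go.mod / go.sum for this module
    directory: "/"               # location of go.mod, relative to the repo root
    schedule:
      interval: "weekly"         # how often Dependabot checks for new versions
    open-pull-requests-limit: 5  # cap on concurrently open Dependabot PRs
    labels:                      # applied to every PR Dependabot opens
      - "dependencies"
      - "go"
```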
Developers can check GitHub's documentation for repository security here.