Tag Archive : GitHub


After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.

GitHub code scanning

“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.

“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”

GitHub Code Scanning

The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired

Read More

  • With remote work a long-term reality for many companies, tools to help employees work productively from home are critical. 
  • StackShare shared which tools are most popular on its platform, while execs from companies like Facebook, GitHub, Gitlab, and Atlassian also dished on their go-to products. 
  • It’s not just about the specific tools, though, it’s about how they’re used — including to keep company culture alive. 

Because of the pandemic, remote work has become the new normal for many tech companies. 

Firms like Facebook, Twitter, and Atlassian are allowing employees to work remotely permanently, if they wish — a practice already adopted by startups like GitLab — and adapting to new productivity products in the process. It’s not just about the tools a company uses though, but also how they use them. 

StackShare, a website for companies to share what apps they use, has

Read More

npm


Four JavaScript npm packages contained malicious code that collected user details and uploaded the information to a public GitHub page.

The four packages in which this malicious code was identified are:

  • electorn: 255 downloads
  • lodashs: 78 downloads
  • loadyaml: 48 downloads
  • loadyml: 37 downloads

All four packages were developed by the same user (simplelive12) and uploaded to the npm portal in August. Two packages (lodashs and loadyml) were removed by the author shortly after publication, but not before they infected some users.

The remaining two packages, electorn and loadyaml, were removed last week, on October 1, by the npm security team following a report from Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.

According to Sonatype security researcher Ax Sharma, the four malicious packages used a technique known as typosquatting to get

Read More