GitHub today launched the GitHub Security Lab, an ongoing effort to protect open source code projects. The GitHub Security Lab is aimed at bringing together security researchers from partner organizations like Google, Microsoft, Mozilla, Oracle, Uber, and HackerOne.
Many open source projects form the underlying infrastructure for modern software: programming languages like Ruby and Python, machine learning frameworks like TensorFlow, Kubernetes for containerless apps, and Microsoft’s Visual Studio Code, the most popular open source repository on GitHub.
To power the GitHub Security Lab, GitHub is open-sourcing CodeQL, variant analysis software from Semmle, a company it acquired in September to help GitHub better spot exploits in code. Semmle security software is used by companies like Google, Microsoft, and NASA. GitHub says it has used custom queries with the CodeQL semantic code analysis engine to find more than 100 vulnerabilities in popular open source projects.
To work with maintainers in a private space and give security researchers a way to apply for a Common Vulnerabilities and Exposures (CVE) identifier, GitHub also launched Security Advisories. Once completed, advisories are sent to the affected project and logged in the GitHub Advisory Database and SecurityAdvisory API.
GitHub also shared today that it will now scan tokens from new partners like Tencent.
The news comes on the second day of the GitHub Universe developer conference being held at the Palace of Fine Arts in San Francisco. The code repository and programming collaboration platform is now used by more than 40 million developers worldwide and stores 100 million code repositories. On day one, GitHub launched a range of upgrades and an iOS mobile app. An Android mobile app will launch in 2020. CEO Nat Friedman predicts that more than half of GitHub activity will take place on a smartphone within 5 years.
GitHub also debuted the Arctic Code Vault, an initiative to preserve open source code for thousands of years in Norwegian permafrost; made Actions and Packages generally available; and made semantic code search available for Python, Go, and Ruby repositories.