GitHub Dependabot Now Alerts Developers On Vulnerable GitHub Actions
Aug 11, 2022
Cloud-based code hosting platform GitHub has announced that it will now start sending Dependabot alerts for vulnerable GitHub Actions to help developers fix security issues in CI/CD workflows. "When a security vulnerability is reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert to impacted repositories," GitHub's Brittany O'Shea and Kate Catlin said . GitHub Actions is a continuous integration and continuous delivery (CI/CD) solution that enables users to automate the software build, test, and deployment pipeline. Dependabot is part of the Microsoft-owned subsidiary's continued efforts to secure the software supply chain by notifying users that their source code depends on a package with a security vulnerability and helping keep all the dependencies up-to-date. The latest move entails receiving alerts on GitHub Actions and vulnerabilities impacting deve...
