
GitHub’s latest security features - Callicles
https://github.com/features/security
======
Ded7xSEoPKYNsDd
As someone who regularly needs to report security vulnerabilities to projects
hosted on Github, I find it incredibly annoying that I can't create one of
these 'maintainer advisories' (or just a regular issue that's non-public) as
an outsider.

These 'security.md' files would work for me just as well to define a security
contact, but I've never come across one of these in the wild... so I end up
wasting my time hunting down maintainers and their email addresses, when
everyone involved would have a much easier time if it were all handled through
Github by allowing everyone to create a (draft) 'maintainer advisory'.

------
dannykwells
Lots of title editorializing recently. I wonder what's up. One thing I've
always liked about HN is that title editorializing isn't really viewed kindly.
So why now?

~~~
xvector
100% agreed, let's not editorialize titles please.

------
kmfrk
Makes sense. Fits with adding similar support in Visual Studio at some point.
Kind of like Word suggestions, but for code.

~~~
ryanburk
Will be interesting to see what they do that goes beyond the acquisition of
Semmle. It is great to see how quickly they have been able to integrate that
work.

------
matt_LLVW
Dependabot is really nice. I activated it on my repo and it created a PR with
the updated dependency, showing the "crowd-sourced" chance it could be
integrated safely. Semmle (LGTM) could be useful on a big codebase, but for a
simple webapp it didn't provide anything interesting.

------
throwaway5752
It's frustrating to set up OWASP scans over and over again. Anything Github or
Gitlab or whomever can do to normalize audits (please, by all means check for
CVEs on my dependencies, too) and static analysis, it's great. Make it
something I can enable on my PR/MR workflow.

~~~
sytse
Totally agree. With GitLab you can do static and dynamic code analysis, as
well as dependency and container scanning on your PR/MR out of the box.

And your security team gets an organization-wide overview of the security
results as well:
[https://docs.gitlab.com/ee/user/application_security/security_dashboard/](https://docs.gitlab.com/ee/user/application_security/security_dashboard/)

------
snorrah
Please forgive my naivety but is this something that would also come to GitHub
Enterprise?

------
peterwwillis
It's a feature, not a market play. GitHub wants to be a default for all your
most basic CI/CD uses, but they're not taking on _all of software security_.
This is a huge market, they're implementing like 1 feature of 1 use case.

------
mkagenius
> Automatic token scanning

Nice. I hope we contributed to it in some way:
[https://news.ycombinator.com/item?id=13667386](https://news.ycombinator.com/item?id=13667386)

------
sarcasmatwork
How does this not copy snyk.io?

~~~
asdfman123
Microsoft owns Github now, and their whole MO is copying everyone else's good
ideas at an impressive rate and seeing what will stick.

