GitHub wants to help protect the open-source ecosystem with the announcement of the GitHub Security Lab. The lab is designed to bring together security researchers, maintainers and companies who are dedicated to open-source security.
In addition, the company will provide tools, resource bounties, and hours of security research.
“We all share a collective responsibility to keep open source software secure—none of us can do it alone,” Jamie Cool, VP of product for security at GitHub, wrote in a post.
As part of the announcement, GitHub revealed CodeQL is now freely available for open-source software. CodeQL is an open-source security tool that helps users find vulnerabilities in open-source code, the company explained. “CodeQL is a tool many security research teams around the world use to perform semantic analysis of code, and we’ve used it ourselves to find over 100 reported CVEs in some of the most popular open source projects,” Cool wrote.
The GitHub Advisory Database is also being launched to provide a public database of advisories on GitHub as well as additional data curated and mapped to packages.
As part of the lab’s launch, F5, Google, HackerOne, Intel, LinkedIn, Microsoft, Mozilla, Oracle, Uber, VMware and more are donating time and expertise to open-source security.
Other ways GitHub is helping protect open-source software are automated security updates and token scanning.