GitHub wants to help protect the open-source ecosystem with the announcement of the GitHub Security Lab. The lab is designed to bring together security researchers, maintainers and companies who are dedicated to open-source security. 

In addition, the company will provide tools, resource bounties, and hours of security research.

“We all share a collective responsibility to keep open source software secure—none of us can do it alone,” Jamie Cool, VP of product for security at GitHub, wrote in a post.


As part of the announcement, GitHub revealed CodeQL is now freely available for open-source software. CodeQL is an open-source security tool that helps users find vulnerabilities in open-source code, the company explained. “CodeQL is a tool many security research teams around the world use to perform semantic analysis of code, and we’ve used it ourselves to find over 100 reported CVEs in some of the most popular open source projects,” Cool wrote.

The GitHub Advisory Database is also being launched to provide a public database of advisories on GitHub as well as additional data curated and mapped to packages. 

As part of the lab’s launch, F5, Google, HackerOne, Intel, LinkedIn, Microsoft, Mozilla, Oracle, Uber, VMware and more are donating time and expertise to open-source security.

GitHub is also helping protect open-source software through automated security updates and token scanning.

“Securing the world’s open source software is a daunting task. First, there’s scale: the JavaScript ecosystem alone has over one million open source packages. Then there’s the shortage of security expertise: security professionals are outnumbered 500 to one by developers. Finally there’s coordination: the world’s security experts are spread across thousands of companies. GitHub Security Lab and CodeQL will help level the playing field,” Cool wrote.