Sonatype has released Sonatype DepShield, a tool meant to make open-source governance easier for developers. DepShield is a GitHub application that integrates directly with repositories, so developers can identify vulnerable open-source components where they already work.
According to the company, DepShield continuously monitors projects and automatically opens issues when security vulnerabilities are detected. Known vulnerabilities appear as a list in GitHub’s issue tracker, and each issue can be expanded to show details such as the CVE identifier and CVSS score. Each finding also carries the affected version range, which helps developers determine whether the version they depend on is vulnerable.
“The need for more secure coding practices has never been greater,” said Wayne Jackson, CEO of Sonatype. “Developers live, eat, and breathe in GitHub. While developers find value in GitHub’s native dependency graph, they need, and are demanding, more self-help security. With DepShield, we’re enabling 28 million developers to add an initial layer of defense, to not only help protect their software projects, but the millions of enterprises, organizations and individuals who will use their code down the road.”
DepShield is available now for Apache Maven projects, with JavaScript and Python support coming soon, Sonatype said.
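To make concrete what a check of this kind has to do for a Maven project, here is an added example; it is not DepShield's code or any Sonatype code. It parses a constructed pom.xml, resolves `${property}` versions, and tests each dependency against advisory ranges written in Maven's version-range syntax, using a simplified form of Maven's version ordering. The pom, the advisory table, the `EXAMPLE-*` identifiers and the CVSS scores are all constructed for illustration and do not describe a real project or real CVEs.

```python
"""Match dependencies declared in a Maven pom.xml against vulnerable version
ranges and report issue-style findings. Added illustration, not DepShield's
code: the pom, advisory table and EXAMPLE-* identifiers are constructed and
are not a real project or real CVE data."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml; one version is taken from <properties>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
 <properties><widget.version>2.3.1</widget.version></properties>
 <dependencies>
  <dependency><groupId>org.example</groupId><artifactId>widget-core</artifactId>
   <version>${widget.version}</version></dependency>
  <dependency><groupId>org.example</groupId><artifactId>widget-io</artifactId>
   <version>1.9.0-beta</version></dependency>
 </dependencies>
</project>"""

# Constructed advisories (hypothetical ids). Ranges use Maven syntax:
# [lo,hi) includes lo and excludes hi, a missing bound is open, [x] pins x.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ga": "org.example:widget-core", "range": "[2.0,2.4)", "cvss": 7.5},
    {"id": "EXAMPLE-0002", "ga": "org.example:widget-io", "range": "[1.9,)", "cvss": 5.3},
]

# Qualifier order from Maven's ComparableVersion: pre-release qualifiers sort
# below a bare release (""), "sp" above it, unknown qualifiers after all.
_QUALIFIERS = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
               "rc": 3, "cr": 3, "snapshot": 4, "": 5, "ga": 5, "final": 5,
               "release": 5, "sp": 6}

def _tokens(version):
    """'1.9.0-beta' -> [1, 9, 0, 'beta']"""
    return [int(t) if t.isdigit() else t
            for t in re.findall(r"\d+|[a-z]+", version.lower())]

def _cmp_token(a, b):
    """Compare one position. None pads the shorter version: 0 against a number,
    a bare release against a qualifier."""
    if a is None and b is None:
        return 0
    if a is None:
        a = "" if isinstance(b, str) else 0
    if b is None:
        b = "" if isinstance(a, str) else 0
    if isinstance(a, int) and isinstance(b, int):
        return (a > b) - (a < b)
    if isinstance(a, int) or isinstance(b, int):
        return 1 if isinstance(a, int) else -1  # a number outranks a qualifier
    ra = (_QUALIFIERS[a], "") if a in _QUALIFIERS else (7, a)
    rb = (_QUALIFIERS[b], "") if b in _QUALIFIERS else (7, b)
    return (ra > rb) - (ra < rb)

def compare_versions(v1, v2):
    """-1, 0 or 1 ordering v1 against v2. A simplified ComparableVersion: it
    gets 1.0.0 == 1, 1.9.0-beta < 1.9 and 1.0-sp > 1.0 right but does not
    model every nesting rule of Maven's real implementation."""
    t1, t2 = _tokens(v1), _tokens(v2)
    for i in range(max(len(t1), len(t2))):
        c = _cmp_token(t1[i] if i < len(t1) else None, t2[i] if i < len(t2) else None)
        if c:
            return c
    return 0

_RANGE = re.compile(r"^([\[(])\s*([^,\])]*)\s*(?:,\s*([^\])]*))?\s*([\])])$")

def in_range(version, spec):
    """True if version lies inside a range such as [2.0,2.4), [1.9,), (,1.5] or [1.0]."""
    m = _RANGE.match(spec.strip())
    if not m:
        raise ValueError("unsupported range syntax: " + spec)
    lo_br, lo, hi, hi_br = m.groups()
    if hi is None:  # "[1.0]" pins exactly one version
        return compare_versions(version, lo) == 0
    if lo and (compare_versions(version, lo) < 0
               or (lo_br == "(" and compare_versions(version, lo) == 0)):
        return False
    if hi and (compare_versions(version, hi) > 0
               or (hi_br == ")" and compare_versions(version, hi) == 0)):
        return False
    return True

def dependencies(pom_xml):
    """Yield (groupId:artifactId, version). ${prop} versions are resolved from
    <properties>; anything still unresolved (e.g. inherited from a parent pom)
    is skipped rather than guessed."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the POM namespace
    root = ET.fromstring(pom_xml)
    props = {local(p.tag): (p.text or "").strip()
             for el in root if local(el.tag) == "properties" for p in el}
    for dep in root.iter():
        if local(dep.tag) == "dependency":
            f = {local(c.tag): (c.text or "").strip() for c in dep}
            m = re.fullmatch(r"\$\{(.+)\}", f.get("version", ""))
            version = props.get(m.group(1), "") if m else f.get("version", "")
            if version:
                yield f["groupId"] + ":" + f["artifactId"], version

def scan(pom_xml, advisories=ADVISORIES):
    """One finding per dependency whose version falls inside an advisory range."""
    return [{"id": a["id"], "ga": ga, "version": v, "range": a["range"], "cvss": a["cvss"]}
            for ga, v in dependencies(pom_xml)
            for a in advisories if a["ga"] == ga and in_range(v, a["range"])]

if __name__ == "__main__":
    for f in scan(SAMPLE_POM):  # prints EXAMPLE-0001 only: 1.9.0-beta is below 1.9
        print("{id}: {ga}@{version} in vulnerable range {range} (CVSS {cvss})".format(**f))
```

The point worth noticing is the second dependency: under Maven's ordering `1.9.0-beta` sorts below `1.9`, so a range that starts at `[1.9` does not cover it, whereas a naive string or tuple comparison would flag it as affected (or, for the reverse case, miss a real hit). Version ordering is therefore part of the correctness of any such tool, not a detail. A real check would also pull the advisory data from a maintained vulnerability database rather than an inline table, and would resolve versions inherited from parent poms and dependency management before matching.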
“As a part of DevSecOps initiatives, organizations are automating application security within their DevOps pipeline. With DepShield, we are enabling organizations to shift their security practices as far left as possible — empowering developers to introduce open source hygiene within their GitHub repositories,” Michelle Dufty, senior director of product marketing for Sonatype, wrote in a post.