GitHub brings its suite of supply chain security features to Go

Go is receiving a boost from GitHub with the company bringing its supply chain security features to the Google-designed language.

Go is currently the fourth most popular programming language on GitHub. The Go community embraced GitHub as the main home for its open-source modules, and now the company is returning the favour by helping Go developers find security vulnerabilities in the modules they depend on.

Steve Francia, Product Lead of Go Language at Google, said:

“Go was created, in part, to address the problem of managing dependencies in large-scale software. GitHub is the most popular host for open-source Go modules. The features announced today will help not just GitHub users but anyone who depends on GitHub-hosted modules. We are thrilled that GitHub is investing in improvements that benefit the entire Go ecosystem, and we look forward to more collaborations with them in the future.”

GitHub has published over 150 security advisories for Go modules. Maintainers of Go modules can use these advisories to coordinate when and how vulnerabilities in their module are publicly disclosed, so that a fix is available before the details become widely known.

Developers can be alerted to vulnerable dependencies through GitHub’s dependency graph. To view the dependencies detected for a repository, open the Insights tab and select Dependency graph from the sidebar on the left.

Dependency graph is enabled by default in public repositories but must be manually turned on for private repos.

Dependabot will alert developers when a vulnerability is found in a module they are using, and Dependabot security updates automatically open pull requests that bump the affected dependency to a patched version when such a vulnerability is detected.
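As an added illustration (not code from the article, from GitHub or from the Go project), the following Go program does in miniature what the dependency graph and Dependabot alerts do for a repository: it reads the require directives out of a go.mod file and matches each module and version against the patched version recorded in an advisory. The go.mod text, the EXAMPLE-* advisory IDs and the module paths are all constructed for this example and describe no real vulnerabilities, and the version comparison is a simplified stand-in for the ordering the real toolchain gets from golang.org/x/mod/semver.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module is one dependency recorded in a go.mod require directive.
type Module struct {
	Path    string
	Version string
}

// Advisory is a simplified vulnerability record for a Go module: every
// version of ModulePath below PatchedVersion is considered affected.
// The records used below are constructed and describe no real bugs.
type Advisory struct {
	ID             string
	ModulePath     string
	PatchedVersion string
}

// Finding pairs a required module with an advisory it has not yet patched.
type Finding struct {
	Module   Module
	Advisory Advisory
}

// ParseGoMod extracts the require directives from go.mod text. It handles
// the single-line form and the parenthesised block form, and drops
// trailing comments such as "// indirect".
func ParseGoMod(src string) []Module {
	var mods []Module
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				mods = append(mods, Module{Path: f[1], Version: f[2]})
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				mods = append(mods, Module{Path: f[0], Version: f[1]})
			}
		}
	}
	return mods
}

// splitVersion returns the numeric major.minor.patch core of a "vX.Y.Z"
// string plus any pre-release suffix; "+build" metadata is discarded.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i:], v[:i]
	}
	var core [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s)
		core[i] = n
	}
	return core, pre
}

// versionLess reports whether semantic version a sorts before b. A
// pre-release (including a Go pseudo-version such as v0.0.0-2020...-abcdef)
// sorts before the release it precedes, as in semver.
func versionLess(a, b string) bool {
	ca, preA := splitVersion(a)
	cb, preB := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	return preA != "" && preB == ""
}

// Audit returns every required module whose version is below the patched
// version of an advisory for the same module path: the check an alerting
// tool runs over the dependency graph against its advisory database.
func Audit(mods []Module, advs []Advisory) []Finding {
	byPath := map[string][]Advisory{}
	for _, a := range advs {
		byPath[a.ModulePath] = append(byPath[a.ModulePath], a)
	}
	var out []Finding
	for _, m := range mods {
		for _, a := range byPath[m.Path] {
			if versionLess(m.Version, a.PatchedVersion) {
				out = append(out, Finding{Module: m, Advisory: a})
			}
		}
	}
	return out
}

// sampleGoMod is a constructed go.mod used as input for the demo.
const sampleGoMod = `module example.com/app

go 1.16

require (
	example.com/lib/alpha v1.2.3
	example.com/lib/beta v0.9.0 // indirect
	example.com/lib/gamma/v2 v2.0.0-rc.1
)

require example.com/lib/delta v1.0.0
`

// sampleAdvisories are constructed records, not real GitHub advisories.
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-0001", ModulePath: "example.com/lib/alpha", PatchedVersion: "v1.2.4"},
	{ID: "EXAMPLE-0002", ModulePath: "example.com/lib/beta", PatchedVersion: "v0.9.0"},
	{ID: "EXAMPLE-0003", ModulePath: "example.com/lib/gamma/v2", PatchedVersion: "v2.0.0"},
}

func main() {
	for _, f := range Audit(ParseGoMod(sampleGoMod), sampleAdvisories) {
		fmt.Printf("%s %s is affected by %s (fixed in %s)\n",
			f.Module.Path, f.Module.Version, f.Advisory.ID, f.Advisory.PatchedVersion)
	}
}
```

Run as written, the program reports alpha (v1.2.3 is below the patched v1.2.4) and gamma (the rc.1 pre-release sorts before v2.0.0), while beta is already at its patched version and delta has no advisory. The same comparison is what decides whether a Dependabot pull request bumping the version would clear the alert.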

GitHub says it has found that repositories which automatically open pull requests to update vulnerable dependencies get those dependencies patched 40% faster than repositories that do not.

GitHub’s decision to bring its supply chain security features to Go is sure to be welcomed by the community and should help to protect software developed using the language.
