I am pleased to announce that we just launched Sonatype DepShield, a free GitHub app that automatically identifies vulnerabilities within open source dependencies. Now, 28 million GitHub developers can take basic security and governance into their own hands.
Powered by Sonatype’s OSS Index, DepShield integrates known open source vulnerability data directly into GitHub private and public repositories, allowing developers to identify, and subsequently fix, potential issues immediately.
Open source governance is becoming extremely important, especially in the aftermath of the Equifax data breach. In fact, according to our recent 2018 DevSecOps Community survey, 1 in 3 organizations suspected or verified breaches due to OSS vulnerabilities -- a 55 percent increase since 2017.
As a part of DevSecOps initiatives, organizations are automating application security within their DevOps pipeline. With DepShield, we are enabling organizations to shift their security practices as far left as possible -- empowering developers to introduce open source hygiene within their GitHub repositories.
Sonatype DepShield continuously monitors projects and auto-creates issues for security vulnerabilities. With DepShield, developers can:
- View a list of known security vulnerabilities within GitHub’s Issue Tracker and click on an issue to view vulnerability details, including the CVE identifier and CVSS score
- Determine the vulnerable version ranges for each reported vulnerability
Take a quick look to see how it works and download it from the GitHub marketplace to get started.
DepShield is a great first step toward open source hygiene, but it is based on vulnerability data from public sources and does not include any human curation or research. Organizations requiring an enterprise solution with automated open source governance and extensive remediation guidance should investigate the Nexus Platform.