GitHub recently announced that they would be providing security alerts for GitHub repositories. These alerts let you know when a dependency that you’re relying on has a critical vulnerability. Given the importance of security, this is an excellent idea. Thank you, GitHub! These alerts are turned on automatically for public repositories, but they require you to opt in for your private repositories. And while this isn’t hard, GitHub doesn’t make it clear exactly how to set this option for your private repositories. I just spent an hour or so turning this on for all my private repositories, and here’s the step-by-step approach:
- Go to github.
- Login if you’re not logged in.
- Navigate to your dashboard.
- Go to your repositories list by clicking on the repositories link in the header.
- Select a private repository by clicking on it.
- Select the Settings link.
- Scroll down to Data services.
- Turn on “Allow GitHub to perform read-only analysis of this repository”.
- Turn on Dependency graph.
- Turn on Vulnerability alerts. Note that GitHub saves the status of each of these settings via Ajax as you check each one, so there is no Save button you need to click.
Now you need to navigate back to repositories and turn this on for any other private repositories that you have. Given the number of private Rails apps I have repositories for, I’m really, really glad I turned this on.
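Repeating those clicks for every private repository gets tedious, so here is an added example (not from the original post) that does the same thing from the command line. It assumes the `gh` CLI is installed and authenticated as a user with admin access to the repositories, and it uses GitHub's REST endpoint `PUT /repos/{owner}/{repo}/vulnerability-alerts`, which enables both the dependency graph and vulnerability alerts for a repository.

```shell
#!/bin/sh
# Added example: enable vulnerability alerts on every private repository
# owned by the authenticated user. Assumes `gh` is installed and logged in
# (`gh auth login`) with admin rights on the repositories it touches.

# Build the REST path for a repository's vulnerability-alerts setting.
# $1 is "owner/name".
alerts_path() {
  printf '/repos/%s/vulnerability-alerts' "$1"
}

# Return 0 when alerts are already enabled, non-zero otherwise.
# GET on the endpoint answers 204 when enabled and 404 when disabled,
# and `gh api` exits non-zero on a 404.
alerts_enabled() {
  gh api --silent "$(alerts_path "$1")" >/dev/null 2>&1
}

# Enable the dependency graph and vulnerability alerts on one repository.
enable_alerts() {
  gh api --method PUT --silent "$(alerts_path "$1")"
}

# List the caller's private repositories, one "owner/name" per line.
private_repos() {
  gh repo list --visibility private --limit 1000 --json nameWithOwner \
    --jq '.[].nameWithOwner'
}

# Walk every private repository and turn alerts on where they are off.
# Failures (for example, a repository where you are not an admin) are
# reported and skipped rather than aborting the whole run.
main() {
  private_repos | while read -r repo; do
    if alerts_enabled "$repo"; then
      echo "already enabled: $repo"
    elif enable_alerts "$repo"; then
      echo "enabled: $repo"
    else
      echo "failed: $repo" >&2
    fi
  done
}

# Only make changes when explicitly asked, so sourcing the file is harmless.
if [ "${APPLY_ALERTS:-0}" = "1" ]; then
  main
fi
```

Run it as `APPLY_ALERTS=1 sh enable-alerts.sh`; rerunning is safe because repositories that already have alerts enabled are skipped.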
Note: It’s unclear exactly how long it takes to build the Dependency graph and for the Vulnerability alert scan to complete. I don’t think it is immediate, so you might want to keep an eye on the home page for your repos over the next few days.