
GitHub Enterprise security, monitoring tools target large orgs

Additional tools and services in GitHub Enterprise, such as security vulnerability alerts and auditing for open source dependencies, seek to satisfy the company's large customers.

GitHub has doubled down on its mission to meet the needs of enterprises, with added security enhancements to the GitHub platform and tools to track and monitor how employees use the platform.

Security vulnerability alerts on GitHub Enterprise Server are now generally available. These alerts give enterprises that run GitHub Enterprise Server locally the same vulnerability alerts that GitHub gives cloud users. Vulnerability alerts notify users whenever a piece of critical software has a known exposure.

GitHub maintainer security advisories and security policy features, now in beta, give maintainers a private place to discuss, fix and publish security advisories to customers. Developers can open private pull requests, work on a fix and then release it to the main branch so all the projects can be current.

This lets maintainers get ahead of malicious code and malicious acts without tipping off would-be hackers, said Dana Lawson, GitHub's vice president of engineering. The security policy feature lets users create one security policy for their organization and have it automatically apply to every repository.

Other new GitHub security features include Dependency Insights on GitHub Enterprise Cloud, which lets enterprises better audit and report on their open source dependencies via a dashboard, and a partnership with WhiteSource to expand the amount of vulnerability data available to GitHub developers.

[Image: Fine-grained permissions in GitHub Enterprise. Fine-grained permissions let GitHub Enterprise users grant specific roles to access repositories.]

GitHub also introduced a beta of its dependency monitoring capability with Dependabot, a technology the company acquired last week, which enables enterprises to have a developer on demand to remediate issues. Dependabot creates pull requests when it sees an issue or dependency that is out of sync or requires updating. It alerts a developer to fix the problem, rather than requiring a developer to manually hunt for and fix issues.

Controls, insights and a package registry

Meanwhile, GitHub added several features to GitHub Enterprise. Internal repos, now in beta, enable companies to keep internal repositories accessible to employees only. This helps organizations that adopt inner source practices, where developers collaborate internally the way open source projects do, GitHub's Lawson said.


Also in beta is Organization Insights, which helps users to better understand how their organization collaborates on GitHub, as well as automatic team synchronization for team membership.

Other GitHub Enterprise additions that are now GA include fine-grained permissions, which let enterprises grant specific roles to access repositories. The enterprise account type connects organizations across an enterprise and provides greater opportunity for developer collaboration.

GitHub released the features at the GitHub Satellite event last week in Berlin. They followed the recent release of the GitHub Package Registry, a package management service that facilitates the use of public or private packages next to a developer's source code. The GitHub registry supports the popular package management tools used by developers, such as npm for JavaScript, Maven for Java, RubyGems for Ruby, NuGet for .NET and Docker images.

[Image: Organization Insights in GitHub Enterprise. Organization Insights helps users track how their organization collaborates on GitHub.]

GitHub development puts pedal to the metal

Collectively, these moves illustrate GitHub's rapid shift into adjacent markets, as the company moves from a stable foundation to a fast-moving platform that changes the game for partners, competitors and users, said James Governor, an analyst at RedMonk, in Portland, Maine.

For instance, GitHub Actions potentially impacts every company in the CI/CD tools industry, especially Travis CI and CircleCI, he said.

"Anyone that sells tools that touch developer pipelines, and that includes DevSecOps, now needs to consider GitHub development directions," he said.

Moreover, the launch of GitHub Package Registry's package management functionality makes perfect sense for a place where users store and share code and collaborate on projects -- and happens to follow recent bad publicity around layoffs at NPM Inc., and the security breach in Docker Hub.

"In two announcements, GitHub made life harder for multiple companies," Governor said.
