Keep GitHub Dependencies Secure with Nexus Lifecycle's Automated Pull Requests - Security Boulevard


As organizations seek to innovate faster and build more secure applications at scale, the one trend we are seeing is the desire to automate dependency management. In fact, this trend was evident in our 2019 State of the Software Supply Chain Report, where we analyzed 36,203 open source components from the Central Repository to determine how effectively OSS projects update their dependencies and fix vulnerabilities. What we found was that exemplary projects are 18x faster at updating dependencies and 3.4x faster at remediating known vulnerabilities, highlighting the desire to move towards automation.

Now more and more automated dependency management solutions exist in the market to help developers fix known vulnerabilities and stay up to date. However, we have heard from our customers that these solutions often have limitations because they can produce a lot of “noise” and are then turned off. They also don’t make recommendations based on an organization’s open source policy, instead just suggesting the next non-vulnerable version.

That is why we have focused our attention on integrating Nexus Lifecycle with SCM tools and are now releasing automated pull requests to fix security vulnerabilities in GitHub. But unlike existing solutions, we leverage the precision in Nexus Intelligence to provide expert remediation guidance based on an organization’s open source policy, eliminating the noise and blind updates from other vendors.

Now developers can easily see what version to migrate to in their GitHub pull request and trust that it meets their open source policy. They also have detailed information about the vulnerability, links to the CVE information and a detailed vulnerability report in Nexus Lifecycle, as well as links directly to the component version in the Central Repository.

And we aren’t stopping here. We have plans to enhance these automated pull requests with precise intelligence on the overall quality (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Michelle Dufty. Read the original post at: