GitHub borgs Dependabot, stiffens security posture

GitHub has jacked up its security offerings by buying in automated dependency scan and fix tool Dependabot, and adding a trio of new features.

The Microsoft-owned Git service said it had launched a partnership with WhiteSource to broaden its “coverage of potential security vulnerabilities in open source projects.”

At the same time, it has added “dependency insights”, to give organisations “full visibility into their dependencies, including vulnerabilities and open source licenses.” Meanwhile, its token scanning feature, which was previously in beta, is now generally available, and now supports tokens from Alibaba Cloud, Mailgun, and Twilio.

While adding features is one thing, adding a whole new company is quite another. Dependabot launched in 2017, promising to keep users’ dependencies up to date by scanning dependency files and opening individual pull requests to update them. The platform supports .NET, Rust, PHP, Java, JavaScript and Ruby, amongst others.

According to a blog post by Dependabot today, the service is being immediately integrated into GitHub, while its team will be doubling forthwith, meaning you can “expect lots of great improvements over the coming months.”

It added that users who’d prepaid for its service will get refunds, and that “In time, you’ll be able to configure Dependabot within GitHub, so you’ll no longer need the Dependabot dashboard.”

Funnily enough, when rival open source security scanner Gemnasium was acquired by GitLab last year, Dependabot wrote that the deal was “a warning of what can happen to businesses in a platform ecosystem.”

“We believe Dependabot adds a lot of value over GitHub’s dependency graph, and over Gemnasium, but if GitHub were to replicate our functionality they would likely crush us. We don’t believe that’s in their interest, but are staying as close to them as possible.”

Well, it all worked out in the end, at least for Dependabot. Where that leaves other companies offering dependency scanning is an interesting question. With the might of Microsoft behind it, buying in new features and offering them for free could become a trivial exercise for GitHub, piling pressure onto less well-funded rivals out there in the platform ecosystem.