GitHub Updates Improve Code Security, Developer Productivity

A spate of GitHub updates includes prebuild codespaces to improve developer productivity and community contributions to its Advisory database to improve security.

Sean Michael Kerner, Contributor

February 25, 2022


GitHub expanded its capabilities with a series of announcements this month aimed at improving DevOps workflows.

Among the new capabilities is support for the Mermaid diagramming syntax in Markdown, which GitHub made available on Feb. 14. Mermaid lets DevOps teams create diagrams and charts from text in their documentation. A week later, on Feb. 22, GitHub announced updates to its Advisory Database for DevSecOps, enabling community users to contribute information to security advisories.

Rounding out the month's GitHub updates, on Feb. 23 GitHub rolled out a public beta of its prebuild codespaces capability that gives DevOps teams a new way to quickly onboard developers with all the tools and access needed to start a given project. Codespaces is a collaborative integrated development tool that GitHub first announced at the GitHub Satellite conference in May 2020.

GitHub Advisory Database Boosts DevSecOps and Code Security

The GitHub Advisory Database tracks a growing list of security vulnerabilities in code. The listed information is then used to inform both manual and automated processes that scan code hosted on GitHub for potential security risks. Now, with community contributions, the goal is to provide even more information to GitHub users.

"With community contributions, we're looking to increase both the quality and the quantity of information we have publicly available on vulnerabilities," Kate Catlin, senior product manager at GitHub, told ITPro Today.

For example, she noted that contributions can make GitHub aware of additional products that it didn't initially realize were affected by a security issue or help improve the description of how to fix a vulnerability GitHub already knew about.

Contributions from the community will be displayed in the alerts GitHub sends when it scans for vulnerabilities in a project's dependencies through the Dependabot product, according to Catlin. She added that those alerts are powered by the information in the Advisory Database, so a submission that adds structured metadata about a specific vulnerability affecting a dependency will trigger alerts for that dependency. Additionally, the community information will improve the description of a vulnerability shown to end users triaging and remediating the vulnerability.
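To make the alerting mechanism described above concrete, here is a small added example (not GitHub's or Dependabot's code) that models how structured advisory metadata drives alerts for a dependency manifest. The advisory shape is a constructed, simplified stand-in: each affected entry names an ecosystem, a package, the version that introduced the flaw and the first fixed version, giving a half-open vulnerable range [introduced, fixed). Versions are assumed to be plain dotted integers, and every identifier and package name below is a placeholder. The second half shows the effect of a community contribution that adds a package GitHub did not initially know was affected: the dependency on that package only starts producing an alert once the contribution is merged into the advisory.

```python
"""Toy model of how structured advisory metadata drives dependency alerts.

Added example, not GitHub code. The advisory shape is a constructed,
simplified stand-in for real advisory records (assumption): each affected
entry has an ecosystem, package, 'introduced' version and optional 'fixed'
version, forming the half-open range [introduced, fixed).
Versions are assumed to be purely numeric dotted strings.
"""
from copy import deepcopy


def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(version: str, affected: dict) -> bool:
    """True if version lies in [introduced, fixed). A missing 'fixed' means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(affected["introduced"]):
        return False
    fixed = affected.get("fixed")
    return fixed is None or v < parse_version(fixed)


def alerts_for(advisory: dict, dependencies: list) -> list:
    """Return one (ecosystem, package, version, advisory_id) tuple per dependency the advisory affects.

    Matching is on ecosystem AND package name, so a same-named package in a
    different ecosystem does not raise a false alert.
    """
    hits = []
    for dep in dependencies:
        for aff in advisory["affected"]:
            same_pkg = (dep["ecosystem"], dep["name"]) == (aff["ecosystem"], aff["package"])
            if same_pkg and is_vulnerable(dep["version"], aff):
                hits.append((dep["ecosystem"], dep["name"], dep["version"], advisory["id"]))
                break
    return hits


def with_contribution(advisory: dict, extra_affected: dict) -> dict:
    """Return a copy of the advisory extended with one community-contributed affected entry."""
    updated = deepcopy(advisory)
    updated["affected"].append(extra_affected)
    return updated


# Constructed sample data: a fictional advisory and a fictional dependency manifest.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",  # placeholder, not a real GHSA or CVE identifier
    "summary": "Example: path traversal in archive extraction (constructed)",
    "affected": [
        {"ecosystem": "npm", "package": "example-archive", "introduced": "2.0.0", "fixed": "2.3.1"},
    ],
}

# A community contribution: a rebranded copy of the same code is affected too.
CONTRIBUTED_ENTRY = {
    "ecosystem": "npm", "package": "example-archive-lite", "introduced": "1.0.0", "fixed": "1.2.0",
}

DEPENDENCIES = [
    {"ecosystem": "npm", "name": "example-archive", "version": "2.2.0"},       # inside range -> alert
    {"ecosystem": "npm", "name": "example-archive", "version": "2.3.1"},       # first fixed version -> no alert
    {"ecosystem": "npm", "name": "example-archive-lite", "version": "1.1.5"},  # alerts only after the contribution
    {"ecosystem": "pip", "name": "example-archive", "version": "2.2.0"},       # same name, other ecosystem -> no alert
]


def demo() -> tuple:
    """Alerts computed before and after the community contribution is merged."""
    before = alerts_for(ADVISORY, DEPENDENCIES)
    after = alerts_for(with_contribution(ADVISORY, CONTRIBUTED_ENTRY), DEPENDENCIES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before contribution:", before)
    print("after contribution: ", after)
```

The point to take from the example is that an alert can only fire for what the metadata names: a contribution that adds an affected package, or tightens a version range, directly changes which projects get notified, which is why the quality of community submissions matters.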

GitHub Updates Include Codespaces Prebuilds to Accelerate DevOps Productivity

Getting developers set up quickly with all the tools needed for a particular project can be time-consuming. This is where GitHub codespaces prebuilds will make a difference.

"You can think of prebuild codespaces as a way to automate your infrastructure-as-code to further improve developer productivity by reducing the time to interact with their codebase," Tanmayee Kamath, senior product manager at GitHub, told ITPro Today.

GitHub Codespaces screengrab

Without prebuilds, the process of setting up a codespace in GitHub, although not an entirely manual activity, can take time. Kamath explained that to get developers started with a fully configured environment, you can set up a devcontainer configuration for a repository. The devcontainer config can reference the image or Dockerfile required to spin up the container, any scripts that need to be run for setup, any extensions that need to be installed and so on, to ensure every developer working off that repo gets a consistent and standardized experience, she said.
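The kind of configuration file Kamath is describing, as an added illustration rather than anything from the article or from GitHub's own repositories: a `.devcontainer/devcontainer.json` that points at a Dockerfile, runs a setup script after the container is created, and pins editor extensions. The project name, Dockerfile and script path are placeholders; the keys (`build.dockerfile`, `postCreateCommand`, `customizations.vscode.extensions`) are standard devcontainer keys. A prebuild executes the image build and the `postCreateCommand` step ahead of time so a developer requesting a codespace does not wait on them.

```json
{
  // .devcontainer/devcontainer.json (added example; names are placeholders)
  "name": "example-service",

  // Build the container from a Dockerfile kept next to this file.
  "build": {
    "dockerfile": "Dockerfile"
  },

  // Setup script run once after the container is created; a prebuild runs this ahead of time.
  "postCreateCommand": "bash .devcontainer/setup.sh",

  // Editor extensions every developer on the repo should get.
  "customizations": {
    "vscode": {
      "extensions": [
        "dbaeumer.vscode-eslint"
      ]
    }
  }
}
```

Anything that runs from this file runs for every contributor's codespace, so the Dockerfile and setup script deserve the same review as application code: pin base images and downloaded tool versions, and keep secrets out of the configuration entirely.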

"Prebuilds help prepackage the devcontainer configuration for a given repository by pre-executing all the tasks in that configuration beforehand, so that developers don't have to wait for that configuration to be built in real time when they request a codespace," Kamath said.

Prebuilds are most helpful when the project being worked on is complex, Kamath said. Because all of these time-consuming tasks have already been executed beforehand, prebuilds significantly improve developer productivity by giving developers faster codespace creation regardless of the size and complexity of their projects, she said.


About the Author(s)

Sean Michael Kerner

Contributor

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He consults to industry and media organizations on technology issues.

https://www.linkedin.com/in/seanmkerner/
