The Transform Technology Summits start October 13th with Low-Code/No Code: Enabling Enterprise Agility. Register now!

GitHub today launched the GitHub Security Lab, an ongoing effort to protect open source code projects. The GitHub Security Lab is aimed at bringing together security researchers from partner organizations like Google, Microsoft, Mozilla, Oracle, Uber, and HackerOne.

Many open source projects form an underlying infrastructure for modern software such as programming languages like Ruby and Python, machine learning frameworks like TensorFlow, and Kubernetes for containerless apps and Microsoft’s Visual Studio Code, the most popular open source repository on GitHub.

To power the GitHub Security Lab, GitHub is open-sourcing CodeQL, variant analysis software from Semmle, a company it acquired in September to help GitHub better spot exploits in code. Semmle security software is used by companies like Google, Microsoft, and NASA. GitHub says it’s used the CodeQL semantic code analysis engine to find more than 100 vulnerabilities in popular open source projects with custom queries.

To work with maintainers in a private space and give security research a way to apply for a Common Vulnerabilities and Exposures (CVE), GitHub also launched Security Advisories. Once completed, advisories are sent to the affected project and logged in the GitHub Advisory Database and SecurityAdvisory API.

GitHub also shared today that it will now scan tokens from new partners like Tencent.

The news comes on the second day of the GitHub Universe developer conference being held at the Palace of Fine Arts in San Francisco. The code repository and programming collaboration platform is now used by more than 40 million developers worldwide and is used to store 100 million code repositories. On day one, GitHub launched a range of upgrades and an iOS mobile app. An Android mobile app will launch in 2020. CEO Nat Friedman predicts that more than half of GitHub activity will take place on a smartphone within 5 years.

GitHub also debuted the Arctic Code Vault, an initiative to preserve open source code for thousands of years in Norwegian permafrost; made Actions and Packages generally available; and made semantic code search available for Python, Go, and Ruby repositories.


VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more
Become a member