Resources Blog Keep GitHub Dependencies Secure With Nexus Lifecycle's ...

Keep GitHub Dependencies Secure With Nexus Lifecycle's Automated Pull Requests

As organizations seek to innovate faster and build more secure applications at scale, the one trend we are seeing is the desire to automate dependency management. In fact this trend was evident in our 2019 State of the Software Supply Chain Report where we analyzed 36,203 open source components from the Central Repository to determine how effectively OSS projects update their dependencies and fix vulnerabilities. What we found was that exemplary projects are 18x faster at updating dependencies and 3.4x faster at remediating known vulnerabilities, highlighting the desire to move towards automation.

Now more and more automated dependency management solutions exist in the market to help developers fix known vulnerabilities and stay up to date. However, we have heard from our customers that these solutions often have limitations because they can produce a lot of “noise” and are then turned off. They also don’t make recommendations based on an organization's open source policy, instead just suggesting the next non-vulnerable version.

That is why we have focused our attention on integrating Nexus Lifecycle with SCM tools and are now releasing automated pull requests to fix security vulnerabilities in GitHub. But unlike existing solutions, we leverage the precision in Nexus Intelligence to provide expert remediation guidance based on an organization's open source policy, eliminating the noise and blind updates from other vendors.

Nexus Automated GitHub Pull RequestNow developers can easily see what version to migrate to in their GitHub pull request and trust that it meets their open source policy. They also have detailed information about the vulnerability, links to the CVE information and a detailed vulnerability report in Nexus Lifecycle, as well as links directly to the component version in the Central Repository.

And we aren’t stopping here. We have plans to enhance these automated pull requests with precise intelligence on the overall quality of the release, risk of any suspicious behavior by the project committer, and difficulty in upgrading based on API changes so that developers continue to trust our recommendations.

Learn more about how it works by watching this demo here:

It’s no coincidence that we are releasing this feature in time for GitHub Universe. We are excited to be attending the event this week and will be demoing this new feature as well as other new solutions that integrate with GitHub. If you are at the show, please stop by our booth to say hello. You can walk away with some free tools that now integrate with GitHub or if you are an existing Sonatype customer, learn how Nexus Lifecycle and Nexus Repository work with GitHub Actions.

If you have any questions about how these new solutions work or want to connect with your peers, join us at Enjoy!

Picture of Michelle Dufty

Written by Michelle Dufty

Michelle Dufty is the Senior Director of Product Marketing at Sonatype where she brings solutions to market that unite development, security, and operations teams to accelerate software innovation while minimizing open source risk.