GitHub Security Lab is a project to find vulnerabilities in open-source software


Yesterday, at the GitHub Universe developer conference, GitHub announced that it is launching a new initiative aimed at improving the security of the open-source ecosystem. The new initiative is called GitHub Security Lab, and it brings together security researchers from different companies to identify and help fix vulnerabilities in popular open-source projects.

All interested companies and individual security experts are invited to join the initiative, which already includes security researchers from F5, Google, HackerOne, Intel, IOActive, JP Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMWare, who have identified and helped fix 105 vulnerabilities over the past two years in projects such as Chromium, libssh2, Linux kernel, Memcached, UBoot, VLC, Apport, HHVM, Exiv2, FFmpeg, Fizz, libav, Ansible, npm, XNU, Ghostscript, Icecast, Apache Struts, strongSwan, Apache Ignite, rsyslog, Apache Geode and Hadoop.

"The goal of the Security Lab is to encourage and enable researchers around the world to protect program code," the company said.

The code security lifecycle proposed by GitHub works as follows: GitHub Security Lab participants identify a vulnerability, then the maintainers and developers who will fix the problem are notified and agree on when information about the issue will be disclosed, and finally the projects that depend on the affected component are notified that they need to install a version with the vulnerability removed.

Microsoft's CodeQL, developed to find vulnerabilities in source code, has been released for public use. The database will host CodeQL templates to prevent already fixed issues from reappearing in code hosted on GitHub.

In addition, GitHub recently became a CVE Numbering Authority (CNA). This means it can issue CVE identifiers for vulnerabilities. This capability has been added to a new service called »Security Advisories«.

Through the GitHub interface, you can obtain a CVE identifier for a discovered problem and prepare a report; GitHub itself will then send the required notifications and arrange a coordinated fix. Also, once the problem is fixed, GitHub will automatically send pull requests to update the dependencies associated with the affected project.

CVE identifiers mentioned in comments on GitHub now automatically link to detailed information about the vulnerability in the submitted database. A separate API is provided for working directly with the database.

GitHub also includes the GitHub Advisory Database vulnerability catalog, which publishes information about vulnerabilities affecting projects on GitHub, together with information for tracking the affected packages and repositories. The security database hosted on GitHub will be named GitHub Advisory Database.

An improvement was also reported to the service that protects against leaking sensitive data, such as authentication tokens and access keys, into publicly accessible repositories.

During a commit, the scanner checks for the typical private-key and token formats used by 20 cloud providers and services, including Alibaba Cloud API, Amazon Web Services (AWS), Azure, Google Cloud, Slack and Stripe. If a token is detected, a request is sent to the service provider to confirm the leak and revoke the compromised tokens. Since yesterday, in addition to the previously supported formats, support has been added for detecting GoCardless, HashiCorp, Postman and Tencent tokens.
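As an added illustration (this is not code from the article or from GitHub's scanner), here is a minimal format-based secret scanner of the kind the paragraph describes: it runs a set of credential-shape patterns over the text of a commit, records the line and kind of each hit, and redacts the matched value so the report itself never re-leaks the credential. The patterns for AWS access key IDs, Slack tokens and PEM private-key headers are simplified approximations assumed for this example; the exact signatures GitHub uses are not given on the page, and the sample commit text is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified credential shapes (an assumption for this example, not GitHub's
# real signature set). Each one is anchored on a fixed prefix or header, which
# is what makes format-based scanning cheap and low-noise.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern fired
    line_no: int    # 1-based line in the scanned text
    redacted: str   # prefix plus asterisks, never the full value


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a reviewer can recognise the token type,
    and mask the rest so the finding is safe to log or post in an issue."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str) -> list[Finding]:
    """Return every credential-shaped match in `text`, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(0))))
    return findings


def has_leaked_credentials(text: str) -> bool:
    """Decision a pre-receive hook would make: block the push if anything fired."""
    return bool(scan_text(text))


# Constructed sample commit content. AKIAIOSFODNN7EXAMPLE is the placeholder
# key ID used in AWS documentation; the other values are made up.
SAMPLE_COMMIT = """\
# config.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SLACK_TOKEN = "xoxb-000000000000-000000000000-constructedplaceholder"
DEBUG = True
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAconstructedbodynotarealkey
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
    print("blocked" if has_leaked_credentials(SAMPLE_COMMIT) else "clean")
```

A real service adds a verification step after the match, as the article notes: the candidate is sent to the issuing provider, which confirms whether it is a live credential and revokes it. Format matching alone only tells you that something looks like a key, which is why the redacted finding, not the raw value, is what should travel in any notification.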

Up to $3,000 is paid for identifying a vulnerability, depending on the severity of the problem and the quality of the report.

According to the company, bug reports must include a CodeQL query that captures a template of the vulnerable code, so that the presence of the same kind of problem can be detected in the code of other projects (CodeQL performs semantic analysis of code and lets you write queries that search for specific patterns).
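To make the idea of a reusable vulnerability "template" concrete, here is an added example that is not from the article and is not CodeQL: a small Python analogue built on the standard `ast` module. It encodes one pattern, a call to `eval()` or `exec()` whose first argument is computed at run time rather than written as a string literal, and runs it over a constructed source file, returning the call name and line of each match. This is the same shape of check a CodeQL query expresses declaratively over a code database; the sample source and the `find_dynamic_eval` helper are assumptions made for this illustration.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# The "template": a callee in this set whose argument is not a fixed literal.
DANGEROUS_CALLS = {"eval", "exec"}


@dataclass(frozen=True)
class Match:
    func: str      # eval or exec
    line: int      # line of the call in the scanned source
    arg_kind: str  # AST node type of the first argument, for the report


def _callee_name(call: ast.Call) -> str | None:
    """Only bare names (eval(...)), not attribute calls, are part of this pattern."""
    return call.func.id if isinstance(call.func, ast.Name) else None


def find_dynamic_eval(source: str) -> list[Match]:
    """Flag eval()/exec() whose first argument is anything but a string literal.

    A literal argument is fixed when the code is written, so it cannot carry
    attacker-controlled input; a Name, BinOp, Call, etc. can, and is reported.
    """
    matches: list[Match] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in DANGEROUS_CALLS or not node.args:
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            continue  # fixed string: not part of the pattern
        matches.append(Match(name, node.lineno, type(arg).__name__))
    matches.sort(key=lambda m: m.line)
    return matches


# Constructed sample source to scan (it is parsed, never executed).
SAMPLE_SOURCE = '''
import os
CONFIG = eval("{'debug': False}")          # literal argument: ignored
def handler(request):
    expr = request.args["expr"]
    return eval(expr)                       # computed argument: flagged
def run(cmd):
    exec("print(" + cmd + ")")              # concatenation: flagged
'''

if __name__ == "__main__":
    for m in find_dynamic_eval(SAMPLE_SOURCE):
        print(f"line {m.line}: {m.func}() called with a {m.arg_kind} argument")
```

The value of expressing a bug this way, rather than as a one-off report, is that the same template can be re-run over every project in a code database, which is what the article says GitHub wants from Security Lab submissions.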

