GitHub is adding several services to its popular code-sharing site to help developers manage dependencies and improve security.
GitHub dependency graph service
With the dependency graph service, GitHub will use its own data to build a dependency graph that gives developers insight into both projects their code depends on and the projects that depend on their code.
The essential features in the GitHub dependency graph service
The dependency graph relies on package managers to draw out dependencies when there are dependency manifest files. But over time, GitHub will provide the dependency graph service for projects that do not have dependency manifests. Still, GitHub recommends projects use a manifest file format to find these dependencies.
The graph also will be annotated with additional information for security and license and operational risks.
Where to get the GutHub dependence graph service
The dependency graph is available now on Github.com for public and private repos. The dependency graph will come to GitHub Enterprise, a paid service for enterprises, in early 2018. (GitHub Enterprise can be run at GitHub’s site as a cloud service or locally installed on-premises, as desired.)
GitHub security alerts service
The GitHub security alerts service is the first of a set of planned security features for GitHub.
The essential features in the GitHub security alerts service
Security alerts will associate the graph tracking dependencies with public security vulnerabilities, and providing alerts based on those connections, as well as alerts to some GitHub fixes.