Open-source security is critical for any modern application. Some of the biggest security crises in recent years, including the Equifax breach and the Heartbleed OpenSSL bug, originated from vulnerable open-source components.

If you own a GitHub repository or contribute to one, you need the tools to understand if the open-source code you are using in your project contains security vulnerabilities. Recently, several vendors, as well as GitHub itself, have introduced free tools that can help.

In this article, we review four tools that can scan your GitHub repo for open-source vulnerabilities. All four are valuable, but each has its strong points, caveats, and limitations. We’ll introduce each tool and its pros and cons to help you select the most appropriate GitHub security tool for your project.

Sonatype DepShield

Product page: https://www.sonatype.com/depshield

Setup: Go to the DepShield app page on GitHub and hit Install.

Provided by: Sonatype, makers of Nexus, which provides repository management and open-source security monitoring.

How it works: Continuously monitors GitHub repositories and creates an issue in the GitHub project for each security vulnerability it finds in the code.

Info provided about vulnerabilities: Description, CVE, and CVSS data, which version ranges are vulnerable, remediation guidance.

Language support: Apache Maven and NPM

Free version limitations: Vulnerability data in the free version is based on public sources only — the free version does not provide access to their full database of 4 million vulns. Component identification is imprecise, no license information is provided, and time to vulnerability awareness is days rather than the hours offered in the full solution.

WhiteSource Bolt for GitHub

Product page: https://bolt.whitesourcesoftware.com/github/

Setup: Go to the WhiteSource app page on GitHub, scroll down and click Install for free. Then, click Complete order and begin the installation, and authorize WhiteSource for use on your GitHub account.

Provided by: WhiteSource, a security, licensing, and reporting solution for open-source components. An incumbent player in the open-source security market, operating since 2011 and supporting over 2.1 million developers.

How it works: Bolt for GitHub scans your repositories every time a GitHub push action is performed and creates an issue for each vulnerability it finds. In addition, it creates issues for newly detected vulnerabilities in existing components. Bolt offers access to the WhiteSource vulnerability database, based on dozens of sources and claimed to be the industry’s most comprehensive database.

Notable feature: Before you merge a Pull Request containing new code, Bolt shows a report with all security vulnerabilities found in that code, and you can decide whether to merge the pull request or not. In addition, Bolt supports the GitHub checks API, allowing you to check for vulnerabilities programmatically along your dev/test/deploy pipeline.
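The "check for vulnerabilities programmatically" part of the Checks API integration is easy to wire into a pipeline: before a deploy step, read the check runs posted on the pull request's head commit and refuse to proceed if the scanning app reported findings. The following merge-gate script is an added example and is not code from the original article or from any of the vendors discussed; it assumes a dependency-scanning GitHub App has posted a check run, uses GitHub's documented GET /repos/{owner}/{repo}/commits/{ref}/check-runs response shape, and the app slug "dependency-scanner" and the sample payloads are constructed for illustration.

```python
"""CI merge gate driven by GitHub Checks API results.

Added example (not the article's or any vendor's code). Assumptions:
  * a dependency-scanning GitHub App posts a check run on each PR head commit;
  * its app slug is "dependency-scanner" (hypothetical name);
  * the JSON follows GitHub's documented check-runs list response.
"""
import json
import urllib.request
from dataclasses import dataclass, field

# Conclusions a gate should treat as blocking. "action_required" is how a
# GitHub App signals findings that need a human decision before merging.
BLOCKING_CONCLUSIONS = {"failure", "action_required", "timed_out", "cancelled"}


@dataclass
class GateResult:
    allowed: bool
    reason: str
    blocking_checks: list = field(default_factory=list)


def evaluate_check_runs(payload: dict, required_app_slugs: set) -> GateResult:
    """Decide whether a PR may proceed, based on a check-runs API payload.

    Policy enforced:
      1. every required app must have posted at least one check run;
      2. no required check may still be queued or in progress;
      3. no required check may have a blocking conclusion.
    Unrelated checks (unit tests, linters) are ignored by app slug.
    """
    seen = set()
    blocking = []
    for run in payload.get("check_runs", []):
        slug = run.get("app", {}).get("slug")
        if slug not in required_app_slugs:
            continue
        seen.add(slug)
        if run.get("status") != "completed":
            return GateResult(False, f"check '{run.get('name')}' from {slug} is {run.get('status')}")
        if run.get("conclusion") in BLOCKING_CONCLUSIONS:
            blocking.append({
                "app": slug,
                "name": run.get("name"),
                "conclusion": run.get("conclusion"),
                "summary": run.get("output", {}).get("summary", ""),
            })
    missing = required_app_slugs - seen
    if missing:
        # Fail closed: a scanner that never ran is not a passing scanner.
        return GateResult(False, f"no check run posted by: {', '.join(sorted(missing))}")
    if blocking:
        return GateResult(False, f"{len(blocking)} blocking security check(s)", blocking)
    return GateResult(True, "all required security checks passed")


def fetch_check_runs(owner: str, repo: str, ref: str, token: str) -> dict:
    """Fetch live check runs for a commit/branch (network call; not used offline)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/commits/{ref}/check-runs",
        headers={"Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample payloads (shape of the real API, values invented).
SAMPLE_BLOCKED = {"total_count": 2, "check_runs": [
    {"name": "unit tests", "status": "completed", "conclusion": "success",
     "app": {"slug": "ci-runner"}, "output": {"title": "ok", "summary": "412 tests passed"}},
    {"name": "dependency scan", "status": "completed", "conclusion": "action_required",
     "app": {"slug": "dependency-scanner"},
     "output": {"title": "1 vulnerable dependency",
                "summary": "example-lib@1.2.3: CVE-YYYY-NNNN (placeholder id), high severity"}},
]}
SAMPLE_CLEAN = {"total_count": 1, "check_runs": [
    {"name": "dependency scan", "status": "completed", "conclusion": "success",
     "app": {"slug": "dependency-scanner"}, "output": {"title": "ok", "summary": "no known vulns"}},
]}
SAMPLE_PENDING = {"total_count": 1, "check_runs": [
    {"name": "dependency scan", "status": "in_progress", "conclusion": None,
     "app": {"slug": "dependency-scanner"}, "output": {}},
]}

if __name__ == "__main__":
    for label, payload in [("blocked", SAMPLE_BLOCKED), ("clean", SAMPLE_CLEAN), ("pending", SAMPLE_PENDING)]:
        result = evaluate_check_runs(payload, {"dependency-scanner"})
        print(f"{label}: allowed={result.allowed} ({result.reason})")
        for check in result.blocking_checks:
            print(f"  - {check['name']}: {check['conclusion']} -> {check['summary']}")
```

In a pipeline you would replace the constructed payloads with `fetch_check_runs(...)` on the PR head SHA and exit non-zero when `allowed` is false. The gate fails closed on a missing or unfinished scan, which matters more than the happy path: a scanner that silently did not run looks identical to a clean result unless you check for its presence.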

Info provided about vulnerabilities: CVE and CVSS data, remediation options, dependency path to vulnerable components, severity score, reference links, suggested fixes.

Language support: Over 200 programming languages.

Free version limitations: Up to 5 scans per day in private or public repos with an unlimited number of repos.

Snyk GitHub App

Product page: https://github.com/marketplace/snyk

Setup: Go to the Snyk app page on GitHub, scroll down, and click Install for free. Then, click Complete order and begin the installation, and authorize Snyk for use on your GitHub account.

Provided by: Snyk, an open-source security tool for developers. Snyk integrates with development environments and helps find, fix, and prevent open-source vulnerabilities. Snyk monitors 100,000 open-source projects and has 120,000 users.

How it works: Snyk continuously monitors for security vulnerabilities in your GitHub repos, including new vulnerabilities discovered in existing code. When it finds vulnerabilities, it alerts you within GitHub and provides a link to the Snyk web app for details. Unlike Sonatype and WhiteSource, it does not create issues directly in GitHub.

Notable feature: Snyk can automatically apply fixes for some vulnerabilities by submitting a pull request with the minimal code that can remove the vulnerability.

Info provided about vulnerabilities: Packages affected and their dependency path, CVE details, affected versions, other vulnerabilities in the same library, and fix instructions.

Language support: Gradle, Java, JavaScript, Maven POM, Ruby, Python, Scala.

Free version limitations: Only up to 200 tests/month on private repos.

GitHub Security Alerts

Product info: https://blog.github.com/2017-11-16-introducing-security-alerts-on-github/

Setup: Provided by default for GitHub projects that have dependencies. Enable the dependency graph for the repository, and add the relevant team members in the dependency graph settings so they receive notifications.

Provided by: GitHub, as a basic security feature for users who don’t have other tools.

How it works: Scans repositories and notifies about security vulnerabilities, both within the Dependency graph section of the project screen and as email notifications. GitHub Alerts only covers vulnerabilities that have CVE IDs. GitHub recommends using a security tool from its marketplace to gain coverage of vulns that do not have a CVE ID.

Info provided about vulnerabilities: Which dependency is affected by the vulnerability, version range affected, CVE ID, link to CVE information, and suggested fixes if available in the National Vulnerability Database (NVD).

Language support: JavaScript, Ruby, and recently released support for Python.

Summary: GitHub Security Feature Comparison

All three vendor-provided GitHub security tools offer a valuable free tier, alongside GitHub’s basic security alerts feature.



Feature                                        | Sonatype DepShield    | WhiteSource Bolt for GitHub                                            | Snyk GitHub App                                             | GitHub Security Alerts
-----------------------------------------------|-----------------------|------------------------------------------------------------------------|-------------------------------------------------------------|----------------------------------
Continuous monitoring                          | Yes                   | Yes                                                                    | Yes                                                         | Yes
Creates issues directly in GitHub              | Yes                   | Yes                                                                    | No                                                          | No
Security preview before merging pull requests  | No                    | Yes                                                                    | -                                                           | -
Supports GitHub Checks API                     | -                     | Yes                                                                    | -                                                           | -
Automated fixes via pull request               | No                    | -                                                                      | Yes                                                         | No
Language support                               | Maven, NPM            | Over 200 languages                                                     | Gradle, Java, JavaScript, Maven POM, Ruby, Python, Scala    | JavaScript, Ruby, Python
Free version limitations                       | Limited vuln coverage | Up to 5 scans / repo / day                                             | Up to 200 scans / month for private repos                   | Only CVE vulns (no paid version)
Vulnerability database coverage                | Public sources only   | NVD, project issue trackers, security advisories, GitHub issue tracker | NVD and Snyk research team                                  | NVD

(- = not stated in this article)

Sonatype DepShield has the weakest feature set, with no ability to preview pull requests, no automatic fixes, and limited vulnerability coverage.

WhiteSource shines in its broad language support and comprehensive vulnerability database, and also provides strong integration with the GitHub interface and API, but its free version is limited in the number of scans it offers.

Snyk offers a comprehensive feature set, including automated fixes via pull requests, but does not provide vulnerability information directly in the GitHub interface.

Don’t keep it theoretical! We strongly recommend installing one of the three vendor-provided tools, all of which provide considerably better security than GitHub’s default security alerts, to protect yourself against the next open-source security disaster.