Justin Hutchings
Director of Product Management for supply chain security. I manage the team that's behind Dependabot, the Advisory Database, and the dependency graph. Twitter: https://twitter.com/jhutchings0
Supply chain attacks exploit our implicit trust of open source to hurt developers and our customers. Read our proposal for how npm will significantly reduce supply chain attacks by signing packages with Sigstore.
As stewards of the npm registry, we take the security of npm seriously and have continued to introduce a number of changes to improve the security and trustworthiness of the registry. We’ve announced a number of changes over the last several months to improve the security of npm, like requiring two-factor authentication, streamlined login, and enhanced signing of artifacts. These changes help protect open source consumers from software supply chain attacks; in other words, when malicious users try to spread malware by breaching a maintainer’s account and adding malicious software to open source dependencies that many developers use.
Today, we’re opening a new request for comments (RFC), which discusses linking a package with its source repository and its build environment. When package maintainers opt-in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository.
Historically, linking packages back to the source code has been difficult because it required individual projects to register and manage their own cryptographic keys. A recent project from the Linux Foundation and Open Source Security Foundation (OpenSSF) called Sigstore has made this process easier and more secure than past methods by not requiring developers to manage long-lived cryptographic keys. The project has seen some early adoption with other package manager ecosystems. With today’s RFC, we are proposing to add support for end-to-end signing of npm packages using Sigstore. This process would include generating attestations about where, when, and how the package was authored, so that it can be verified later.
Securing the software supply chain is one of the biggest security challenges our industry faces right now. This proposal is an important next step, but truly solving this challenge will require commitment and investment across the community. We’re excited to hear your feedback and look forward to going on this journey together!
Learn about browser extension security and secure your extensions with the help of CodeQL.
As we wrap up Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program—@adrianoapj!
Vulnerability data has grown in volume and complexity over the past decade, but open source and programs like the Github Security Lab have helped supply chain security keep pace.