Sonatype offers developers free security scan tool on GitHub

Sonatype helps enterprises identify and remediate vulnerabilities in open source library dependencies and release more secure code. Today, they announced a free tool called DepShield that offers a basic level of protection for GitHub developers.

The product is actually two parts. For starters, Sonatype has a database of open source dependency vulnerabilities called OSS Index. The company gathers this information from a variety of public sources, says Sonatype CEO Wayne Jackson. While it isn’t as highly curated as the company’s commercial offerings, it does offer a layer of protection that most individual developers or small shops wouldn’t normally have access to.

After a developer installs DepShield, it checks each code commit in GitHub against the known vulnerabilities in the OSS Index and reports recommendations on how to proceed. The company’s commercial offerings include a policy engine to automate remediation. The free version simply lets developers know if there are issues, and they can go back and fix them if need be.
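The core of what the paragraph above describes is a dependency scanner: read the dependency list from a commit, look each package and version up in a vulnerability index, and report anything whose version falls in an affected range. The following is an added example written for this article, not Sonatype's code or the OSS Index API; the manifest, the index entries, the advisory IDs and the package names are all constructed, and the real service is queried over the network rather than from an in-memory list.

```python
"""Minimal dependency-vulnerability matcher in the style of a DepShield check.

Added example: the vulnerability index, the manifest and the advisory IDs below
are constructed for illustration and are not Sonatype/OSS Index data.
"""
import json
import re

# Constructed index: (ecosystem, package, introduced_inclusive, fixed_exclusive, advisory)
VULN_INDEX = [
    ("npm", "acme-parser", "1.0.0", "1.5.0", "EXAMPLE-ADV-0001"),
    ("npm", "widget-utils", "2.1.0", "2.1.4", "EXAMPLE-ADV-0002"),
    ("npm", "test-runner", "0.0.0", "1.0.0", "EXAMPLE-ADV-0003"),
]

# Constructed package.json as it might appear in a scanned commit.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"acme-parser": "1.4.2", "widget-utils": "2.0.0"},
  "devDependencies": {"acme-parser": "1.4.2", "test-runner": "0.9.1"}
}"""


def parse_version(v: str) -> tuple:
    """Turn '1.2.3', 'v1.2' or '1.2.3-beta.1' into a comparable numeric tuple.

    Pre-release/build suffixes are dropped and short versions are padded to
    three components so that '1.2' compares equal to '1.2.0'.
    """
    core = re.split(r"[-+]", v.strip().lstrip("v"))[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_manifest(text: str, ecosystem: str = "npm") -> list:
    """Extract (ecosystem, name, version) triples from a package.json string.

    Caveat: a manifest may carry ranges such as '^1.4.2'; this example strips
    the range operator and treats the lower bound as the installed version. A
    lockfile with exact resolved versions is the more reliable input.
    """
    data = json.loads(text)
    deps = {}
    deps.update(data.get("dependencies", {}))
    deps.update(data.get("devDependencies", {}))
    return [(ecosystem, name, ver.lstrip("^~")) for name, ver in deps.items()]


def find_vulnerabilities(deps: list, index: list = VULN_INDEX) -> list:
    """Return one finding per (dependency, advisory) whose version is in an affected range."""
    findings = []
    for eco, name, ver in deps:
        installed = parse_version(ver)
        for ieco, iname, introduced, fixed, advisory in index:
            if (ieco, iname) != (eco, name):
                continue
            if parse_version(introduced) <= installed < parse_version(fixed):
                findings.append({
                    "package": f"{eco}:{name}@{ver}",
                    "advisory": advisory,
                    "fixed_in": fixed,
                })
    return findings


def report(manifest_text: str) -> list:
    """Produce human-readable lines, one per finding, for a commit's manifest."""
    findings = find_vulnerabilities(parse_manifest(manifest_text))
    return [f"{f['package']}: {f['advisory']} (upgrade to >= {f['fixed_in']})" for f in findings]


if __name__ == "__main__":
    for line in report(SAMPLE_PACKAGE_JSON) or ["no known vulnerabilities"]:
        print(line)
```

Running this against the constructed manifest flags `acme-parser@1.4.2` and `test-runner@0.9.1` and leaves `widget-utils@2.0.0` alone because it sits below the affected range; the numeric tuple comparison is deliberately simple and does not implement full semver precedence for pre-release tags, which a production scanner needs to get right.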

“What DepShield and OSS Index are doing is allowing the developers at the front lines to be able to see what’s happening inside their applications and fix the vulnerabilities directly,” Jackson said.

Screenshot: a vulnerability listed in OSS Index (source: Sonatype).

As for the differences between the commercial and free products, Jackson says it’s a matter of scale. “The way you manage a single application or handful of applications as a developer is different than how you might approach it if you’re a CISO or a governance organization for thousands of applications,” he explained. The latter requires a higher level of automation than the former because of the sheer number of applications involved.

DepShield offers the 28 million developers using GitHub access to a baseline level of protection by identifying a set of known vulnerabilities in their applications before they make them public. Jackson says that GitHub’s role is evolving. Today it is not only a tool for committing code; it has also become a place to do issue tracking and code reviews, and he believes that, as such, a product like DepShield is a natural fit.

Screenshot: the known issues list in DepShield (source: Sonatype).

DepShield is available starting today in the Security section of the GitHub Marketplace, and developers can download and install it for free.

Sonatype, which is based in Maryland, launched in 2008 and has raised almost $75 million, according to data on Crunchbase. Its most recent funding round was in 2016 for $30 million. Microsoft acquired GitHub in June for $7.5 billion.