GitHub Advanced Security integrates Endor Labs for end-to-end application security

Feb. 7, 2025
With Endor Labs SCA integrated into GitHub Advanced Security, development teams can dismiss up to 92% of low-risk dependency security alerts.

Endor Labs today announced a critical partnership with GitHub, the platform for software developers to create and share code. In an environment where the number of Common Vulnerabilities and Exposures (CVEs) has spiked by 500% in just the past decade, the enhanced ease and precision enabled by the partnership will deliver major benefits to organizations.

“While a few supply chain attacks, like last year’s XZ Utils episode, get wide attention, they represent only a fraction of the overall threat landscape,” said Varun Badhwar, co-founder and CEO of Endor Labs. “The greatest risks instead come from unpatched vulnerabilities embedded in lesser-known open-source dependencies. Effectively responding to all of those devours developer time and resources. Endor Labs technology makes it significantly easier to identify and prioritize the most serious threats, and developers can now derive those benefits while working within GitHub. We’re proud to enter into this partnership with GitHub, and we look forward to jointly delivering many more technology advances.”

The complications associated with hidden CVEs are buried deep inside the software development lifecycle. While the typical application development project has just 10 direct dependencies, each of those might have hundreds of indirect, or transitive, dependencies. It’s estimated that up to 95% of all vulnerabilities can be found within these transitive dependencies. Developers do receive security alerts, but there are so many that dealing with each one is overwhelming. Meanwhile, these efforts represent a massive distraction from the goal of delivering new applications and related technologies.

Endor Labs and GitHub bring significant advantages to this partnership. Endor Labs’ SCA technology helps identify and prioritize dependency vulnerabilities by their potential impact, based on factors such as reachability, exploitability, and more. For example, Endor Labs checks if the vulnerable function of a given dependency is actually reachable by a given application or is just sitting in an unused corner of a transitive dependency. Similarly, GitHub Advanced Security (GHAS)—the developer-first application security suite that brings GitHub's world-class security capabilities to public and private repositories—integrates crucial security practices directly into the workflow, offering developers a streamlined way to secure their code. It enables code scanning, secret scanning, AI autofixes, and more.
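The reachability check described above, reduced to its core idea as an added illustration (this is not Endor Labs' or GitHub's code): build a call graph, walk it from the application's entry points, and mark each SCA alert as reachable or not depending on whether its vulnerable function is on the walk. The function and package names and alert ids are constructed placeholders.

```python
from collections import deque

# Constructed toy call graph: caller -> callees. "app.*" functions belong to the
# application; the rest live in direct or transitive dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "webfw.route"],
    "app.handle_request": ["jsonlib.parse", "webfw.render"],
    "webfw.route": ["webfw.render"],
    "webfw.render": ["tmpl.render"],
    "tmpl.render": ["tmpl.escape"],
    "tmpl.escape": [],
    "jsonlib.parse": ["jsonlib._decode"],
    "jsonlib._decode": [],
    # Transitive dependencies pulled in but never called by the application.
    "imglib.load": ["imglib._parse_exif"],
    "imglib._parse_exif": [],
    "yamllib.unsafe_load": [],
}

# Constructed SCA alerts, each naming the vulnerable function (placeholder ids).
ALERTS = [
    {"id": "ALERT-1", "package": "jsonlib", "function": "jsonlib._decode"},
    {"id": "ALERT-2", "package": "imglib", "function": "imglib._parse_exif"},
    {"id": "ALERT-3", "package": "yamllib", "function": "yamllib.unsafe_load"},
    {"id": "ALERT-4", "package": "tmpl", "function": "tmpl.escape"},
]


def reachable_from(graph, roots):
    """Breadth-first walk; returns every function reachable from the roots."""
    seen = set(roots)
    queue = deque(roots)
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(graph, alerts, entry_points):
    """Map alert id -> 'reachable' or 'unreachable' for the given entry points."""
    reach = reachable_from(graph, entry_points)
    return {a["id"]: ("reachable" if a["function"] in reach else "unreachable")
            for a in alerts}


def dismissable_fraction(verdicts):
    """Share of alerts whose vulnerable function the application never reaches."""
    return sum(v == "unreachable" for v in verdicts.values()) / len(verdicts)
```

A static call graph misses edges created by reflection, dynamic dispatch or plugin loading, so an "unreachable" verdict lowers priority rather than proving the code can never execute.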

Now, with Endor Labs SCA integrated into GitHub Advanced Security, development teams can dismiss up to 92% of low-risk dependency security alerts. That allows them to focus on the vulnerabilities that matter most and the new capabilities they seek to deliver to users.

Just three months earlier, Microsoft—GitHub’s parent company—natively integrated the Endor Labs advanced SCA capabilities within Microsoft Defender for Cloud, a Cloud-Native Application Protection Platform (CNAPP), to empower organizations to consolidate their application security and cloud security programs into a single platform, securing cloud workloads and code seamlessly in one place. The partnership now allows organizations to deploy SCA and CNAPP solutions from a unified dashboard, achieving comprehensive security coverage from code to runtime.

Read more about the partnership at https://github.blog/security/from-finding-to-fixing-github-advanced-security-integrates-endor-labs-sca