GitHub has announced the general availability of security campaigns, which make it easier for developers and security teams to work together on fixing vulnerabilities in their applications.
The security campaigns feature was launched in public preview in late October 2024 and it is now generally available to all GitHub Advanced Security and GitHub Code Security customers.
GitHub has been offering tools such as CodeQL to enable developers to automate the discovery of vulnerabilities in their code, and Copilot Autofix to help them fix the identified flaws.
However, an analysis conducted by the Microsoft-owned coding platform found that only a relatively small percentage of findings are actually resolved, with the rest piling on and increasing the organization’s security debt.
Security campaigns aim to help organizations lower security debt, and their use during the public preview period showed that they led to 55% of prioritized security debt being fixed by developers, compared to 10% without the use of security campaigns.
Security campaigns are designed to streamline the remediation of vulnerabilities by making collaboration between security and development teams more efficient.
This process has three main steps. First, security teams prioritize the vulnerabilities that need to be fixed, with security campaigns providing predefined templates for common themes (for instance, the most exploited types of flaws). Campaign alerts are selected and a timeline is specified.
Then, developers impacted by the campaign are notified and the tasks related to patching vulnerabilities are brought into their workflow, enabling them to plan and manage them just like any other work.
Copilot Autofix suggests automatic remediations for all of the alerts in a campaign to make developers’ jobs easier.
“Crucially, security campaigns are not just lists of alerts. Alongside the alerts, campaigns are complemented with notifications to ensure that developers are aware of which alert they (or their team) are responsible for,” GitHub explained.
“To foster stronger collaboration between developers and the security team, campaigns also have an appointed manager to oversee the campaign progress and be on hand to assist developers. And of course: security managers have an organization-level view on GitHub to track progress and collaborate with developers as needed,” it added.
Related: 39 Million Secrets Leaked on GitHub in 2024
Related: GitHub Launches Fund to Improve Open Source Project Security
Related: Compromised SpotBugs Token Led to GitHub Actions Supply Chain Hack
