Trending News: How we’re helping Google Play developers deliver better user experiences through improved performance insights.Cracking the code: How to wow the acceptance committee at your next tech eventHow to make your images in Markdown on GitHub adjust for dark mode and light modeAWS Weekly Roundup: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)AWS Weekly Roundup: Amazon S3 Express One Zone price cuts, Pixtral Large on Amazon Bedrock, Amazon Nova Sonic, and more (April 14, 2025)4 Fitbit features I’m using to become a more efficient runner“Coachella” is trending on Google Search — here’s what else people are looking for this festival season.Which AI model should I use with GitHub Copilot?College students in the U.S. are now eligible for the best of Google AI — and 2 TB storage — for freeDevelopers can now start building with Gemini 2.5 Flash.Our new C2S-Scale LLM helps researchers have conversations with cells.Beyond Lines of Code: Redefining Developer Productivity and Purpose in the Agentic AI EraAI Bites Back: Researchers Develop Model to Detect Malaria Amid Venezuelan Gold RushSpring Into Action With 11 New Games on GeForce NOWGoogle Classroom is expanding to more than 15 additional languages.How we keep Search fast and reliableGitHub Availability Report: March 2025Leaders Race to Bridge ‘AI Trust Gap’ for Wary EmployeesKaggle and the Wikimedia Foundation are partnering on open data.Isomorphic Labs Rethinks Drug Discovery With AISee how Wake Forest University redefined its cybersecurity with Google Workspace for Education Plus.Record-Breaking Growth: Data Cloud & AI Annual Recurring Revenue Reached the $900M Milestone in FY25, Proving Data Cloud’s Role as the Intelligent Activation Layer for Enterprise AIInto the Omniverse: How Digital Twins Are Scaling Industrial AIOur 2024 Ads Safety Report shows how we use AI to safeguard consumers.Math Test? No Problems: NVIDIA Team Scores Kaggle Win With Reasoning ModelEverywhere, All at Once: NVIDIA Drives the Next Phase of AI GrowthThousands of NVIDIA Grace Blackwell GPUs Now Live at CoreWeave, Propelling Development for AI PioneersGenerate videos in Gemini and Whisk with Veo 2Nothing like the last minute! Tax-related searches are spiking in the U.S.When to choose GitHub-Hosted runners or self-hosted runners with GitHub ActionsInsight vs. Instinct? Under Increased Pressure, Leaders Grapple with Data Skepticism in Decision-MakingSalesforce Redefines Business Intelligence with Tableau Next: AI Agents Transform How Businesses Turn Data into ActionHere’s an update on our use of country code top-level domains.Our first geothermal energy deal in AsiaShould You Feel Guilty Using AI Agents at Work?AWS Weekly Review: Amazon S3 Express One Zone price cuts, Pixtral Large on Amazon Bedrock, Amazon Nova Sonic, and more (April 14, 2025)Consumers Are Ready for AI Agents. Are Businesses?Automating the Mundane: How Formstack is Driving Efficiency and Case Deflection with Agentforce Celebrate World Quantum Day with this mesmerizing DoodleGitHub for Beginners: Security best practices with GitHub CopilotWhere Nature Meets AI: Salesforce’s Model for Impact InnovationNVIDIA to Manufacture American-Made AI Supercomputers in US for First TimeDolphinGemma: How Google AI is helping decode dolphin communication3 real-world problems that quantum computers could help solveIntroducing sub-issues: Enhancing issue management on GitHub9 business leaders on what’s possible with Google AIWhat the heck is MCP and why is everyone talking about it?The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AIBeyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design6 highlights from Google Cloud Next 25Pixel 9a’s 3 big design updatesAnnouncing up to 85% price reductions for Amazon S3 Express One ZoneHow we’re making security easier for the average developerA short film program to explore AI on screenPixel 9a is available now.The Agentic Maturity Model: A 4-Step Roadmap for CIOs to Succeed in the Agentic Era(AI)ways a Cut Above: GeForce RTX 50 Series Accelerates New DaVinci Resolve 20 Studio Video Editing SoftwareMyth and Mystery Await: GeForce NOW Brings ‘South of Midnight’ to the Cloud at LaunchPixel 9a is available nowServing up tennis history with magazine archives and NotebookLMNVIDIA Celebrates Partners of the Year Advancing AI in Europe, Middle East and AfricaOur investment in AI-powered solutions for the electric gridHow to request a change to a CVE record‘Black Women in Artificial Intelligence’ Founder Talks AI Education and EmpowermentGoogle Cloud Next 25: New AI capabilities to transform your businessSalesforce Brings Agentic AI to the Field Service Sector to Tackle Scheduling, Reporting, and On-the-Job TroubleshootingHow Agentforce Automates Field Service Tasks, Easing Skilled Labor Shortage StrainTradespeople, Techs Waste Nearly a Full Day’s Work Weekly on Paperwork, 81% Think AI Agents Can HelpNVIDIA Brings Agentic AI Reasoning to Enterprises With Google CloudIronwood: The first Google TPU for the age of inferenceGoogle Cloud: the platform for scientific discoveryGoogle Workspace adds new AI tools to Docs, Sheets, Chat and more.Check out the latest features from Google Agentspace at Google Cloud Next.New video, image, speech and music generative AI tools are coming to Vertex AI.Here’s what’s new with our Google Cloud AI Hypercomputer.Google Cloud Next 25The AI magic behind Sphere’s upcoming ‘The Wizard of Oz’ experienceIntroducing Amazon Nova Sonic: Human-like voice conversations for generative AI applicationsAWS announces Pixtral Large 25.02 model in Amazon Bedrock serverlessDeep Research is now available on Gemini 2.5 Pro Experimental.We’re introducing a new way to analyze geospatial data.Found means fixed: Reduce security debt at scale with GitHub security campaigns‘Bazooka Innovation’ for Professional Services: How Certinia and Agentforce Drive Customer SuccessAdding AI to Workflows? Here’s What Indeed Has LearnedAmazon Bedrock Guardrails enhances generative AI application safety with new capabilitiesVisit Brazil’s Piratini Palace virtually on Google Arts & Culture.The AI opportunity for Europe’s climate goalsGit turns 20: A Q&A with Linus TorvaldsAmazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videosAWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)The Changing Role of Developers in the Age of AI Agents“Bazooka Innovation” for Professional Services: How Certinia and Agentforce are Driving Customer SuccessBringing multimodal search to AI ModeNew AI-powered experiments from Google Arts & Culture Artists in Residence5 ways to use Gemini Live with camera and screen sharingNew ways AI helps keep business information trustworthyQuantum computing education for global policy leaders25 startups using AI to transform healthcareNational Robotics Week — Latest Physical AI Research, Breakthroughs and ResourcesCopado and Agentforce: Automating Release Notes and Accelerating Production Deployments
Sat. Apr 19th, 2025
Trending News: How we’re helping Google Play developers deliver better user experiences through improved performance insights.Cracking the code: How to wow the acceptance committee at your next tech eventHow to make your images in Markdown on GitHub adjust for dark mode and light modeAWS Weekly Roundup: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)AWS Weekly Roundup: Amazon S3 Express One Zone price cuts, Pixtral Large on Amazon Bedrock, Amazon Nova Sonic, and more (April 14, 2025)4 Fitbit features I’m using to become a more efficient runner“Coachella” is trending on Google Search — here’s what else people are looking for this festival season.Which AI model should I use with GitHub Copilot?College students in the U.S. are now eligible for the best of Google AI — and 2 TB storage — for freeDevelopers can now start building with Gemini 2.5 Flash.Our new C2S-Scale LLM helps researchers have conversations with cells.Beyond Lines of Code: Redefining Developer Productivity and Purpose in the Agentic AI EraAI Bites Back: Researchers Develop Model to Detect Malaria Amid Venezuelan Gold RushSpring Into Action With 11 New Games on GeForce NOWGoogle Classroom is expanding to more than 15 additional languages.How we keep Search fast and reliableGitHub Availability Report: March 2025Leaders Race to Bridge ‘AI Trust Gap’ for Wary EmployeesKaggle and the Wikimedia Foundation are partnering on open data.Isomorphic Labs Rethinks Drug Discovery With AISee how Wake Forest University redefined its cybersecurity with Google Workspace for Education Plus.Record-Breaking Growth: Data Cloud & AI Annual Recurring Revenue Reached the $900M Milestone in FY25, Proving Data Cloud’s Role as the Intelligent Activation Layer for Enterprise AIInto the Omniverse: How Digital Twins Are Scaling Industrial AIOur 2024 Ads Safety Report shows how we use AI to safeguard consumers.Math Test? No Problems: NVIDIA Team Scores Kaggle Win With Reasoning ModelEverywhere, All at Once: NVIDIA Drives the Next Phase of AI GrowthThousands of NVIDIA Grace Blackwell GPUs Now Live at CoreWeave, Propelling Development for AI PioneersGenerate videos in Gemini and Whisk with Veo 2Nothing like the last minute! Tax-related searches are spiking in the U.S.When to choose GitHub-Hosted runners or self-hosted runners with GitHub ActionsInsight vs. Instinct? Under Increased Pressure, Leaders Grapple with Data Skepticism in Decision-MakingSalesforce Redefines Business Intelligence with Tableau Next: AI Agents Transform How Businesses Turn Data into ActionHere’s an update on our use of country code top-level domains.Our first geothermal energy deal in AsiaShould You Feel Guilty Using AI Agents at Work?AWS Weekly Review: Amazon S3 Express One Zone price cuts, Pixtral Large on Amazon Bedrock, Amazon Nova Sonic, and more (April 14, 2025)Consumers Are Ready for AI Agents. Are Businesses?Automating the Mundane: How Formstack is Driving Efficiency and Case Deflection with Agentforce Celebrate World Quantum Day with this mesmerizing DoodleGitHub for Beginners: Security best practices with GitHub CopilotWhere Nature Meets AI: Salesforce’s Model for Impact InnovationNVIDIA to Manufacture American-Made AI Supercomputers in US for First TimeDolphinGemma: How Google AI is helping decode dolphin communication3 real-world problems that quantum computers could help solveIntroducing sub-issues: Enhancing issue management on GitHub9 business leaders on what’s possible with Google AIWhat the heck is MCP and why is everyone talking about it?The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AIBeyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design6 highlights from Google Cloud Next 25Pixel 9a’s 3 big design updatesAnnouncing up to 85% price reductions for Amazon S3 Express One ZoneHow we’re making security easier for the average developerA short film program to explore AI on screenPixel 9a is available now.The Agentic Maturity Model: A 4-Step Roadmap for CIOs to Succeed in the Agentic Era(AI)ways a Cut Above: GeForce RTX 50 Series Accelerates New DaVinci Resolve 20 Studio Video Editing SoftwareMyth and Mystery Await: GeForce NOW Brings ‘South of Midnight’ to the Cloud at LaunchPixel 9a is available nowServing up tennis history with magazine archives and NotebookLMNVIDIA Celebrates Partners of the Year Advancing AI in Europe, Middle East and AfricaOur investment in AI-powered solutions for the electric gridHow to request a change to a CVE record‘Black Women in Artificial Intelligence’ Founder Talks AI Education and EmpowermentGoogle Cloud Next 25: New AI capabilities to transform your businessSalesforce Brings Agentic AI to the Field Service Sector to Tackle Scheduling, Reporting, and On-the-Job TroubleshootingHow Agentforce Automates Field Service Tasks, Easing Skilled Labor Shortage StrainTradespeople, Techs Waste Nearly a Full Day’s Work Weekly on Paperwork, 81% Think AI Agents Can HelpNVIDIA Brings Agentic AI Reasoning to Enterprises With Google CloudIronwood: The first Google TPU for the age of inferenceGoogle Cloud: the platform for scientific discoveryGoogle Workspace adds new AI tools to Docs, Sheets, Chat and more.Check out the latest features from Google Agentspace at Google Cloud Next.New video, image, speech and music generative AI tools are coming to Vertex AI.Here’s what’s new with our Google Cloud AI Hypercomputer.Google Cloud Next 25The AI magic behind Sphere’s upcoming ‘The Wizard of Oz’ experienceIntroducing Amazon Nova Sonic: Human-like voice conversations for generative AI applicationsAWS announces Pixtral Large 25.02 model in Amazon Bedrock serverlessDeep Research is now available on Gemini 2.5 Pro Experimental.We’re introducing a new way to analyze geospatial data.Found means fixed: Reduce security debt at scale with GitHub security campaigns‘Bazooka Innovation’ for Professional Services: How Certinia and Agentforce Drive Customer SuccessAdding AI to Workflows? Here’s What Indeed Has LearnedAmazon Bedrock Guardrails enhances generative AI application safety with new capabilitiesVisit Brazil’s Piratini Palace virtually on Google Arts & Culture.The AI opportunity for Europe’s climate goalsGit turns 20: A Q&A with Linus TorvaldsAmazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videosAWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)The Changing Role of Developers in the Age of AI Agents“Bazooka Innovation” for Professional Services: How Certinia and Agentforce are Driving Customer SuccessBringing multimodal search to AI ModeNew AI-powered experiments from Google Arts & Culture Artists in Residence5 ways to use Gemini Live with camera and screen sharingNew ways AI helps keep business information trustworthyQuantum computing education for global policy leaders25 startups using AI to transform healthcareNational Robotics Week — Latest Physical AI Research, Breakthroughs and ResourcesCopado and Agentforce: Automating Release Notes and Accelerating Production Deployments
Sat. Apr 19th, 2025

From finding to fixing: GitHub Advanced Security integrates Endor Labs SCA


It’s no wonder developers are increasingly overwhelmed. The number of new CVEs published each year has increased by nearly 500% in the last decade. And the average project, with just 10 direct dependencies, can have hundreds of indirect dependencies. Put simply, developers are often buried under a mountain of security alerts and unable to prioritize which ones to remediate first.

While high-profile supply chain attacks like last year’s XZ Utils backdoor tend to capture attention, the danger they pose is just a fraction of the overall threat landscape. The bigger risk often comes from unpatched vulnerabilities in lesser-known open source dependencies.

GitHub’s partnership with Endor Labs cuts through the noise to help developers accurately identify, remediate, and fix the most critical vulnerabilities—without ever leaving GitHub.

With Endor Labs software composition analysis (SCA) integrated into GitHub Advanced Security and Dependabot, development teams can dismiss up to 92% of low-risk dependency security alerts to focus instead on the vulnerabilities that matter most.

A GitHub code scanning page shows several active vulnerabilities from GitHub’s advisory database labeled 'Critical' by Endor Labs.
Prioritize Endor Labs findings in GitHub based on function-level vulnerability reachability for both direct and transitive dependencies.

How it works

Endor Labs SCA brings context into open source vulnerability detection

Endor Labs SCA helps identify and prioritize dependency vulnerabilities by their potential impact, according to factors like reachability, exploitability, and more. For example, Endor Labs checks if the vulnerable function of a given dependency is actually reachable by your application or if it is just sitting on an unused corner of a transitive dependency. Security teams can also configure risk, licensing, and permission profiles to ensure developers are not bothered unless the risk is truly warranted.

Prioritize and fix open source vulnerabilities with GitHub

GitHub Advanced Security integrates crucial security practices directly into the development workflow, offering developers a streamlined way to secure their code. Its features are free for open source maintainers, including dependency review, secret scanning, code scanning, and Copilot Autofix.

Dependabot, available for free to all GitHub users, automates dependency updates, so you can spend more time building. Developers can remediate vulnerabilities by merging Dependabot-authored pull requests with the click of a button or by applying Endor Patches.

Secure your automated workflows

GitHub Actions makes it easy to automate all your software workflows, whether you want to build a container, deploy a web service, or welcome new users to your open source project. These actions are often updated with bug fixes and new features, which can take time to maintain.

Endor Labs automatically discovers in-use actions and their dependencies to ensure they fit your risk, licensing, and permission profiles. Dependabot automatically updates your dependencies, and code scanning helps identify existing workflow configuration vulnerabilities and prevent new ones.

Get started
Sign up with Endor Labs and learn more about getting started with the Endor Labs GitHub App.

Tags:

Written by

Mario Rodriguez

Mario Rodriguez

@mariorod

Mario Rodriguez leads the GitHub Product team as Chief Product Officer. His core identity is being a learner and his passion is creating developer tools—so much so that he has spent the last 20 years living that mission in leadership roles across Microsoft and GitHub. Mario most recently oversaw GitHub’s AI strategy and the GitHub Copilot product line, launching and growing Copilot across thousands of organizations and millions of users. Mario spends time outside of GitHub with his wife and two daughters. He also co-chairs and founded a charter school in an effort to progress education in rural regions of the United States.

Varun Badhwar

Varun Badhwar

Varun Badhwar currently serves as the Founder & CEO of Endor Labs, a startup focused on software supply chain security. Prior to starting Endor Labs, Varun was the founding GM and SVP of Prisma Cloud at Palo Alto Networks, where he built the cloud-native security business. Varun joined Palo Alto Networks through the acquisition of RedLock, a CSPM startup he founded.

Blog Article: Here

    • Ascendant Bot

    Related Posts

    Cracking the code: How to wow the acceptance committee at your next tech event
    Cracking the code: How to wow the acceptance committee at your next tech event

    Want to speak at a tech conference? These four practical tips will help your session proposal stand out—and land you on the stage.

    The post Cracking the code: How to wow the acceptance committee at your next tech event appeared first on The GitHub Blog.

    Continue reading
    How to make your images in Markdown on GitHub adjust for dark mode and light mode
    How to make your images in Markdown on GitHub adjust for dark mode and light mode

    When you want your images to look good in Markdown on GitHub, you might have to adjust for the UI around them.

    The post How to make your images in Markdown on GitHub adjust for dark mode and light mode appeared first on The GitHub Blog.

    Continue reading

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Google Google Play

    How we’re helping Google Play developers deliver better user experiences through improved performance insights.

    How we’re helping Google Play developers deliver better user experiences through improved performance insights.
    Career growth Developer skills GitHub GitHub Universe

    Cracking the code: How to wow the acceptance committee at your next tech event

    Cracking the code: How to wow the acceptance committee at your next tech event
    Developer skills GitHub Markdown

    How to make your images in Markdown on GitHub adjust for dark mode and light mode

    How to make your images in Markdown on GitHub adjust for dark mode and light mode
    Amazon Amazon API Gateway Amazon Elastic Kubernetes Service Amazon Neptune Amazon OpenSearch Service Amazon Q Developer Amazon Security Lake Amazon Simple Email Service (SES) Announcements AWS Identity and Access Management (IAM) Book of News Launch Resource Access Manager (RAM) Week in Review

    AWS Weekly Roundup: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)

    AWS Weekly Roundup: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)
    Amazon Amazon Aurora Amazon Bedrock Amazon Bedrock Agents Amazon Bedrock Guardrails Amazon Bedrock Prompt Management Amazon CloudWatch Amazon Nova Amazon Personalize Amazon SageMaker Amazon Simple Storage Service (S3) Announcements AWS Step Functions Book of News Launch Week in Review

    AWS Weekly Roundup: Amazon S3 Express One Zone price cuts, Pixtral Large on Amazon Bedrock, Amazon Nova Sonic, and more (April 14, 2025)

    AWS Weekly Roundup: Amazon S3 Express One Zone price cuts, Pixtral Large on Amazon Bedrock, Amazon Nova Sonic, and more (April 14, 2025)
    Gemini App Google

    4 Fitbit features I’m using to become a more efficient runner

    4 Fitbit features I’m using to become a more efficient runner