GitHub launches financial support and vulnerability reporting services

GitHub has launched a sponsorship system to provide financial support to open source projects. It offers a new way to take part in a project's development: a user who cannot contribute to the development itself can join the projects they care about as a sponsor and support them by funding specific developers, maintainers, designers, documentation authors, testers and other participants involved in the project.

Through the sponsorship system, any GitHub user can donate a fixed amount each month to open source developers who have registered with the service as participants willing to receive financial support (the number of participants is limited while the service is in beta). Sponsored members can define support tiers and the benefits attached to each tier, such as prioritized bug fixes. Support for funding not only individual participants but also groups of developers working on a project is under consideration.

Unlike other crowdfunding platforms, GitHub does not take a percentage as an intermediary, and it will also cover payment-processing costs for the first year; a payment-processing fee may be introduced later. To support the service, a dedicated GitHub Sponsors Matching Fund has been created, through which the funds will be distributed.

Alongside sponsorship, GitHub also presented a new project security service built on the technology it obtained by acquiring Dependabot. Dependabot is now built into GitHub and available for free.
The service tracks vulnerabilities in dependencies, sends alerts to repositories that use affected dependencies, and automatically opens pull requests to fix the identified vulnerabilities.


Alerts appear in the Security tab and include full details of the vulnerability and the project files affected by it. The fix is generated by raising the minimum version in the dependency manifest to the version in which the vulnerability is fixed. Vulnerability information is taken from the MITRE CVE database and WhiteSource, as well as from notifications by project maintainers and from GitHub's automatic commit analyzer, followed by confirmation through a manual review process.
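To make the alert-and-fix flow concrete, here is an added example (my own code, not GitHub's or Dependabot's) that matches a pinned dependency manifest against a small advisory list and rewrites the manifest with the minimal bump to the first patched version. It assumes a `name==version` manifest format in the style of requirements.txt and advisories expressed as a half-open vulnerable range `[introduced, fixed)`; the advisory entries and the manifest are constructed for illustration and do not correspond to real CVEs or packages.

```python
"""Added example: Dependabot-style advisory matching and minimal version bump.
Not GitHub's code. Manifest format, advisory schema and all data are assumptions."""
import re
from typing import Dict, List

# Constructed advisory feed (in a real deployment this would come from a
# vulnerability database such as the CVE list, not be hard-coded).
ADVISORIES = [
    {"package": "examplelib", "id": "EXAMPLE-2019-0001",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"package": "otherlib", "id": "EXAMPLE-2019-0002",
     "introduced": "2.0.0", "fixed": "2.0.5"},
]

# Constructed manifest: otherlib is pinned *above* its fixed version and must
# not be flagged; safelib has no advisory at all.
SAMPLE_MANIFEST = """\
# constructed requirements.txt
examplelib==1.3.0
otherlib==2.1.0
safelib==0.9.1
"""

PIN_RE = re.compile(r"\s*([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)\s*")


def parse_version(v: str):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} for every `name==version` line."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIN_RE.fullmatch(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def find_alerts(pins: Dict[str, str], advisories=ADVISORIES) -> List[dict]:
    """Return one alert per advisory whose range [introduced, fixed) contains the pin."""
    alerts = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is None:
            continue
        v = parse_version(pinned)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            alerts.append({"package": adv["package"], "id": adv["id"],
                           "current": pinned, "fixed": adv["fixed"]})
    return alerts


def generate_fix(text: str, alerts: List[dict]) -> str:
    """Rewrite the manifest, bumping each alerted package to the first patched
    version: the smallest change that closes the advisory. Other lines are kept."""
    bumps = {a["package"]: a["fixed"] for a in alerts}
    out = []
    for line in text.splitlines():
        m = PIN_RE.fullmatch(line)
        if m and m.group(1).lower() in bumps:
            out.append(f"{m.group(1)}=={bumps[m.group(1).lower()]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    pins = parse_manifest(SAMPLE_MANIFEST)
    alerts = find_alerts(pins)
    for a in alerts:
        print(f"{a['id']}: {a['package']} {a['current']} -> {a['fixed']}")
    print(generate_fix(SAMPLE_MANIFEST, alerts))
```

Running it flags only `examplelib` (1.3.0 lies inside `[1.0.0, 1.4.2)`) and leaves `otherlib` alone, since 2.1.0 is already past its fixed version 2.0.5; the rewritten manifest is what the automatically opened pull request would contain.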

For project maintainers, an interface has been introduced for publishing security advisories and for privately discussing, within a closed circle, issues related to fixing vulnerabilities.

In addition, to guard against confidential data landing in publicly accessible repositories, a scanner for tokens and access keys has been put into operation. On each commit, the scanner checks for common formats of keys and API access tokens for Alibaba Cloud, Amazon Web Services (AWS), Azure, GitHub, Google Cloud, Mailgun, Slack, Stripe, and Twilio. If a token is detected, a request is sent to the service provider to confirm the leak and revoke the compromised token.
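The detection half of that scanner is simple enough to show end to end. The following is an added example (my own code, not GitHub's scanner) that checks the text of a commit for a few well-known credential shapes and reports masked findings, the way a pre-commit hook would. The regular expressions are assumptions: they approximate publicly documented token prefixes for a handful of providers and are neither complete nor authoritative, and the commit content is constructed with fake values. The step the article describes after detection, forwarding the match to the provider for verification and revocation, is provider-specific and is deliberately not implemented here.

```python
"""Added example: commit-time credential scanner. Not GitHub's code.
Patterns are illustrative approximations of public token formats (assumption)."""
import re
from typing import List, Tuple

# Illustrative shapes only; providers change their formats, so a real scanner
# keeps these as data maintained alongside the provider verification step.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed diff-style commit content; every value is fake.
# Line 4 uses a Stripe *test* key and line 5 mentions the AKIA prefix without a
# key, so neither should be reported.
SAMPLE_COMMIT = """\
+++ config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SLACK_BOT = "xoxb-123456789012-ABCDEFGHIJKLMNOPQRST"
+STRIPE_TEST = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"
+# comment mentioning AKIA without a key is not a hit
"""

Finding = Tuple[int, str, str]  # (line number, pattern name, masked value)


def mask(secret: str) -> str:
    """Keep only the prefix and last four characters so findings can be logged
    without re-leaking the credential."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "***"


def scan_text(text: str, patterns=TOKEN_PATTERNS) -> List[Finding]:
    """Scan every line against every pattern; return masked findings in order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in patterns.items():
            for m in rx.finditer(line):
                findings.append((line_no, kind, mask(m.group(0))))
    return findings


def should_block(findings: List[Finding]) -> bool:
    """Policy for a pre-commit hook: any finding stops the commit."""
    return len(findings) > 0


if __name__ == "__main__":
    import sys
    # Scan the constructed sample when run directly; a hook would feed it
    # the output of `git diff --cached` instead.
    found = scan_text(SAMPLE_COMMIT)
    for line_no, kind, masked in found:
        print(f"line {line_no}: {kind} {masked}")
    sys.exit(1 if should_block(found) else 0)
```

On the sample, the scanner reports the AWS key on line 2 and the Slack token on line 3 and exits non-zero; the Stripe test key and the bare `AKIA` mention are correctly ignored. Masking the value in the report matters: a scanner that echoes the full secret into CI logs has just created a second leak.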


Source: opennet.ru
