We’ll be making significant updates to LFX Security, which will bring improved vulnerability detection and code secret analysis to version 2 of the tool. As part of this work, we will be configuring GitHub organizations and repositories for Linux Foundation-hosted projects to enable LFX Security GitHub Bot scanning.
Installation will take place in the next few weeks, and will be conducted by the Linux Foundation IT team. GitHub admins may see a notification once setup is complete, but no action is needed from you at this time.
What’s coming to LFX Security?
LFX Security will soon support code secrets analysis and vulnerability fixes. Through an integration with BlueBracket, Code Secrets Dashboards will let you monitor your repositories for sensitive data including passwords and API keys, which could leave your code open to exploitation. And thanks to a deeper integration with our vulnerability detection partner, Snyk, you’ll soon be able to directly submit pull requests based on fix recommendations. All this and more is coming to LFX Security as part of our version 2 release.
LFX Security GitHub Bot: What you need to know
The LFX Security GitHub Bot will enable code secrets analysis and vulnerability fixes, which are coming to LFX Security in version 2. Installing the bot will make an entry in our database and allow us to scan your repositories. It will require a minimum level of permissions to do this (e.g., add a webhook, read repository data, review PRs, inspect commit data, etc.). You can read the full list of permissions here.
Once the bot is installed, your project will have access to new Code Secrets dashboards and additional features as they become available. By default, scanning will be turned on for all of the repositories in your GitHub org. However, this list can be edited by your Linux Foundation Project Manager or by submitting a support request.
Again, no action is required from you at this time. If you have any questions or need any help, please reach out.