The Linux Foundation has enhanced its free LFX Security vulnerability detection toolkit so open-source projects can secure their code and reduce non-inclusive language.
On Tuesday, the foundation said the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing comprehensive automated vulnerability detection capabilities.
The LFX platform hosts community tools for security, fundraising, community growth, project health, mentorship and more. It allows open source teams to write better, more secure code, drive engagement and grow sustainable ecosystems, the foundation says.
“The need for community-supported and freely available code scanning is clear,” the foundation said in a news release, “especially in light of recent attacks on core software projects and recent the White House Executive Order calling for improved software supply chain security.
The latest enhancements come from contributions from software security firms BluBracket and Snyk.
LFX Security is designed to make software projects of all kinds more secure and inclusive. It now includes:
●Vulnerabilities Detection: Detect vulnerabilities in open source components and dependencies and provide fixes and recommendations to those vulnerabilities. LFX tracks how many known vulnerabilities have been found in open-source projects, identifies if those vulnerabilities have been fixed in code commits and then reports on the number of fixes per project through an intuitive dashboard. Fixing known open source vulnerabilities in open source projects helps cleanse software supply chains at their source and greatly enhances the quality and security of code further downstream in development pipelines, the foundation said;
●Code Secrets: Detect secrets-in-code such as passwords, credentials, keys and access tokens, both pre- and post-commit. These secrets are used by hackers to gain entry into repositories and other important code infrastructure;
●Non-Inclusive Language: Detect non-inclusive language used in project code, which is a barrier in creating a welcoming and inclusive community.
“The enhancement of LFX Security builds on its extensive functionality in vulnerability detection to add critical support for secrets-in-code and non-inclusive language,” said Jim Zemlin, executive director of the Linux Foundation. “It’s up to all of us to secure our software supply chain.
“Securing our software supply chain has become the most critical task facing the software industry,” said Prakash Linga, CEO of BluBracket. “We believe the Linux Foundation’s LFX security project is the absolute best way for critical software projects to secure their code.”
“With fortifying our global software supply chain more crucial than ever, we’re happy to contribute our developer security expertise and continue our support of the crucial work of the Linux Foundation,” said Jill Wilkins, Snyk’s senior director of global technical alliances,. “By leveraging the LFX Community Platform, we’re proud to be part of an important effort that will help millions of developers worldwide to innovate securely.”
LFX Security will be further scaled out in 2022 to help developers of open source projects under the Open Source Security Foundation at Linux Foundation. LFX Security is free and available now at https://lfx.linuxfoundation.org/tools/security/