The Insights tab displays whether the project has any known vulnerabilities, right below the Dependency Graph. The graph is a tree-like structure of all the libraries loaded into the project, built from its configuration and manifest files.
GitHub also has a settings page so that developers can choose how, and how often, they are notified:
- A banner in the GitHub interface
- Web notifications on the GitHub domain
- Email notifications for each new vulnerability
- Daily or weekly email digests of new vulnerabilities
The company has seen a massive improvement in users fixing security issues since it enabled the feature by default for all public projects; users of private repositories have to enable it manually.
The security alerts currently rely on CVE entries to keep track of known security bugs: if a vulnerability is listed in the NVD portal, it will show up in GitHub security alerts. The company did not say whether other programming languages will receive notifications, but .NET projects may be next, since developers have to maintain manifest files to run the project; furthermore, Microsoft bought GitHub, and supporting its parent company's platform would be a likely move.
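To make the mechanism described above concrete, here is an added illustration (not GitHub's code, and not from the article) of how a manifest-driven dependency list is cross-referenced against a vulnerability feed such as CVE/NVD. The manifest, the advisory records, their identifiers and their version ranges are all constructed placeholders; the `introduced`/`fixed` range fields are an assumed advisory shape, not the NVD schema.

```python
"""Added illustration (not GitHub's code): matching a manifest-derived
dependency list against known-vulnerability records, CVE/NVD style."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample manifest in the pinned "name==version" style of a
# Python requirements file. A real tool would read the file from the repo.
SAMPLE_MANIFEST = """\
# constructed example manifest
requests==2.18.0
urllib3==1.22
flask==1.0.2
"""

# Constructed advisory records standing in for NVD/CVE entries. The IDs are
# placeholders, not real CVE numbers, and the version ranges are invented.
SAMPLE_ADVISORIES = [
    {"id": "CVE-0000-PLACEHOLDER-1", "package": "urllib3",
     "introduced": "1.0", "fixed": "1.23", "severity": "moderate"},
    {"id": "CVE-0000-PLACEHOLDER-2", "package": "requests",
     "introduced": "2.0.0", "fixed": "2.20.0", "severity": "high"},
    {"id": "CVE-0000-PLACEHOLDER-3", "package": "flask",
     "introduced": "0.10", "fixed": "1.0.0", "severity": "high"},
]


@dataclass(frozen=True)
class Dependency:
    name: str
    version: tuple[int, ...]


def parse_version(text: str) -> tuple[int, ...]:
    """Split a dotted version into a comparable tuple ("1.22" -> (1, 22))."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text: str) -> list[Dependency]:
    """Build the flat dependency list that the dependency graph is built from."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            raise ValueError(f"unsupported manifest line: {line!r}")
        deps.append(Dependency(m.group(1).lower(), parse_version(m.group(2))))
    return deps


def is_affected(dep: Dependency, advisory: dict) -> bool:
    """A dependency is affected when introduced <= version < fixed."""
    if dep.name != advisory["package"].lower():
        return False
    introduced = parse_version(advisory["introduced"])
    fixed = parse_version(advisory["fixed"])
    return introduced <= dep.version < fixed


def find_alerts(manifest_text: str, advisories: list[dict]) -> list[dict]:
    """Cross-reference every parsed dependency against every advisory record."""
    alerts = []
    for dep in parse_manifest(manifest_text):
        for adv in advisories:
            if is_affected(dep, adv):
                alerts.append({"package": dep.name,
                               "version": ".".join(map(str, dep.version)),
                               "advisory": adv["id"],
                               "severity": adv["severity"],
                               "fixed_in": adv["fixed"]})
    return alerts


if __name__ == "__main__":
    # On the constructed data this reports urllib3 and requests; flask 1.0.2
    # is already past the placeholder advisory's fixed version.
    for alert in find_alerts(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{alert['severity']:>8}  {alert['package']}=={alert['version']}"
              f"  {alert['advisory']}  (fixed in {alert['fixed_in']})")
```

The point of the half-open range check (`introduced <= version < fixed`) is the same one that makes the GitHub feature useful: a dependency pinned to a version at or beyond the fix produces no alert, so the signal tracks what is actually deployed rather than merely which library names appear in the manifest.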