Google is releasing the deps.dev API. With it, developers can easily scan open-source code for vulnerabilities and other problems.
The API is an extension of the deps.dev program launched by Google in 2021. With this program, Google aims to provide more insight into the security data of more than 5 million open-source packages.
Developers can use the API to check whether the open-source packages used in their development projects carry known vulnerabilities. It also provides information about licensing.
The deps.dev API should make it easier for developers to use the underlying program dataset. It does so by enabling automated workflows that draw on the deps.dev data to discover vulnerabilities and other potential problems more efficiently.
One example is the use of a plugin that integrates deps.dev with the developers’ own code editor. This plugin detects when a developer downloads an open-source package and then automatically scans the package for vulnerabilities. Possible licensing issues are recognized in the same way.
Other functionality includes integration with CI/CD tooling and a “real dependency” graph feature that scans the code of packages and then presents a more detailed list of the components.
Furthermore, the tech giant is introducing support for hash search queries. This allows developers to more easily discover supply chain attacks. In these types of attacks, cybercriminals insert malicious code into companies’ applications.
With this new support, developers can quickly identify whether malicious code has been added via an open-source package.
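One way to wire the two checks described above (advisory and license lookup per dependency, and a hash search for a downloaded artifact) into a script, written here as an added example rather than Google's own code: the v3 URL layout, the base64 encoding of the hash value and the response fields (`advisoryKeys`, `licenses`, `results[].version.versionKey`) are my reading of the public API and should be checked against the current documentation, and the sample responses are constructed.

```python
import base64, hashlib, json, urllib.parse, urllib.request
API = "https://api.deps.dev/v3"  # assumed v3 base URL; verify against current docs

def version_url(system, name, version):
    """Version lookup path (assumed): /systems/{system}/packages/{name}/versions/{version}."""
    q = lambda s: urllib.parse.quote(s, safe="")  # scoped npm names contain "/"
    return f"{API}/systems/{q(system)}/packages/{q(name)}/versions/{q(version)}"

def hash_query_url(sha256_digest):
    """Hash search (assumed): /query?hash.type=SHA256&hash.value=<base64 digest>."""
    b64 = base64.b64encode(sha256_digest).decode()
    return f"{API}/query?" + urllib.parse.urlencode({"hash.type": "SHA256", "hash.value": b64})

def fetch_json(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def audit_dependency(system, name, version, allowed_licenses, fetch=fetch_json):
    """Flag a dependency that carries advisories or a license outside the allow-list."""
    data = fetch(version_url(system, name, version))
    advisories = [a["id"] for a in data.get("advisoryKeys", [])]
    bad = [lic for lic in data.get("licenses", []) if lic not in allowed_licenses]
    return {"package": f"{system}:{name}@{version}", "advisories": advisories,
            "disallowed_licenses": bad, "ok": not advisories and not bad}

def identify_artifact(blob, fetch=fetch_json):
    """Map downloaded bytes to published versions by SHA-256; [] means no known release matches."""
    results = fetch(hash_query_url(hashlib.sha256(blob).digest())).get("results", [])
    return [r["version"]["versionKey"] for r in results]

# Constructed sample responses carrying only the fields read above; not real deps.dev data.
SAMPLE_ARTIFACT = b"constructed tarball bytes"
SAMPLE_KEY = {"system": "NPM", "name": "example-pkg", "version": "1.0.0"}
SAMPLE_RESPONSES = {
    version_url("npm", "example-pkg", "1.0.0"): {
        "versionKey": SAMPLE_KEY, "licenses": ["GPL-3.0"],
        "advisoryKeys": [{"id": "GHSA-xxxx-xxxx-xxxx"}],  # placeholder advisory id
    },
    hash_query_url(hashlib.sha256(SAMPLE_ARTIFACT).digest()): {
        "results": [{"version": {"versionKey": SAMPLE_KEY}}]
    },
}

def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, {"results": []})  # offline stand-in; live API gives 404 for unknown versions

if __name__ == "__main__":
    print(audit_dependency("npm", "example-pkg", "1.0.0", {"MIT", "Apache-2.0"}, fetch=sample_fetch))
    print(identify_artifact(SAMPLE_ARTIFACT, fetch=sample_fetch))  # one match
    print(identify_artifact(b"tampered bytes", fetch=sample_fetch))  # [] -> not a published release
```

Dropping the `fetch=sample_fetch` argument sends the same requests to the live service, so the functions can be dropped into a CI step or editor hook unchanged.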