
We tend to avoid using GitHub repos, but go for published packages from the usual sites: NuGet, PyPI, npm etc., using Repository and Firewall from Sonatype to act as a proxy between us and the package repos. All packages are analyzed and tagged with various metadata by Sonatype. Firewall lets us define policies for what we can use, and will filter out everything else.

This only works for published dependencies, but based on a couple of years' experience it works really well. No issues with malware (so far), we don't let packages with known vulns into our codebases, and we are notified if a vuln is discovered in something we use.
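The gating workflow the comment describes, as an added illustration that is not the commenter's code and not Sonatype's policy format or API: a proxy admits only published registry packages whose metadata passes a policy (no known vulns above a threshold, allowed ecosystem, allowed license), and re-checks already-admitted packages when new vulnerability data arrives so the team can be notified. All package metadata and CVSS values are constructed sample input.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class PackageMeta:
    """Metadata a proxy would attach to a package (constructed, hypothetical schema)."""
    ecosystem: str     # "npm", "pypi" or "nuget"
    name: str
    version: str
    source: str        # "registry" for a published package, "git" for a direct repo pull
    known_vulns: tuple # CVSS scores of vulnerabilities known at analysis time
    license: str

@dataclass(frozen=True)
class Policy:
    """What the firewall lets through; everything else is filtered out."""
    allowed_ecosystems: frozenset = frozenset({"npm", "pypi", "nuget"})
    max_cvss: float = 0.0  # 0.0 means any known vulnerability blocks the package
    banned_licenses: frozenset = frozenset({"AGPL-3.0"})

def evaluate(pkg, policy):
    """Return (allowed, reasons); an empty reasons list means the package passes."""
    reasons = []
    if pkg.source != "registry":
        reasons.append("not a published package")
    if pkg.ecosystem not in policy.allowed_ecosystems:
        reasons.append(f"ecosystem {pkg.ecosystem} not allowed")
    worst = max(pkg.known_vulns, default=0.0)
    if worst > policy.max_cvss:
        reasons.append(f"known vulnerability with CVSS {worst}")
    if pkg.license in policy.banned_licenses:
        reasons.append(f"license {pkg.license} banned")
    return (not reasons, reasons)

class ProxyFirewall:
    """Sits between developers and the registries; remembers what it admitted."""
    def __init__(self, policy):
        self.policy = policy
        self.admitted = {}  # (ecosystem, name, version) -> PackageMeta

    def fetch(self, pkg):
        ok, reasons = evaluate(pkg, self.policy)
        if ok:
            self.admitted[(pkg.ecosystem, pkg.name, pkg.version)] = pkg
        return ok, reasons

    def rescan(self, updates):
        """updates maps admitted keys to refreshed CVSS tuples; returns keys that now fail policy."""
        alerts = []
        for key, vulns in updates.items():
            if key in self.admitted:
                ok, _ = evaluate(replace(self.admitted[key], known_vulns=vulns), self.policy)
                if not ok:
                    alerts.append(key)
        return alerts
```

The keys returned by `rescan` are the packages already in use that need a notification, which is the "we are notified if a vuln is discovered" part of the workflow.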
