Security
Securing software, together
We all play a role in securing the world’s code—developers, maintainers, researchers, and security teams. On GitHub, teams work together to secure the world’s software at every step.
Ready to talk about advanced security features for GitHub Enterprise?
Identify
Find security issues as you code
Write safer code from day one with end-to-end security. GitHub helps you address vulnerabilities earlier and ship secure applications.
Shift security left
Build securely without slowing down innovation. Automated security always works for you by scanning code as it's created.
Code as data
While fuzzing or inspecting code manually is great for finding specific vulnerabilities, this approach doesn’t scale to cover your entire codebase. CodeQL treats code as data and encodes vulnerabilities as queries—making it possible to find every instance of a bug in a codebase, a portfolio, or the entire open source software ecosystem.
Community-led approach
CodeQL ships with thousands of queries written by GitHub and the world’s leading security researchers. Code scanning queries are open source so developers, maintainers, and security teams can build on existing queries or create their own.
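As an added illustration of the code-as-data idea (not GitHub's code and not CodeQL itself, which uses its own QL language): a miniature "query" written against Python's `ast` module that finds every `subprocess` call passing a non-literal command with `shell=True`, run over a constructed two-file codebase so that each variant of the pattern is found in one pass.

```python
import ast

# Constructed sample "codebase": three subprocess call sites across two files.
# The ls() call passes a constant command, so it is not a variant of the bug.
SAMPLE_SOURCES = {
    "deploy.py": (
        "import subprocess\n"
        "def restart(service):\n"
        "    subprocess.run('systemctl restart ' + service, shell=True)\n"
    ),
    "backup.py": (
        "import subprocess\n"
        "def dump(db):\n"
        "    subprocess.call(f'pg_dump {db}', shell=True)\n"
        "def ls():\n"
        "    subprocess.run('ls -la', shell=True)\n"
    ),
}

def _shell_is_true(call: ast.Call) -> bool:
    """True when the call carries a literal shell=True keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )

def query_shell_injection(path: str, source: str) -> list:
    """The 'query': every subprocess.<fn>(cmd, ..., shell=True) call whose
    command is not a string literal. Returns (file, line, function) tuples."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        fn = node.func
        if not (isinstance(fn, ast.Attribute)
                and isinstance(fn.value, ast.Name)
                and fn.value.id == "subprocess"):
            continue
        cmd = node.args[0]
        literal_cmd = isinstance(cmd, ast.Constant) and isinstance(cmd.value, str)
        if _shell_is_true(node) and not literal_cmd:
            hits.append((path, node.lineno, fn.attr))
    return hits

def run_query(sources: dict) -> list:
    """Run the same query over every file: one query, every variant."""
    return [hit for path, src in sources.items() for hit in query_shell_injection(path, src)]
```

Calling `run_query(SAMPLE_SOURCES)` reports the two non-literal call sites and skips the constant one; a real query would also track where the command string comes from, which this stand-in does not.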
Disclose
Defining the open source security workflow
Open source powers the world’s software. GitHub provides the infrastructure security researchers and open source maintainers need to report and disclose security vulnerabilities.
Organization-wide security policies
A repository’s `SECURITY.MD` file describes everything researchers and users need to report a potential vulnerability. Maintainers can create per-project policies or automatically apply one security policy to every repository in their organization.
Responsible vulnerability reporting
Open source maintainers set security policies for their projects, letting their communities know the best way to responsibly report vulnerabilities.
Fix
GitHub Security Advisories
Open source maintainers have a secure and private space to work through vulnerabilities together. They collaborate on fixes and publish security advisories to the developer community that relies on their projects without leaving GitHub—or tipping off would-be hackers.
Private collaboration for maintainers
Before they send out public advisories, maintainers privately discuss the impact of a vulnerability in draft advisories. They collaborate in temporary private forks, and then publish advisories to alert and update the entire ecosystem.
Securing repositories and their dependents
The GitHub Advisory Database serves as the single source of truth for open source security issues with 1800-plus advisories reported so far. Since launching the database in 2019, open source projects have relied on GitHub to publish security advisories and notify all dependent repositories.
CVEs issued by GitHub
Common Vulnerabilities and Exposures (CVEs) allow anyone to reference a vulnerability and its fix anywhere, including the GitHub Advisory Database and the National Vulnerability Database. GitHub can now issue CVEs for any public repository, making it easier for security researchers and maintainers to create CVEs and keep our community safe.
Alert
Dependabot alerts
GitHub reviews every security vulnerability to identify and alert affected repositories. For project owners, we’ll always share the details you need to understand and remediate risks with confidence.
Rich vulnerability data
GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, and the National Vulnerability Database—including release notes, changelog entries, and commit details—all of it discoverable in the GitHub Advisory Database.
Helping everyone stay secure
GitHub continuously scans security advisories for popular languages. We send Dependabot alerts to maintainers of affected repositories with details on the severity level and a link to relevant files.
Update
Update vulnerable dependencies, automatically
Identifying security vulnerabilities is only half the challenge—but project owners can update vulnerable dependencies faster than ever with Dependabot security updates.
Automated pull requests for security updates
Dependabot security updates keep your projects secure and up to date by monitoring them for vulnerable components. If a vulnerability is found, we’ll automatically open a pull request with suggested fixes—and share compatibility scores based on community tests so you can see the impact of proposed changes before merging.
Protecting codebases from new vulnerabilities
Keeping code up to date isn’t enough to secure open source for everyone. We’re working with security researchers, maintainers, and developers to prevent new vulnerabilities from entering software projects.
Prevent
Secret scanning
Every developer has to manage credentials. Secret scanning watches public and private repositories for known secret formats and immediately notifies either the secret provider or private repository admins when secrets are found.
Collaborating with service providers
We work closely with more than 24 leading service providers to revoke or replace exposed secrets, so you can continue using secrets securely.
Keeping GitHub secrets safe
When a valid GitHub secret is pushed to a public repository, we’ll revoke it and notify the repository owner within seconds.
Growing support for popular service providers
Secret scanning supports tokens from Alibaba Cloud, Atlassian, AWS, Azure, Dropbox, Discord, Google Cloud, Mailgun, npm, Proctorio, Pulumi, Slack, Stripe, and Twilio, with more added all of the time.
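Added example, not GitHub's scanner: a pre-receive style check that walks a unified diff and flags added lines matching two known secret formats (GitHub personal access tokens and AWS access key IDs; the pattern set is an illustrative assumption), keeping only a redacted form of each match so the secret itself never lands in a log or alert. The diff and the token in it are constructed.

```python
import re
from dataclasses import dataclass

# Illustrative subset of known secret formats (constructed; a real scanner carries
# one pattern per partner provider).
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # prefix/suffix only: findings get logged and mailed

def scan_diff(diff_text: str) -> list:
    """Flag added ('+') lines of a unified diff that match a known secret format.
    Removed lines are ignored: they are no longer being introduced."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = re.sub(r"^b/", "", raw[4:])
        elif raw.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            new_line += 1
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(raw[1:]):
                    s = m.group(0)
                    findings.append(Finding(path, new_line, kind, s[:8] + "..." + s[-4:]))
        elif not raw.startswith("-"):
            new_line += 1  # unchanged context line
    return findings

# Constructed sample push: a token and an access key ID pasted into config.py.
SAMPLE_TOKEN = "ghp_" + "A1b2C3d4" * 4 + "E5f6"  # 36 characters after the prefix
SAMPLE_DIFF = f"""diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-TOKEN = os.environ["GH_TOKEN"]
+TOKEN = "{SAMPLE_TOKEN}"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_URL = os.environ["DB_URL"]
 print("ok")
"""
```

`scan_diff(SAMPLE_DIFF)` returns one finding per pasted credential with the file and new-file line number; the `AKIAIOSFODNN7EXAMPLE` value is the key ID AWS uses in its own documentation, not a live key.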
Eradicate vulnerabilities and their variants before they become a problem
Never make the same mistake twice. Security teams leverage GitHub Advanced Security to build security into DevOps processes, scaling secure development to all engineers.
Find and eliminate all variants
Scan across multiple codebases at scale. By building on existing queries and automating variant analysis, teams find critical vulnerabilities and their variants faster, even in the largest codebases.
Analyze changes to prevent mistakes from reaching production
Code scanning helps prevent vulnerabilities from reaching production by analyzing every pull request, commit, and merge—recognizing vulnerable code as soon as it’s created.
Secure development at every step
Advanced Security brings consistent analysis to every step of the development process by integrating with the development workflow.
Compare plans
Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered. Interested in learning more about secure development in your organization?
Feature | Free | Pro | Team | Enterprise |
---|---|---|---|---|
Code scanning | Public repositories | Public repositories | Public repositories | Contact us |
Dependabot security updates | Enterprise Cloud | |||
GitHub Security Advisories | Public repositories | Public repositories | Public repositories | Public repositories Enterprise Cloud |
Dependabot alerts | ||||
Security policies | Public repositories | Public repositories | Public repositories | Public repositories Enterprise Cloud |
Secret scanning | Public repositories | Public repositories | Public repositories | Public repositories Private repositories Beta Enterprise Cloud |
Dependency insights | Enterprise Cloud | |||
Two-factor Authentication (2FA) | ||||
WebAuthn & security keys | ||||
Required 2FA for organizations | ||||
Delegated Account Recovery | ||||
Git over Secure Shell (SSH) and HTTPS | ||||
Git over Secure Shell with Enterprise issued certificate authentication | ||||
GPG commit-signing verification | ||||
Security audit log | ||||
SAML | ||||
LDAP | ||||
IP allow list | Enterprise Cloud | |||
Protected branches | ||||
Required reviews | Public repositories | |||
Required status checks | Public repositories | |||
Learn more about GitHub Security Lab
Security Lab makes dozens of disclosures every year. Learn more about their security discoveries.
Sign up for GitHub Advanced Security
Get our best security tools for teams with Advanced Security, available now for GitHub Enterprise customers.