English
No results found.

Explore by product

Code security
  • Get started
  • Account and profile
  • Authentication
  • Repositories
  • GitHub
  • Enterprise administrators
  • Billing and payments
  • Organizations
  • Code security
  • GitHub Issues
  • GitHub Actions
  • GitHub Codespaces
  • GitHub Packages
  • Search on GitHub
  • Developers
  • REST API
  • GraphQL API
  • GitHub CLI
  • GitHub Discussions
  • GitHub Sponsors
  • Building communities
  • GitHub Pages
  • Education
  • GitHub Desktop
  • Atom
  • Electron
  • CodeQL
    • English
  • English
  • 简体中文 (Simplified Chinese)
  • 日本語 (Japanese)
  • Español (Spanish)
  • Português do Brasil (Portuguese)

    • In this article

    Collaborating in a temporary private fork to resolve a security vulnerability

    You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.

    Prerequisites

    Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "Creating a security advisory."

    Creating a temporary private fork

    Anyone with admin permissions to a security advisory can create a temporary private fork.

    To keep information about vulnerabilities secure, integrations, including CI, cannot access temporary private forks.

    1. On GitHub, navigate to the main page of the repository.
    2. Under your repository name, click Security. Security tab
    3. In the left sidebar, click Security advisories. Security advisories tab
    4. In the "Security Advisories" list, click the security advisory you'd like to create a temporary private fork in. Security advisory in list
    5. Click New temporary private fork. New temporary private fork button

    Adding collaborators to a temporary private fork

    Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "Adding a collaborator to a security advisory."

    Adding changes to a temporary private fork

    Anyone with write permissions to a security advisory can add changes to a temporary private fork.

    1. On GitHub, navigate to the main page of the repository.
    2. Under your repository name, click Security. Security tab
    3. In the left sidebar, click Security advisories. Security advisories tab
    4. In the "Security Advisories" list, click the security advisory you'd like to add changes to. Security advisory in list
    5. Add your changes on GitHub or locally:
      • To add changes on GitHub, under "Add changes to this advisory", click the temporary private fork. Then, create a new branch and edit files. For more information, see "Creating and deleting branches within your repository" and "Editing files."
      • To add changes locally, follow the instructions under "Clone and create a new branch" and "Make your changes, then push." Add changes to this advisory box

    Creating a pull request from a temporary private fork

    Anyone with write permissions to a security advisory can create a pull request from a temporary private fork.

    1. On GitHub, navigate to the main page of the repository.
    2. Under your repository name, click Security. Security tab
    3. In the left sidebar, click Security advisories. Security advisories tab
    4. In the "Security Advisories" list, click the security advisory you'd like to create a pull request in. Security advisory in list
    5. To the right of your branch name, click Compare & pull request. Compare & pull request button
    6. Type a title and description for your pull request. Pull request title and description fields
    7. To create a pull request that is ready for review, click Create Pull Request. To create a draft pull request, use the drop-down and select Create Draft Pull Request, then click Draft Pull Request. For more information about draft pull requests, see "About pull requests."Create pull request button

    You cannot merge individual pull requests in a temporary private fork. Instead, you merge all open pull requests at once, in the corresponding security advisory. For more information, see "Merging changes in a security advisory."

    Merging changes in a security advisory

    Anyone with admin permissions to a security advisory can merge changes in a security advisory.

    You cannot merge individual pull requests in a temporary private fork. Instead, you merge all open pull requests at once, in the corresponding security advisory.

    Before you can merge changes in a security advisory, every open pull request in the temporary private fork must be mergeable. There can be no merge conflicts, and branch protection requirements must be satisfied. To keep information about vulnerabilities secure, status checks do not run on pull requests in temporary private forks. For more information, see "About protected branches."

    1. On GitHub, navigate to the main page of the repository.
    2. Under your repository name, click Security. Security tab
    3. In the left sidebar, click Security advisories. Security advisories tab
    4. In the "Security Advisories" list, click the security advisory with changes you'd like to merge. Security advisory in list
    5. To merge all open pull requests in the temporary private fork, click Merge pull requests. Merge pull requests button

    After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "Publishing a security advisory."

    Further reading

    Did this doc help you?

    Privacy policy

    Help us make these docs great!

    All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

    Make a contribution

    Or, learn how to contribute.