Free, Pro, & Team

English

Code security

Build security into your GitHub workflow with features to keep secrets and vulnerabilities out of your codebase, and to maintain your software supply chain.

Overview

Guides

View all

Securing your repository

You can use a number of GitHub features to help keep your repository secure.

Securing your organization

You can use a number of GitHub features to help keep your organization secure.

Creating a security advisory

You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.

What's new

View all

Advisory Database now includes an Unreviewed Advisories section

December 16

Secret scanning permissions can now be configured as part of custom repository roles

December 13

Improvements to the code scanning API

December 10

Code examples

Search code examples:

CodeQL code scanning at Microsoft

Example code scanning workflow for the CodeQL action from the Microsoft Open Source repository.

CodeQLCode scanningGitHub Actions

Adversarial Robustness Toolbox (ART) CodeQL code scanning

Example code scanning workflow for the CodeQL action from the Trusted AI repository.

CodeQLCode scanningGitHub Actions

Microsoft security policy

Example security policy

Security policy

Electron security policy

Example security policy

Security policy

Security advisory for Rails

Security advisory published by Rails for CVE-2020-15169.

Security advisory

Enable Dependabot alerts and security updates automatically

Sample scripts for enabling Dependabot alerts and security updates across an entire organization.

DependabotAlertsSecurity updatesOrganizationScripts

Guides

Configuring Dependabot security updates

You can use Dependabot security updates or manual pull requests to easily update vulnerable dependencies.

Enabling and disabling Dependabot version updates

You can configure your repository so that Dependabot automatically updates the packages you use.

Setting up code scanning for a repository

You can set up code scanning by adding a workflow to your repository.

Explore guides

All Code security docs

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.

Still need help?

Ask the GitHub community

Contact support

Nov	DEC	Jan
	26
2020	2021	2022

Code security

Guides

Securing your repository

Securing your organization

Creating a security advisory

Popular

About alerts for vulnerable dependencies

About coordinated disclosure of security vulnerabilities

Keeping your actions up to date with Dependabot

Configuration options for dependency updates

Managing encrypted secrets for Dependabot

Troubleshooting the detection of vulnerable dependencies

What's new

Advisory Database now includes an Unreviewed Advisories section

Secret scanning permissions can now be configured as part of custom repository roles

Improvements to the code scanning API

Code examples

CodeQL code scanning at Microsoft

Adversarial Robustness Toolbox (ART) CodeQL code scanning

Microsoft security policy

Electron security policy

Security advisory for Rails

Enable Dependabot alerts and security updates automatically

Guides

Configuring Dependabot security updates

Enabling and disabling Dependabot version updates

Setting up code scanning for a repository

All Code security docs

Getting started with code security

Keeping secrets secure with secret scanning

Finding security vulnerabilities and errors in your code with code scanning

Managing security advisories for vulnerabilities in your project

Securing your software supply chain

Viewing security alerts for repositories in your organization

Did this doc help you?

Help us make these docs great!

Still need help?