Securing software, together
We all play a role in securing the world’s code—developers, maintainers, researchers, and security teams. On GitHub, development teams everywhere can work together to secure the world’s software supply chain, from fork to finish.
Find vulnerabilities that other tools miss
CodeQL is the industry’s leading semantic code analysis engine. Our revolutionary approach treats code as data to identify security vulnerabilities faster.
Treating code as data
Traditionally, vulnerabilities are discovered by security researchers inspecting code by hand. Semmle’s semantic code analysis engine, CodeQL, treats code as data with a powerful query engine. It identifies even the most complex semantic patterns at scale and gets smarter over time.
A revolutionary engine
CodeQL combines the latest research in compiler optimization with insights from database implementation to provide a declarative, object-oriented language, so security teams can find vulnerabilities at scale that evade other tools.
Leading security researchers express patterns in CodeQL queries to share their expertise with the world. CodeQL ships with thousands of queries used to power variant analysis, so developers, maintainers, and security teams can build on existing queries or create their own.
Defining the open source security workflow
Open source powers the world’s software. GitHub provides the infrastructure security researchers and open source maintainers need to report and disclose security vulnerabilities.
Responsible vulnerability reporting
Open source maintainers set security policies for their projects, letting their communities know the best way to responsibly report vulnerabilities.
Organization-wide security policies
A repository’s SECURITY.md file describes everything researchers and users need to report a potential vulnerability. Maintainers can create per-project policies or automatically apply one security policy to every repository in their organization.
GitHub Security Advisories
Open source maintainers have a secure and private space to work through vulnerabilities together. They collaborate on fixes and publish security advisories to the community of people that rely on their projects without leaving GitHub—or tipping off would-be hackers.
Private collaboration for maintainers
Before they send out public advisories, maintainers privately discuss the impact of a vulnerability in draft advisories. They collaborate in temporary private forks, and then publish advisories to alert and update the entire ecosystem.
Securing repositories and their dependents
Since the launch of security advisories in 2019, open source projects have relied on GitHub to publish security advisories and notify all dependent repositories.
CVEs issued by GitHub
GitHub can now issue CVEs for any public repository. CVEs allow anyone to reference a vulnerability and its fix anywhere, including the GitHub Advisory Database and the National Vulnerability Database.
GitHub reviews every security vulnerability to identify and alert affected repositories. We source our vulnerability information from industry experts to provide the details project owners need to understand and remediate risks.
Research-driven vulnerability data
GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, and the National Vulnerability Database, including release notes, changelog entries, and commit details, all discoverable in the GitHub Advisory Database.
Helping everyone stay secure
GitHub continuously scans security advisories for popular languages. We send security alerts to maintainers of affected repositories with details on the severity level and a link to relevant files.
Identifying security vulnerabilities is only half the challenge—but project owners can update vulnerable dependencies faster than ever with automated security updates.
Automated pull requests for security updates
Automated security updates keep projects secure by automatically opening pull requests that update dependencies to the minimum version that resolves the vulnerability. Compatibility scores based on community tests help maintainers merge updates with confidence.
Protecting codebases from new vulnerabilities
Keeping code up to date isn’t enough to secure open source for everyone. We’re working with security researchers, maintainers, and developers to prevent new vulnerabilities from entering software projects.
Automatic token scanning
Every developer has to manage credentials. GitHub scans for tokens that have accidentally been exposed in public repositories, then alerts the provider within seconds so they may revoke or notify the owner as appropriate.
Collaborating with service providers
Once the service provider validates the credential, they decide whether they should revoke the token, issue a new token, or reach out to a user directly.
Keeping GitHub tokens secret
When a valid GitHub token is pushed to a public repository, we’ll revoke it and notify the token owner within seconds.
Growing support for popular service providers
Token scanning supports tokens from Alibaba Cloud, Atlassian, AWS, Azure, Dropbox, Discord, Google Cloud, Mailgun, npm, Proctorio, Pulumi, Slack, Stripe, and Twilio, with more added all the time.
Eradicate vulnerabilities and their variants before they become a problem
Never make the same mistake twice. Security teams leverage Semmle LGTM to build security into DevOps processes, scaling secure development to all engineers.
Find and eliminate all variants of bugs and vulnerabilities
Scan across multiple codebases at scale. By building on existing queries and automating variant analysis, teams find critical vulnerabilities and their variants faster, even in the largest codebases.
Analyze new changes to prevent mistakes from reaching production
LGTM’s continuous code analysis helps prevent vulnerabilities from reaching production by analyzing every commit and recognizing vulnerable code as soon as it’s checked in.
Secure development at every step
LGTM brings consistent analysis to every step of the development process by integrating with IDEs, issue trackers, CI/CD services, and more.
Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered.
|Advanced vulnerability scanning||Public repositories||Public repositories||Public repositories||Contact us|
|Automated security updates||Enterprise Cloud|
|GitHub Security Advisories||Public repositories||Public repositories||Public repositories||Public repositories Enterprise Cloud|
|Security policies||Public repositories||Public repositories||Public repositories||Public repositories Enterprise Cloud|
|Token scanning||Public repositories||Public repositories||Public repositories||Public repositories Enterprise Cloud|
|Dependency insights||Enterprise Cloud|
|Two-factor Authentication (2FA)|
|WebAuthn & security keys|
|Required 2FA for organizations|
|Delegated Account Recovery|
|Git over Secure Shell (SSH) and HTTPS|
|Git over Secure Shell with Enterprise issued certificate authentication|
|GPG commit-signing verification|
|Security audit log|
|Required reviews||Public repositories|
|Required status checks||Public repositories|