Securing your projects is no easy task, but end-to-end supply chain security is more top of mind than ever. We’ve seen bad actors expand their focus to taking over user accounts, commonly used dependencies, and also build systems. Defending against these attacks is hard, because there’s no one thing you can do to protect your project end-to-end.
To help you defend against these attacks, we created new guides in our Docs that cover how to get started securing your end-to-end supply chain. These guides walk you through how to think about risk in the security of your accounts, your code, and your build processes, as well as showing how GitHub features like two-factor authentication, Dependabot, and GitHub Actions can help you start your security journey. Don’t think you have to do everything at once! Instead, use these guides to help you plan the security improvements you can make to decrease your risk of attack over time.
The guides have content for all users, whether you’re on a free plan or an enterprise administrator. Here’s a quick summary of the topics covered in each section.
Keeping ownership over your account, whether personal, organization, or enterprise is one of the biggest ways you can stay secure against bad actors. In this guide, you’ll find information on how to do the following:
💡 Learn more in our guide to Securing your accounts.
Top-of-mind for most developers is making sure the code that they’re building, using and introducing into their own project isn’t going to expose them to a huge amount of risk. From introducing vulnerabilities in your dependency tree, or leaking authentication credentials or tokens, or even personally writing in security vulnerabilities into your code, there are a lot of ways you can expose yourself to risk in your codebase. In this guide, you’ll find information on how to do the following:
💡 Learn more in our guide to Securing your code in your supply chain.
Some attacks focus on the build system—to attack your system without having to take over accounts or exploit dependencies. In this guide, we’ll share some information on how to protect yourself from these types of attacks by doing the following:
💡 Learn more in our guide to Securing your build system.
End-to-end supply chain security is a broad topic. We hope the new guides help you get started, or show new paths if you’re already on your way. Think there’s something we missed? Want more detail on a topic? Let us know here.
We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.
Say goodbye to constant mouse clicking and hello to seamless navigation with GitHub shortcuts.
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
Zachary Steindler 
