Securing your projects is no easy task, but end-to-end supply chain security is more top of mind than ever. We’ve seen bad actors expand their focus to taking over user accounts, commonly used dependencies, and build systems. Defending against these attacks is hard, because there’s no one thing you can do to protect your project end-to-end.
To help you defend against these attacks, we created new guides in our Docs that cover how to get started securing your end-to-end supply chain. These guides walk you through how to think about risk in the security of your accounts, your code, and your build processes, as well as showing how GitHub features like two-factor authentication, Dependabot, and GitHub Actions can help you start your security journey. Don’t think you have to do everything at once! Instead, use these guides to help you plan the security improvements you can make to decrease your risk of attack over time.
The guides have content for all users, whether you’re on a free plan or an enterprise administrator. Here’s a quick summary of the topics covered in each section.
Keeping ownership of your account, whether it’s a personal, organization, or enterprise account, is one of the most effective ways to stay secure against bad actors. In this guide, you’ll find information on how to do the following:
- Configure two-factor authentication for your personal account
- Connect to GitHub using SSH keys
- Centralize user authentication (enterprises)
- Configure two-factor authentication (organizations and enterprises)
💡 Learn more in our guide to Securing your accounts.
Top of mind for most developers is making sure the code they’re building, using, and introducing into their own project isn’t going to expose them to a huge amount of risk. Whether it’s pulling a vulnerability in through your dependency tree, leaking authentication credentials or tokens, or writing a security vulnerability into your code yourself, there are a lot of ways you can expose yourself to risk in your codebase. In this guide, you’ll find information on how to do the following:
- Create a vulnerability management program for dependencies
- Secure your communication tokens
- Keep vulnerable coding patterns out of your repository
💡 Learn more in our guide to Securing your code in your supply chain.
Some attacks focus on the build system itself, compromising your project without having to take over accounts or exploit dependencies. In this guide, we’ll share some information on how to protect yourself from these types of attacks by doing the following:
- Sign your builds
- Harden security for GitHub Actions
💡 Learn more in our guide to Securing your build system.
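Two of the most common hardening steps for GitHub Actions workflows are pinning third-party actions to a full commit SHA instead of a mutable tag or branch, and giving the workflow’s GITHUB_TOKEN only the permissions it needs. The script below is an added example (not code from the guides or from GitHub) that audits a workflow file for both, using a deliberately weak sample workflow and a hardened version of the same workflow as constructed input. The action names, the 40-character SHA, and the `audit_workflow` function are assumptions made up for the example; the SHA is a placeholder, not a real release commit.

```python
import re

# Constructed sample: actions pinned to mutable refs ('v4', 'main') and no
# permissions block, so GITHUB_TOKEN receives the repository's default scope.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: make build
"""

# Constructed sample: same workflow with least-privilege permissions and every
# action pinned to a full commit SHA (placeholder value; pin to the real
# release commit in practice and keep the version as a trailing comment).
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA, v4.x
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: make build
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches 'uses:' at step level, with or without the leading list dash; the
# capture stops at whitespace or a '#' so trailing version comments are ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only a column-0 'permissions:' counts as a workflow-wide policy here; job-level
# blocks are also valid but this heuristic does not credit them.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:")


def audit_workflow(text):
    """Return a list of (line_number, message) findings for a workflow file.

    Line number 0 is used for file-level findings that have no single line.
    """
    findings = []
    has_top_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if TOP_PERMISSIONS_RE.match(line):
            has_top_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions (./path) and docker:// images follow different rules.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((lineno, f"unpinned action (no ref): {ref}"))
            continue
        name, _, version = ref.rpartition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, f"action pinned to mutable ref {version!r}: {name}"))
    if not has_top_permissions:
        findings.append((0, "no top-level 'permissions:' block; GITHUB_TOKEN gets default permissions"))
    return findings


if __name__ == "__main__":
    for label, workflow in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} workflow ==")
        for lineno, message in audit_workflow(workflow) or [(0, "no findings")]:
            print(f"  line {lineno}: {message}")
```

Running the script reports three findings for the weak workflow (two mutable refs and the missing permissions block) and none for the hardened one. A full SHA is the only ref that cannot be moved by whoever controls the action’s repository, which is why tag pins such as `@v4` are flagged even though they look versioned.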
End-to-end supply chain security is a broad topic. We hope the new guides help you get started, or show new paths if you’re already on your way. Think there’s something we missed? Want more detail on a topic? Let us know here.