Best practices to keep your projects secure on GitHub
These days software is subject to an ever-changing threat landscape. Check out the many ways you can keep your projects secure on GitHub today.
Posts by
Justin Hutchings
Director of Product Management for supply chain security. I manage the team that's behind Dependabot, the Advisory Database, and the dependency graph. Twitter: https://twitter.com/jhutchings0
Dependency graph now supports GitHub Actions
The dependency graph helps developers and maintainers understand the code they depend on, and now includes GitHub Actions!
Safeguard your containers with new container signing capability in GitHub Actions
GitHub has partnered with the OpenSSF and Project Sigstore to add container image signing to our default “Publish Docker Container” workflow.
Code scanning is now available!
Now available, code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.
Behind the scenes: GitHub security alerts
Learn more about what’s behind the scenes with GitHub vulnerability alerts.
Dependency graph support is now available for PHP repositories with Composer dependencies
The dependency graph is rolling out for all PHP repositories with Composer dependencies. In addition to Composer, GitHub supports package managers for many other programming languages, including Maven, NPM, Yarn, and Nuget.
GitHub Token Scanning—one billion tokens identified and five new partners
Token scanning has reached a new milestone: one billion tokens identified. We’ve also added five new partners—Atlassian, Dropbox, Discord, Proctorio, and Pulumi.
Commit signing support for bots and other GitHub Apps
Commit signing is now enabled for all bots by default.
Yarn support for security alerts
Yarn now supports security alerts for public and private repositories.
Introducing new ways to keep your code secure
It’s more important than ever that every developer becomes a security developer—that they responsibly disclose vulnerabilities and patch vulnerable code quickly. Today, we’re excited to announce several new security features designed to make it easier for developers to secure their code.