Security

Featured

April 13, 2021

Product

Implementing least privilege for secrets in GitHub Actions

Philip Holleran

April 5, 2021

Engineering

Behind GitHub’s new authentication token formats

Heather Harvey

All "Security" posts

April 13, 2021

Implementing least privilege for secrets in GitHub Actions

GitHub Actions provide a powerful, extensible way to automate software development workflows. When access to outside resources is required, GitHub provides the ability to store encrypted secrets used by GitHub Actions to authenticate against these

Philip Holleran

April 5, 2021

Behind GitHub’s new authentication token formats

We’re excited to share a deep dive into how our new authentication token formats are built and how these improvements are keeping your tokens more secure. As we continue to focus on the security of

Heather Harvey

March 30, 2021

Security

GitHub Advanced Security: Introducing security overview beta and general availability of secret scanning for private repositories

GitHub Advanced Security helps you create secure applications with a community-driven, developer-first approach. Today, we are excited to announce two updates: Beta of the new security overview for organizations and teams, which provides a high-level

William Bartholomew

March 24, 2021

Security

One day short of a full chain: Real world exploit chains explained

When it comes to security research, the path from bug to vulnerability to exploit can be a long one. Security researchers often end their research journey at the “Proof of Concept” (PoC) stage. A PoC

Man Yue Mo

March 22, 2021

GitHub Capture the Flag results

Earlier this month, we challenged you to a Call to Hacktion—a CTF (Capture the Flag) competition to put your GitHub Workflow security skills to the test. Participants were invited to find a vulnerability in a

Bas Alberts

March 18, 2021

How we found and fixed a rare race condition in our session handling

On March 8, we shared that, out of an abundance of caution, we logged all users out of GitHub.com due to a rare security vulnerability. We believe that transparency is key in earning and keeping

Dirkjan Bussink

March 16, 2021

Using GitHub code scanning and CodeQL to detect traces of Solorigate and other backdoors

Last month, a member of the CodeQL security community contributed multiple CodeQL queries for C# codebases that can help organizations assess whether they are affected by the SolarWinds nation-state attack on various parts of critical

Bas van Schaik

March 15, 2021

Dependabot ❤️s private dependencies

Dependabot’s mission is to keep all of your dependencies free of vulnerabilities and up-to-date, but until now, it hasn’t been able to update all of your private dependencies. That meant that internal libraries, shared design

Mike McDonald

March 9, 2021

Git clone vulnerability announced

Today, the Git project released new versions to address CVE-2021-21300: a security vulnerability in the delayed checkout mechanism used by Git LFS during git clone operations affecting versions 2.15 and newer. These updates address an

Taylor Blau

March 8, 2021

GitHub security update: A bug related to handling of authenticated sessions

Why did I get logged out of GitHub.com? On the evening of March 8, we invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out of an abundance of caution

Mike Hanley

View more posts