A call for feedback on our policies around exploits and malware
April 30, 2021 update: Thank you to everyone who's weighed in on the discussion so far. I've commented in the pull request to clarify a few points based on initial…
Category
Security
Implementing least privilege for secrets in GitHub Actions
GitHub Actions provide a powerful, extensible way to automate software development workflows. When access to outside resources is required, GitHub provides the ability to store encrypted secrets used by GitHub…
Behind GitHub’s new authentication token formats
We're excited to share a deep dive into how our new authentication token formats are built and how these improvements are keeping your tokens more secure. As we continue to…
GitHub Advanced Security: Introducing security overview beta and general availability of secret scanning for private repositories
GitHub Advanced Security helps you create secure applications with a community-driven, developer-first approach. Today, we are excited to announce two updates: Beta of the new security overview for organizations and…
One day short of a full chain: Real world exploit chains explained
When it comes to security research, the path from bug to vulnerability to exploit can be a long one. Security researchers often end their research journey at the “Proof of…
GitHub Capture the Flag results
Earlier this month, we challenged you to a Call to Hacktion—a CTF (Capture the Flag) competition to put your GitHub Workflow security skills to the test. Participants were invited to…
How we found and fixed a rare race condition in our session handling
On March 8, we shared that, out of an abundance of caution, we logged all users out of GitHub.com due to a rare security vulnerability. We believe that transparency is…
Using GitHub code scanning and CodeQL to detect traces of Solorigate and other backdoors
Last month, a member of the CodeQL security community contributed multiple CodeQL queries for C# codebases that can help organizations assess whether they are affected by the SolarWinds nation-state attack on various parts of critical network infrastructure around the world.
Dependabot ❤️s private dependencies
Dependabot’s mission is to keep all of your dependencies free of vulnerabilities and up-to-date, but until now, it hasn’t been able to update all of your private dependencies. That meant…
Git clone vulnerability announced
Today, the Git project released new versions to address CVE-2021-21300: a security vulnerability in the delayed checkout mechanism used by Git LFS during git clone operations affecting versions 2.15 and…
GitHub security update: A bug related to handling of authenticated sessions
Why did I get logged out of GitHub.com? On the evening of March 8, we invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out…
GitHub Security Lab Capture the Flag: A call to hacktion
Save the date! March 17 to 21, take your chance with the GitHub CTF “A Call to Hacktion!” What is a CTF? In software security, a Capture the Flag (CTF)…
The little bug that couldn’t: Securing OpenSSL
Software security doesn't end at the boundaries of your own code. The moment a library dependency is introduced, you're adopting other people’s code and any bugs that come with it.…
Hello from GitHub’s new Chief Security Officer
The world runs on software, and a large portion of it, especially the open source software that’s part of everything we experience, is built by millions of developers on GitHub…
Avoiding npm substitution attacks
Supply chain attacks are a reality in modern software development. Thankfully, you can reduce the attack surface by taking precautions and being thoughtful about how you manage your dependencies. We…