Code scanning is now available!
Now available, code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.
Category
Security
Phishing Resistant SMS Autofill
We recently shipped support for the origin-bound draft standard for security codes delivered via SMS. This standard ensures security codes are entered in a phishing-resistant manner. It accomplishes this by binding an SMS with…
Lightning Q&A: DevSecOps in five with Maya Kaczorowski
In this interview, we dig deeper with Maya Kaczorowski on what DevSecOps is, and how to apply it. It’s a mindset shift in how development teams think about security. DevSecOps is about making all parties who are part of the application development lifecycle accountable for security of the application.
How we threat model
At GitHub, we spend a lot of time thinking about and building secure products—and one key facet of that is threat modeling. This practice involves bringing security and engineering teams…
Secure at every step: What is software supply chain security and why does it matter?
The most important way to protect supply chain threats? Scan code for security vulnerabilities, learn how to find vulnerabilities in code, and quickly patch them with dynamic code analysis tools.
Secure at every step: Putting DevSecOps into practice with code scanning
Integrating static analysis security testing into the developer workflow is hard. We discuss the challenges and how to overcome them
Secure at every step: A guide to DevSecOps, shifting left, and GitOps
When developers share the responsibility of security, perform security testing earlier in your development lifecycle, and use Git as a source of truth, you can help your development teams find and remediate security issues faster.
Secure at every step: How GitHub’s dependency graph is generated
GitHub’s dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package by parsing manifest files, so that you can better manage the security and compliance of your dependencies.
GitHub joins the Open Source Security Foundation
We are happy to announce that GitHub is joining the Open Source Security Foundation (OpenSSF) as a founding member, alongside Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, Red Hat, and others.
Token authentication requirements for API and Git operations
As previously announced, beginning November 13th, 2020, we will no longer accept account passwords when authenticating with the REST API and will require the use of token-based authentication (e.g., a…
How to secure your GitHub organization and enterprise account
Protect your team’s code with secure software development best practices like setting up SAML/SCIM integrations, enforcing policies to avoid code leakage, and more.
Secure at every step: Show your dependencies some love with updates
Keep dependencies up to date, to make sure you can quickly apply a patch when it really matters - when there’s a critical security vulnerability.
Hardening your GitHub Enterprise Server
GitHub stores your source code, releases, and a vast amount of invaluable information in issues and pull requests. While GitHub Enterprise Server (GHES), our self hosted solution, provides great security by default, administrators can take additional steps to further harden their appliance. This post will guide you through the most important settings.
Securing your open source dependencies with GitHub dependency insights
GitHub dependency insights helps both developers and security teams manage their open source security with confidence—automatically compiling relevant CVE information, aiding in OSS license compliance, and helping them better understand their OSS dependency versions.
How organizations can tackle securing the world’s code
We all play a role in securing the world’s code. No one company can solve things alone, including GitHub, which is why it is critical to combine the energies of…