Avoiding npm substitution attacks
Supply chain attacks are a reality in modern software development. Thankfully, you can reduce the attack surface by taking precautions and being thoughtful about how you manage your dependencies. We…
Category
Security
Using CWE and CVSS scores to get more context on a security advisory
Security vulnerabilities can be unpleasant to address, and that only gets worse the more you have. When you’re dealing with a large volume of vulnerabilities, you need to be able…
GitHub security features: highlights from 2020
We’ve made huge advances in our security features at GitHub in 2020, with launches for code scanning, secret scanning, Dependabot version updates, dependency review, and more.
Let’s talk about securing open source projects
In celebrating GitHub Security Lab’s one-year anniversary, we explained that we’re expanding our research focus. Why did we make this decision? The decision stemmed from our work with the Open…
Happy anniversary GitHub Security Lab!
Last year at GitHub Universe, we introduced the GitHub Security Lab, which is committed to contributing resources, tooling, bounties, and security research to secure the open source ecosystem. We know…
Shifting supply chain security left with dependency review
Dependency review allows you to easily understand your dependencies before you introduce them to your environment. As part of a pull request, you can see what dependencies you’re introducing, changing, or removing, and information about their vulnerabilities, age, usage, and license.
Token authentication requirements for Git operations
In July 2020, we announced our intent to require the use of token-based authentication (for example, a personal access, OAuth, or GitHub App installation token) for all authenticated Git operations.…
Applying DevSecOps to your software supply chain
To best apply DevSecOps principles to improve the security of your supply chain, you should ask your developers to declare your dependencies in code; and in turn provide your developers with maintained ‘golden’ artifacts and automated downstream actions so they can focus on code.
Code Scanning a GitHub Repository using GitHub Advanced Security within an Azure DevOps Pipeline
In this blog post we demonstrate how to integrate the GitHub Advanced Security code scanning capability into our Azure DevOps Pipelines. We provide code snippets and examples that can guide you or your developers working to integrate Code Scanning into any 3rd Party CI tool.
Announcing third-party code scanning tools: infrastructure as code and container scanning
Last week we launched code scanning out of beta and have since announced integrations with static analysis and developer security training solutions. By expanding our GitHub security ecosystem, developers can…
Announcing third-party code scanning tools: static analysis & developer security training
Last week, we launched code scanning for all open source and enterprise developers, and we promised we’d share more on our extensibility capabilities and the GitHub security ecosystem. Today, we’re…
Code scanning is now available!
Now available, code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.
Phishing Resistant SMS Autofill
We recently shipped support for the origin-bound draft standard for security codes delivered via SMS. This standard ensures security codes are entered in a phishing-resistant manner. It accomplishes this by binding an SMS with…
Lightning Q&A: DevSecOps in five with Maya Kaczorowski
In this interview, we dig deeper with Maya Kaczorowski on what DevSecOps is, and how to apply it. It’s a mindset shift in how development teams think about security. DevSecOps is about making all parties who are part of the application development lifecycle accountable for security of the application.
How we threat model
At GitHub, we spend a lot of time thinking about and building secure products—and one key facet of that is threat modeling. This practice involves bringing security and engineering teams…