Welcome back to GitHub for Beginners, season three! So far this year, we’ve covered GitHub Issues and Projects, as well as GitHub Actions. This time around, we’re going to be talking a little bit about security, and what tools GitHub provides to help you keep your code secure. By the end of this post, you’ll understand how to fix vulnerabilities in your repository using built-in tools like secret scanning, Dependabot, code scanning, and Copilot Autofix.
Why security matters
Vulnerabilities are weaknesses in your code or the libraries you use that attackers can exploit. It’s important to realize that you inherit any risk from a library the moment you import it into your project, even though you didn’t write the vulnerable code yourself. This is why even small or brand-new projects can have vulnerabilities—almost all software relies on third-party packages.
GitHub makes finding and fixing these issues easier than ever with GitHub Advanced Security (GHAS), a suite of products that helps you improve and maintain the quality of your code. On public repositories, you have access to Dependabot, code scanning, secret scanning, and Copilot Autofix. If you want to learn even more about the different features, check out our documentation about GHAS. Or keep reading as we walk through enabling and using some of these features.
Enabling security features
The first step is making sure that GHAS is turned on.
Navigate to your repository.
Click the Settings tab at the top of the page.
In the left-hand bar, under the “Security” section, select Advanced Security.
Under “Dependabot,” enable “Dependabot alerts” and “Dependabot security updates.”
Scroll down to the “Code scanning” section.
For “CodeQL analysis,” select Set up and then select Default from the context menu.
A new window will appear. Select Enable CodeQL without changing any settings.
Scroll down to “Secret Protection” and enable it.
These tools are available to public repositories by default. If you have a private repository, you’ll need a GHAS license.
Select the Security tab at the top of the window to navigate to the security home page for this repository. Here you’ll see options for the various GHAS tools you’ve enabled. This is where you can see alerts for exposed secrets, vulnerable dependencies, and risky code paths.
Now let’s take a look at some of these tools in greater detail. To see how the various alerts look, remember that we have a video version of this blog available online.
Using secret scanning
GitHub can help you protect sensitive information with secret scanning. If you accidentally commit an API key or token, secret scanning will flag it on the Security tab, in the left-hand column under Secret scanning. When you see an alert, click the title of the specific alert to see what secret was detected and where it was found.
One of the ways to address this exposed secret is to revoke it. Revoking a secret means disabling the old key so that it can’t be used anymore. You usually do this by generating a new key on the platform where the secret came from, such as Azure or Stripe.
GitHub can’t automatically revoke the secret for you. You’ll need to do that part yourself. However, secret scanning gives you an early warning so that a leaked secret doesn’t become an exploited secret.
Once you’ve revoked the secret, you can close the secret scanning alert by doing the following:
Select Close as in the top-right of the window.
Select Revoked from the context menu.
Click the green Close alert button at the bottom of the context menu.
What is Dependabot?
Dependabot is a code scanning tool that helps you keep your dependencies up to date. Remember when we talked about how you inherit the vulnerabilities of every library you pull into your project? Dependabot helps to address this by alerting you if it finds vulnerabilities in the libraries your project depends on.
To find Dependabot alerts, navigate back to the Security tab in your repository. When you click on a Dependabot alert, it’ll navigate you to the pull request, so you can update your library. In the pull request, if you scroll down, you can see the specific advisory that triggered the alert by selecting See advisory in GitHub Advisory Database.
From the pull request, select the green Review security update button at the top to review the version bump. You should always review suggested changes before incorporating them. As long as everything looks good, go ahead and merge the pull request.
Dependabot automates turning GitHub security advisories into pull requests so you don’t have to manually track common vulnerabilities and exposures.
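The step Dependabot automates is matching what a project has pinned against the affected version ranges published in advisories and proposing the smallest bump that reaches the patched version. The following is an added example written for this post (not Dependabot's code, and not a real advisory feed): the advisory entries, their `GHSA-EXAMPLE-*` ids and the `requirements.txt` content are all constructed, and version comparison is simplified to dotted integers.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass
class Advisory:
    ghsa_id: str      # constructed placeholder, not a real GHSA identifier
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first patched version (exclusive upper bound of the affected range)
    severity: str


# Constructed advisory data standing in for the GitHub Advisory Database.
ADVISORIES = [
    Advisory("GHSA-EXAMPLE-0001", "examplelib", "1.0.0", "2.3.1", "high"),
    Advisory("GHSA-EXAMPLE-0002", "otherlib", "0.5.0", "0.9.2", "moderate"),
]

# Constructed requirements file with exact pins.
REQUIREMENTS = """\
# application dependencies
examplelib==2.2.0
otherlib==1.0.0
safelib==3.4.5
"""


def parse_version(text: str) -> Version:
    """Assumption: purely numeric dotted versions (no pre-release or local suffixes)."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Map package name to its pinned version; only '==' pins are considered."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(advisory: Advisory, version: str) -> bool:
    """Affected if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def find_alerts(requirements: str, advisories: List[Advisory]) -> List[Dict[str, str]]:
    """One alert per (pinned package, matching advisory), like the Security tab listing."""
    pins = parse_requirements(requirements)
    alerts = []
    for adv in advisories:
        installed = pins.get(adv.package.lower())
        if installed is not None and is_affected(adv, installed):
            alerts.append({
                "package": adv.package,
                "installed": installed,
                "advisory": adv.ghsa_id,
                "severity": adv.severity,
                "patched": adv.fixed,
            })
    return alerts


def propose_bump(requirements: str, alerts: List[Dict[str, str]]) -> str:
    """Rewrite the pins to the patched versions: the content of the security-update PR."""
    fixes = {a["package"].lower(): a["patched"] for a in alerts}
    out = []
    for raw in requirements.splitlines():
        name = raw.split("#", 1)[0].split("==", 1)[0].strip().lower()
        if "==" in raw and name in fixes:
            out.append(f"{name}=={fixes[name]}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = find_alerts(REQUIREMENTS, ADVISORIES)
    for alert in found:
        print(f"{alert['severity']}: {alert['package']}=={alert['installed']} "
              f"({alert['advisory']}), patched in {alert['patched']}")
    print(propose_bump(REQUIREMENTS, found))
```

Note that `otherlib` is not reported: its pinned version is above the patched version, so it falls outside the affected range. That range check, rather than a simple "is there a newer version", is what keeps the alert list actionable.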
Responding to CodeQL alerts
CodeQL is the engine that scans your code and produces the code scanning alerts (which you can find under the Security tab). CodeQL is not a linter. It’s much more powerful because it understands data flow, showing where input starts and where it ends up.
As a result, code scanning alerts can cover a wide range of possible scenarios. When you select a code scanning alert, it will explain the issue and, if it can, provide additional information, such as a recommendation for fixes and examples to illustrate the problem and possible solution.
Once you have an understanding of the alert, you can use Copilot Autofix to resolve it by following these steps:
Select the Generate fix button at the top of the alert.
Copilot will suggest a patch. Review the change and verify it addresses your needs.
Click the green Commit to new branch button at the bottom.
In the new pop-up window, select the Open a pull request option, and click Commit change.
Treat the generated pull request as you would any other pull request: review it and merge changes. Remember that while Copilot accelerates security fixes, you stay in control the entire time.
What’s next?
Congratulations! You’ve now learned how to use GitHub Advanced Security to confidently detect and fix vulnerabilities in your code. Public repositories have access to these GHAS tools for free, so you can keep your projects safe from the start. Test your skills using GitHub Skills or the vulnerable-node repository any time.
And if you’re looking for more information, we have lots of documentation available. Here are just a few links to get you started:
Kedasha is a Developer Advocate at GitHub where she enjoys sharing the lessons she's learned with the wider developer community. She finds joy in helping others learn about the tech industry and loves sharing her experience as a software developer. Find her online @itsthatladydev.