Search results for: Security

In this blog post we demonstrate how to integrate the GitHub Advanced Security code scanning capability into our Azure DevOps Pipelines. We provide code snippets and examples that can guide you or your developers working to integrate Code Scanning into any 3rd Party CI tool.

In this post I’ll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome that I discovered in March 2020. I’ll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click (and perhaps a 2 minute wait) on a malicious website.

Last week, we launched code scanning for all open source and enterprise developers, and we promised we’d share more on our extensibility capabilities and the GitHub security ecosystem. Today, we’re…

Security is a complex area. One software component may break the assumptions made by another component and it is not always clear who should fix the code to remediate the security implications.

GitHub Advisory Database now contains the full corpus of security advisories from the npm security database. More complete npm security data enables us to provide better Dependabot alerts and security…

The most important way to protect supply chain threats? Scan code for security vulnerabilities, learn how to find vulnerabilities in code, and quickly patch them with dynamic code analysis tools.

We are happy to announce that GitHub is joining the Open Source Security Foundation (OpenSSF) as a founding member, alongside Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, Red Hat, and others.

For customers of GitHub Advanced Security running LGTM Enterprise, we have released LGTM Enterprise v1.24.1. This release includes a number of bug fixes including: Fixed private repository support for GitHub…

You can now enable or disable the dependency graph, Dependabot alerts, Dependabot security updates, and secret scanning for all repositories in an organization with one click. You can also set…

One year ago, the security research team at Semmle launched its first Capture the Flag (CTF), as part of the Hack In The Box (HITB) Amsterdam conference. We wanted to…

For customers of GitHub Advanced security running LGTM Enterprise, we have released LGTM Enterprise v1.24.0. This release is recommended for all LGTM Enterprise customers and includes improvements to performance through…

You can now give credit, or “say thanks”, to any user who helped with a Security Advisory. Check out Giving credit for Security Advisories to learn more.

Saying thanks is now a core part of the Security Advisory workflow.

GitHub has scanned public repositories for secrets (like API keys and tokens) for several years. Secret scanning protects our partners and our customers from unauthorized use of the services protected by those…

At GitHub Satellite, we announced code scanning, part of GitHub Advanced Security. Code scanning is a developer-first static application security testing (SAST) product that is built into GitHub. Once configured, it scans…

The repository security tab now includes two new experiences to help you better understand your repository’s security at a glance. First, we have added a counter which makes it easy…

Learn more about the Bug Bounty program, including a recap of 2019’s bugs, our expanded scope, new features, and more.

Learn more about how we found ways to scale our vulnerability hunting efforts and empower others to do the same. In this post, we’ll take a deep-dive in the remediation of a security vulnerability with CERT.

Late last year, we updated Security Advisories to enable you to edit published advisories with new or updated information (like a newly-fixed version or additional impact information). Now, you can…

LGTM Enterprise is a feature of GitHub Advanced Security, and the latest release is now available for download. The 1.23.1 release includes minor feature improvements and fixes non-security bugs. Learn…

You can now edit GitHub Security Advisories after you publish them. This can be helpful if you’ve learned more about the scope or impact of the vulnerability you’re announcing, if…