How to secure your end-to-end supply chain on GitHub
Securing your projects is no easy task, but end-to-end supply chain security is more top of mind than ever. We’ve seen bad actors expand their focus to taking over user…
Securing your projects is no easy task, but end-to-end supply chain security is more top of mind than ever. We’ve seen bad actors expand their focus to taking over user accounts, commonly used dependencies, and also build systems. Defending against these attacks is hard, because there’s no one thing you can do to protect your project end-to-end.
To help you defend against these attacks, we created new guides in our Docs that cover how to get started securing your end-to-end supply chain. These guides walk you through how to think about risk in the security of your accounts, your code, and your build processes, as well as showing how GitHub features like two-factor authentication, Dependabot, and GitHub Actions can help you start your security journey. Don’t think you have to do everything at once! Instead, use these guides to help you plan the security improvements you can make to decrease your risk of attack over time.
The guides have content for all users, whether you’re on a free plan or an enterprise administrator. Here’s a quick summary of the topics covered in each section.
Securing your accounts
Keeping ownership over your account, whether personal, organization, or enterprise is one of the biggest ways you can stay secure against bad actors. In this guide, you’ll find information on how to do the following:
- Configure two-factor authentication for your personal account
- Connect to GitHub using SSH keys
- Centralize user authentication (enterprises)
- Configure two-factor authentication (organizations and enterprises)
💡 Learn more in our guide to Securing your accounts.
Securing your code in your supply chain
Top-of-mind for most developers is making sure the code that they’re building, using and introducing into their own project isn’t going to expose them to a huge amount of risk. From introducing vulnerabilities in your dependency tree, or leaking authentication credentials or tokens, or even personally writing in security vulnerabilities into your code, there are a lot of ways you can expose yourself to risk in your codebase. In this guide, you’ll find information on how to do the following:
- Create a vulnerability management program for dependencies
- Secure your communication tokens
- Keep vulnerable coding patterns out of your repository
💡 Learn more in our guide to Securing your code in your supply chain.
Securing your build system
Some attacks focus on the build system—to attack your system without having to take over accounts or exploit dependencies. In this guide, we’ll share some information on how to protect yourself from these types of attacks by doing the following:
- Sign your builds
- Harden security for GitHub Actions
💡 Learn more in our guide to Securing your build system.
That’s a wrap!
End-to-end supply chain security is a broad topic. We hope the new guides help you get started, or show new paths if you’re already on your way. Think there’s something we missed? Want more detail on a topic? Let us know here.
Tags:
Written by
Related posts
Uncovering GStreamer secrets
In this post, I’ll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.
CodeQL zero to hero part 4: Gradio framework case study
Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.
Attacking browser extensions
Learn about browser extension security and secure your extensions with the help of CodeQL.