Dependabot on GitHub Actions and self-hosted runners is now generally available
A quick guide on the advantages of Dependabot as a GitHub Actions workflow and the benefits this unlocks, including self-hosted runner support.
Generate and verify signed attestations for anything you make with GitHub Actions.
GitHub is working with the OSS community to bring new supply chain security capabilities to the platform.
We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.
Repo-jacking is a specific type of supply chain attack. This blog post explains what it is, what the risk is, and what you can do to stay safe.
How to get the security basics right at your organization.
Make quick work of alerts with preset and custom rules.
Now, you can group multiple version updates in a single pull request.
Repository rules provide an easy, flexible way to define branch protections and ensure consistency in code across repositories.
A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.
Open source maintainers and security researchers embrace a new best practice to report and fix vulnerabilities.
How to verifiably link npm packages to their source repository and build instructions.
Developers and compliance teams get a new SBOM generation tool for cloud repositories.
Explore how GitHub Advanced Security can help address several of the OWASP Top 10 vulnerabilities.
How Dependabot integrated with npm to address security vulnerabilities on transitive dependencies and increase the likelihood of success for JavaScript security updates by 40%.