We want to take away the pain and effort of keeping your code secure, so check out how Dependabot empowers developers to keep to their projects secure.
supply chain security
Securing your projects is no easy task, but end-to-end supply chain security is more top of mind than ever. We've seen bad actors expand their focus to taking over user…
Anyone can now provide additional information to further the community’s understanding and awareness of security advisories.
Today, we’re shipping improvements to Dependabot alerts that make them easier to understand and remediate.
We’re excited to announce the V4 release of the OpenSSF’s Scorecard project in partnership with Google.
My colleague Stormy Peters and I are proud to represent GitHub at the White House’s Open Source Software Security Summit.
GitHub has partnered with the OpenSSF and Project Sigstore to add container image signing to our default “Publish Docker Container” workflow.
GitHub’s supply chain security features are now available for Go modules, which will help the Go community discover, report, and prevent security vulnerabilities.
GitHub secret scanning has been securing our users’ code by scanning for and revoking secrets since 2015. Recently, we’ve focused on scanning for package registry credentials as well—a significant and…
Dependency review allows you to easily understand your dependencies before you introduce them to your environment. As part of a pull request, you can see what dependencies you’re introducing, changing, or removing, and information about their vulnerabilities, age, usage, and license.
To best apply DevSecOps principles to improve the security of your supply chain, you should ask your developers to declare your dependencies in code; and in turn provide your developers with maintained ‘golden’ artifacts and automated downstream actions so they can focus on code.