Code security guides
Learn about the different ways GitHub can help you improve the security of your code.
Fix and disclose a security vulnerability
Using repository security advisories to privately fix a reported vulnerability and get a CVE.
1. Overview: About coordinated disclosure of security vulnerabilities
Vulnerability disclosure is a coordinated effort between security reporters and repository maintainers.
2. Overview: About the GitHub Advisory database
The GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in two categories: GitHub-reviewed advisories and unreviewed advisories.
3. Overview: About global security advisories
The global security database lives in the GitHub Advisory Database, which contains CVEs and GitHub-originated security advisories that affect the open source world. You can contribute to improving global advisories.
4. Overview: About repository security advisories
You can use repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.
5. How-to guide: Best practices for writing repository security advisories
When you create or edit a security advisory, specifying the ecosystem, package name, and affected versions in a standard format makes the information you provide easier for other users to understand.
6. How-to guide: Privately reporting a security vulnerability
Some public repositories are configured with security advisories so that anyone can report a security vulnerability directly and privately to the maintainers.
7. How-to guide: Managing privately reported security vulnerabilities
Repository maintainers can manage security vulnerabilities that security researchers have reported to them privately in repositories that have private vulnerability reporting enabled.
8. How-to guide: Configuring private vulnerability reporting for a repository
Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.
9. How-to guide: Creating a repository security advisory
You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.
10. How-to guide: Adding a collaborator to a repository security advisory
You can add other users or teams to collaborate with you on a security advisory.
11. How-to guide: Collaborating in a temporary private fork to resolve a repository security vulnerability
You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
12. How-to guide: Publishing a repository security advisory
You can publish a security advisory to alert your community about a security vulnerability in your project.
13. How-to guide: Editing a repository security advisory
You can edit the metadata and description of a repository security advisory if you need to update details or correct errors.
14. How-to guide: Withdrawing a repository security advisory
You can withdraw a published repository security advisory.
15. How-to guide: Removing a collaborator from a repository security advisory
When a collaborator is removed from a repository security advisory, they lose read and write access to the advisory's discussion and metadata.
Code security learning paths
Get notifications for insecure dependencies
Set up Dependabot to alert you to new vulnerabilities or malware in your dependencies.
Get pull requests to update your vulnerable dependencies
Set up Dependabot to create pull requests when new vulnerabilities are reported.
Keep your dependencies up-to-date
Use Dependabot to check for new releases and create pull requests to update your dependencies.
Run code scanning with GitHub Actions
Check your default branch and every pull request to keep vulnerabilities and errors out of your repository.
Run CodeQL code scanning in your CI
Set up CodeQL within your existing CI and upload results to GitHub code scanning.
Integrate with code scanning
Upload code analysis results from third-party systems to GitHub using SARIF.
End-to-end supply chain
How to think about securing your user accounts, your code, and your build process.
All Code security guides
Adding a security policy to your repository
How-to guide: You can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository.
- Security policies
- Vulnerabilities
- Repositories
- Health
GitHub security features
Overview: An overview of GitHub security features.
- Repositories
- Dependencies
- Vulnerabilities
- Advanced Security
Securing your organization
How-to guide: You can use a number of GitHub features to help keep your organization secure.
- Organizations
- Dependencies
- Vulnerabilities
- Advanced Security
Securing your repository
How-to guide: You can use a number of GitHub features to help keep your repository secure.
- Repositories
- Dependencies
- Vulnerabilities
- Advanced Security
About secret scanning
Overview: GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.
- Secret scanning
- Advanced Security
Configuring secret scanning for your repositories
How-to guide: You can configure how GitHub scans your repositories for secrets that match advanced security patterns.
- Secret scanning
- Advanced Security
- Repositories
Defining custom patterns for secret scanning
How-to guide: You can extend secret scanning for advanced security to detect secrets beyond the default patterns.
- Advanced Security
- Secret scanning
Managing alerts from secret scanning
How-to guide: You can view and close alerts for secrets checked in to your repository.
- Secret scanning
- Advanced Security
- Alerts
- Repositories
Protecting pushes with secret scanning
How-to guide: You can use secret scanning to prevent supported secrets from being pushed into your organization or repository by enabling push protection.
- Secret scanning
- Advanced Security
- Alerts
- Repositories