Guides for code security
Learn about the different ways that GitHub can help you improve your code's security.
Code security learning paths
Fix and disclose a security vulnerability
Using repository security advisories to privately fix a reported vulnerability and get a CVE.
- Overview: About coordinated disclosure of security vulnerabilities
- Overview: About the GitHub Advisory database
- Overview: About global security advisories
- Overview: About repository security advisories
- How-to guide: Best practices for writing repository security advisories
- How-to guide: Privately reporting a security vulnerability
- How-to guide: Managing privately reported security vulnerabilities
- How-to guide: Configuring private vulnerability reporting for a repository
- How-to guide: Configuring private vulnerability reporting for an organization
- How-to guide: Creating a repository security advisory
- How-to guide: Adding a collaborator to a repository security advisory
- How-to guide: Collaborating in a temporary private fork to resolve a repository security vulnerability
- How-to guide: Publishing a repository security advisory
- How-to guide: Editing a repository security advisory
- How-to guide: Withdrawing a repository security advisory
- How-to guide: Removing a collaborator from a repository security advisory
Get notifications for insecure dependencies
Set up Dependabot to alert you to new vulnerabilities or malware in your dependencies.
- Overview: About Dependabot alerts
- How-to guide: Managing security and analysis settings for your repository
- How-to guide: Viewing and updating Dependabot alerts
- How-to guide: Using alert rules to prioritize Dependabot alerts
- How-to guide: Configuring notifications for Dependabot alerts
- How-to guide: Managing pull requests for dependency updates
- How-to guide: Troubleshooting the detection of vulnerable dependencies
- How-to guide: Troubleshooting Dependabot errors
Get pull requests to update your vulnerable dependencies
Set up Dependabot to create pull requests when new vulnerabilities are reported.
- Overview: About Dependabot security updates
- How-to guide: Configuring Dependabot security updates
- How-to guide: Configuring notifications for Dependabot alerts
- How-to guide: Managing security and analysis settings for your repository
- How-to guide: Managing pull requests for dependency updates
- How-to guide: Troubleshooting the detection of vulnerable dependencies
Keep your dependencies up-to-date
Use Dependabot to check for new releases and create pull requests to update your dependencies.
- Overview: About Dependabot version updates
- How-to guide: Configuring Dependabot version updates
- How-to guide: Customizing dependency updates
- Reference: Configuration options for the dependabot.yml file
- How-to guide: Keeping your actions up to date with Dependabot
- How-to guide: Automating Dependabot with GitHub Actions
- How-to guide: Listing dependencies configured for version updates
- How-to guide: Configuring access to private registries for Dependabot
- How-to guide: Managing pull requests for dependency updates
- How-to guide: Troubleshooting Dependabot errors
Scan for secrets
Set up secret scanning to guard against accidental check-ins of tokens, passwords, and other secrets to your repository.
- Overview: About secret scanning
- How-to guide: Configuring secret scanning for your repositories
- How-to guide: Managing alerts from secret scanning
- Reference: Secret scanning patterns
- How-to guide: Push protection for repositories and organizations
- How-to guide: Push protection for users
- How-to guide: Pushing a branch blocked by push protection
- How-to guide: Troubleshooting secret scanning
Run code scanning with GitHub Actions
Check your default branch and every pull request to keep vulnerabilities and errors out of your repository.
- Overview: About code scanning
- How-to guide: Configuring default setup for code scanning
- How-to guide: Customizing your advanced setup for code scanning
- How-to guide: CodeQL code scanning for compiled languages
- How-to guide: Running CodeQL code scanning in a container
- Troubleshooting code scanning
- Overview: About the tool status page for code scanning
Run CodeQL code scanning in your CI
Set up CodeQL within your existing CI and upload results to GitHub code scanning.
Integrate with code scanning
Upload code analysis results from third-party systems to GitHub using SARIF.
- Overview: About integration with code scanning
- How-to guide: Uploading a SARIF file to GitHub
- Reference: SARIF support for code scanning
- Code Scanning
End-to-end supply chain
How to think about securing your user accounts, your code, and your build process.
Adding a security policy to your repository
How-to guide: You can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository.
- Security policies
- Vulnerabilities
- Repositories
- Health
GitHub security features
Overview: An overview of GitHub security features.
- Repositories
- Dependencies
- Vulnerabilities
- Advanced Security
Securing your organization
How-to guide: You can use a number of GitHub features to help keep your organization secure.
- Organizations
- Dependencies
- Vulnerabilities
- Advanced Security
Securing your repository
How-to guide: You can use a number of GitHub features to help keep your repository secure.
- Repositories
- Dependencies
- Vulnerabilities
- Advanced Security
Dependabot quickstart guide
Quickstart: You can use Dependabot to alert you when your repository is using a software dependency with a known vulnerability. This guide will help get you started on enabling Dependabot for a repository, and exploring reported alerts.
- Dependabot
- Alerts
- Vulnerabilities
- Repositories
- Dependencies
Auditing security alerts
Overview: GitHub provides a variety of tools you can use to audit and monitor actions taken in response to security alerts.
- Repositories
- Dependencies
- Vulnerabilities
- Security
- Advanced Security
Best practices for preventing data leaks in your organization
How-to guide: Guidance and recommendations to help you prevent private or sensitive data in your organization from being exposed.
- Organizations
- Vulnerabilities
- Secret scanning
- Advanced Security
About secret scanning
Overview: GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.
- Secret scanning
- Advanced Security
Configuring secret scanning for your repositories
How-to guide: You can configure how GitHub scans your repositories for leaked secrets and generates alerts.
- Secret scanning
- Advanced Security
- Repositories
Defining custom patterns for secret scanning
How-to guide: You can extend secret scanning to detect secrets beyond the default patterns.
- Advanced Security
- Secret scanning
Managing alerts from secret scanning
How-to guide: You can view and close alerts for secrets checked in to your repository.
- Secret scanning
- Advanced Security
- Alerts
- Repositories
Push protection for repositories and organizations
How-to guide: You can use secret scanning to prevent supported secrets from being pushed into your organization or repository by enabling push protection.
- Secret scanning
- Advanced Security
- Alerts
- Repositories
Push protection for users
How-to guide: You can use secret scanning to block commits containing secrets in any public repository by enabling push protection for yourself.
- Secret scanning
- Advanced Security
- Alerts
- User account
Pushing a branch blocked by push protection
How-to guide: The push protection feature of secret scanning proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.
- Secret scanning
- Advanced Security
- Alerts
- Repositories
Secret scanning patterns
Reference: Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.
- Secret scanning
- Advanced Security
Troubleshooting secret scanning
How-to guide: If you have problems with secret scanning, you can use these tips to help resolve issues.
- Secret scanning
- Advanced Security
- Troubleshooting
Tracking code scanning alerts in issues using task lists
How-to guide: You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.
- Advanced Security
- Code scanning
- Alerts
- Repositories
- Issues
About code scanning
Overview: You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.
- Advanced Security
- Code scanning
About code scanning alerts
Overview: Learn about the different types of code scanning alerts and the information that helps you understand the problem each alert highlights.
- Advanced Security
- Code scanning
- CodeQL
About code scanning with CodeQL
Overview: You can use CodeQL to identify vulnerabilities and errors in your code. The results are shown as code scanning alerts in GitHub.
- Advanced Security
- Code scanning
- CodeQL
Customizing your advanced setup for code scanning
How-to guide: You can customize how your advanced setup scans the code in your project for vulnerabilities and errors.
- Advanced Security
- Code scanning
- Actions
- Repositories
- Pull requests
- JavaScript
- Python
CodeQL code scanning for compiled languages
How-to guide: Understand the autobuild method CodeQL analysis uses to build code for compiled languages and learn how you can customize the build command if you need to.
- Advanced Security
- Code scanning
- CodeQL
- Actions
- Repositories
- C/C++
- C#
- Java
- Kotlin
Managing code scanning alerts for your repository
How-to guide: From the security view, you can view, fix, or dismiss alerts for potential vulnerabilities or errors in your project's code.
- Advanced Security
- Code scanning
- Alerts
- Repositories
Running CodeQL code scanning in a container
How-to guide: You can run code scanning in a container by ensuring that all processes run in the same container.
- Advanced Security
- Code scanning
- CodeQL
- Actions
- Repositories
- Containers
- Java
Configuring default setup for code scanning
How-to guide: You can quickly secure code in your repository with default setup for code scanning.
- Advanced Security
- Code scanning
Configuring default setup for code scanning at scale
How-to guide: You can quickly configure code scanning for repositories across your organization using default setup.
- Advanced Security
- Code scanning
Configuring advanced setup for code scanning
How-to guide: You can configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable code scanning configuration.
- Advanced Security
- Code scanning
- Actions
- Repositories
Configuring advanced setup for code scanning with CodeQL at scale
How-to guide: You can use a script to configure advanced setup for code scanning for a specific group of repositories in your organization.
- Advanced Security
- Code scanning
Triaging code scanning alerts in pull requests
How-to guide: When code scanning identifies a problem in a pull request, you can review the highlighted code and resolve the alert.
- Advanced Security
- Code scanning
- Pull requests
- Alerts
- Repositories
Viewing code scanning logs
You can view the output generated during code scanning analysis in GitHub.com.
- Security
About integration with code scanning
Overview: You can perform code scanning externally and then display the results in GitHub, or configure webhooks that listen to code scanning activity in your repository.
- Advanced Security
- Code scanning
- Webhooks
- Integration
SARIF support for code scanning
Reference: To display results from a third-party static analysis tool in your repository on GitHub, you'll need your results stored in a SARIF file that supports a specific subset of the SARIF 2.1.0 JSON schema for code scanning. If you use the default CodeQL static analysis engine, then your results will display in your repository on GitHub automatically.
- Advanced Security
- Code scanning
- Integration
- SARIF
Uploading a SARIF file to GitHub
How-to guide: You can upload SARIF files generated outside GitHub and see code scanning alerts from third-party tools in your repository.
- Advanced Security
- Code scanning
- Integration
- Actions
- Repositories
- CI
- SARIF
About CodeQL code scanning in your CI system
You can analyze your code with CodeQL in a third-party continuous integration system and upload the results to GitHub.com. The resulting code scanning alerts are shown alongside any alerts generated within GitHub.
- Advanced Security
- Code scanning
- CodeQL
- Repositories
- Pull requests
- Integration
- CI
- SARIF
Configuring CodeQL CLI in your CI system
How-to guide: You can configure your continuous integration system to run the CodeQL CLI, perform CodeQL analysis, and upload the results to GitHub for display as code scanning alerts.
- Advanced Security
- Code scanning
- CodeQL
- Repositories
- Pull requests
- Integration
- CI
- SARIF
Installing CodeQL CLI in your CI system
How-to guide: You can install the CodeQL CLI and use it to perform CodeQL code scanning in a third-party continuous integration system.
- Advanced Security
- Code scanning
- CodeQL
- Repositories
- Pull requests
- Integration
- CI
- SARIF
Migrating from the CodeQL runner to CodeQL CLI
You can use the CodeQL CLI to complete the same tasks as with the CodeQL runner.
- Advanced Security
- Code scanning
- CodeQL
About repository security advisories
Overview: You can use repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.
- Security advisories
- Vulnerabilities
- CVEs
Configuring private vulnerability reporting for a repository
How-to guide: Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.
- Security advisories
- Vulnerabilities
Configuring private vulnerability reporting for an organization
How-to guide: Organization owners and security managers can allow security researchers to report vulnerabilities securely in repositories within the organization by enabling private vulnerability reporting for all its public repositories.
- Security advisories
- Vulnerabilities
Adding a collaborator to a repository security advisory
How-to guide: You can add other users or teams to collaborate on a security advisory with you.
- Security advisories
- Vulnerabilities
- Collaboration
Collaborating in a temporary private fork to resolve a repository security vulnerability
How-to guide: You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
- Security advisories
- Vulnerabilities
- Collaboration
- Forks
Creating a repository security advisory
How-to guide: You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.
- Security advisories
- Vulnerabilities
Editing a repository security advisory
How-to guide: You can edit the metadata and description for a repository security advisory if you need to update details or correct errors.
- Security advisories
- Vulnerabilities
Permission levels for repository security advisories
Reference: The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
- Security advisories
- Vulnerabilities
- Permissions
Publishing a repository security advisory
How-to guide: You can publish a security advisory to alert your community about a security vulnerability in your project.
- Security advisories
- Vulnerabilities
- CVEs
- Repositories
Removing a collaborator from a repository security advisory
How-to guide: When you remove a collaborator from a repository security advisory, they lose read and write access to the security advisory's discussion and metadata.
- Security advisories
- Vulnerabilities
- Collaboration
Withdrawing a repository security advisory
How-to guide: You can withdraw a repository security advisory that you've published.
- Security advisories
- Vulnerabilities
About coordinated disclosure of security vulnerabilities
Overview: Vulnerability disclosure is a coordinated effort between security reporters and repository maintainers.
- Security advisories
- Vulnerabilities
Best practices for writing repository security advisories
How-to guide: When you create or edit security advisories, the information you provide is easier for other users to understand when you specify the ecosystem, package name, and affected versions using the standard formats.
- Security advisories
- Vulnerabilities
Privately reporting a security vulnerability
How-to guide: Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.
- Security advisories
- Vulnerabilities
Managing privately reported security vulnerabilities
How-to guide: Repository maintainers can manage security vulnerabilities that have been privately reported to them by security researchers for repositories where private vulnerability reporting is enabled.
- Security advisories
- Vulnerabilities
About security overview
How-to guide: You can view summaries of alerts for repositories owned by your organization and identify areas of high security risk.
- Security overview
- Advanced Security
- Alerts
- Code scanning
- Dependabot
- Organizations
- Secret scanning
- Teams
Filtering alerts in security overview
How-to guide: Use filters to view specific categories of alerts.
- Security overview
- Advanced Security
- Alerts
- Organizations
- Teams
Assessing your code security risk
How-to guide: You can use security overview to see which teams and repositories are affected by security alerts, and identify repositories for urgent remedial action.
- Security overview
- Advanced Security
- Alerts
- Organizations
- Teams
About Dependabot version updates
Overview: You can use Dependabot to keep the packages you use updated to the latest versions.
- Dependabot
- Version updates
- Repositories
- Dependencies
- Pull requests
Automating Dependabot with GitHub Actions
How-to guide: Examples of how you can use GitHub Actions to automate common Dependabot related tasks.
- Actions
- Dependabot
- Version updates
- Security updates
- Repositories
- Dependencies
- Pull requests
Configuration options for the dependabot.yml file
Reference: Detailed information for all the options you can use to customize how Dependabot maintains your repositories.
- Dependabot
- Version updates
- Repositories
- Dependencies
- Pull requests
Customizing dependency updates
How-to guide: You can customize how Dependabot maintains your dependencies.
- Dependabot
- Version updates
- Security updates
- Repositories
- Dependencies
- Pull requests
- Vulnerabilities
Configuring Dependabot version updates
How-to guide: You can configure your repository so that Dependabot automatically updates the packages you use.
- Dependabot
- Version updates
- Repositories
- Dependencies
- Pull requests
Keeping your actions up to date with Dependabot
How-to guide: You can use Dependabot to keep the actions you use updated to the latest versions.
- Repositories
- Dependabot
- Version updates
- Actions
Listing dependencies configured for version updates
How-to guide: You can view the dependencies that Dependabot monitors for updates.
- Repositories
- Dependabot
- Version updates
- Dependencies
Configuring access to private registries for Dependabot
How-to guide: You can configure Dependabot to access dependencies stored in private registries. You can store authentication information, like passwords and access tokens, as encrypted secrets and then reference these in the Dependabot configuration file. You can also add Dependabot to your registries' IP allow list.
- Dependabot
- Version updates
- Secret store
- Repositories
- Dependencies
Removing Dependabot access to public registries
How-to guide: Examples of how you can configure Dependabot to only access private registries by removing calls to public registries.
- Dependabot
- Version updates
Managing pull requests for dependency updates
How-to guide: You manage pull requests raised by Dependabot in much the same way as other pull requests, but there are some extra options.
- Repositories
- Version updates
- Security updates
- Pull requests
- Dependencies
- Vulnerabilities
About Dependabot alerts
Overview: GitHub sends Dependabot alerts when we detect that your repository uses a vulnerable dependency or malware.
- Dependabot
- Alerts
- Vulnerabilities
- Repositories
- Dependencies
Configuring Dependabot alerts
How-to guide: Enable Dependabot alerts to be generated when a new vulnerable dependency or malware is found in one of your repositories.
- Dependabot
- Security updates
- Alerts
- Dependencies
- Pull requests
- Repositories
About Dependabot security updates
Overview: Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates.
- Dependabot
- Security updates
- Vulnerabilities
- Repositories
- Dependencies
- Pull requests
About the GitHub Advisory database
Overview: The GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in two categories: GitHub-reviewed advisories and unreviewed advisories.
- Security advisories
- Alerts
- Vulnerabilities
- CVEs
About global security advisories
Overview: Global security advisories live in the GitHub Advisory Database, a collection of CVEs and GitHub-originated advisories affecting the open source world. You can contribute to improving global security advisories.
- Security advisories
- Alerts
- Vulnerabilities
- CVEs
Browsing security advisories in the GitHub Advisory Database
How-to guide: You can browse the GitHub Advisory Database to find advisories for security risks in open source projects that are hosted on GitHub.
- Security advisories
- Alerts
- Dependabot
- Vulnerabilities
- CVEs
Editing security advisories in the GitHub Advisory Database
How-to guide: You can submit improvements to any advisory published in the GitHub Advisory Database.
- Security advisories
- Alerts
- Dependabot
- Vulnerabilities
- CVEs
Configuring Dependabot security updates
How-to guide: You can use Dependabot security updates or manual pull requests to easily update vulnerable dependencies.
- Dependabot
- Security updates
- Alerts
- Dependencies
- Pull requests
- Repositories
Configuring notifications for Dependabot alerts
How-to guide: Optimize how you receive notifications about Dependabot alerts.
- Dependabot
- Alerts
- Notifications
- Vulnerabilities
- Dependencies
- Repositories
Troubleshooting Dependabot errors
How-to guide: Sometimes Dependabot is unable to raise a pull request to update your dependencies. You can review the error and unblock Dependabot.
- Dependabot
- Security updates
- Version updates
- Repositories
- Pull requests
- Troubleshooting
- Errors
- Dependencies
Troubleshooting the detection of vulnerable dependencies
How-to guide: If the dependency information reported by GitHub is not what you expected, there are a number of points to consider, and various things you can check.
- Dependabot
- Alerts
- Troubleshooting
- Errors
- Security updates
- Dependencies
- Vulnerabilities
- CVEs
- Repositories
Viewing and updating Dependabot alerts
How-to guide: If GitHub discovers insecure dependencies in your project, you can view details on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the alert.
- Dependabot
- Security updates
- Alerts
- Dependencies
- Pull requests
- Repositories
Using alert rules to prioritize Dependabot alerts
How-to guide: You can use Dependabot alert rules to filter out false positive alerts or alerts you're not interested in.
- Dependabot
- Alerts
- Vulnerabilities
- Repositories
- Dependencies
About dependency review
Overview: Dependency review lets you catch insecure dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.
- Advanced Security
- Dependency review
- Vulnerabilities
- Dependencies
- Pull requests
About the dependency graph
Overview: You can use the dependency graph to identify all your project's dependencies. The dependency graph supports a range of popular package ecosystems.
- Dependency graph
- Dependencies
- Repositories
Exporting a software bill of materials for your repository
How-to guide: You can export a software bill of materials or SBOM for your repository from the dependency graph. SBOMs allow transparency into your open source usage and help expose supply chain vulnerabilities, reducing supply chain risks.
- Dependency graph
- Dependencies
- Repositories
Using the Dependency submission API
You can use the Dependency submission API to submit dependencies for projects, such as the dependencies resolved when a project is built or compiled.
- API
- Dependency graph
- Dependencies
- REST
Exploring the dependencies of a repository
How-to guide: You can use the dependency graph to see the packages your project depends on and the repositories that depend on it. In addition, you can see any vulnerabilities detected in its dependencies.
- Dependency graph
- Dependencies
- Repositories