The Wayback Machine - http://web.archive.org/web/20200907224326/https://github.com/features/security
 
Security

Securing software, together


We all play a role in securing the world's code: developers, maintainers, researchers, and security teams. On GitHub, teams work together to secure the world's software at every step.

Ready to talk about advanced security features for GitHub Enterprise?












Identify

Find security issues as you code


Write safer code from day one with end-to-end security. GitHub helps you address vulnerabilities earlier and ship secure applications.
 








Shift security left


Build securely without slowing down innovation. Automated security always works for you by scanning code as it's created.
 



Code as data


While fuzzing or inspecting code manually is great for finding specific vulnerabilities, this approach doesn't scale to cover your entire codebase. CodeQL treats code as data and encodes vulnerabilities as queries, making it possible to find every instance of a bug in a codebase, a portfolio, or the entire open source software ecosystem.
 



Community-led approach


CodeQL ships with thousands of queries written by GitHub and the world's leading security researchers. Code scanning queries are open source, so developers, maintainers, and security teams can build on existing queries or create their own.
 








Disclose

Defining the open source security workflow


Open source powers the world's software. GitHub provides the infrastructure security researchers and open source maintainers need to report and disclose security vulnerabilities.
 



Organization-wide security policies


A repository's `SECURITY.MD` file describes everything researchers and users need to report a potential vulnerability. Maintainers can create per-project policies or automatically apply one security policy to every repository in their organization.
 



Responsible vulnerability reporting


Open source maintainers set security policies for their projects, letting their communities know the best way to responsibly report vulnerabilities. 














Fix

GitHub Security Advisories


Open source maintainers have a secure and private space to work through vulnerabilities together. They collaborate on fixes and publish security advisories to the developer community that relies on their projects, without leaving GitHub or tipping off would-be hackers.
 



Private collaboration for maintainers


Before they send out public advisories, maintainers privately discuss the impact of a vulnerability in draft advisories. They collaborate in temporary private forks, and then publish advisories to alert and update the entire ecosystem.
 



Securing repositories and their dependents


The GitHub Advisory Database serves as the single source of truth for open source security issues with 1800-plus advisories reported so far. Since launching the database in 2019, open source projects have relied on GitHub to publish security advisories and notify all dependent repositories.
 



CVEs issued by GitHub


Common Vulnerabilities and Exposures (CVEs) allow anyone to reference a vulnerability and its fix anywhere, including the GitHub Advisory Database and the National Vulnerability Database. GitHub can now issue CVEs for any public repository, making it easier for security researchers and maintainers to create CVEs and keep our community safe.
 








Alert

Dependabot alerts


GitHub reviews every security vulnerability to identify and alert affected repositories. For project owners, we'll always share the details you need to understand and remediate risks with confidence.
 



Rich vulnerability data


GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, and the National Vulnerability Database, including release notes, changelog entries, and commit details. All of it is discoverable in the GitHub Advisory Database.
 



Helping everyone stay secure


GitHub continuously scans security advisories for popular languages. We send Dependabot alerts to maintainers of affected repositories with details on the severity level and a link to relevant files.
 










Update

Update vulnerable dependencies, automatically


Identifying security vulnerabilities is only half the challenge, but project owners can update vulnerable dependencies faster than ever with Dependabot security updates.
 


Automated pull requests for security updates 


Dependabot security updates keep your projects secure and up to date by monitoring them for vulnerable components. If a vulnerability is found, we'll automatically open a pull request with suggested fixes and share compatibility scores based on community tests, so you can see the impact of proposed changes before merging.
 




Protecting codebases from new vulnerabilities


Keeping code up to date isn't enough to secure open source for everyone. We're working with security researchers, maintainers, and developers to prevent new vulnerabilities from entering software projects.
 




Prevent

Secret scanning


Every developer has to manage credentials. Secret scanning watches public and private repositories for known secret formats and immediately notifies either the secret provider or private repository admins when secrets are found.
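The format-based detection and routing described above, as an added illustration that is not GitHub's own code: the token patterns are approximations chosen for this example (real provider formats vary and GitHub's actual detectors are not published here), the sample files and tokens are constructed, and `route()` follows the page's rule that public-repository findings go to the secret provider while private-repository findings go to repository admins.

```python
import re
from dataclasses import dataclass

# Illustrative patterns for a few providers named on the page; these are
# approximations chosen for this example, not GitHub's own detectors.
PATTERNS = {
    "AWS": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Slack": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
    "GitHub": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

@dataclass(frozen=True)
class Finding:
    provider: str
    path: str
    line: int
    preview: str   # redacted form, safe to place in an alert
    notify: str    # who is told: the provider or the repository admins

def redact(secret: str) -> str:
    """Keep a short prefix so the alert identifies the token type, never the token."""
    return secret[:6] + "*" * (len(secret) - 6)

def route(provider: str, repo_is_public: bool) -> str:
    # Public repository: the provider is notified so it can revoke or replace the
    # secret. Private repository: the repository admins are notified instead.
    return f"{provider} provider" if repo_is_public else "repository admins"

def scan(files: dict, repo_is_public: bool) -> list:
    """Scan {path: contents} for known secret formats and return one Finding per hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for provider, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append(Finding(provider, path, lineno,
                                            redact(match.group(0)),
                                            route(provider, repo_is_public)))
    return findings

# Constructed sample repository content; the tokens are fakes shaped to match the patterns.
SAMPLE_FILES = {
    "config/settings.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = True\n",
    "deploy.sh": "export SLACK_TOKEN=xoxb-123456789012-1234567890123-abcdefghijklmnopqrstuvwx\n",
    "README.md": "Use a token like ghp_0123456789abcdefghijklmnopqrstuvwxyz to push.\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, repo_is_public=True):
        print(f"{f.path}:{f.line} {f.provider} token {f.preview} -> notify {f.notify}")
```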
 



Collaborating with service providers


We work closely with more than 24 leading service providers to revoke or replace exposed secrets, so you can continue using secrets securely.

Keeping GitHub secrets safe


When a valid GitHub secret is pushed to a public repository, we'll revoke it and notify the repository owner within seconds.
 

Growing support for popular service providers

Secret scanning supports tokens from Alibaba Cloud, Atlassian, AWS, Azure, Dropbox, Discord, Google Cloud, Mailgun, npm, Proctorio, Pulumi, Slack, Stripe, and Twilio, with more added all of the time.
 





Eradicate vulnerabilities and their variants before they become a problem


Never make the same mistake twice. Security teams leverage GitHub Advanced Security to build security into DevOps processes, scaling secure development to all engineers.
 


Example alert shown for LGTM: "Deserializing user-controlled data may allow attackers to execute arbitrary code."



Find and eliminate all variants


Scan across multiple codebases at scale. By building on existing queries and automating variant analysis, teams find critical vulnerabilities and their variants faster, even in the largest codebases.
 



Analyze changes to prevent mistakes from reaching production


Code scanning helps prevent vulnerabilities from reaching production by analyzing every pull request, commit, and merge, recognizing vulnerable code as soon as it's created.
 







Secure development at every step


Advanced Security brings consistent analysis to every step of the development process by integrating with the development workflow.
 







Compare plans


Whether you're contributing to an open source project or choosing new tools for your team, your security needs are covered. Interested in learning more about secure development in your organization?

Feature comparison across the Free, Pro, Team and Enterprise plans (only the cell text survived extraction; the availability marks did not):

Code scanning: Public repositories (Free, Pro, Team); Contact us (Enterprise)
Dependabot security updates: Enterprise Cloud (Enterprise)
GitHub Security Advisories: Public repositories (Free, Pro, Team); Public repositories, Enterprise Cloud (Enterprise)
Dependabot alerts
Security policies: Public repositories (Free, Pro, Team); Public repositories, Enterprise Cloud (Enterprise)
Secret scanning: Public repositories (Free, Pro, Team); Public repositories, Private repositories (Beta), Enterprise Cloud (Enterprise)
Dependency insights: Enterprise Cloud (Enterprise)
Two-factor authentication (2FA)
WebAuthn and security keys
Required 2FA for organizations
Delegated account recovery
Git over Secure Shell (SSH) and HTTPS
Git over Secure Shell with Enterprise-issued certificate authentication
GPG commit-signing verification
Security audit log
SAML
LDAP
IP allow list: Enterprise Cloud (Enterprise)
Protected branches
Required reviews: Public repositories
Required status checks: Public repositories





Learn more about GitHub Security Lab


Security Lab makes dozens of disclosures every year. Learn more about their security discoveries, or join the Advanced Security Cloud beta.


Sign up for GitHub Advanced Security


Get our best security tools for teams with Advanced Security, available now for GitHub Enterprise customers.

Join our beta program


Try our beta features: code scanning and secret scanning, available now as part of Advanced Security for Enterprise Cloud and free for public repositories.







© 2020 GitHub, Inc.