Security

Resources for securing your supply chain, building more secure applications, and staying up-to-date with the latest vulnerability research. Get comprehensive insights into the latest security trendsâand news from the GitHub Security Lab. You can also check out our documentation on code security on GitHub to find out how to keep your code and applications safe.

Featured

Three cartoon bugs collaboratingâone writing, one holding a wrench, and another pointing at a warning sign, representing teamwork in debugging and security.

A maintainer’s guide to vulnerability disclosure: GitHub tools to make it simple

A step-by-step guide for open source maintainers on how to handle vulnerability reports confidently from the start.

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, we’ll shed light on how these vulnerabilities that rely on a parser differential were uncovered.

Full exposure: A practical approach to handling sensitive data leaks

Treating exposures as full and complete can help you respond more effectively to focus on what truly matters: securing systems, protecting sensitive data, and maintaining the trust of stakeholders.

How GitHub uses CodeQL to secure GitHub

How GitHubâs Product Security Engineering team manages our CodeQL implementation at scale and how you can, too.

Latest

From finding to fixing: GitHub Advanced Security integrates Endor Labs SCA

The partnership between GitHub and Endor Labs enables application security engineers and developers to drastically reduce time spent on open source vulnerabilities, and gives them the tools to go from finding to fixing.

A cartoon detective with a magnifying glass and keyboard, followed by a barcode-nosed dog sniffing the ground. The style is whimsical and cartoonish, symbolizing investigation.

Cybersecurity researchers: Digital detectives in a connected world

Discover the exciting world of cybersecurity research: what researchers do, essential skills, and actionable steps to begin your journey toward protecting the digital world.

Attacks on Maven proxy repositories

Learn how specially crafted artifacts can be used to attack Maven repository managers. This post describes PoC exploits that can lead to pre-auth remote code execution and poisoning of the local artifacts in Sonatype Nexus and JFrog Artifactory.

How to secure your GitHub Actions workflows with CodeQL

In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL, empowering you to secure yours.

Announcing CodeQL Community Packs

We are excited to introduce the new CodeQL Community Packs, a comprehensive set of queries and models designed to enhance your code analysis capabilities. These packs are tailored to augment…

Uncovering GStreamer secrets

In this post, Iâll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.

CodeQL zero to hero part 4: Gradio framework case study

Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.

Attacking browser extensions

Learn about browser extension security and secure your extensions with the help of CodeQL.

Cybersecurity spotlight on bug bounty researcher @adrianoapj

As we wrap up Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Programâ@adrianoapj!

Securing the open source supply chain: The essential role of CVEs

Vulnerability data has grown in volume and complexity over the past decade, but open source and programs like the Github Security Lab have helped supply chain security keep pace.

The second half of software supply chain security on GitHub

Learn about a community-developed framework for how to think about this problem holistically and how to use GitHub, particularly, to improve the security in the second half of your software supply chain.

Cybersecurity spotlight on bug bounty researcher @imrerad

For this yearâs Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Programâ@imrerad!

Kicking off Cybersecurity Awareness Month: Researcher spotlights and additional incentives!

For this yearâs Cybersecurity Awareness Month, GitHubâs Bug Bounty team is excited to offer some additional incentives to security researchers!

From object transition to RCE in the Chrome renderer

In this post, I’ll exploit CVE-2024-5830, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.