Resources
Enterprise
GitHub Security Lab is dedicated to community collaboration in order to
improve open source security at scale, so that everyone – including
enterprise organizations – benefits from a more secure open source
ecosystem.
CodeQL Wall of Fame
The CodeQL Wall of Fame is a (non-exhaustive) list of vulnerabilities found in open source projects using CodeQL.
Advisory Database
Understand and remediate potential security issues in the open source projects you use with GitHub’s free and open source vulnerability database.
Secure your GitHub Actions workflows
Introducing a new tool to monitor and control the permissions of the repository token for GitHub Actions, helping you apply the least-privilege principle by suggesting the mininum required permissions.
Combining the pull_request_target workflow trigger with an explicit checkout of an untrusted Pull Request is a dangerous practice that may lead to repository compromise.
Every GitHub Actions workflow trigger comes with a GitHub context. Some of this data might be attacker controlled and should be treated as potentially untrusted input.
By referencing an external action with the uses directive, you’re running third-party code and giving it access to computing time, secrets, and your repository token.
While implementing CodeQL support for GitHub Actions workflows, we came across new patterns of insecure workflows. Learn how to identify and mitigate them.
Latest articles
See all articlesWhile implementing CodeQL support for GitHub Actions workflows, we came across new patterns of insecure workflows. Learn how to identify and mitigate them.
Don't make me leave my development platform! Your security teams can perform security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting.
In this research nominated for the 2024 Pwnie award, Man Yue Mo gains arbitrary kernel code execution and root on an Android phone even with the Memory Tagging Extension (MTE) mitigation enabled.
Presented at Black Hat USA and DEFCON 2023, this research reveals interesting attacks on mTLS authentication. Read how mTLS systems can be vulnerable to user impersonation, privilege escalation, and information leakages.
Are you happy with your security training? Try out our Secure Code Game, our hands-on and community-sourced security training, and build a secure code mindset for your developers.
Improving the code security of widely used libraries like OpenSSL has a force multiplication effect for all of us. Read on to learn about the vulnerabilities, and how to use CodeQL to eliminate variants.
Check out how we used CodeQL on NSA's Emissary open source project to find critical issues, and how the NSA leveraged GitHub code scanning and security advisories to address the issues.