Cutting through the noise: How to prioritize Dependabot alerts
Learn how to effectively prioritize alerts using severity (CVSS), exploitation likelihood (EPSS), and repository properties, so you can focus on the most critical vulnerabilities first.
Supply chain security
In today’s interconnected development environment, a single vulnerability in any component of the supply chain poses a threat. Find out how GitHub’s security alerts, code scanning, secret scanning, and dependency management features can help you avoid supply chain security issues. You can also check out our documentation to learn more about supply chain security on GitHub.
Featured
A maintainer’s guide to vulnerability disclosure: GitHub tools to make it simple
A step-by-step guide for open source maintainers on how to handle vulnerability reports confidently from the start.
The second half of software supply chain security on GitHub
Learn about a community-developed framework for how to think about this problem holistically and how to use GitHub, particularly, to improve the security in the second half of your software supply chain.
Configure GitHub Artifact Attestations for secure cloud-native delivery
Introducing the generally available capability of GitHub Artifact Attestations to secure your cloud-native supply chain packages and images.
Latest
Securing the open source supply chain: The essential role of CVEs
Vulnerability data has grown in volume and complexity over the past decade, but open source and programs like the Github Security Lab have helped supply chain security keep pace.
Where does your software (really) come from?
GitHub is working with the OSS community to bring new supply chain security capabilities to the platform.
Securing millions of developers through 2FA
We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.
How to stay safe from repo-jacking
Repo-jacking is a specific type of supply chain attack. This blog post explains what it is, what the risk is, and what you can do to stay safe.
Do you know if all your repositories have up-to-date dependencies?
Consider deploying the GitHub Action: Evergreen so that you know each of your repositories are leveraging active dependency management with Dependabot.
3 strategies to expand your threat model and secure your supply chain
How to get the security basics right at your organization.
Four tips to keep your GitHub Actions workflows secure
Researchers from Purdue and NCSU have found a large number of command injection vulnerabilities in the workflows of projects on GitHub. Follow these four tips to keep your GitHub Actions workflows secure.
Swift support brings broader mobile application security to GitHub Advanced Security
We’ve launched the beta of code scanning support for Swift. This launch, paired with our launch of Kotlin support in November, means that CodeQL covers both IOS and Android development languages, bringing a heightened level of security to the mobile application development process.
Dependabot relieves alert fatigue from npm devDependencies
A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.
Private vulnerability reporting now generally available
Open source maintainers and security researchers embrace a new best practice to report and fix vulnerabilities.
Introducing npm package provenance
How to verifiably link npm packages to their source repository and build instructions.
Unlocking security updates for transitive dependencies with npm
How Dependabot integrated with npm to address security vulnerabilities on transitive dependencies and increase the likelihood of success for JavaScript security updates by 40%.
A smarter, quieter Dependabot
Dependabot is getting a little smarter—and, a little quieter—by reducing bot-based noise from repositories based on your interaction with Dependabot.
The importance of improving supply chain security in open source
We think a lot about a high-profile supply chain attack that might cause developers, teams, and organizations to lose trust in open source. That’s why we’re investing in new ways to protect the open source ecosystem.
Why we’re excited about the Sigstore general availability
The Sigstore GA means you can protect your software supply chain today with GitHub Actions, and will power new npm security capabilities in the near future.
The world's largest developer platform
GitHub
Build what’s next on GitHub, the place for anyone from anywhere to build anything.