Security is a shared responsibility; even small projects inherit risks from third-party dependencies. GitHub's integrated tools automate vulnerability detection and remediation, allowing developers to secure their supply chain without significant manual overhead.
Welcome back to GitHub for Beginners, season three! So far this year, we’ve covered GitHub Issues and Projects, as well as GitHub Actions. This time around, we’re going to be talking a little bit about security, and what tools GitHub provides to help you keep your code secure. By the end of this post, you’ll understand how to fix vulnerabilities in your repository using built-in tools like secret scanning, Dependabot, code scanning, and Copilot Autofix.
Vulnerabilities are weaknesses in your code or the libraries you use that attackers can exploit. It’s important to realize that you inherit any risk from a library the moment you import it into your project, even though you didn’t write the vulnerable code yourself. This is why even small or brand-new projects can have vulnerabilities—almost all software relies on third-party packages.
GitHub makes finding and fixing these issues easier than ever with GitHub Advanced Security (GHAS), a suite of products that helps you improve and maintain the quality of your code. On public repositories, you have access to Dependabot, code scanning, secret scanning, and Copilot Autofix. If you want to learn even more about the different features, check out our documentation about GHAS. Or keep reading as we walk through enabling and using some of these features.
The first step is making sure that GHAS is turned on.
These tools are available to public repositories by default. If you have a private repository, you’ll need a GHAS license.
Select the Security tab at the top of the window to navigate to the security home page for this repository. Here you’ll see options for the various GHAS tools you’ve enabled. This is where you can see alerts for exposed secrets, vulnerable dependencies, and risky code paths.
Now let’s take a look at some of these tools in greater detail. To see how the various alerts look, remember that we have a video version of this blog available online.
GitHub can help you protect sensitive information with secret scanning. If you accidentally commit an API key or token, secret scanning will flag it in the security tab in the left-hand column underneath Secret scanning. When you see an alert, click the title of the specific alert to see what secret was detected and where it was found.
One of the ways to address this exposed secret is to revoke it. Revoking a secret means disabling the old key so that it can’t be used anymore. You usually do this by generating a new key on the platform where the secret came from, such as Azure or Stripe.
GitHub can’t automatically revoke the secret for you. You’ll need to do that part yourself. However, secret scanning gives you an early warning so that a leaked secret doesn’t become an exploited secret.
Once you’ve revoked the secret, you can close the secret scanning alert by doing the following:
Dependabot is a code scanning tool that helps you keep your dependencies up to date. Remember when we talked about how you inherit the vulnerabilities of every library you pull into your project? Dependabot helps to address this by alerting you if it finds vulnerabilities in the libraries your project depends on.
To find Dependabot alerts, navigate back to the Security tab in your repository. When you click on a Dependabot alert, it’ll navigate you to the pull request, so you can update your library. In the pull request, if you scroll down, you can see the specific advisory that triggered the alert by selecting See advisory in GitHub Advisory Database.
From the pull request, select the green Review security update button at the top to review the version bump. You should always review suggested changes before incorporating them. As long as everything looks good, go ahead and merge the pull request.
Dependabot automates turning GitHub security advisories into pull requests so you don’t have to manually track common vulnerabilities and exposures.
CodeQL is the engine that scans your code and produces the code scanning alerts (which you can find under the Security tab). CodeQL is not a linter. It’s much more powerful because it understands data flow, showing where input starts and where it ends up.
As a result, code scanning alerts can cover a wide range of possible scenarios. When you select a code scanning alert, it will explain the issue and, if it can, provide additional information, such as a recommendation for fixes and examples to illustrate the problem and possible solution.
Once you have an understanding of the alert, you can use Copilot Autofix to resolve it by following these steps:
What’s next?
Congratulations! You’ve now learned how to use GitHub Advanced Security to confidently detect and fix vulnerabilities in your code. Public repositories have access to these GHAS tools for free, so you can keep your projects safe from the start. Test your skills using GitHub Skills or the vulnerable-node repository any time.
And if you’re looking for more information, we have lots of documentation available. Here are just a few links to get you started:
Happy coding!
The post GitHub for Beginners: Getting started with GitHub security appeared first on The GitHub Blog.