At GitHub, we spend a lot of time thinking about and building secure products—and one key facet of that is threat modeling. This practice involves bringing security and engineering teams together to discuss systems, ultimately

A software supply chain is anything that goes into, or affects your code. Even though supply chain compromises are real, and growing in popularity, they’re still extremely rare – and so the most important thing you can do to protect your supply chain is patch your vulnerabilities. Then, to successfully secure your software supply chain, you need to understand the dependencies in your environment, know about vulnerabilities in those dependencies, and quickly patch them. For Software Composition Analysis (SCA) capabilities native to GitHub, use Dependency Graph, Dependabot alerts, and Dependabot security and version updates to automate the hard work.

Integrating static analysis security testing into the developer workflow is hard. We discuss the challenges and how to overcome them

When developers share the responsibility of security, perform security testing earlier in your development lifecycle, and use Git as a source of truth, you can help your development teams find and remediate security issues faster.

GitHub’s dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package by parsing manifest files, so that you can better manage the security and compliance of your dependencies.

We are happy to announce that GitHub is joining the Open Source Security Foundation (OpenSSF) as a founding member, alongside Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, Red Hat, and others.

As previously announced, beginning November 13th, 2020, we will no longer accept account passwords when authenticating with the REST API and will require the use of token-based authentication (e.g., a personal access, OAuth, or GitHub

Protect your team’s code with secure software development best practices like setting up SAML/SCIM integrations, enforcing policies to avoid code leakage, and more.

Keep dependencies up to date, to make sure you can quickly apply a patch when it really matters – when there’s a critical security vulnerability.

GitHub stores your source code, releases, and a vast amount of invaluable information in issues and pull requests. While GitHub Enterprise Server (GHES), our self hosted solution, provides great security by default, administrators can take additional steps to further harden their appliance. This post will guide you through the most important settings.