Security best practices for authors of GitHub Actions
Improve your GitHub Action’s security posture by securing your source repository, protecting your maintainers, and making it easy to report security incidents.
Category
Security
Introducing AI-powered application security testing with GitHub Advanced Security
Learn about how GitHub Advanced Security’s new AI-powered features can help you secure your code more efficiently than ever.
Cybersecurity spotlight on bug bounty researcher @Ammar Askar
We’re excited to highlight another top contributing researcher to GitHub’s Bug Bounty Program—@Ammar Askar!
ICYMI: improved C++ vulnerability coverage and CodeQL support for Lombok
The effectiveness of a static application security solution hinges on its ability to provide extensive vulnerability coverage and support for a wide range of languages and frameworks. Today, we’re highlighting two releases that’ll help you discover more vulnerabilities in your codebase, so you can ship more secure software.
Getting RCE in Chrome with incomplete object initialization in the Maglev compiler
In this post, I'll exploit CVE-2023-4069, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)
CVE-2023-43641 is a vulnerability in libcue, which can lead to code execution by downloading a file on GNOME.
Introducing secret scanning validity checks for major cloud services
Secret scanning now performs validity checks for select AWS, Microsoft, Google, and Slack tokens.
3 strategies to expand your threat model and secure your supply chain
How to get the security basics right at your organization.
Cybersecurity spotlight on bug bounty researcher @inspector-ambitious
For this year’s Cybersecurity Awareness Month, the GitHub bug bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program—@inspector-ambitious!
Getting RCE in Chrome with incorrect side effect in the JIT compiler
In this post, I'll exploit CVE-2023-3420, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
The GitHub Security Lab’s journey to disclosing 500 CVEs in open source projects
The GitHub Security Lab audits open source projects for security vulnerabilities and helps maintainers fix them. Recently, we passed the milestone of 500 CVEs disclosed. Let’s take a trip down memory lane with a review of some noteworthy CVEs!
Passkeys are generally available
All GitHub.com users can now register a passkey to sign in without a password.
Announcing general availability of GitHub Advanced Security for Azure DevOps
GitHub Advanced Security for Azure DevOps is now generally available. Enable secret scanning, dependency scanning, and code scanning on your organization directly in Azure DevOps configuration settings.
CodeQL team uses AI to power vulnerability detection in code
Learn how GitHub’s CodeQL leveraged AI modeling and multi-repository variant analysis to discover a new CVE in Gradle.
A faster way to manage version updates with Dependabot
Now, you can group multiple version updates in a single pull request.