In today’s interconnected development environment, a single vulnerability in any component of the supply chain poses a threat. Find out how GitHub’s security alerts, code scanning, secret scanning, and dependency management features can help you avoid supply chain security issues. You can also check out our documentation to learn more about supply chain security on GitHub.
Addressing a surge in package registry attacks, GitHub is strengthening npm’s security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem.
When a chat conversation is poisoned by indirect prompt injection, it can result in the exposure of GitHub tokens, confidential files, or even the execution of arbitrary code without the user’s explicit consent. In this blog post, we’ll explain which VS Code features may reduce these risks.
The GitHub dependency graph maps every direct and transitive dependency in your project, so you can identify risks, prioritize fixes, and keep your code secure.
Learn how to effectively prioritize alerts using severity (CVSS), exploitation likelihood (EPSS), and repository properties, so you can focus on the most critical vulnerabilities first.
A step-by-step guide for open source maintainers on how to handle vulnerability reports confidently from the start.
Vulnerability data has grown in volume and complexity over the past decade, but open source and programs like the Github Security Lab have helped supply chain security keep pace.
Learn about a community-developed framework for how to think about this problem holistically and how to use GitHub, particularly, to improve the security in the second half of your software supply chain.
Introducing the generally available capability of GitHub Artifact Attestations to secure your cloud-native supply chain packages and images.
GitHub is working with the OSS community to bring new supply chain security capabilities to the platform.
We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.
Repo-jacking is a specific type of supply chain attack. This blog post explains what it is, what the risk is, and what you can do to stay safe.
Consider deploying the GitHub Action: Evergreen so that you know each of your repositories are leveraging active dependency management with Dependabot.
How to get the security basics right at your organization.
Researchers from Purdue and NCSU have found a large number of command injection vulnerabilities in the workflows of projects on GitHub. Follow these four tips to keep your GitHub Actions workflows secure.
We’ve launched the beta of code scanning support for Swift. This launch, paired with our launch of Kotlin support in November, means that CodeQL covers both IOS and Android development languages, bringing a heightened level of security to the mobile application development process.
A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.
Open source maintainers and security researchers embrace a new best practice to report and fix vulnerabilities.
How to verifiably link npm packages to their source repository and build instructions.
How Dependabot integrated with npm to address security vulnerabilities on transitive dependencies and increase the likelihood of success for JavaScript security updates by 40%.
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
Last chance: Save $700 on your IRL pass to Universe and join us on Oct. 28-29 in San Francisco.
