How to use GitHub Security Overview to manage security debt

June 23, 2025 // 6 min read

GitHub Security Overview makes it easier to monitor vulnerabilities so that you can take action on remediating them and securing your organization.

Published via GitHub Executive Insights

Developers have a lot on their plate, so fixing security vulnerabilities isn’t always their top priority. Security issues pile up, creating a backlog of known but unremediated vulnerabilities. This backlog is called “security debt.” It’s crucial to measure and track this debt to maintain a secure, compliant development environment and help prevent breaches. Failure to do so can lead to financial losses, reputational damage, and compliance penalties.

This guide walks you through how to measure security debt, filter and slice data to focus on your priorities, and use Copilot Autofix to remediate vulnerabilities faster.

In this article, you will learn how to:

  • Navigate and use GitHub Security Overview to monitor, track, and address vulnerabilities.
  • Identify key metrics for measuring security debt.
  • Recognize signs that your security debt is increasing or decreasing.
  • Filter Security Overview data based on your priorities.
  • Apply best practices for scaling security monitoring.
  • Leverage Copilot Autofix to significantly reduce Mean Time to Remediation (MTTR).

Accessing Security Overview

The features you see in Security Overview depend on your GitHub plan and subscriptions.

If your organization uses GitHub Enterprise or GitHub Team, you can access the free Secret Risk Assessment, which evaluates your exposure to leaked secrets. To unlock Security Overview for private repositories, you’ll need to purchase either the Code Security or Secret Protection add-on.

Public repository data, such as Dependabot and secret scanning alerts, is always accessible in Security Overview regardless of your subscription. However, if you only have one paid add-on (e.g., Secret Protection), you’ll only see private repository data for that feature and public repository data for free services. For example:

  • A subscription to Secret Protection lets you see secret scanning data for private repositories but not code scanning data unless it’s for public repositories.
  • A Code Security subscription works the same way but focuses on code scanning features.

This tiered visibility helps you prioritize which services best fit your organization’s needs.


Key metrics for measuring security debt

To access Security Overview, go to your organization page on GitHub.com and click the Security tab. If you cannot see the Security tab, select the “...” dropdown menu, then click Security. From here you can see alerts from Dependabot, code scanning, or secret scanning for every repository in your organization.

Security Overview provides charts and metrics that make it easy to assess your team’s progress and risk posture. Many organizations use these insights in quarterly reviews, compliance reporting, and even board presentations.

Here are some common metrics you can use to track security debt:

  • Total open alerts: The overall number of unresolved vulnerabilities.
  • Severity levels: Alerts categorized as critical, high, medium, or low.
  • Reopened alerts: Alerts that were previously closed but reopened, signaling potential policy or education gaps. This is a commonly overlooked metric.
  • Age of alerts: The average age of your unresolved alerts, so you can track changes in your overall response times.
  • Impact analysis table: This table highlights repositories with the highest number of unresolved alerts, offering a clear starting point for remediation efforts.

You should also keep tabs on the metrics found in the Remediation tab, which provide insights into your team's effectiveness at addressing vulnerabilities, including:

  • Closed alerts over time: Tracks how many alerts your team resolves within a given period, helping you understand remediation velocity.
  • Mean time to remediate (MTTR): Measures the average time taken to resolve alerts, indicating how quickly your team addresses vulnerabilities. It’s a good proxy for how efficient your team is at resolving issues.
  • Net resolve rate: Compares the number of alerts closed to the number opened, showing whether your team is keeping up with incoming vulnerabilities.

Signs your security debt might be increasing:

  • A declining net resolve rate, indicating that new vulnerabilities are outpacing your remediation efforts.
  • Rising numbers of critical or high-severity alerts.
  • An uptick in reopened alerts.
  • A growing average alert age, suggesting that vulnerability fixes are slowing down.
  • An increase in mean time to remediate, showing that vulnerabilities are taking longer to resolve.

Your security debt might be decreasing if:

  • You see a consistent trend of alert closures outpacing new alerts, especially for high-severity issues.
  • Improvements in your net resolve rate and reductions in mean time to remediate indicate your team is effectively managing and reducing security debt.
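As an added example that is not part of the article or of GitHub's own tooling, the script below computes the metrics and warning signs listed above from a list of alert records of the kind you would pull via CSV export or the REST API. The record layout, field names and sample alerts are constructed assumptions, not GitHub's actual alert schema.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 23, tzinfo=timezone.utc)  # constructed "today" for the sample

# Constructed sample alerts, not real data. Field names are assumptions loosely
# modelled on GitHub's alert JSON; "reopened" flags an alert closed once and reopened.
ALERTS = [
    {"severity": "critical", "state": "open",      "created_at": "2025-03-01", "closed_at": None,         "reopened": False},
    {"severity": "high",     "state": "fixed",     "created_at": "2025-05-01", "closed_at": "2025-05-11", "reopened": False},
    {"severity": "medium",   "state": "open",      "created_at": "2025-06-01", "closed_at": None,         "reopened": True},
    {"severity": "low",      "state": "dismissed", "created_at": "2025-06-10", "closed_at": "2025-06-12", "reopened": False},
    {"severity": "high",     "state": "open",      "created_at": "2025-06-20", "closed_at": None,         "reopened": False},
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def security_debt_metrics(alerts, now=NOW, window_days=30):
    # Security Overview-style metrics for one list of alerts.
    open_alerts = [a for a in alerts if a["state"] == "open"]
    closed_alerts = [a for a in alerts if a["state"] != "open"]
    # Age of alerts: mean days each still-open alert has been waiting.
    ages = [(now - _day(a["created_at"])).days for a in open_alerts]
    # MTTR: mean days from creation to closure, over closed alerts.
    ttr = [(_day(a["closed_at"]) - _day(a["created_at"])).days for a in closed_alerts]
    # Net resolve rate: alerts closed vs. alerts opened inside the window.
    start = now - timedelta(days=window_days)
    opened = sum(1 for a in alerts if _day(a["created_at"]) >= start)
    closed = sum(1 for a in closed_alerts if _day(a["closed_at"]) >= start)
    return {
        "total_open": len(open_alerts),
        "open_by_severity": Counter(a["severity"] for a in open_alerts),
        "reopened_open": sum(1 for a in open_alerts if a["reopened"]),
        "mean_open_age_days": sum(ages) / len(ages) if ages else 0.0,
        "mttr_days": sum(ttr) / len(ttr) if ttr else 0.0,
        "net_resolve_rate": closed / opened if opened else None,
    }

def debt_signals(metrics):
    # Map the metrics onto the "security debt might be increasing" signs listed above.
    signs, sev, rate = [], metrics["open_by_severity"], metrics["net_resolve_rate"]
    if rate is not None and rate < 1.0:
        signs.append("new alerts outpacing closures")
    if sev["critical"] + sev["high"] > 0:
        signs.append("open critical/high alerts")
    if metrics["reopened_open"] > 0:
        signs.append("reopened alerts present")
    return signs
```

Run it over consecutive exports (for example one per sprint) and compare the returned dictionaries to see whether the trend matches the increasing or decreasing signs above.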

Filtering and slicing Security Overview data

Security Overview gives you the flexibility to filter and analyze data so you can focus on the information that’s most relevant to your team.

Some of the ways you can filter Security Overview data include:

  • Severity: Filter alerts by critical, high, medium, or low severity.
  • Repository visibility: Narrow your view based on repository type (e.g., public, private, or archived).
  • Teams: Use the team qualifier to identify repositories managed by specific teams.
  • Custom properties: Group repositories by custom metadata, such as business unit, product, or compliance framework.

To better understand your data, you need to apply the filters that are specific to each tool. For example:

  • Dependabot alerts: To effectively prioritize remediation, combine EPSS (Exploit Prediction Scoring System) scores—which predict the likelihood of real-world exploitation—with CVSS (Common Vulnerability Scoring System) scores, which measure the severity of vulnerabilities. Using these two scores together helps you quickly identify and address vulnerabilities that are both severe and likely to be exploited. Additionally, leverage the "Most important" sort option in Security Overview to automatically surface alerts that GitHub identifies as requiring immediate attention based on factors like exploitability, severity, and dependency usage across your repositories.
  • Secret scanning alerts: Filter alerts for secrets associated with your organization's most critical providers, such as cloud services, payment gateways, or identity providers, as these leaks can lead directly to breaches or unauthorized access. Pay particular attention to secrets leaked publicly, as these pose immediate and significant security risks and require urgent remediation to prevent potential exploitation.

You can add multiple filters at once to drill into or slice the data to your choosing. For example, you can apply Severity:Critical Visibility:Public to view only critical alerts in public repositories.

Best practices for scaling

As your organization grows, so does the complexity of your security posture. Scaling your security efforts effectively requires more than just monitoring alerts: it requires organizing your repositories, maintaining consistent practices, and streamlining workflows across teams.

  • Custom properties: Use consistent naming conventions or metadata to group repositories logically to make it easier to manage, search, and apply policies across related repositories. Organizations with many microservices or other small repositories can use custom properties to group repositories by microservice or product.
  • Bookmark filtered views: While Security Overview doesn’t yet support saved filters, you can bookmark filter URLs for quick access to your preferred views without having to reapply filters each time.
  • Export and API options: Use CSV exports or the REST API to pull filtered data into your own reporting tools, or synchronize data between tools, to add Security Overview data to your existing processes.
  • Prioritize critical repos: Use the Security Campaigns feature to target vulnerabilities in high-priority repositories to make the best use of limited developer resources.


What about branches?

GitHub handles multiple branches in the following ways:

  • Dependabot: Only scans the default branch.
  • Secret scanning and code scanning: Scans the default branch, but can deduplicate alerts across branches and show a single alert with affected locations.

For teams maintaining long-lived branches, this simplifies triage and reduces duplication, ensuring that risks are clearly communicated.


Reducing security debt with Copilot Autofix

Copilot Autofix goes beyond notifications with automatically generated vulnerability analysis, which includes detailed alert explanations, and, most importantly, suggested fixes that help developers remediate vulnerabilities as fast as they are found. Autofix supports all CodeQL-supported languages and frameworks.

Experienced security talent is in short supply, but with Code Scanning Autofix, every developer benefits from the security expertise of Copilot whenever they need it. We’ve found that teams using Autofix remediate vulnerabilities 60% faster on average, significantly reducing Mean Time to Remediation (MTTR).

With Copilot Autofix, teams can pay down years’ worth of security debt through targeted campaigns. GitHub's Security Campaigns feature leverages Autofix by enabling security teams to create focused remediation efforts across multiple repositories. Security Campaigns allow you to group related vulnerabilities and track remediation progress centrally. By combining Security Campaigns with Autofix, you can systematically and efficiently address your organization's accumulated security debt.

Here’s how it works:

  • In the pull request: When a new vulnerability is found, Copilot Autofix generates an explanation and code suggestion to help fix the problem.
  • For existing alerts: Open an alert and press the “Generate fix” button.

Copilot Autofix provides explanations and code suggestions for around 90% of alert types so development and security teams can rapidly address the majority of alerts that comprise their security debt.

Final thoughts

GitHub Security Overview is a comprehensive tool for managing security debt, tracking vulnerabilities, and enabling teams to prioritize risk effectively. Whether you’re using filters, campaigns, or Autofix, the key is to focus on metrics and workflows that align with your organization’s security and compliance goals.

For more information or to get started, visit the GitHub Security Overview documentation or contact GitHub Field Services for tailored support.