English
Code security
Free, Pro, & Team
English
Code security guides
Learn about the different ways that GitHub can help you improve your code's security.
Fix and disclose a security vulnerability
Using security advisories to privately fix a reported vulnerability and get a CVE.Start path- 1Overview
About coordinated disclosure of security vulnerabilities
Vulnerability disclosure is a coordinated effort between security reporters and repository maintainers. - 2How-to guide
Creating a security advisory
You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project. - 3How-to guide
Adding a collaborator to a security advisory
You can add other users or teams to collaborate on a security advisory with you. - 4How-to guide
Collaborating in a temporary private fork to resolve a security vulnerability
You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository. - 5How-to guide
Publishing a security advisory
You can publish a security advisory to alert your community about a security vulnerability in your project. - 6How-to guide
Editing a security advisory
You can edit the metadata and description for a security advisory if you need to update details or correct errors. - 7How-to guide
Withdrawing a security advisory
You can withdraw a security advisory that you've published. - 8How-to guide
Removing a collaborator from a security advisory
When you remove a collaborator from a security advisory, they lose read and write access to the security advisory's discussion and metadata.
Code security learning paths
Get notifications for vulnerable dependencies
Set up Dependabot to alert you to new vulnerabilities in your dependencies.
Get pull requests to update your vulnerable dependencies
Set up Dependabot to create pull requests when new vulnerabilities are reported.
Keep your dependencies up-to-date
Use Dependabot to check for new releases and create pull requests to update your dependencies.
Scan for secrets
Set up secret scanning to guard against accidental check-ins of tokens, passwords, and other secrets to your repository.
Run code scanning with GitHub Actions
Check your default branch and every pull request to keep vulnerabilities and errors out of your repository.
Run CodeQL code scanning in your CI
Set up CodeQL within your existing CI and upload results to GitHub code scanning.
Integrate with code scanning
Upload code analysis results from third-party systems to GitHub using SARIF.
All Code security guides
Adding a security policy to your repository
How-to guideYou can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository.
- Security policies
- Vulnerabilities
- Repositories
- Health
GitHub security features
OverviewAn overview of GitHub security features.
- Repositories
- Dependencies
- Vulnerabilities
- Advanced Security
Securing your organization
How-to guideYou can use a number of GitHub features to help keep your organization secure.
- Organizations
- Dependencies
- Vulnerabilities
- Advanced Security
Securing your repository
How-to guideYou can use a number of GitHub features to help keep your repository secure.
- Repositories
- Dependencies
- Vulnerabilities
- Advanced Security
About secret scanning
OverviewGitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.
- Secret scanning
- Advanced Security
Configuring secret scanning for your repositories
How-to guideYou can configure how GitHub scans your repositories for secrets.
- Secret scanning
- Advanced Security
- Repositories
Managing alerts from secret scanning
How-to guideYou can view and close alerts for secrets checked in to your repository.
- Secret scanning
- Advanced Security
- Alerts
- Repositories
Tracking code scanning alerts in issues using task lists
How-to guideYou can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.
- Advanced Security
- Code scanning
- Alerts
- Repositories
- Issues
About code scanning
OverviewYou can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.
- Advanced Security
- Code scanning
Help us make these docs great!
All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.
Make a contribution