Code security guides

Learn about the different ways that GitHub can help you improve your code's security.

Fix and disclose a security vulnerability
Using security advisories to privately fix a reported vulnerability and get a CVE.
Start path
1
Overview
About coordinated disclosure of security vulnerabilities
Vulnerability disclosure is a coordinated effort between security reporters and repository maintainers.
2
How-to guide
Creating a security advisory
You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.
3
How-to guide
Adding a collaborator to a security advisory
You can add other users or teams to collaborate on a security advisory with you.
4
How-to guide
Collaborating in a temporary private fork to resolve a security vulnerability
You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
5
How-to guide
Publishing a security advisory
You can publish a security advisory to alert your community about a security vulnerability in your project.
6
How-to guide
Editing a security advisory
You can edit the metadata and description for a security advisory if you need to update details or correct errors.
7
How-to guide
Withdrawing a security advisory
You can withdraw a security advisory that you've published.
8
How-to guide
Removing a collaborator from a security advisory
When you remove a collaborator from a security advisory, they lose read and write access to the security advisory's discussion and metadata.

Code security learning paths

Get notifications for vulnerable dependencies

Set up Dependabot to alert you to new vulnerabilities in your dependencies.

Start

Get pull requests to update your vulnerable dependencies

Set up Dependabot to create pull requests when new vulnerabilities are reported.

Start

About Dependabot security updates

Overview

Configuring Dependabot security updates

How-to guide

Configuring notifications for vulnerable dependencies

How-to guide

Managing security and analysis settings for your repository

How-to guide

Keep your dependencies up-to-date

Use Dependabot to check for new releases and create pull requests to update your dependencies.

Start

About Dependabot version updates

Overview

Enabling and disabling Dependabot version updates

How-to guide

Customizing dependency updates

How-to guide

Configuration options for dependency updates

Reference

Explore and manage security alerts

Learn where to find and resolve security alerts.

Start

About the security overview

How-to guide

Managing code scanning alerts for your repository

How-to guide

Triaging code scanning alerts in pull requests

How-to guide

Viewing and updating vulnerable dependencies in your repository

How-to guide

Scan for secrets

Set up secret scanning to guard against accidental check-ins of tokens, passwords, and other secrets to your repository.

Start

About secret scanning

Overview

Run code scanning with GitHub Actions

Check your default branch and every pull request to keep vulnerabilities and errors out of your repository.

Start

About code scanning

Overview

Setting up code scanning for a repository

How-to guide

Configuring code scanning

How-to guide

Configuring the CodeQL workflow for compiled languages

How-to guide

Run CodeQL code scanning in your CI

Set up CodeQL within your existing CI and upload results to GitHub code scanning.

Start

About CodeQL code scanning in your CI system

Installing CodeQL CLI in your CI system

How-to guide

Configuring CodeQL CLI in your CI system

How-to guide

Running CodeQL runner in your CI system

How-to guide

Integrate with code scanning

Upload code analysis results from third-party systems to GitHub using SARIF.

Start

About integration with code scanning

Overview

Uploading a SARIF file to GitHub

How-to guide

SARIF support for code scanning

Reference

Code scanning

Reference

All Code security guides

Filter the guide list using these controls

57 guides found

Dec	JAN	Feb
	25
2021	2022	2023

Fix and disclose a security vulnerability

About coordinated disclosure of security vulnerabilities

Creating a security advisory

Adding a collaborator to a security advisory

Collaborating in a temporary private fork to resolve a security vulnerability

Publishing a security advisory

Editing a security advisory

Withdrawing a security advisory

Removing a collaborator from a security advisory

About alerts for vulnerable dependencies

Managing security and analysis settings for your repository

Viewing and updating vulnerable dependencies in your repository

Configuring notifications for vulnerable dependencies

About Dependabot security updates

Configuring Dependabot security updates

Configuring notifications for vulnerable dependencies

Managing security and analysis settings for your repository

About Dependabot version updates

Enabling and disabling Dependabot version updates

Customizing dependency updates

Configuration options for dependency updates

About the security overview

Managing code scanning alerts for your repository

Triaging code scanning alerts in pull requests

Viewing and updating vulnerable dependencies in your repository

About secret scanning

About code scanning

Setting up code scanning for a repository

Configuring code scanning

Configuring the CodeQL workflow for compiled languages

About CodeQL code scanning in your CI system

Installing CodeQL CLI in your CI system

Configuring CodeQL CLI in your CI system

Running CodeQL runner in your CI system

About integration with code scanning

Uploading a SARIF file to GitHub

SARIF support for code scanning

Code scanning

Adding a security policy to your repository

GitHub security features

Securing your organization

Securing your repository

About secret scanning

Secret scanning partners

Tracking code scanning alerts in issues using task lists

About code scanning

Configuring code scanning