Security
Securing software, together
We all play a role in securing the world’s code—developers, maintainers, researchers, and security teams. On GitHub, development teams everywhere can work together to secure the world’s software supply chain, from fork to finish.
Join us for a live demo and discussion of our latest security features, including Semmle.
Identify
Find vulnerabilities that other tools miss
Semmle QL is the industry’s leading semantic code analysis engine. Our revolutionary approach treats code as data to identify security vulnerabilities faster.
Treating code as data
Traditionally, vulnerabilities are discovered by security researchers, inspecting code by hand. Semmle’s semantic code analysis engine, QL, treats code as data with a powerful query engine. It identifies even the most complex semantic patterns at scale and gets smarter over time.
A revolutionary engine
QL combines the latest research in compiler optimization with insights from database implementation to provide a declarative, object-oriented query language, so security teams can find vulnerabilities at scale that evade other tools.
Community-led approach
Leading security researchers express patterns in QL queries to share their expertise with the world. QL ships with thousands of queries used to power variant analysis, so developers, maintainers, and security teams can build on existing queries or create their own.
Disclose
Defining the open source security workflow
Open source powers the world’s software. GitHub provides the infrastructure security researchers and open source maintainers need to report and disclose security vulnerabilities.
Responsible vulnerability reporting
Open source maintainers set security policies for their projects, letting their communities know the best way to responsibly report vulnerabilities.
Organization-wide security policies
A repository’s SECURITY.md file describes everything researchers and users need to know to report a potential vulnerability. Maintainers can create per-project policies or automatically apply one security policy to every repository in their organization.
Fix (BETA)
Maintainer security advisories
Open source maintainers have a secure and private space to work through vulnerabilities together. They collaborate on fixes and publish security advisories to the community of people that rely on their projects without leaving GitHub—or tipping off would-be hackers.
Private collaboration for maintainers
Before they send out public advisories, maintainers privately discuss the impact of a vulnerability in draft advisories. They collaborate in temporary private forks, and then publish advisories to alert and update the entire ecosystem.
Securing repositories and their dependents
Since the launch of security advisories in 2019, open source projects have relied on GitHub to publish security advisories and notify all dependent repositories.
Alert
Security alerts
GitHub reviews every security vulnerability to identify and alert affected repositories. We source our vulnerability information from industry experts to provide the details project owners need to understand and remediate risks.
Research-driven vulnerability data
GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, the National Vulnerability Database, and WhiteSource — including release notes, changelog entries, and commit details.
New CVE records from GitHub
Security alerts from items on the CVE list contain a link to the CVE record with more details about the vulnerability. For novel vulnerabilities, GitHub creates a new record to inform the security community.
Helping everyone stay secure
GitHub continuously scans security advisories for popular languages. We send security alerts to maintainers of affected repositories with details on the severity level and a link to relevant files.
Update
Update vulnerable dependencies, automatically
Identifying security vulnerabilities is only half the challenge—but project owners can update vulnerable dependencies faster than ever with Dependabot.
Automated pull requests for security updates
Dependabot keeps projects secure and up to date by monitoring your dependencies for new releases. Then it automatically opens pull requests to update dependencies to the minimum version that resolves the vulnerability. Compatibility scores based on community tests help maintainers merge updates with confidence.
Since launch, more than 100,000 automated fixes have been merged or are ready to merge.
Protecting codebases from new vulnerabilities
Keeping code up to date isn’t enough to secure open source for everyone. We’re working with security researchers, maintainers, and developers to prevent new vulnerabilities from entering software projects.
Prevent
Automatic token scanning
Every developer has to manage credentials. GitHub scans for tokens that have accidentally been exposed in public repositories, then alerts the provider within seconds so they may revoke or notify the owner as appropriate.
Collaborating with service providers
Once the service provider validates the credential, they decide whether they should revoke the token, issue a new token, or reach out to a user directly.
Keeping GitHub tokens secret
When a valid GitHub token is pushed to a public repository, we’ll revoke it and notify the token owner within seconds.
Growing support for popular service providers
Token scanning supports tokens from Alibaba Cloud, Atlassian, AWS, Azure, Dropbox, Discord, Google Cloud, Mailgun, npm, Proctorio, Pulumi, Slack, Stripe, and Twilio, with more added all of the time.
Eradicate vulnerabilities and their variants before they become a problem
Never make the same mistake twice. Security teams leverage Semmle LGTM to build security into DevOps processes, scaling secure development to all engineers.
Find and eliminate all variants of bugs and vulnerabilities
Scan across multiple codebases at scale. By building on existing queries and automating variant analysis, teams find critical vulnerabilities and their variants faster, even in the largest codebases.
Analyze new changes to prevent mistakes from reaching production
LGTM’s continuous code analysis helps prevent vulnerabilities from reaching production by analyzing every commit and recognizing vulnerable code as soon as it’s checked in.
Secure development at every step
LGTM brings consistent analysis to every step of the development process by integrating with IDEs, issue trackers, CI/CD services, and more.
Compare plans
Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered. Interested in learning more about secure development in your organization?
Feature | Free | Pro | Team | Enterprise |
---|---|---|---|---|
Advanced vulnerability scanning | | | | Contact us |
Automated security fixes (BETA) | | | | |
Maintainer Security Advisories (BETA) | | | | |
Security alerts | | | | |
Security policies | | | | |
Token scanning | | | | |
Dependency insights | | | | |
Two-factor Authentication (2FA) | | | | |
WebAuthn & security keys | | | | |
Required 2FA for organizations | | | | |
Delegated Account Recovery | | | | |
Git over Secure Shell (SSH) and HTTPS | | | | |
Git over Secure Shell with Enterprise-issued certificate authentication | | | | |
GPG commit-signing verification | | | | |
Security audit log | | | | |
SAML | | | | |
LDAP | | | | |
Protected branches | | | | |
Required reviews | | | | |
Required status checks | | | | |
Learn more about Semmle
Semmle makes dozens of disclosures every year. Learn more about their security discoveries—or try LGTM free.
See Semmle in action
Join us for a live demo and discussion with the Semmle and GitHub teams, October 3, 2019.