Fix and disclose a security vulnerability
Using security advisories to privately fix a reported vulnerability and get a CVE.
1. About coordinated disclosure of security vulnerabilities
Vulnerability disclosure is a coordinated effort between security reporters and repository maintainers.
2. How-to guide: Creating a security advisory
You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.
3. How-to guide: Adding a collaborator to a security advisory
You can add other users or teams to collaborate on a security advisory with you.
4. How-to guide: Collaborating in a temporary private fork to resolve a security vulnerability
You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
5. How-to guide: Publishing a security advisory
You can publish a security advisory to alert your community about a security vulnerability in your project.
6. How-to guide: Editing a security advisory
You can edit the metadata and description for a security advisory if you need to update details or correct errors.
7. How-to guide: Withdrawing a security advisory
You can withdraw a security advisory that you've published.
8. How-to guide: Removing a collaborator from a security advisory
When you remove a collaborator from a security advisory, they lose read and write access to the security advisory's discussion and metadata.
Set up Dependabot to alert you to new vulnerabilities in your dependencies.
Set up Dependabot to create pull requests when new vulnerabilities are reported.
Use Dependabot to check for new releases and create pull requests to update your dependencies.
Set up secret scanning to guard against accidental check-ins of tokens, passwords, and other secrets to your repository.
Check your default branch and every pull request to keep vulnerabilities and errors out of your repository.
Set up CodeQL within your existing CI and upload results to GitHub code scanning.
Adding a security policy to your repository
You can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository.
GitHub security features
An overview of GitHub security features.
Securing your organization
You can use a number of GitHub features to help keep your organization secure.
Securing your repository
You can use a number of GitHub features to help keep your repository secure.
About secret scanning
GitHub scans repositories for known types of secrets to prevent fraudulent use of secrets that were committed accidentally.
Configuring secret scanning for your repositories
You can configure how GitHub scans your repositories for secrets.
Managing alerts from secret scanning
You can view and close alerts for secrets checked in to your repository.
Tracking code scanning alerts in issues using task lists
You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.