Fixing security vulnerabilities with AI
A peek under the hood of GitHub Advanced Security code scanning autofix.
The software supply chain starts with the developer. To make sure that GitHub, the home of open source, can help defend the entire ecosystem against supply chain attacks, we bring our engineering and security teams together as we build. Shifting security left and using tools that multiply our capabilities allow us to deploy quickly and with confidence.
A peek under the hood of GitHub Advanced Security code scanning autofix.
A two-part story about how GitHub’s Product Security Engineering team rolled out Dependabot internally to track vulnerable dependencies, and how GitHub tracks and prioritizes technical debt.
We’re excited to share a deep dive into how our new authentication token formats are built and how these improvements are keeping your tokens more secure. As we continue to…
Enterprise and organization admins can now register their SSH certificate authorities with GitHub, helping their team access repositories over Git using SSH certificates.
GitHub has been at the forefront of security key adoption for many years. We were an early adopter of Universal 2nd Factor (“U2F”) and were also one of the first…
At GitHub, we spend a lot of time thinking about and building secure products—and one key facet of that is threat modeling. This practice involves bringing security and engineering teams…
Learn more about how we found ways to scale our vulnerability hunting efforts and empower others to do the same. In this post, we’ll take a deep-dive in the remediation of a security vulnerability with CERT.
Learn more about what’s behind the scenes with GitHub vulnerability alerts.
Token scanning has reached a new milestone: one billion tokens identified. We’ve also added five new partners—Atlassian, Dropbox, Discord, Proctorio, and Pulumi.
Commit signing is now enabled for all bots by default.
Read about some big changes for the coming year: full legal protection for researchers, more GitHub properties eligible for rewards, and increased reward amounts.
We’ve extended GitHub Token Scanning to include tokens from cloud service providers and additional credentials.
Learn how we use machine learning to power and build on security alerts and make GitHub more secure.
In an effort to increase the adoption of FIDO U2F second factor authentication, we’re releasing Soft U2F: a software-based U2F authenticator for macOS. We’ve long been interested in promoting better…
Cryptographic standards are ever evolving. It is the canonical game of security cat and mouse, with attacks rendering older standards ill-suited, and driving the community to develop newer and stronger…
Last month, we announced the third anniversary of our Bug Bounty Program. While there’s still time to disclose your findings through the program, we wanted to pull back the curtain…
Last year we shared some details on GitHub’s CSP journey. A journey was a good way to describe it, as our usage of Content Security Policy (CSP) significantly changed from…
GitHub hosts a wide range of user content, and like all large websites this often causes us to become a target of denial of service attacks. Around a year ago,…
We shipped subresource integrity a few months back to reduce the risk of a compromised CDN serving malicious JavaScript. That is a big win, but does not address related content…
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
Get tickets to the 10th anniversary of our global developer event on AI, DevEx, and security.