How to secure your end-to-end supply chain on GitHub
Securing your projects is no easy task, but end-to-end supply chain security is more top of mind than ever. We’ve seen bad actors expand their focus to taking over user accounts, commonly used dependencies, and also build systems. Defending against these attacks is hard, because there’s no one thing you can do to protect your project end-to-end.
To help you defend against these attacks, we created new guides in our Docs that cover how to get started securing your end-to-end supply chain. These guides walk you through how to think about risk in the security of your accounts, your code, and your build processes, as well as showing how GitHub features like two-factor authentication, Dependabot, and GitHub Actions can help you start your security journey. Don’t think you have to do everything at once! Instead, use these guides to help you plan the security improvements you can make to decrease your risk of attack over time.
The guides have content for all users, whether you’re on a free plan or an enterprise administrator. Here’s a quick summary of the topics covered in each section.
Securing your accounts
Keeping ownership of your account, whether personal, organization, or enterprise, is one of the most effective ways to stay secure against bad actors. In this guide, you’ll find information on how to do the following:
- Configure two-factor authentication for your personal account
- Connect to GitHub using SSH keys
- Centralize user authentication (enterprises)
- Configure two-factor authentication (organizations and enterprises)
💡 Learn more in our guide to Securing your accounts.
Securing your code in your supply chain
Top of mind for most developers is making sure the code they’re building, using, and introducing into their own project isn’t going to expose them to a large amount of risk. Introducing vulnerabilities through your dependency tree, leaking authentication credentials or tokens, or even writing security vulnerabilities into your own code are all ways you can expose your codebase to risk. In this guide, you’ll find information on how to do the following:
- Create a vulnerability management program for dependencies
- Secure your communication tokens
- Keep vulnerable coding patterns out of your repository
💡 Learn more in our guide to Securing your code in your supply chain.
Securing your build system
Some attacks focus on the build system, compromising what you ship without having to take over accounts or exploit dependencies. In this guide, we’ll share information on how to protect yourself from these types of attacks by doing the following:
- Sign your builds
- Harden security for GitHub Actions
💡 Learn more in our guide to Securing your build system.
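As an added illustration (not part of this post or of the GitHub guides), here is a GitHub Actions workflow that applies the build-system hardening listed above: least-privilege token permissions, actions pinned to a full commit SHA, no lingering checkout credentials, and secrets scoped to the one job that signs and publishes. Each hardened setting is shown next to the weaker form it replaces; the script names, the `SIGNING_KEY` secret name and the `<FULL_COMMIT_SHA>` placeholder are assumptions.

```yaml
# .github/workflows/ci.yml (constructed example, not from the GitHub guides)
name: ci

on:
  push:
    branches: [main]
  pull_request:
    # Weak: `pull_request_target` combined with a checkout of the PR head
    # runs untrusted code with the repository's secrets and write access.
    branches: [main]

# Weak: omitting this block (or `permissions: write-all`) gives the job's
# GITHUB_TOKEN broad write access. Least privilege: read-only by default,
# widened only on the job that needs more.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Weak: `actions/checkout@v4` follows a movable tag. Pinning to a full
      # commit SHA (keep the version as a comment for Dependabot and humans)
      # means a re-pointed or compromised tag cannot change what runs.
      # <FULL_COMMIT_SHA> is a placeholder: resolve it from the action's repo.
      - uses: actions/checkout@<FULL_COMMIT_SHA> # v4
        with:
          persist-credentials: false # don't leave the token in .git/config

      - name: Build
        run: ./build.sh # placeholder build script

  release:
    needs: build
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Only the publishing job gets write access, and only to contents.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA> # v4
        with:
          persist-credentials: false
      - name: Sign and publish
        # The signing secret is exposed only to this step, not the whole workflow.
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }} # hypothetical secret name
        run: ./release.sh # placeholder script that signs artifacts with SIGNING_KEY
```

Enabling Dependabot version updates for the `github-actions` ecosystem keeps the pinned SHAs current so that pinning does not turn into running stale, unpatched actions.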
That’s a wrap!
End-to-end supply chain security is a broad topic. We hope the new guides help you get started, or show new paths if you’re already on your way. Think there’s something we missed? Want more detail on a topic? Let us know here.