This is not

Like what you see? Install OctoLinker now!

Skip to content


Securing software, together

We all play a role in securing the world’s code—developers, maintainers, researchers, and security teams. On GitHub, teams work together to secure the world’s software at every step.

Ready to talk about advanced security features for GitHub Enterprise?

Contact Sales


Find security issues as you code

Write safer code from day one with end-to-end security. GitHub helps you address vulnerabilities earlier and ship secure applications.

Security vulnerability Security vulnerability alert
Treating code as data

Shift security left

Build securely without slowing down innovation. Automated security always works for you by scanning code as it's created.

A revolutionary engine

Code as data

While fuzzing or inspecting code manually is great for finding specific vulnerabilities, this approach doesn’t scale to cover your entire codebase. CodeQL treats code as data and encodes vulnerabilities as queries—making it possible to find every instance of a bug in a codebase, a portfolio, or the entire open source software ecosystem.

Community-led approach

Community-led approach

CodeQL ships with thousands of queries written by GitHub and the world’s leading security researchers. Code scanning queries are open source so developers, maintainers, and security teams can build on existing queries or create their own.


Defining the open source security workflow

Open source powers the world’s software. GitHub provides the infrastructure security researchers and open source maintainers need to report and disclose security vulnerabilities.

Responsible vulnerability reporting

Organization-wide security policies

A repository’s `SECURITY.MD` file describes everything researchers and users need to report a potential vulnerability. Maintainers can create per-project policies or automatically apply one security policy to every repository in their organization.

Security policy

Responsible vulnerability reporting

Open source maintainers set security policies for their projects, letting their communities know the best way to responsibly report vulnerabilities.

Security policy
Security workspace
Security workspace comment Security workspace comment Security workspace queued changes Security workspace merge


GitHub Security Advisories

Open source maintainers have a secure and private space to work through vulnerabilities together. They collaborate on fixes and publish security advisories to the developer community that relies on their projects without leaving GitHub—or tipping off would-be hackers.

Private collaboration for maintainers

Private collaboration for maintainers

Before they send out public advisories, maintainers privately discuss the impact of a vulnerability in draft advisories. They collaborate in temporary private forks, and then publish advisories to alert and update the entire ecosystem.

Securing repositories and their dependents

Securing repositories and their dependents

The GitHub Advisory Database serves as the single source of truth for open source security issues with 1800-plus advisories reported so far. Since launching the database in 2019, open source projects have relied on GitHub to publish security advisories and notify all dependent repositories.

New CVE records from GitHub

CVEs issued by GitHub

Common Vulnerabilities and Exposures (CVEs) allow anyone to reference a vulnerability and its fix anywhere, including the GitHub Advisory Database and the National Vulnerability Database. GitHub can now issue CVEs for any public repository, making it easier for security researchers and maintainers to create CVEs and keep our community safe.


Dependabot alerts

GitHub reviews every security vulnerability to identify and alert affected repositories. For project owners, we’ll always share the details you need to understand and remediate risks with confidence.

Research-driven vulnerability data

Rich vulnerability data

GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, and the National Vulnerability Database— including release notes, changelog entries, and commit details. All discoverable in the GitHub Advisory Database.

Expert analysis on every alert

Helping everyone stay secure

GitHub continuously scans security advisories for popular languages. We send Dependabot alerts to maintainers of affected repositories with details on the severity level and a link to relevant files.


Update vulnerable
dependencies, automatically

Identifying security vulnerabilities is only half the challenge—but project owners can update vulnerable dependencies faster than ever with Dependabot security updates.

Automated pull requests for security updates

Dependabot security updates keep your projects secure and up to date by monitoring them for vulnerable components. If a vulnerability is found, we’ll automatically open a pull request with suggested fixes—and share compatibility scores based on community tests so you can see the impact of proposed changes before merging.

Dependabot comment Merge Pull Request
GitHub Security

Protecting codebases from new vulnerabilities

Keeping code up to date isn’t enough to secure open source for everyone. We’re working with security researchers, maintainers, and developers to prevent new vulnerabilities from entering software projects.


Secret scanning

Every developer has to manage credentials. Secret scanning watches public and private repositories for known secret formats and immediately notifies either the secret provider or private repository admins when secrets are found.

Alert exposed token Patched exposed token Code with exposed token

Collaborating with service providers

We work closely with more than 24 leading service providers to revoke or replace exposed secrets, so you can continue using secrets securely.

Keeping GitHub secrets safe

When a valid GitHub secret is pushed to a public repository, we’ll revoke it and notify the repository owner within seconds.

Growing support for popular service providers

Popular provider logos

Secret scanning supports tokens from Alibaba Cloud, Atlassian, AWS, Azure, Dropbox, Discord, Google Cloud, Mailgun, npm, Proctorio, Pulumi, Slack, Stripe, and Twilio, with more added all of the time.

Eradicate vulnerabilities and their variants before they become a problem

Never make the same mistake twice. Security teams leverage GitHub Advanced Security to build security into DevOps processes, scaling secure development to all engineers.

Vulnerability found with LGTM Deserializing user-controlled data may allow attackers to execute arbitrary code.

Find and eliminate all variants

Scan across multiple codebases at scale. By building on existing queries and automating variant analysis, teams find critical vulnerabilities and their variants faster, even in the largest codebases.

Analyze changes to prevent mistakes from reaching production

Code scanning helps prevent vulnerabilities from reaching production by analyzing every pull request, commit, and merge—recognizing vulnerable code as soon as it’s created.

Secure development at every step

Advanced Security brings consistent analysis to every step of the development process by integrating with the development workflow.

Query language for LGTM

Compare plans

Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered. Interested in learning more about secure development in your organization?

Contact Sales
Feature Free Pro Team Enterprise
Code scanning Public repositories Public repositories Public repositories Contact us
Dependabot security updates Enterprise Cloud
GitHub Security Advisories Public repositories Public repositories Public repositories Public repositories Enterprise Cloud
Dependabot alerts
Security policies Public repositories Public repositories Public repositories Public repositories Enterprise Cloud
Secret scanning Public repositories Public repositories Public repositories Public repositories Private repositories Beta Enterprise Cloud
Dependency insights Enterprise Cloud
Two-factor Authentication (2FA)
WebAuthn & security keys
Required 2FA for organizations
Delegated Account Recovery
Git over Secure Shell (SSH) and HTTPS
Git over Secure Shell with Enterprise issued certificate authentication
GPG commit-signing verification
Security audit log
IP allow list Enterprise Cloud
Protected branches
Required reviews Public repositories
Required status checks Public repositories

Learn more about GitHub Security Lab

Security Lab makes dozens of disclosures every year. Learn more about their security discoveries—or join the Advanced Security Cloud beta.

Explore recent disclosures

Sign up for GitHub Advanced Security

Get our best security tools for teams with Advanced Security, available now for GitHub Enterprise customers.

Contact Sales

Join our beta program

Try our beta features: code scanning and secret scanning, available now as part of Advanced Security for Enterprise Cloud and free for public repositories.

Sign up for the beta