Fixing security vulnerabilities with AI
A peek under the hood of GitHub Advanced Security code scanning autofix.
Home / Engineering / Platform security
Platform security
The software supply chain starts with the developer. To make sure that GitHub, the home of open source, can help defend the entire ecosystem against supply chain attacks, we bring our engineering and security teams together as we build. Here’s how.
Featured
How we use Dependabot to secure GitHub
A two-part story about how GitHub’s Product Security Engineering team rolled out Dependabot internally to track vulnerable dependencies, and how GitHub tracks and prioritizes technical debt.
Behind GitHub’s new authentication token formats
We’re excited to share a deep dive into how our new authentication token formats are built and how these improvements are keeping your tokens more secure. As we continue to…
SSH certificate authentication for GitHub Enterprise Cloud
Enterprise and organization admins can now register their SSH certificate authorities with GitHub, helping their team access repositories over Git using SSH certificates.
Latest
Security keys are now supported for SSH Git operations
GitHub has been at the forefront of security key adoption for many years. We were an early adopter of Universal 2nd Factor (“U2F”) and were also one of the first…
How we threat model
At GitHub, we spend a lot of time thinking about and building secure products—and one key facet of that is threat modeling. This practice involves bringing security and engineering teams…
CERT partners with GitHub Security Lab for automated remediation
Learn more about how we found ways to scale our vulnerability hunting efforts and empower others to do the same. In this post, we’ll take a deep-dive in the remediation of a security vulnerability with CERT.
Behind the scenes: GitHub security alerts
Learn more about what’s behind the scenes with GitHub vulnerability alerts.
GitHub Token Scanning—one billion tokens identified and five new partners
Token scanning has reached a new milestone: one billion tokens identified. We’ve also added five new partners—Atlassian, Dropbox, Discord, Proctorio, and Pulumi.
Commit signing support for bots and other GitHub Apps
Commit signing is now enabled for all bots by default.
Five years of the GitHub Bug Bounty program
Read about some big changes for the coming year: full legal protection for researchers, more GitHub properties eligible for rewards, and increased reward amounts.
Behind the scenes of GitHub Token Scanning
We’ve extended GitHub Token Scanning to include tokens from cloud service providers and additional credentials.
Applying machine intelligence to GitHub security alerts
Learn how we use machine learning to power and build on security alerts and make GitHub more secure.
Soft U2F
In an effort to increase the adoption of FIDO U2F second factor authentication, we’re releasing Soft U2F: a software-based U2F authenticator for macOS. We’ve long been interested in promoting better…
Discontinue support for weak cryptographic standards
Cryptographic standards are ever evolving. It is the canonical game of security cat and mouse, with attacks rendering older standards ill-suited, and driving the community to develop newer and stronger…
A glimpse into GitHub’s Bug Bounty workflow
Last month, we announced the third anniversary of our Bug Bounty Program. While there’s still time to disclose your findings through the program, we wanted to pull back the curtain…
GitHub’s post-CSP journey
Last year we shared some details on GitHub’s CSP journey. A journey was a good way to describe it, as our usage of Content Security Policy (CSP) significantly changed from…
SYN Flood Mitigation with synsanity
GitHub hosts a wide range of user content, and like all large websites this often causes us to become a target of denial of service attacks. Around a year ago,…
GitHub’s CSP journey
We shipped subresource integrity a few months back to reduce the risk of a compromised CDN serving malicious JavaScript. That is a big win, but does not address related content…
The world's largest developer platform
GitHub
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
GitHub Universe 2024
Get tickets to the 10th anniversary of our global developer event on AI, DevEx, and security.