Supply chain security

In today’s interconnected development environment, a single vulnerability in any component of the supply chain poses a threat. Find out how GitHub’s security alerts, code scanning, secret scanning, and dependency management features can help you avoid supply chain security issues. You can also check out our documentation to learn more about supply chain security on GitHub.

Featured

Where does your software (really) come from?

GitHub is working with the OSS community to bring new supply chain security capabilities to the platform.

Securing millions of developers through 2FA

We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.

How to stay safe from repo-jacking

Repo-jacking is a specific type of supply chain attack. This blog post explains what it is, what the risk is, and what you can do to stay safe.

Do you know if all your repositories have up-to-date dependencies?

Consider deploying the GitHub Action: Evergreen so that you know each of your repositories are leveraging active dependency management with Dependabot.

Latest

3 strategies to expand your threat model and secure your supply chain

How to get the security basics right at your organization.

Four tips to keep your GitHub Actions workflows secure

Researchers from Purdue and NCSU have found a large number of command injection vulnerabilities in the workflows of projects on GitHub. Follow these four tips to keep your GitHub Actions workflows secure.

Swift support brings broader mobile application security to GitHub Advanced Security

We’ve launched the beta of code scanning support for Swift. This launch, paired with our launch of Kotlin support in November, means that CodeQL covers both IOS and Android development languages, bringing a heightened level of security to the mobile application development process.

Dependabot relieves alert fatigue from npm devDependencies

A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.

Private vulnerability reporting now generally available

Open source maintainers and security researchers embrace a new best practice to report and fix vulnerabilities.

Introducing npm package provenance

How to verifiably link npm packages to their source repository and build instructions.

Unlocking security updates for transitive dependencies with npm

How Dependabot integrated with npm to address security vulnerabilities on transitive dependencies and increase the likelihood of success for JavaScript security updates by 40%.

A smarter, quieter Dependabot

Dependabot is getting a little smarter—and, a little quieter—by reducing bot-based noise from repositories based on your interaction with Dependabot.

The importance of improving supply chain security in open source

We think a lot about a high-profile supply chain attack that might cause developers, teams, and organizations to lose trust in open source. That’s why we’re investing in new ways to protect the open source ecosystem.

Why we’re excited about the Sigstore general availability

The Sigstore GA means you can protect your software supply chain today with GitHub Actions, and will power new npm security capabilities in the near future.

GitHub’s supply chain security features now support Dart

Cross-platform apps built with the popular Flutter toolkit can now benefit from Dependabot alerts.

5 tips for prioritizing Dependabot alerts

Dependabot alerts can give you the ability to secure your project by keeping dependency-based vulnerabilities out of your code. Here are some tips to more efficiently prioritize and take action on your alerts, so you can get back to building.

SCA vs SAST: what are they and which one is right for you?

We’re taking a look at two commonly-used security tools and detailing how they can help secure your projects.

New request for comments on improving npm security with Sigstore is now open

Supply chain attacks exploit our implicit trust of open source to hurt developers and our customers. Read our proposal for how npm will significantly reduce supply chain attacks by signing packages with Sigstore.