Website URL:
   Skip to content
   Sign up  (BUTTON)
     * Why GitHub?
       Features →
          + Code review
          + Project management
          + Integrations
          + Actions
          + Packages
          + Security
          + Team management
          + Hosting
          + Customer stories →
          + Security →
     * Enterprise
     * Explore
          + Explore GitHub →

Learn & contribute
          + Topics
          + Collections
          + Trending
          + Learning Lab
          + Open source guides

Connect with others
          + Events
          + Community forum
          + GitHub Education
     * Marketplace
     * Pricing
       Plans →
          + Compare plans
          + Contact Sales
          + Nonprofit →
          + Education →

   Sign in  Sign up 


Securing software, together

   We all play a role in securing the world’s code—developers, maintainers, researchers, and security teams. On GitHub, development teams everywhere can work together to secure the world’s software supply chain, from fork to finish.

   Ready to talk about advanced security features for GitHub Enterprise?
   Contact Sales
   Identify  Disclose  Fix  Alert  Update  Prevent 


Find vulnerabilities that other tools miss

   CodeQL is the industry’s leading semantic code analysis engine. Our revolutionary approach treats code as data to identify security vulnerabilities faster.
   Security vulnerability Security vulnerability alert
   Treating code as data

Treating code as data

   Traditionally, vulnerabilities are discovered by security researchers, inspecting code by hand. Semmle’s semantic code analysis engine, CodeQL, treats code as data with a powerful query engine. It identifies even the most complex semantic patterns at scale and gets smarter over time.
   A revolutionary engine

A revolutionary engine

   CodeQL combines the latest research for compiler optimization with insights in database implementation to provide a declarative, object-oriented language. So security teams can find vulnerabilities at scale that evade other tools.
   Community-led approach

Community-led approach

   Leading security researchers express patterns in CodeQL queries to share their expertise with the world. CodeQL ships with thousands of queries used to power variant analysis, so developers, maintainers, and security teams can build on existing queries or create their own.


Defining the open source security workflow

   Open source powers the world’s software. GitHub provides the infrastructure security researchers and open source maintainers need to report and disclose security vulnerabilities.
   Responsible vulnerability reporting

Responsible vulnerability reporting

   Open source maintainers set security policies for their projects, letting their communities know the best way to responsibly report vulnerabilities.
   Security policy

Organization-wide security policies

   A repository’s SECURITY.MD file describes everything researchers and users need to report a potential vulnerability. Maintainers can create per-project policies or automatically apply one security policy to every repository in their organization.
   Security policy
   Security workspace
   Security workspace comment Security workspace comment Security workspace queued changes Security workspace merge


GitHub Security Advisories

   Open source maintainers have a secure and private space to work through vulnerabilities together. They collaborate on fixes and publish security advisories to the community of people that rely on their projects without leaving GitHub—or tipping off would-be hackers.
   Private collaboration for maintainers

Private collaboration for maintainers

   Before they send out public advisories, maintainers privately discuss the impact of a vulnerability in draft advisories. They collaborate in temporary private forks, and then publish advisories to alert and update the entire ecosystem.
   Securing repositories and their dependents

Securing repositories and their dependents

   Since the launch of security advisories in 2019, open source projects have relied on GitHub to publish security advisories and notify all dependent repositories.
   New CVE records from GitHub

CVEs issued by GitHub

   GitHub can now issue CVEs for any public repository. CVEs allow anyone to reference a vulnerability and its fix anywhere, including the GitHub Advisory Database and the National Vulnerability Database.


Security alerts

   GitHub reviews every security vulnerability to identify and alert affected repositories. We source our vulnerability information from industry experts to provide the details project owners need to understand and remediate risks.
   Research-driven vulnerability data

Research-driven vulnerability data

   GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, and the National Vulnerability Database— including release notes, changelog entries, and commit details. All discoverable in the GitHub Advisory Database.
   Expert analysis on every alert

Helping everyone stay secure

   GitHub continuously scans security advisories for popular languages. We send security alerts to maintainers of affected repositories with details on the severity level and a link to relevant files.


Update vulnerable
dependencies, automatically

   Identifying security vulnerabilities is only half the challenge—but project owners can update vulnerable dependencies faster than ever with automated security updates.

Automated pull requests for security updates

   Automated security updates keep projects secure by automatically opening pull requests that update dependencies to the minimum version that resolves the vulnerability. Compatibility scores based on community tests help maintainers merge updates with confidence.
   Dependabot comment Merge Pull Request
   GitHub Security

Protecting codebases from new vulnerabilities

   Keeping code up to date isn’t enough to secure open source for everyone. We’re working with security researchers, maintainers, and developers to prevent new vulnerabilities from entering software projects.


Automatic token scanning

   Every developer has to manage credentials. GitHub scans for tokens that have accidentally been exposed in public repositories, then alerts the provider within seconds so they may revoke or notify the owner as appropriate.
   Alert exposed token Patched exposed token Code with exposed token

Collaborating with service providers

   Once the service provider validates the credential, they decide whether they should revoke the token, issue a new token, or reach out to a user directly.

Keeping GitHub tokens secret

   When a valid GitHub token is pushed to a public repository, we’ll revoke it and notify the token owner within seconds.

Growing support for popular service providers

   Popular provider logos

   Token scanning supports tokens from Alibaba Cloud, Atlassian, AWS, Azure, Dropbox, Discord, Google Cloud, Mailgun, npm, Proctorio, Pulumi, Slack, Stripe, and Twilio, with more added all of the time.

Eradicate vulnerabilities and their variants before they become a problem

   Never make the same mistake twice. Security teams leverage Semmle LGTM to build security into DevOps processes, scaling secure development to all engineers.
   Vulnerability found with LGTM Deserializing user-controlled data may allow attackers to execute arbitrary code.

Find and eliminate all variants of bugs and vulnerabilities

   Scan across multiple codebases at scale. By building on existing queries and automating variant analysis, teams find critical vulnerabilities and their variants faster, even in the largest codebases.

Analyze new changes to prevent mistakes from reaching production

   LGTM’s continuous code analysis helps prevent vulnerabilities from reaching production by analyzing every commit and recognizing vulnerable code as soon as it’s checked in.

Secure development at every step

   LGTM brings consistent analysis to every step of the development process by integrating with IDEs, issue trackers, CI/CD services, and more.
   Query language for LGTM

Compare plans

   Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered. Interested in learning more about secure development in your organization?
   Contact Sales
                                                                                     Feature                                                                                               Free                          Pro                         Team                                                                                  Enterprise
   Advanced vulnerability scanning                                                                                                                                             Included Public repositories Included Public repositories Included Public repositories Contact us
   Automated security updates Included                     Included                     Included                     Included Enterprise Cloud
   GitHub Security Advisories                                   Included Public repositories Included Public repositories Included Public repositories Included Public repositories Enterprise Cloud
   Security alerts                                 Included                     Included                     Included                     Included
   Security policies                                     Included Public repositories Included Public repositories Included Public repositories Included Public repositories Enterprise Cloud
   Token scanning                                                                                          Included Public repositories Included Public repositories Included Public repositories Included Public repositories Enterprise Cloud
   Dependency insights                                        Not included                 Not included                 Not included                 Included Enterprise Cloud
   Two-factor Authentication (2FA)                                                                                                                                             Included                     Included                     Included                     Included
   WebAuthn & security keys                                                                                                                                                    Included                     Included                     Included                     Included
   Required 2FA for organizations                                                                                                                                              Not included                 Not included                 Included                     Included
   Delegated Account Recovery                                                                                                                                                  Included                     Included                     Included                     Not included
   Git over Secure Shell (SSH) and HTTPS                                                                                                                                       Included                     Included                     Included                     Included
   Git over Secure Shell with Enterprise issued certificate authentication                                                                                                     Not included                 Not included                 Not included                 Included
   GPG commit-signing verification                                                                                                                                             Included                     Included                     Included                     Included
   Security audit log                                                                                                                                                          Not included                 Not included                 Included                     Included
   SAML                                                                                                                                                                        Not included                 Not included                 Not included                 Included
   LDAP                                                                                                                                                                        Not included                 Not included                 Not included                 Included
   Protected branches                                                    Included                     Included                     Included                     Included
   Required reviews                                                                                                                                                            Included Public repositories Included                     Included                     Included
   Required status checks                                                                                                                                                      Included Public repositories Included                     Included                     Included

Learn more about Semmle

   Semmle makes dozens of disclosures every year. Learn more about their security discoveries—or try LGTM free.
   Explore recent disclosures Try LGTM free

Advanced vulnerability scanning for GitHub Enterprise is here

   Contact Sales



     * Features
     * Security
     * Enterprise
     * Customer stories
     * Pricing
     * Resources


     * Developer API
     * Partners
     * Atom
     * Electron
     * GitHub Desktop


     * Help
     * Community Forum
     * Professional Services
     * Learning Lab
     * Status
     * Contact GitHub


     * About
     * Blog
     * Careers
     * Press
     * Social Impact
     * Shop


     * © 2020 GitHub, Inc.
     * Terms
     * Privacy

   (BUTTON) You can’t perform that action at this time.

   You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.