惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Hacker News
The Hacker News
Martin Fowler
Martin Fowler
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
F
Full Disclosure
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
Security Archives - TechRepublic
Security Archives - TechRepublic
阮一峰的网络日志
阮一峰的网络日志
T
Threatpost
P
Privacy International News Feed
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
I
Intezer
Recent Announcements
Recent Announcements
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Privacy & Cybersecurity Law Blog
A
Arctic Wolf
博客园 - 聂微东
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
H
Help Net Security
S
Schneier on Security
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
T
Tor Project blog
月光博客
月光博客
NISL@THU
NISL@THU
A
About on SuperTechFans
Spread Privacy
Spread Privacy
Blog — PlanetScale
Blog — PlanetScale
D
DataBreaches.Net
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
G
Google Developers Blog
W
WeLiveSecurity
P
Palo Alto Networks Blog
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
博客园 - 司徒正美
L
LINUX DO - 热门话题
小众软件
小众软件

The GitHub Blog

GitHub for Beginners: Your roadmap to mastering the GitHub essentials Better tools made Copilot code review worse. Here's how we actually improved it. How GitHub gave every repository a durable owner Automating cross-repo documentation with GitHub Agentic Workflows GitHub availability report: June 2026 How GitHub Copilot enables zero DNS configuration for GitHub Pages Q1 2026 Innovation Graph update: Open source collaboration is accelerating worldwide How GitHub used secret scanning to reach inbox zero 6 security settings every GitHub maintainer should enable this week How GitHub maintains compliance for open source dependencies Highlights from Git 2.55 Inside the Advisory Database and what happens when vulnerability volume breaks records GitHub and UNDP team up to advance development priorities in Ghana with open source Transitioning as a Hubber Evaluating performance and efficiency of the GitHub Copilot agentic harness across models and tasks I automated my job (and it made me a better leader) GitHub joins coalition advocating for fixes to California AI Transparency Act to protect open source From pledge to practice: Building a more inclusive open source ecosystem How we built an internal data analytics agent How pull request limits are cutting down the noise Getting more from each token: How Copilot improves context handling and model routing What are git worktrees, and why should I use them? GitHub Copilot CLI for Beginners: Overview of common slash commands Accelerating researchers and developers building multilingual AI with a new open dataset How we made GitHub Copilot CLI more selective about delegation GitHub availability report: May 2026 Making secret scanning more trustworthy: Reducing false positives at scale Give GitHub Copilot CLI real code intelligence with language servers From one-off prompts to workflows: How to use custom agents in GitHub Copilot CLI GitHub for Beginners: Answers to some common questions GitHub Universe is back: All together now, in the agentic era GitHub Copilot app: The agent-native desktop experience Still a developer. Just outside. Our latest GitHub Shop collection is here. GitHub for Beginners: Getting started with Git and GitHub in VS Code GitHub recognized as a Leader in the Gartner® Magic Quadrant™ for Enterprise AI Coding Agents for the third year in a row Beyond the engine: 10 open source projects shaping how games actually get made Building GitHub’s next chapter in accessibility Investigation update: GitHub Enterprise Server signing key rotation Take your local GitHub sessions anywhere Building a general-purpose accessibility agent—and what we learned in the process Raising the bar: Quality, shared responsibility, and the future of GitHub’s bug bounty program GitHub availability report: April 2026 From latency to instant: Modernizing GitHub Issues navigation performance Dungeons & Desktops: 10 roguelikes that never die (because their communities won’t let them) GitHub Copilot individual plans: Introducing flex allotments in Pro and Pro+, and a new Max plan Dungeons & Desktops: Building a procedurally generated roguelike with GitHub Copilot CLI GitHub for Beginners: Getting started with OSS contributions Why age assurance laws matter for developers How researchers are using GitHub Innovation Graph data to reveal the “digital complexity” of nations Improving token efficiency in GitHub Agentic Workflows Agent pull requests are everywhere. Here’s how to review them. Validating agentic behavior when “correct” isn’t deterministic Welcome to Maintainer Month: Celebrating the people behind the code Register now for OpenClaw: After Hours @ GitHub GitHub Copilot CLI for Beginners: Interactive v. non-interactive mode GitHub for Beginners: Getting started with Markdown Securing the git push pipeline: Responding to a critical remote code execution vulnerability Highlights from Git 2.54 Building an emoji list generator with the GitHub Copilot CLI Bringing more transparency to GitHub’s status page How GitHub uses eBPF to improve deployment safety Build a personal organization command center with GitHub Copilot CLI Developer policy update: Intermediary liability, copyright, and transparency Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game How exposed is your code? Find out in minutes—for free GitHub for Beginners: Getting started with GitHub Pages GitHub Copilot CLI for Beginners: Getting started with GitHub Copilot CLI GitHub availability report: March 2026 GitHub Universe is back: We want you to take the stage GitHub Copilot CLI combines model families for a second opinion The uphill climb of making diff lines performant Securing the open source supply chain across GitHub Run multiple agents at once with /fleet in Copilot CLI Agent-driven development in Copilot Applied Science What’s coming to our GitHub Actions 2026 security roadmap
GitHub for Beginners: Getting started with GitHub security
Kedasha Kerr · 2026-03-31 · via The GitHub Blog

Welcome back to GitHub for Beginners, season three! So far this year, we’ve covered GitHub Issues and Projects, as well as GitHub Actions. This time around, we’re going to be talking a little bit about security, and what tools GitHub provides to help you keep your code secure. By the end of this post, you’ll understand how to fix vulnerabilities in your repository using built-in tools like secret scanning, Dependabot, code scanning, and Copilot Autofix.

Why security matters

Vulnerabilities are weaknesses in your code or the libraries you use that attackers can exploit. It’s important to realize that you inherit any risk from a library the moment you import it into your project, even though you didn’t write the vulnerable code yourself. This is why even small or brand-new projects can have vulnerabilities—almost all software relies on third-party packages.

GitHub makes finding and fixing these issues easier than ever with GitHub Advanced Security (GHAS), a suite of products that helps you improve and maintain the quality of your code. On public repositories, you have access to Dependabot, code scanning, secret scanning, and Copilot Autofix. If you want to learn even more about the different features, check out our documentation about GHAS. Or keep reading as we walk through enabling and using some of these features.

Enabling security features

The first step is making sure that GHAS is turned on.

  1. Navigate to your repository.
  2. Click the Settings tab at the top of the page.
  3. In the left-hand bar, under the “Security” section, select Advanced Security.
  4. Under “Dependabot,” enable “Dependabot alerts” and “Dependabot security updates.”
  5. Scroll down to the “Code scanning” section.
  6. For “CodeQL analysis,” select Set up and then select Default from the context menu.
  7. A new window will appear. Select Enable CodeQL without changing any settings.
  8. Scroll down to “Secret Protection” and enable it.

These tools are available to public repositories by default. If you have a private repository, you’ll need a GHAS license.

Select the Security tab at the top of the window to navigate to the security home page for this repository. Here you’ll see options for the various GHAS tools you’ve enabled. This is where you can see alerts for exposed secrets, vulnerable dependencies, and risky code paths.

Now let’s take a look at some of these tools in greater detail. To see how the various alerts look, remember that we have a video version of this blog available online.

Using secret scanning

GitHub can help you protect sensitive information with secret scanning. If you accidentally commit an API key or token, secret scanning will flag it in the security tab in the left-hand column underneath Secret scanning. When you see an alert, click the title of the specific alert to see what secret was detected and where it was found.

One of the ways to address this exposed secret is to revoke it. Revoking a secret means disabling the old key so that it can’t be used anymore. You usually do this by generating a new key on the platform where the secret came from, such as Azure or Stripe.

GitHub can’t automatically revoke the secret for you. You’ll need to do that part yourself. However, secret scanning gives you an early warning so that a leaked secret doesn’t become an exploited secret.

Once you’ve revoked the secret, you can close the secret scanning alert by doing the following:

  1. Select Close as in the top-right of the window.
  2. Select Revoked from the context menu.
  3. Click the green Close alert button at the bottom of the context menu.

What is Dependabot?

Dependabot is a code scanning tool that helps you keep your dependencies up to date. Remember when we talked about how you inherit the vulnerabilities of every library you pull into your project? Dependabot helps to address this by alerting you if it finds vulnerabilities in the libraries your project depends on.

To find Dependabot alerts, navigate back to the Security tab in your repository. When you click on a Dependabot alert, it’ll navigate you to the pull request, so you can update your library. In the pull request, if you scroll down, you can see the specific advisory that triggered the alert by selecting See advisory in GitHub Advisory Database.

From the pull request, select the green Review security update button at the top to review the version bump. You should always review suggested changes before incorporating them. As long as everything looks good, go ahead and merge the pull request.

Dependabot automates turning GitHub security advisories into pull requests so you don’t have to manually track common vulnerabilities and exposures.

Responding to CodeQL alerts

CodeQL is the engine that scans your code and produces the code scanning alerts (which you can find under the Security tab). CodeQL is not a linter. It’s much more powerful because it understands data flow, showing where input starts and where it ends up.

As a result, code scanning alerts can cover a wide range of possible scenarios. When you select a code scanning alert, it will explain the issue and, if it can, provide additional information, such as a recommendation for fixes and examples to illustrate the problem and possible solution.

Once you have an understanding of the alert, you can use Copilot Autofix to resolve it by following these steps:

  1. Select the Generate fix button at the top of the alert.
  2. Copilot will suggest a patch. Review the change and verify it addresses your needs.
  3. Click the green Commit to new branch button at the bottom.
  4. In the new pop-up window, select the Open a pull request option, and click Commit change.
  5. Treat the generated pull request as you would any other pull request: review it and merge changes. Remember that while Copilot accelerates security fixes, you stay in control the entire time.

What’s next?

Congratulations! You’ve now learned how to use GitHub Advanced Security to confidently detect and fix vulnerabilities in your code. Public repositories have access to these GHAS tools for free, so you can keep your projects safe from the start. Test your skills using GitHub Skills or the vulnerable-node repository any time.

And if you’re looking for more information, we have lots of documentation available. Here are just a few links to get your started:

Happy coding!

Written by

Kedasha Kerr

Kedasha is a Developer Advocate at GitHub where she enjoys sharing the lessons she's learned with the wider developer community. She finds joy in helping others learn about the tech industry and loves sharing her experience as a software developer. Find her online @itsthatladydev.

Explore more from GitHub

Docs

Docs

Everything you need to master GitHub, all in one place.

Go to Docs

GitHub

GitHub

Build what’s next on GitHub, the place for anyone from anywhere to build anything.

Start building

Customer stories

Customer stories

Meet the companies and engineering teams that build with GitHub.

Learn more

The GitHub Podcast

The GitHub Podcast

Catch up on the GitHub podcast, a show dedicated to the topics, trends, stories and culture in and around the open source developer community on GitHub.

Listen now