What are GitHub's repository security features?
Answer
GitHub provides multiple layers of security for repositories: (1) Dependabot: automatically scans dependencies for known CVEs and creates PRs to update vulnerable packages. Configured via .github/dependabot.yml. Dependabot alerts notify of vulnerabilities without auto-PRs; (2) Code scanning (CodeQL): GitHub's static analysis engine scans for security vulnerabilities and code quality issues. Configured as a GitHub Action. Supports many languages; (3) Secret scanning: scans pushed code for known secret patterns (API keys, tokens, passwords) from 200+ providers. Automatically notifies providers to revoke compromised tokens. Push protection prevents pushing secrets; (4) GHAS (GitHub Advanced Security): paid tier with additional security features; (5) Signed commits (GPG/SSH): verified commits confirm the committer is who they claim; (6) Security advisories: private namespace to triage, fix, and publish security vulnerabilities; coordinate disclosure; (7) SBOM (Software Bill of Materials): export dependency inventory; (8) Dependency review: in PR diff, shows newly added vulnerable dependencies; (9) Private vulnerability reporting: security researchers can privately report vulnerabilities. Security tab in each repo aggregates all findings.
Previous
What is Git's garbage collection and how does it work?
Next
How does GitHub's pull request merge queue work?