What are GitHub's repository security features?

Answer

GitHub provides multiple layers of security for repositories: (1) Dependabot: automatically scans dependencies for known CVEs and creates PRs to update vulnerable packages. Configured via .github/dependabot.yml. Dependabot alerts notify of vulnerabilities without auto-PRs; (2) Code scanning (CodeQL): GitHub's static analysis engine scans for security vulnerabilities and code quality issues. Configured as a GitHub Action. Supports many languages; (3) Secret scanning: scans pushed code for known secret patterns (API keys, tokens, passwords) from 200+ providers. Automatically notifies providers to revoke compromised tokens. Push protection prevents pushing secrets; (4) GHAS (GitHub Advanced Security): paid tier with additional security features; (5) Signed commits (GPG/SSH): verified commits confirm the committer is who they claim; (6) Security advisories: private namespace to triage, fix, and publish security vulnerabilities; coordinate disclosure; (7) SBOM (Software Bill of Materials): export dependency inventory; (8) Dependency review: in PR diff, shows newly added vulnerable dependencies; (9) Private vulnerability reporting: security researchers can privately report vulnerabilities. Security tab in each repo aggregates all findings.