GitHub Security

Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)

Today, in coordination with Ilya Lipnitskiy (the maintainer of libcue) and the distros mailing list, the GitHub Security Lab is disclosing CVE-2023-43641, a memory corruption vulnerability in libcue. We have also sent a text-only version of this blog post to the oss-security list. It’s quite likely that you have never heard of libcue before, and […]

Read More

Introducing secret scanning validity checks for major cloud services

At GitHub, we launched secret scanning with the mission of eliminating all credential leaks. In support of this mission, this year we’ve made secret scanning and secret scanning push protection free on public repositories to help open source users detect and prevent secret leaks. We also shipped push protection metrics for GitHub Advanced Security customers […]

Read More

Cybersecurity spotlight on bug bounty researcher @inspector-ambitious

As we kick off Cybersecurity Awareness Month, the GitHub bug bounty team is excited to spotlight one of the top performing security researchers who participates in the GitHub Security Bug Bounty Program, @inspector-ambitious! As home to over 100 million developers and 372 million repositories, GitHub maintains a strong dedication to ensuring the security and reliability […]

Read More

mTLS: When certificate authentication is done wrong

Although X.509 certificates have been here for a while, they have become more popular for client authentication in zero-trust networks in recent years. Mutual TLS, or authentication based on X.509 certificates in general, brings advantages compared to passwords or tokens, but you get increased complexity in return. In this post, I’ll deep dive into some […]

Read More

A faster way to manage version updates with Dependabot

When the next Log4j lands, you don’t want to find out that you’re several versions behind, and that it’s going to take the team days to fix all of the breaking changes. Dependabot version updates automate the patching process, giving you a measure of protection from unwelcome surprises. But just as with any inbox, the […]

Read More

CodeQL team uses AI to power vulnerability detection in code

AI is fundamentally changing the technology and security landscape. At GitHub, we see AI as a way for developers to both speed up their development process and simultaneously write more secure code. For instance, GitHub Copilot includes a security filter that targets the most common vulnerable coding patterns in Python and JavaScript–including hardcoded credentials, SQL […]

Read More

Introducing auto-triage rules for Dependabot

Since the May beta release of our GitHub-curated Dependabot policies that detect and close false positive alerts, over 250k repositories have manually opted in, with an average improvement of over 1 in 10 alerts. The impact so far: auto-dismissal of millions of alerts that would have otherwise demanded a developer’s attention to manually assess and […]

Read More