Category
On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. Read on to learn more about the impact to GitHub, npm, and our users.
Today, we're shipping a new feature for Dependabot alerts which helps you better understand how you're affected by a vulnerability.
Upgrade your local installation of Git, especially if you are using Git for Windows, or you use Git on a multi-user machine.
Learn how to build packages with SLSA 3 provenance using GitHub Actions.
The new dependency review action and API prevents the introduction of known supply chain vulnerabilities into your code.
We want to take away the pain and effort of keeping your code secure, so check out how Dependabot empowers developers to keep to their projects secure.
Organizations with GitHub Advanced Security can now proactively protect against secret leaks with secret scanning’s new push protection feature.
Securing your projects is no easy task, but end-to-end supply chain security is more top of mind than ever. We've seen bad actors expand their focus to taking over user…
If there's one habit that can make software more secure, it's probably input validation. Here's how to apply OWASP Proactive Control C5 (Validate All Inputs) to your code.
Anyone can now provide additional information to further the community’s understanding and awareness of security advisories.
Today we launched new code scanning analysis features powered by machine learning. The experimental analysis finds more of the most common types of vulnerabilities.
A behind-the-scenes peek into the machine learning framework powering new code scanning security alerts.
Practical tips on how to apply OWASP Top 10 Proactive Control C4.
A comprehensive guide for vulnerability reporters.
Today, we’re shipping improvements to Dependabot alerts that make them easier to understand and remediate.
Starting today, we are rolling out mandatory 2FA to all maintainers of top-100 npm packages by dependents.
