Security

Purpose

This directory houses notes on securing this project's Git repositories, mainly through the security features GitHub offers for a repository.

Best practices: sensitive files to keep secure

See "Best practices sensitive files to keep secure" in the linked Trello card comment: https://trello.com/c/GYruL063/167-familiarize-about-sensitive-files-to-keep-off-of-github-and-personal-dashboard#comment-65e76548e1ceb9b9ea814269

Options

Security options through GitHub

Private vulnerability reporting

Allow your community to privately report potential security vulnerabilities to maintainers and repository owners.

In light of what is posted here, there is currently no benefit to my using this feature. My repos are too small; no one else uses them.

Default: Disabled

Dependency graph

Understand your dependencies.

The dependency graph is automatically enabled for public repositories and cannot be turned off there; private repositories have to enable it before Dependabot alerts can work.

Mandatory: Enabled

Dependabot

Keep your dependencies secure and up-to-date.

Dependabot keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies, and automatically opens pull requests to upgrade your dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published.

  • Dependabot alerts — Displayed notification on the Security tab for the repository, and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
  • Dependabot updates:
    • Dependabot security updates—Triggered updates to upgrade your dependencies to a secure version when an alert is triggered.
    • Dependabot version updates—Scheduled updates to keep your dependencies up to date with the latest version.

Dependabot alerts tell you when your repository uses a software dependency with a known vulnerability. The rest of this section covers enabling Dependabot for a repository and reviewing the alerts it reports.

Dependabot alerts

Dependabot alerts highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the GitHub Advisory Database, which contains advisories for known vulnerabilities.

  • Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts when:
    • A new advisory is added to the GitHub Advisory Database.
    • The dependency graph for the repository changes.
  • Dependabot alerts are displayed on the Security tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.

NOTE - Dependabot alert rules can be modified and enabled/disabled.

Default: Enabled with 1 rule

Dependabot security updates

There are two types of Dependabot updates: Dependabot security updates and version updates. Dependabot generates automatic pull requests to update your dependencies in both cases, but there are several differences.

  • Dependabot security updates:
    • Triggered by a Dependabot alert
    • Update dependencies to the minimum version that resolves a known vulnerability
    • Supported for ecosystems the dependency graph supports
    • Does not require a configuration file, but you can use one to override the default behavior
  • Dependabot version updates:
    • Requires a configuration file
    • Run on a schedule you configure
    • Update dependencies to the latest version that matches the configuration
    • Supported for a different group of ecosystems

Default: Enabled

Grouped security updates

Groups all available updates that resolve a Dependabot alert into one pull request (one per package manager and directory of requirement manifests). Group rules specified in dependabot.yml override this option.

You can use the dependabot.yml file to create separate rules to group Dependabot version updates and Dependabot security updates.

Default: Disabled

Dependabot version updates

Allow Dependabot to open pull requests automatically to keep your dependencies up-to-date when new versions are available.

About version updates for dependencies

You enable Dependabot version updates by checking a dependabot.yml configuration file in to ...

  • A dependabot.yml file configures dependency version updates (it can also override the default behavior of security updates, which otherwise need no configuration).

The dependabot.yml file goes in the .github/ directory at the repository root, i.e. .github/dependabot.yml.

See https://github.com/JamieBort/Personal-Dashboard/tree/master/.github/dependabot.yml as an example.

Dependabot reads dependabot.yml from the repository's default branch (master or main), so the file has to be committed there before version updates start running.

Default: Disabled
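As an added example (not the dependabot.yml from the repository linked above, whose contents are not reproduced here), the file below covers both this section and "Grouped security updates": a schedule for version updates per ecosystem, plus group rules that collect security updates into one pull request and batch minor/patch version bumps together. The npm ecosystem, the GitHub Actions ecosystem, the weekly Monday schedule, the timezone, the labels and the commit-message prefix are assumptions chosen for illustration; set package-ecosystem and directory to match the real project.

```yaml
# Added example of .github/dependabot.yml (not this repository's own file).
# Assumptions: an npm project at the repository root plus GitHub Actions
# workflows under .github/workflows/. Adjust ecosystems and directories.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                  # where package.json and the lockfile live
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "America/New_York"
    open-pull-requests-limit: 5     # cap on open version-update PRs
    groups:
      # All security updates for this ecosystem land in a single PR.
      # A group with applies-to: security-updates takes precedence over the
      # "Grouped security updates" toggle in the repository settings.
      npm-security:
        applies-to: security-updates
        patterns:
          - "*"
      # Scheduled version updates: batch minor and patch bumps together.
      # Major bumps are left out so each breaking change gets its own PR.
      npm-minor-patch:
        applies-to: version-updates
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    commit-message:
      prefix: "deps"
      include: "scope"
    labels:
      - "dependencies"

  # Pin/bump the actions used by workflows as well; a compromised or
  # drifting action is a supply-chain risk just like a library.
  - package-ecosystem: "github-actions"
    directory: "/"                  # Dependabot finds .github/workflows from here
    schedule:
      interval: "weekly"
```

Commit the file as .github/dependabot.yml on the default branch. Syntax errors in the file are reported on the Dependabot tab of the repository's dependency graph (Insights > Dependency graph > Dependabot), which is the first place to look if no pull requests appear after the scheduled time.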

Code scanning

Automatically detect common vulnerabilities and coding errors.

CodeQL analysis (Set up)

Identify vulnerabilities and errors with CodeQL for eligible repositories.

Other tools

Add any third-party code scanning tool.

Check runs failure threshold (High or higher/Only errors)

Select the alert severity level at which code scanning check runs fail (High or higher, or Only errors). Then create a branch ruleset that requires those checks to pass, so a branch cannot be merged while they fail.
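The "Set up" option for CodeQL can generate a workflow; as an added example (not this repository's own workflow), here is the shape such a workflow takes when written by hand, with permissions kept to the minimum the action needs. The default branch name "master" (taken from the repository link above), the JavaScript/TypeScript language, and the weekly cron time are assumptions.

```yaml
# Added example of .github/workflows/codeql.yml (not this repository's own
# workflow). Assumptions: default branch "master", a JavaScript/TypeScript
# code base. Change branches and languages to match the real project.
name: CodeQL

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: "30 5 * * 1"   # weekly run picks up newly published queries

# Least privilege for the workflow token: read the code, write results.
permissions:
  contents: read           # checkout only
  security-events: write   # required to upload SARIF results to code scanning
  actions: read            # needed by the CodeQL action on private repositories

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ "javascript-typescript" ]
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Built-in suite with more security queries than the default set.
          queries: security-extended

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The check-run failure threshold described above is not part of the workflow; it is set in the repository's code scanning settings. Once the workflow has run at least once, a branch ruleset can require the Analyze job's status check to pass, which is what turns a failing code scanning result into a blocked merge.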

Secret Scanning

Receive alerts on GitHub for detected secrets, keys, or other tokens.

Default: Disabled

Push protection

NOTE - Not visible until Secret Scanning is enabled.

Block commits that contain supported secrets.

Default: Disabled

Resources

GitHub Services/Features

Code Scanning

Secret Scanning

  • About secret scanning

    GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

Directories and Files

Directories

Files

This readme file.