/
Research Advisories CodeQL Wall of Fame
Resources
Open Source Community Enterprise
Events Get Involved

Securing open source software, together

We are a team of security experts who cultivate a collaborative community where developers and security professionals come together to secure open source software.
Get Involved
Our Mission

Enhance security by fostering global collaboration.

Contributions from maintainers, developers, and security researchers around the world push us forward, making the open source software a better place.
Security Research

We do the hard work, you can use it.

Dive into security research on open-source projects to explore new and emerging threats, and learn how to mitigate them so that you can make your own software more secure.

Read the Research
987
vulnerabilities found
by Security Lab researchers
699 CVEs credited
See all disclosures

Latest vulnerabilities disclosed

  • Poisoned Pipeline Execution (PPE) via code injection in Sympy
    GHSL-2024-322 • published 2024/11/01 00:00:00 ago • Alvaro Munoz
  • Poisoned Pipeline Execution (PPE) via code injection in Trino DB
    GHSL-2024-319 • published 2024/11/01 00:00:00 ago • Alvaro Munoz
  • Poisoned Pipeline Execution (PPE) via execution of untrusted checked-out code in Hibernate ORM
    GHSL-2024-268 • published 2024/11/01 00:00:00 ago • Alvaro Munoz
  • Poisoned Pipeline Execution (PPE) via environment variable injection in Zephyr
    GHSL-2024-253 • published 2024/11/01 00:00:00 ago • Alvaro Munoz
  • Remote Code Execution in Plenti via arbitrary file write and arbitrary file deletion - CVE-2024-49380, CVE-2024-49381
    GHSL-2024-297_GHSL-2024-298CVE-2024-49380CVE-2024-49381 • published 2024/10/25 00:00:00 ago • Kevin Stubbings
CodeQL Wall of Fame

Join us in our mission to improve open source security for all

Have you used CodeQL’s variant analysis to find vulnerabilities on open source projects? Give your work the visibility it deserves by submitting your finding for the CodeQL Wall of Fame.

Share your work
20,000+
security advisories
curated by Security Lab researchers
6,000+  CVEs assigned for OS maintainers

GitHub Advisory Database

While CVEs identify vulnerabilities, they don’t tell the whole story. Entries in the GitHub Advisory database expand beyond identification to include additional context and details to support automated security tooling – sourced from a global community of security experts and curated by the Security Lab – to help you understand vulnerabilities, assess risk, and fix with confidence and efficiency.
Explore the Advisory Database
Resources

Open doors, open solutions:

Embracing Enterprise & Open Source

Open doors, open solutions: Embracing Enterprise & Open Source

Contributions from maintainers, developers, and security researchers around the world push us forward, making the open source software a better place.

Open Source Community

Learn about secure coding practices, get hands-on with AppSec training, and connect with experts during our office hours – free for open source developers, maintainers, and security researchers.

Explore open-source resources

GitHub Security Lab for the Enterprise

At the GitHub Security Lab, our security experts, through community collaboration, strengthen open source security which is crucial for enterprises. We channel the community’s contributions into proven CodeQL queries and timely security advisories, and offer enterprises actionable insights that help secure your supply chain and accelerate the software development lifecycle.

Explore enterprise resources
Team

About the GitHub Security Lab.

At the GitHub Security Lab, we cultivate a collaborative community of developers and security experts who work together to bolster the security of open source software.
Meet the team

Learn more on GitHub Security Lab

Through research, education, and maintenance of the GitHub Advisory Database, we empower the community.

We’re active on social media!

Through research, education, and maintenance of the GitHub Advisory Database, we empower the community.