Bugs and new features aside, a project’s longevity hinges not only on its usefulness but also on the trust it earns from its users. Strong security measures are important to keep this trust alive.
No technical degree required - you can safeguard your project without being a security guru. You can enable, with just a few clicks, and for free, GitHub’s security tools that will help you write secure code, prevent secret leaks, scan your dependencies for security vulnerabilities, and globally keep your users safe.
Follow these easy steps to enable the must-have security features that will keep your work secure against security vulnerabilities.
Secure your code in your flow with code scanning, CodeQL and Copilot Autofix
Security vulnerabilities in your code may arise at any point during development and be difficult to identify without using automated tools. Failure to patch up these vulnerabilities ASAP can expose you to a whole host of security threats down the line.
Consider a situation where a contributor unknowingly introduces a buffer overflow vulnerability while implementing a new feature. Surprisingly, it’s the thing that nobody catches during those long hours of review and testing. This security hole becomes a launchpad for an attacker, who is capable of running code that puts the entire system in a precarious state.
Code scanning is like having a skilled expert look over your code repository, helping you find security vulnerabilities that could be hiding in plain sight as you code. Paired with Copilot Autofix, which shares actionable feedback to explain these vulnerabilities and gives you code suggestions on how to fix those problems in the pull request, code scanning helps make detection and remediation faster right in your workflow. And starting in September, Copilot Autofix will be available free for open source projects.
Secure your secrets, protect your business with secret scanning
Sensitive data, such as API keys, tokens, and passwords, can sometimes accidentally get committed to your repository.
Imagine this scenario: You are the maintainer of a popular open-source project with contributions from developers worldwide. One day, a contributor unknowingly commits to the repository some API keys of a third-party service. Days later, someone finds these keys and uses them to get into the service without permission. The service is compromised, users of your project experience downtime, and your project’s reputation takes a hit. As the maintainer, you’re now faced with the daunting tasks of revoking compromised secrets, notifying affected users, and implementing fixes.
To prevent such incidents, secret scanning with push protection guards over 300 token types and patterns from more than 180 service providers. Stop threats in their tracks by revoking old secrets and spinning up fresh ones – it’s a major security boost.
Use dependencies you can depend on with Dependabot
Dependencies in your project can have vulnerabilities that compromise the security of your project. Manually keeping dependencies up to date can be a time-consuming task.
Picture this: a project built on the sturdy foundation of a widely-used library. The library later finds a big security problem, but the people who keep it up don’t know about it. Sensitive user data is left exposed when an attacker takes advantage of this weakness, swooping in to grab it.
To prevent such scenarios, Dependabot automatically checks your dependencies for known vulnerabilities and creates pull requests to update them to safe versions. Staying up-to-date with the latest dependency versions safeguards your project from potential risks.
Avoid unwanted changes with protected branches
Unrestricted access to your main branches can lead to accidental or malicious changes that may introduce vulnerabilities or disrupt the stability of your project.
A new contributor gets write access to the main branch and accidentally pushes changes that have not been tested. A dire security flaw is then uncovered, courtesy of the latest changes.
To prevent such issues, branch protection rules ensure that changes cannot be pushed or merged into important branches without first undergoing reviews and passing specified status checks. You’re safer and better off with this extra measure in place, guaranteeing top-notch quality every time.
Manage your security bugs with a security policy and private vulnerability reporting
You will never be aware of all vulnerabilities in your projects and it’s a good practice to make it easy for people external to the project –users, security researchers– to report security bugs, but the big question is: how can they safely report them to you?
Picture this: A security researcher discovers a vulnerability in your project but finds no clear or secure way to report it. Without a designated process, they might create a public issue or discuss it openly on social media. This public disclosure will expose the vulnerability to malicious actors before you have a chance to address it, potentially leading to a zero-day exploit, attacking your project and its users.
Security Policy
To avoid this, publish a security policy. A security policy, defined in a security.md
file, details the steps for reporting security concerns, creating a transparent process for responsible disclosure, and establishing the project team’s responsibilities for addressing reported issues.
Private Vulnerability Reporting
Once you have a security policy in place, you can streamline and strengthen your vulnerability management process, from intake to broadcast, by enabling private vulnerability reporting (PVR). PVR enables maintainers to receive and address vulnerability reports, all within the GitHub platform. GitHub will automatically create a private fork to write the fixes, and a draft security advisory. All of this remains confidential until you decide to disclose the issues and release the fixes. To close the loop, security advisories will be published, and will inform and protect all your users through Dependabot alerts and updates.
Conclusion
We’ve covered a lot of ground, and this is where it all comes together.
Turning on these GitHub security features will help strengthen your open source project and make it more resilient to vulnerabilities from the start. To begin using these features, look at the helpful resources we’ve included in GitHub’s documentation. They’ll walk you through each step.
By using these tools, your project will be more secure and stable, moving us closer to ensuring the overall safety and dependability of open source communities for everyone.