👋 Hey maintainers You build the software the world relies on — we’ll help you keep it secure. Protect your project for free in 15 minutes ➡️ gh.io/protect-your-project
About us
- Website: https://securitylab.github.com
- Industry: Software Development
Updates
Are you in Warsaw for The Hack Summit? Join Sylwia Budzynska for an introductory talk about security research, static analysis, and CodeQL: "From One Bug to Hundreds: Scaling Vulnerability Research with CodeQL". Learn how to scale your security research by codifying your vulnerabilities into CodeQL queries. 📆 October 14, 11:20 CEST. Track: Security in Software Development & DevSecOps
Here are our September bug bounty stats! ✅ 166 bounty reports submitted 👥 120 hackers participated in our program 💰 Awarded $113,008 in bounties Found a vulnerability? Submit it here: https://t.co/HG2AqybW0p.
⏱️ Maintainers, we know you don’t have time to research every security best practice. That’s why we’ve made it simple: in just 15 minutes, you can protect your project from vulnerabilities, secrets leaks, and exploits. ✅ No security expertise required ✅ Free for open source ✅ Quick wins with long-term impact Protect your project now at gh.io/protect-your-project
Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: https://lnkd.in/gE9fWg6U Together, we can build a safer, more trustworthy open source ecosystem. #SupplyChainSecurity #OpenSourceSecurity
Here are our August bug bounty stats! ✅ 173 bounty reports submitted 👥 131 hackers participated in our program 💰 Awarded $28,667 in bounties Found a vulnerability? Submit it here: https://bounty.github.com/.
GitHub Security Lab reposted this
I'm super excited to share that at GitHub, we deepened our partnership with JFrog to launch cross-platform build integrity with attestations and production-aware security alert prioritization 🚀 Artifact attestations created in GitHub Actions now seamlessly follow your artifacts into JFrog Evidence. Under the hood, these attestations are Sigstore bundles, meaning they’re self-contained, portable, and cryptographically verifiable, with no runtime dependency on GitHub. This is huge for Sigstore as well: JFrog now natively supports verifying Sigstore bundles as evidence using their CLI. That means you can enforce provenance and integrity checks directly in Artifactory, automate policies for artifact promotion (like requiring SLSA provenance before anything reaches production), and be confident that only trusted, verified releases ship. With this strong link between artifact and source established, production context from JFrog now flows back into GitHub. You can use this context to prioritize security alerts in GitHub Advanced Security, focusing remediation on what’s actually shipping to production and cutting through the noise. I’m genuinely excited about how GitHub and JFrog are coming together to solve attestation, governance, and alert prioritization in a more holistic way. If you want to see it in action, chat about artifact attestations, or need help setting it up, drop me a message! 😊 #slsa #sigstore #supplychainsecurity #devsecops #appsec https://lnkd.in/ddvpTrmx
Georg Semmler, who is the maintainer of https://lnkd.in/gAsi4tye and was one of the recent participants in the GitHub Secure Open Source Fund, has written a tool called cargo-safe-publish which can help to protect against supply chain attacks in the Rust Cargo ecosystem. Read his blog post here: https://lnkd.in/g9WkkcsG
GitHub Security Lab reposted this
scikit-learn was honored to be selected to participate in Cohort 2 of the GitHub Secure Open Source Fund (OSF) Training Program. It was an intense 3-week training program, with over 90 open source maintainers joining the training. There were numerous workshops delivered by experts at the GitHub Security Lab. ⭐️ For many of these workshops, the learning materials are publicly available, and they are shared in the article here. 🙏Thank you to Gregg Cochran, Kevin Crosby, all the instructors at GitHub Security Lab, and the funders for this pivotal opportunity and support of open source projects. #opensource #security #machinelearning https://lnkd.in/emA_yx6a