Resources

Enterprise

GitHub Security Lab is dedicated to community collaboration in order to improve open source security at scale, so that everyone – including enterprise organizations – benefits from a more secure open source ecosystem.

CodeQL Wall of Fame

The CodeQL Wall of Fame is a (non-exhaustive) list of vulnerabilities found in open source projects using CodeQL.

Explore CodeQL Wall of Fame

Advisory Database

Understand and remediate potential security issues in the open source projects you use with GitHub’s free and open source vulnerability database.

Explore Advisory Database

Secure your GitHub Actions workflows

Talk on securing your
GitHub Actions

In just 17 minutes, Jaroslav Lobacevski shares his knowledge about securing GitHub Actions, drawing from hands-on experience uncovering hundreds of real-world vulnerabilities.

Topics include best practices of using third party actions, common pitfalls that lead to Remote Code Execution (RCE), and more.

The talk wraps up with free tools to automate GitHub Actions security you can start using today.

New tool to secure your GitHub Actions

Introducing a new tool to monitor and control the permissions of the repository token for GitHub Actions, helping you apply the least-privilege principle by suggesting the minimum required permissions.

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Combining the pull_request_target workflow trigger with an explicit checkout of an untrusted Pull Request is a dangerous practice that may lead to repository compromise.

Keeping your GitHub Actions and workflows secure Part 2: Untrusted input

Every GitHub Actions workflow trigger comes with a GitHub context. Some of this data might be attacker controlled and should be treated as potentially untrusted input.

Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks

By referencing an external action with the uses directive, you’re running third-party code and giving it access to computing time, secrets, and your repository token.

Keeping your GitHub Actions and workflows secure Part 4: New vulnerability patterns and mitigation strategies

While implementing CodeQL support for GitHub Actions workflows, we came across new patterns of insecure workflows. Learn how to identify and mitigate them.

Latest articles

See all articles

Keeping your GitHub Actions and workflows secure Part 4: New vulnerability patterns and mitigation strategies

While implementing CodeQL support for GitHub Actions workflows, we came across new patterns of insecure workflows. Learn how to identify and mitigate them.

Security research without ever leaving GitHub

Don't make me leave my development platform! Your security teams can perform security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting.

Gaining kernel code execution on an MTE-enabled Pixel 8

In this research nominated for the 2024 Pwnie award, Man Yue Mo gains arbitrary kernel code execution and root on an Android phone even with the Memory Tagging Extension (MTE) mitigation enabled.

mTLS: When certificate authentication is done wrong

Presented at Black Hat USA and DEFCON 2023, this research reveals interesting attacks on mTLS authentication. Read how mTLS systems can be vulnerable to user impersonation, privilege escalation, and information leakages.

Build a secure code mindset with the GitHub Secure Code Game

Are you happy with your security training? Try out our Secure Code Game, our hands-on and community-sourced security training, and build a secure code mindset for your developers.

The little bug that couldn’t: Securing OpenSSL

Improving the code security of widely used libraries like OpenSSL has a force multiplication effect for all of us. Read on to learn about the vulnerabilities, and how to use CodeQL to eliminate variants.

Don't shoot the emissary

Check out how we used CodeQL on NSA's Emissary open source project to find critical issues, and how the NSA leveraged GitHub code scanning and security advisories to address the issues.