GitHub is the largest open source community in the world, and security is a top priority for us. Using code security tooling is nothing new in software development, but for many developers it's associated with expensive license price tags that make it hard to use on open source. What if I told you that many of the tools used by GitHub's largest customers are free on public repos?
At GitHub, we believe that code security is essential for the open source community to build the software that runs the world. That's why much of GitHub's Advanced Security feature set is FREE for public repos on GitHub.com! Some of these features may be familiar to you, such as Secret Scanning, Code Scanning, and Dependabot. In this post I'll explain what those features are and how you as a developer can quickly enable them on your public repos.
🙊 Secret Scanning
Did you ever work on a project and, while testing something locally, type a password or API key into a local file? Did you then forget to remove it and accidentally commit it to your repository? If so, you're not alone. At GitHub, we understand that this is a common mistake, and that's why GitHub created Secret Scanning.
Secret Scanning is a feature that scans for secrets, such as API keys, passwords, and other sensitive information that shouldn't be in your GitHub repo. When a secret is found, GitHub notifies the repository owner and provides guidance on how to remove the secret wherever it's detected. Secrets don't always show up only in your code; they can also be found in your GitHub issues, pull requests, discussions, and wikis. GitHub Secret Scanning scans all of these locations to ensure that your repo is secure.
Secret Scanning also features push protection, which proactively prevents secrets from being pushed to your repository. When push protection is enabled and a potential secret is detected, GitHub blocks the push and notifies the repository owner that a secret was found. This can help prevent secrets from being accidentally pushed to your repository (and prevent any embarrassing situations like the one I shared earlier).
All of these Secret Scanning features are enabled by default on public repos on GitHub.com, so getting started is as easy as creating a public repo!
🔒 Code Scanning
One of the largest challenges today in software development is ensuring that open source software is secure. Many of the building blocks of software are open source, and it's important to ensure that the software you're using is as secure as it can be. To address this challenge, GitHub built Code Scanning to find, show, and provide solutions to security vulnerabilities in code that's stored on GitHub.
Code Scanning is GitHub's tool to perform static code analysis to find security vulnerabilities in your code. Static code analysis is the process of analyzing your code without running it to find potential security vulnerabilities. What is unique to GitHub is that Code Scanning is powered by CodeQL, a powerful query language that GitHub uses to find security vulnerabilities in code. We can go into more detail on CodeQL in a future post, but for now it's sufficient to know that CodeQL is used by many of GitHub's largest customers to secure their code.
The best part about this feature? It's also free on public repos on GitHub.com! This means that you can start using Code Scanning to secure your open source projects today.
Dependabot
Something that many developers might not think about when writing code is the security of the software that they're using to build projects. Say you're writing some code to make a React Native app and you find an open source library to help put the finishing touches on the app. How do you know that the library you're using is secure? That's where Dependabot comes in.
Dependabot is GitHub's tool to help keep your projects free of insecure (or out-of-date) libraries while letting you focus on coding. Depending on the language you're working in, Dependabot scans supported dependency files for outdated or insecure dependencies and creates alerts and/or pull requests to help you update them.
I cannot mention Dependabot without covering one of its most helpful features, Dependency Review. Dependency Review was built by GitHub to help developers check for insecure dependencies before they ever enter the primary branch of a repo. When opening a pull request, developers can use Repository Rulesets in tandem with the Dependency Review GitHub Action to review and block insecure dependencies before they become a problem!
Prefer to use an API? GitHub has a Dependency Review API that can be used to run Dependency Review on your own CI systems!
Dependabot is free for all public AND private repos on GitHub.com, so you can start securing your projects today!
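Here is an added example (not from the original post) of the Dependency Review GitHub Action wired up on pull requests, assuming the default branch is `main`; the job name is a placeholder you would then select as a required status check in a Repository Ruleset so that a failing review blocks the merge.

```yaml
# .github/workflows/dependency-review.yml  (added example; assumes default branch "main")
name: Dependency Review

on:
  pull_request:
    branches: [ "main" ]

permissions:
  contents: read
  pull-requests: write   # lets the action post its summary as a PR comment

jobs:
  dependency-review:      # add this job as a required status check in your ruleset
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Diffs the dependency manifests between the PR base and head and fails the
      # job when a newly added or upgraded dependency has a known vulnerability
      # at or above the configured severity.
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate     # low findings are reported but do not block
          comment-summary-in-pr: always  # summary of added/removed packages on the PR
```

The same check can be run outside Actions with the Dependency Review API the post mentions, comparing the base and head commits of the pull request.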
Conclusion
Security is a critical part of software development and GitHub is here to help ensure your code is as secure as possible. With features like Secret Scanning, Code Scanning, and Dependabot, GitHub is providing the tools to help secure what's in open source today and in the future. And the best part? These features are all free on public repos on GitHub.com!
If you have any questions leave a comment on this discussion. We're here to help!
Want to keep reading? More security posts in our community blog and on the GitHub Blog: