GitHub Security Features
Quick Summary
GitHub provides built-in security tools that automatically detect vulnerabilities in your dependencies (Dependabot), scan for leaked secrets (Secret Scanning), find code vulnerabilities (Code Scanning), and enforce safe workflows (Branch Protection). These features are free for public repositories and available for private repositories with GitHub Advanced Security (GHAS).
Feature Overview
| Feature | What It Does | Availability |
|---|---|---|
| Dependabot Alerts | Detects vulnerable dependencies | Free (all repos) |
| Dependabot Updates | Auto-creates PRs to update deps | Free (all repos) |
| Secret Scanning | Detects leaked API keys/tokens | Free (public) / GHAS (private) |
| Code Scanning | Static analysis for code vulnerabilities | Free (public) / GHAS (private) |
| Branch Protection | Enforce rules before merging | Free (all repos) |
| Security Advisories | Privately report and fix vulnerabilities | Free (all repos) |
Dependabot
Automatic Dependency Updates
Create .github/dependabot.yml:
```yaml
version: 2
updates:
  # JavaScript (npm)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    reviewers:
      - "donnyaw"
  # Docker
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```
How It Works
```mermaid
flowchart LR
    D["Dependabot"] -->|Scans| L["package.json<br/>Dockerfile<br/>requirements.txt"]
    L -->|Vulnerability found| A["Alert created"]
    A -->|Auto-PR| PR["Pull Request<br/>'Bump lodash 4.17.20 → 4.17.21'"]
    PR -->|CI passes| M["Review & Merge"]
```
Secret Scanning
GitHub automatically scans for:
- API keys (AWS, Google Cloud, Azure)
- OAuth tokens
- SSH private keys
- Database connection strings
- Personal access tokens
What Happens When a Secret is Detected
- GitHub sends an alert to repository admins
- If push protection is enabled, the push is blocked entirely
- The service provider is notified (e.g., AWS can auto-revoke the leaked key)
Enable Push Protection
Settings → Code security and analysis → Secret scanning → Push protection → Enable
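To make the push-protection idea concrete, here is an added example (not GitHub's own detector) of a small pre-push check that scans staged file contents for a few of the secret types listed above and blocks the push when anything matches. The regexes and the sample files are simplified assumptions for this example; GitHub's real detectors use partner-specific formats and validation that are not reproduced here.

```python
import re
from typing import Dict, Iterator, List, NamedTuple

# Simplified patterns (assumptions for this example) for some secret types above.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(r"\b(?:postgres|mysql|mongodb)://[^:\s]+:[^@\s]+@"),
}


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str


def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per (line, rule) pair where a secret pattern matches."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                yield Finding(path, line_no, rule)


def should_block_push(files: Dict[str, str]) -> List[Finding]:
    """Mimic push protection: a non-empty result means the push must be blocked."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files: a settings module with the AWS documentation
# example key ID and a DB URL with an embedded password, a fake PEM, clean code.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"\n'
    ),
    "deploy/server.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "constructed-not-a-real-key\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "src/main.py": "def main():\n    print('hello')\n",
}

if __name__ == "__main__":
    for f in should_block_push(SAMPLE_FILES):
        print(f"BLOCKED {f.path}:{f.line_no} matched {f.rule}")
```

Wired into a local pre-push hook, a check like this catches the leak before it ever reaches the remote, which is the same point at which GitHub's push protection intervenes.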
If you accidentally push a secret
- Revoke the secret immediately (API key, token, password)
- Remove from code and commit
- The secret is still in Git history — use `git filter-repo` to purge it
- Force-push to overwrite remote history
Revoking is more important than removing from Git — assume the secret was compromised the moment it was pushed.
Branch Protection Rules
Settings → Branches → Add rule
| Rule | Effect |
|---|---|
| Require pull request | No direct pushes to main |
| Require approvals | At least N reviewers must approve |
| Require status checks | CI must pass before merging |
| Require signed commits | Only GPG-signed commits allowed |
| Restrict who can push | Limit to specific users/teams |
| Block force pushes | Prevent history rewriting |
| Require linear history | Only allow squash or rebase merges |
Recommended Setup for main
✅ Require pull request before merging
✅ Require at least 1 approval
✅ Dismiss stale reviews when new commits are pushed
✅ Require status checks to pass (CI pipeline)
✅ Block force pushes
✅ Restrict deletions
.gitignore for Security
Prevent accidental commits of sensitive files:
```gitignore
# Environment files
.env
.env.local
.env.production

# SSH keys
id_rsa
id_ed25519
*.pem
*.key

# Credentials
credentials.json
token.txt
*secret*

# Database files
*.sqlite
*.db

# OS / IDE
.DS_Store
.vscode/settings.json
```
Security Checklist
- Enable Dependabot alerts and updates
- Enable secret scanning with push protection
- Set up branch protection on `main`
- Use `.gitignore` to exclude sensitive files
- Rotate secrets regularly (every 90 days)
- Use SSH keys (not passwords) for Git authentication
- Sign commits with GPG keys
- Review Dependabot PRs weekly
Best Practices
- Enable all security features — they're free for public repos
- Never commit secrets — use environment variables and GitHub Secrets
- Rotate credentials that may have been exposed
- Review dependency updates — don't blindly merge Dependabot PRs
- Use branch protection on all production branches
What's Next
- Advanced Git — Interactive Rebase — Clean up history before merging
- Hooks & Automation — Run scripts on Git events locally