GitHub Security

What is GitHub security?

GitHub is one of the most popular solutions for hosting software development and version control using Git. It is also commonly used for open-source projects. In January 2020, GitHub boasted more than 28 million open-source repositories on the platform and 190 million repositories in total. GitHub security has been a key concern for the platform for the past several years, so a set of security features has been integrated into the platform.

There are two categories of security features provided by GitHub: some are available for all repositories, and others are only available for public repositories or for companies that purchased an additional security product from GitHub.

That additional product, called GitHub Advanced Security, was introduced in late 2019. This GitHub security layer provides:

  • Code scanning searches for potential security vulnerabilities in your code.
  • Dependency review reports on any vulnerable versions of your dependencies.
  • Secret scanning detects secrets, for example keys and tokens, that are hardcoded in your repositories.

Several third-party tools are available for developers and security teams to improve their GitHub security.

  • For example, Checkmarx, Codacy, or CodeScan are all available on the GitHub marketplace as code scanning tools.
  • Snyk is a well-established commercial dependency scanning tool. There are also open-source alternatives such as OWASP Dependency-Check.
  • At GitGuardian, we have been scanning GitHub for secrets since 2018 - and we find thousands of leaked secrets every day! If you exceed our free tier and cannot buy an enterprise-grade secret scanning solution, there are open-source alternatives such as gitleaks and truffleHog.
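To make concrete what the secret scanning described above looks for, here is an added example (not GitGuardian's, GitHub's, gitleaks's or truffleHog's code): a minimal Python scanner that combines two well-known token formats (AWS access key IDs and GitHub classic personal access tokens) with a Shannon-entropy check on secret-looking assignments, run over a constructed sample file. `AKIAIOSFODNN7EXAMPLE` is the example key from AWS's own documentation; every other value is constructed.

```python
import math
import re

# Well-known, fixed-format credentials: AWS access key IDs start with "AKIA",
# GitHub classic personal access tokens with "ghp_".
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic check: a secret-looking variable name assigned a quoted literal
# of at least 16 characters. Only flagged when the literal looks random.
ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(password|passwd|secret|token|api_key|apikey)\w*\s*[:=]\s*['"]([^'"]{16,})['"]"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking strings score higher

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_line(line: str) -> list[str]:
    """Return the finding types detected on one line of source text."""
    findings = [name for name, pat in KNOWN_PATTERNS.items() if pat.search(line)]
    if not findings:  # fall back to the generic entropy check
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append("high_entropy_secret")
    return findings

def scan_source(text: str) -> list[tuple[int, str]]:
    """Scan a whole file's text and return (line number, finding) pairs."""
    return [(lineno, f)
            for lineno, line in enumerate(text.splitlines(), start=1)
            for f in scan_line(line)]

# Constructed sample file: a documented AWS example key, a fabricated PAT,
# a random-looking password, a low-entropy placeholder, and a safe env lookup.
SAMPLE = """\
# constructed sample source file, not real credentials
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
db_password = "x8Gq2ZpT9LmVr4KwN1bYcDfH"
admin_password = "changeme-changeme"
api_key = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for lineno, finding in scan_source(SAMPLE):
        print(f"line {lineno}: {finding}")
```

Lines 2 to 4 are reported; the placeholder on line 5 and the environment lookup on line 6 are not, which is the signal-versus-noise balance a real scanner tunes with many more patterns and an allowlist.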
Did you know? GitGuardian is now the #1 GitHub Security App on their marketplace!

While GitHub Advanced Security is the quickest way to implement minimum security standards, it comes at a high cost, and third-party vendors often go much more in-depth and are compatible with other version control systems such as GitLab and Bitbucket.
