GIT Going with GitHub

Appendix Episode 29 12-15 min

GitHub Security Features

Dependabot, secret scanning, code scanning, and private security advisories.

Workshop docs

security features

Listen

Download MP3 Subscribe via RSS

Transcript

Alex: Welcome back. Today we're looking at GitHub security features, and this one is bigger than a settings tour. In open source, your project is connected to packages, workflows, tokens, build tools, and other people's code. A weak link in that chain can affect everyone who installs or contributes to the project.

Jamie: So security is not only the maintainer's problem. If I open a pull request, review an alert, or notice something strange, I'm part of the safety system too.

Alex: Exactly. GitHub gives repositories a set of tools for that work: Dependabot for vulnerable dependencies, secret scanning for leaked credentials, code scanning for risky patterns in the code, and private reporting for vulnerabilities that should not be posted in public.

Jamie: I like that framing. We are not trying to become security experts overnight. We are learning what the signals mean and how to respond without making things worse.

Alex: Most of these signals live behind the repository's Security and quality tab. What you see there depends on your access. A public visitor may see the security policy and, if the maintainer enabled it, a private vulnerability reporting form.

Jamie: And if I have write or admin access, I may see more: Dependabot alerts, secret scanning alerts, code scanning alerts, security advisories, and security settings.

Alex: Right. On a repository page, move to the secondary navigation and open the Security link. GitHub also supports the keyboard shortcut G then S, as long as GitHub keyboard shortcuts are available in your current mode.

Jamie: Inside that tab, the alerts are separated by type, right? Dependabot, secret scanning, and code scanning each have their own area, so I should not assume one empty page means everything is clear.

Alex: Yes. Also, severity labels use words like Critical, High, Medium, and Low, not just color. If there are no open alerts, GitHub may show a green shield or a no alerts message, which is a good confirmation to look for.

Alex: Dependabot is GitHub's automated system for watching dependencies. A dependency is a package your project relies on, like an npm package, a Python package, or a GitHub Action. If a known vulnerability is found in one of those packages, GitHub can create a Dependabot alert.

Jamie: Known vulnerability means something like a CVE?

Alex: Yes. CVE stands for Common Vulnerabilities and Exposures, which is a public identifier for a reported security flaw. Dependabot alerts usually tell you the package name, the package ecosystem, the vulnerable version range, the fixed version, the advisory ID, a description, and the severity.

Jamie: And the severity is not just vibes. Critical is roughly a CVSS score from 9.0 to 10.0, High is 7.0 to 8.9, Medium is 4.0 to 6.9, and Low is 0.1 to 3.9.

Alex: Exactly. When you see an alert, read the advisory first. Then check whether the project actually uses the affected code path. Most of the time, the practical fix is to update the dependency to the fixed version.

Jamie: And sometimes Dependabot has already done that work by opening a pull request.

Alex: Yes. Dependabot security updates can automatically open a PR with a title like, bump lodash from 4.17.20 to 4.17.21. The author is dependabot[bot], and the description usually links release notes, changelogs, and commits. Reviewing those PRs, running tests, and merging them when they pass can be a strong contribution.

Jamie: There is also the non-emergency version of this, where Dependabot keeps packages current even when there is no known security issue.

Alex: That is Dependabot version updates. Teams configure it in .github/dependabot.yml. A common setup says version 2, updates for the npm ecosystem in the root directory, run weekly, and keep the number of open Dependabot PRs limited, maybe five at a time.

Jamie: Secrets are the feature that makes people nervous. What counts as a secret here?

Alex: A secret is a credential that grants access, like a token, API key, password, private key, or cloud credential. Secret scanning looks for those patterns in code and commit history. The goal is to catch accidental leaks before someone can use them.

Jamie: And push protection can stop the problem before it reaches the repository, right?

Alex: Right. If you run git push and GitHub detects a known secret pattern, the push can be blocked. The terminal message may include GH013, the commit, the file, the line number, and the secret type, such as a GitHub personal access token.

Jamie: What should I do in that moment? Because my first instinct might be, just delete the line and push again.

Alex: Delete the secret from the file, yes, but also revoke and rotate the credential. Revoke means disable the old secret. Rotate means create a new one and update the service that needs it. GitHub may automatically revoke certain GitHub tokens, but you still need to verify the damage is contained.

Jamie: And if it is a false positive?

Alex: Investigate first. Some systems allow a bypass with a written reason, but bypassing should be rare and deliberate. The safer pattern is to store secrets outside the code, usually in environment variables, so your code reads something like process.env.GITHUB_TOKEN instead of hardcoding a token string.

Jamie: For existing public repositories, secret scanning alerts can also appear after the fact. If an alert says a credential has been sitting in history, treat it as urgent, because it may already be exposed.

Alex: Code scanning is different from Dependabot. Dependabot looks at packages. Code scanning looks at your code. GitHub's built-in engine is CodeQL, which uses static analysis, meaning it examines code without needing to run the app.

Jamie: So it can find patterns like SQL injection or cross-site scripting before a user ever hits that path in production.

Alex: Exactly. It may also flag unsafe data flow, insecure configuration, or places where untrusted input reaches a sensitive operation. A code scanning alert usually includes the rule name, severity, file, line, explanation, and sometimes a path showing how data moves through the program.

Jamie: Where do I find those alerts?

Alex: Open the Security and quality tab, then Code scanning. You can move through the alert list, open one alert, read the affected file and line, and check the recommendation. It is worth reading the full alert before changing code, because the fix is often about the flow of data, not just one line.

Jamie: How does a repository turn CodeQL on?

Alex: Usually through GitHub Actions. In the repository, you add a workflow file under .github/workflows, often a CodeQL workflow that chooses the language, initializes CodeQL, builds if needed, and runs analysis. It can run on pushes, pull requests, and a schedule, so new code gets checked continuously.

Jamie: What if I find something serious that is not already an alert? Like a vulnerability that could expose user data.

Alex: Do not open a public issue with exploit details. If the repository has private vulnerability reporting enabled, go to the Security and quality tab and choose the reporting option. The form lets you privately describe the vulnerability, affected versions or files, reproduction steps, and impact.

Jamie: That gives maintainers a chance to fix it before the whole internet gets a recipe for abuse.

Alex: Yes. Maintainers can triage the report, discuss it privately, prepare a fix, create a security advisory, and publish details when the patch is ready. They may also credit the reporter or request a CVE, depending on the project and severity.

Jamie: And if nobody responds?

Alex: Check the repository's security policy for response expectations. Many projects describe how long to wait and what contact path to use. If there is still no response, follow responsible disclosure norms: avoid posting exploit steps publicly, keep records of your contact attempts, and choose the least harmful way to escalate.

Alex: A SECURITY.md file is the repository's written security policy. It usually explains supported versions, what is in scope, how to report a vulnerability, what information to include, and what response timeline to expect.

Jamie: Where would I find it?

Alex: The Security and quality tab often links to it if it exists. You may also find it at the repository root, inside .github, or in a default community health file for the organization. If you are unsure whether to post publicly or report privately, SECURITY.md is the first document to check.

Jamie: The appendix also mentions SBOMs. That acronym shows up a lot in software supply chain conversations.

Alex: SBOM stands for Software Bill of Materials. It is an inventory of the components and dependencies in a project. In GitHub, when dependency graph data is available, repository maintainers can export an SBOM, often from the dependency graph area, such as Insights, Dependency graph, then Export SBOM.

Jamie: So if a new vulnerability appears in a library, an SBOM helps a team answer, are we using that thing anywhere?

Alex: Exactly. It is not a fix by itself, but it gives teams a clearer map of what the project is built from.

Jamie: Let's slow down on navigation, because security pages can be dense.

Alex: From any repository page, you can Tab to the secondary navigation and open Security, or use G then S if GitHub shortcuts are active for you. Once inside, use headings, links, and tables to move by alert type. In many screen readers, T can help reach tables, and arrow keys can read rows and columns.

Jamie: For Dependabot alerts, I would listen for package name, severity, vulnerable version, fixed version, and advisory link.

Alex: Yes. For code scanning alerts, listen for rule name, severity, file, line, and any data-flow explanation. For the private vulnerability reporting form, move field by field and include impact, reproduction steps, affected area, and any safe supporting details.

Jamie: Low vision learners may need a slightly different tactic.

Alex: Increase browser zoom or terminal font size when reading alert tables and push protection errors. Severity badges include text, so you do not have to rely on color alone. In an editor, syntax highlighting can make environment variable names and accidental hardcoded strings easier to spot.

Alex: Security also connects to the Accessibility Agents work in this course. The Accessibility Agents collection is a living catalog, so the useful move is to inspect the current repository state, not memorize a fixed number of agents.

Jamie: And for Challenge 15, learners browse that catalog first. They are not required to fork the accessibility-agents repository just to complete discovery.

Alex: Right. A security-focused agent or checklist could summarize a repository's current posture: Dependabot alerts open, secret scanning status, code scanning status, open Dependabot PRs, and a recommendation like, review the high-severity dependency update before adding new features.

Jamie: For community-access/accessibility-agents, that means a dashboard should be treated as a current snapshot, not a permanent truth.

Alex: Exactly. A sample output might say, Dependabot alerts: check the Security and quality tab. Secret scanning: verify whether alerts are enabled and whether any are open. Code scanning: review CodeQL results if configured. Dependabot PRs open: review, test, and merge safe updates. Recommendation: keep security maintenance visible alongside accessibility improvements.

Jamie: That also fits the Capstone Project. Challenge 16 can be a contribution to Accessibility Agents, GLOW, or another meaningful repository, and a review-ready draft or contribution plan can be valid evidence when the work is thoughtful and actionable.

Alex: One last habit: use GitHub's code security documentation as the source of record when you need exact behavior. These features change, and repository settings vary by visibility, plan, and maintainer choices.

Jamie: So the workflow is: open the Security and quality tab, identify the alert type, read the details, act carefully, and document what you did.

Alex: Yes. Security work rewards patience. Read before clicking, revoke secrets instead of just deleting them, test dependency updates, keep vulnerability reports private when needed, and use SECURITY.md to respect the project's process.

Jamie: That makes security feel less mysterious. It is still serious, but it becomes a set of careful contribution habits.

Workshop Content

Full chapter content from the Git Going with GitHub workshop guide.

Companion Podcast and Transcript

Use audio and transcript companions to review concepts in a conversational format.

GitHub Security Features

Companion audio: this episode reinforces key ideas and may not be a word-for-word reading of this page.

Open audio file (external) Full transcript source (external)

Transcript preview

Alex: Welcome back. Today we're looking at GitHub security features, and this one is bigger than a settings tour. In open source, your project is connected to packages, workflows, tokens, build tools, and other people's code. A weak link in that chain can affect everyone who installs or contributes to the project.

Jamie: So security is not only the maintainer's problem. If I open a pull request, review an alert, or notice something strange, I'm part of the safety system too.

Alex: Exactly. GitHub gives repositories a set of tools for that work: Dependabot for vulnerable dependencies, secret scanning for leaked credentials, code scanning for risky patterns in the code, and private reporting for vulnerabilities that should not be posted in public.

Jamie: I like that framing. We are not trying to become security experts overnight. We are learning what the signals mean and how to respond without making things worse.

Appendix P: GitHub Security Features

Listen to Episode 29: GitHub Security Features - a conversational audio overview of this chapter. Listen before reading to preview the concepts, or after to reinforce what you learned.

Reference companion to: Chapter 08: Open Source Culture | Also relevant: Chapter 17

Authoritative source: GitHub Docs: Code security

Dependabot, Secret Scanning, Code Scanning, and Private Advisories

Who this is for: Anyone contributing to open source repositories needs to understand how GitHub protects code and what security alerts mean. This appendix explains the GitHub Security and quality tab, how to interpret and respond to alerts, and how to responsibly report vulnerabilities - including in community-access/accessibility-agents.

Quick Navigation

  1. The Security and quality tab - What It Contains
  2. Dependabot - Automated Dependency Updates
  3. Secret Scanning - Preventing Credential Leaks
  4. Code Scanning and CodeQL
  5. Private Vulnerability Reporting
  6. The SECURITY.md File
  7. Software Bill of Materials (SBOM)
  8. Screen Reader Navigation of the Security and quality tab
  9. Security and Accessibility Agents

1. The Security and quality tab - What It Contains

Every GitHub repository has a Security and quality tab in its navigation bar. What you see there depends on whether you are a contributor with elevated access or a public viewer.

Public viewers see

  • Security policy (if the repo has a SECURITY.md)
  • The private vulnerability reporting form (if enabled by the maintainer)

Contributors with write or admin access see

  • Dependabot alerts
  • Secret scanning alerts
  • Code scanning alerts
  • Security advisories
  • The ability to manage security settings

Screen Reader Path to the Security and quality tab

On any repository page:
Tab navigation → secondary nav region → "Security" link → Enter
Or: G then S (GitHub keyboard shortcut - enable Focus Mode first)

Learning Cards: The Security and quality tab

Screen reader users
  • Use G then S (GitHub keyboard shortcut) to jump directly to the Security and quality tab from any repo page — much faster than Tab-navigating the full nav bar
  • The Security and quality tab content varies by your access level — public viewers see only the security policy and vulnerability reporting form; contributors with write access see alerts
  • Dependabot alerts, secret scanning alerts, and code scanning alerts are each a separate link inside the Security and quality tab — use K to navigate between them
Low vision users
  • The Security and quality tab link sits in the repository's top navigation bar alongside Code, Issues, PRs, and Actions — zoom in if the tab labels are small
  • Alert severity badges (Critical, High, Medium, Low) use colored labels — each badge also includes the severity word, so color is not the only indicator
  • If the Security and quality tab shows "No alerts," that is good news — look for the green shield icon next to the tab name as confirmation
Sighted users
  • Find the Security and quality tab in the repository navigation bar — it shows a shield icon and may display a count badge if alerts exist
  • Inside the Security and quality tab, the left sidebar lists Dependabot, Secret scanning, and Code scanning as separate pages — click each to see its alert list
  • A green shield on the repo home page (or no security count badge) means zero open security alerts

2. Dependabot - Automated Dependency Updates

Dependabot is GitHub's automated dependency monitoring and update system. It does two things:

Dependabot Alerts

When a known security vulnerability (CVE - Common Vulnerability and Exposure) is discovered in a package your project depends on, GitHub creates a Dependabot alert.

Alert severity levels

Level CVSS Score Range What it means
Critical 9.0-10.0 Exploit likely, wide impact - fix immediately
High 7.0-8.9 Significant risk - fix this sprint
Medium 4.0-6.9 Some risk with specific conditions - schedule fix
Low 0.1-3.9 Low likelihood of exploitation - fix when convenient

What a dependency alert looks like

Alert: Dependabot alert #5
Severity: High
Package: lodash (npm)
Vulnerable version: < 4.17.21
Fixed version: 4.17.21
Advisory: GHSA-35jh-r3h4-6jhm
Description: Prototype pollution vulnerability allows an attacker to
modify Object.prototype leading to denial of service or remote code execution.

What to do as a contributor when you see an alert

  1. Read the advisory to understand the vulnerability scope
  2. Check whether the project actually uses the vulnerable code path
  3. The fix is almost always: update the dependency to the fixed version
  4. Dependabot Security Updates may have already opened a PR - check the PRs tab

Dependabot Security Updates

If enabled, Dependabot automatically opens a PR to update the vulnerable dependency. The PR will look like:

Title: Bump lodash from 4.17.20 to 4.17.21
Author: dependabot[bot]
Description: Bumps lodash from 4.17.20 to 4.17.21.
  - Release notes
  - Changelog
  - Commits (linked)

As a contributor with access, reviewing and merging these Dependabot PRs is a high-value, low-risk way to contribute.

Dependabot Version Updates

Beyond security fixes, Dependabot can be configured to open PRs keeping all dependencies at their latest versions (not just security fixes). This is configured in .github/dependabot.yml.

Example dependabot.yml

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

3. Secret Scanning - Preventing Credential Leaks

Secret scanning detects if you accidentally commit tokens, API keys, passwords, or other credentials to a repository.

Push Protection (Real-Time Prevention)

Push Protection intercepts a git push before it reaches GitHub and blocks it if it detects a known secret pattern.

If your push is blocked:

remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: Push cannot contain secrets
remote:
remote: - commit: abc123 in file: config.js
remote:   secret: GitHub Personal Access Token
remote:   location: line 5

What to do

  1. Remove the secret from the file immediately
  2. Rotate the exposed credential (GitHub will automatically revoke detected GitHub tokens)
  3. If it was a false positive, you can bypass with justification - but investigate first

Best practice: Use environment variables for secrets, never hardcode them. Example:

// BAD - never do this
const token = "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

// GOOD
const token = process.env.GITHUB_TOKEN;

Secret Scanning Alerts

For public repositories, GitHub scans all existing commits and creates alerts for any detected secrets. These appear in Security → Secret scanning.

Priority action: If you find a secret scanning alert in a project you contribute to - especially a token or API key - treat it as urgent. The credential may have been exposed for a long time.

Learning Cards: Secret Scanning

Screen reader users
  • If your git push is blocked with "GH013: Repository rule violations found," the terminal output lists the exact file, line number, and secret type — read the error lines carefully
  • After removing the secret from your code, use environment variables instead (process.env.GITHUB_TOKEN) — your screen reader will confirm the variable name in the code
  • Secret scanning alerts appear under Security and quality tab, Secret scanning — navigate with T to reach the alert table, then arrow keys to read each row
Low vision users
  • Push Protection error messages appear in your terminal with red text — increase terminal font size to read the file path, line number, and secret type clearly
  • The secret scanning alert list in the Security and quality tab uses a table layout — zoom in to read the Secret type and Location columns
  • Environment variable names in code (like process.env.GITHUB_TOKEN) are easier to spot when syntax highlighting is enabled in your editor theme
Sighted users
  • Push Protection errors show a red banner in your terminal with the exact commit, file, and line containing the secret — look for the "secret:" label
  • In the Security and quality tab, secret scanning alerts are listed with a yellow or red severity icon — click any alert to see the exposed credential's location and revocation status
  • The code examples in this section show the BAD vs. GOOD pattern — never hardcode tokens; always use environment variables as shown

4. Code Scanning and CodeQL

Code scanning uses static analysis to find security vulnerabilities in the code itself (not dependencies). GitHub's built-in tool is CodeQL, which understands the code's logic and can detect:

  • SQL injection risks
  • Cross-site scripting (XSS) vulnerabilities
  • Path traversal issues
  • Insecure cryptography usage
  • Authentication bypasses
  • Command injection risks

Reading a Code Scanning Alert

Alert: Uncontrolled format string
Rule: py/tainted-format-string
Severity: High
File: src/utils/logger.py
Line: 47

Details:
  logging.info(user_input)  ← user_input flows unsanitized into format string

  Flow:
  1. User input enters at: request.args.get('message') [line 12]
  2. Passed to: logger.info(message) [line 47]
  3. Risk: format string injection if message contains %s, %d patterns

As a contributor: Code scanning alerts are excellent, well-scoped contribution opportunities. Each alert shows you the exact file, line, and the data flow causing the issue. Fixing it is often a one-line change.

Where to Find Code Scanning Alerts

Security and quality tab → Code scanning → filter by severity, rule, or file.

5. Private Vulnerability Reporting

When you discover a security vulnerability in a project, never report it as a public issue. A public issue immediately broadcasts the vulnerability to anyone who could exploit it.

GitHub provides Private Vulnerability Reporting - a disclosure form that sends your report only to the repository's security team, not to the public.

How to Submit a Private Report

  1. Navigate to the repository's Security and quality tab
  2. Select "Report a vulnerability" (this button only appears if the maintainer has enabled private reporting)
  3. Fill in the form:
    • Title: Short description of the vulnerability
    • Description: Detailed explanation, how to reproduce it, and impact
    • Severity: Your assessment
    • Affected versions: Which versions are vulnerable
    • CVSS score: Optional - the Common Vulnerability Scoring System rating
  4. Submit - only the maintainers see your report

The Responsible Disclosure Process

After you submit:

  1. Maintainers acknowledge your report (typically within 1-7 days for active projects)
  2. They may ask follow-up questions in the private advisory thread
  3. They develop and test a fix
  4. They request a CVE (Common Vulnerability and Exposure) number from GitHub
  5. They publish a new release with the fix
  6. They publish a public security advisory - you may be credited as the reporter
  7. The CVE is published publicly (usually 90 days after report or after the fix is released)

What If the Maintainer Doesn't Respond?

If a maintainer doesn't respond within a reasonable time (30-90 days is the standard window):

  1. Send a follow-up in the private advisory thread
  2. Contact GitHub directly if the issue is critical (GitHub can assist with coordinated disclosure)
  3. Follow the project's SECURITY.md for their stated disclosure policy

6. The SECURITY.md File

A SECURITY.md file at the repository root defines the project's security policy. It typically contains:

  • Supported versions: Which versions receive security patches
  • Reporting instructions: How to report a vulnerability (email, private advisory form, etc.)
  • Response timeline: How quickly maintainers aim to respond
  • Disclosure policy: When the project will publish a fix publicly

accessibility-agents's security policy: community-access/accessibility-agents has a SECURITY.md that points to GitHub's private advisory form. If you find a security issue in accessibility-agents - even a potential one - use the private advisory form rather than opening a public issue.

From the repository:

  1. Security and quality tab → Policies section → "Security policy" link
  2. Or directly: https://github.com/owner/repo/security/policy

Screen reader path:

Security and quality tab → H → "Policy" heading → Link: "Security policy" → Enter

7. Software Bill of Materials (SBOM)

An SBOM is a machine-readable inventory of every component (libraries, packages, dependencies) in a software project. It is increasingly required by enterprise and government organizations for supply chain security compliance.

Exporting an SBOM from GitHub

  1. Navigate to the repository's Insights tab
  2. Select "Dependency graph"
  3. Select "Export SBOM" button (top right of the Dependency graph page)
  4. GitHub generates a SPDX-format JSON file listing all dependencies with their versions and licenses

This export is useful when:

  • Your organization requires SBOM documentation before adopting an open source dependency
  • You're auditing a project's complete dependency chain
  • You want to identify license compatibility for a commercial product

8. Screen Reader Navigation of the Security and quality tab

Reaching the Security and quality tab

From any repo page:
Secondary navigation landmark → Tab through: Code, Issues, PRs, Actions, Projects, Wiki, Security
Or: Focus Mode → G then S (GitHub shortcut)
Security and quality tab → select "Dependabot alerts" link
Alert list is a table: T (NVDA/JAWS Browse Mode) → navigate rows
Each row: Tab to expand → Enter to open full alert details
Inside an alert:
  H → navigate: Alert title, Package details, Description, References headings
  2 → jump between major sections
  Links → navigate to the GHSA advisory, the vulnerable package, the Dependabot PR
Security and quality tab → select "Code scanning" link
Alert list: T to find the table → ↑/↓ to navigate rows
Open an alert: Enter
Inside the alert:
  H → Alert title, Description, Code flow, Steps headings
  Links → navigate to the specific file and line
  The code flow section shows the path from source to sink:
  Navigate with ↓ through the flow steps

The Private Vulnerability Reporting Form

Security and quality tab → "Report a vulnerability" button → Enter
Form fields: F or E → cycle through: Title, Description, Severity (select), Versions, CVSS
Describe field: NVDA+Space → Focus Mode → type → NVDA+Space to leave
Submit: Tab → "Submit report" button → Enter

9. Security and Accessibility Agents

Accessibility Agents' /security-dashboard slash command gives you a quick security overview without visiting the Security and quality tab in the browser:

/security-dashboard

Sample output

## Security Dashboard - community-access/accessibility-agents

### Dependabot Alerts
- 0 Critical
- 1 High: actions/cache < 3.3.2 (fixed: 3.3.3)
- 2 Medium: misc dependency updates available

### Secret Scanning
- No active alerts

### Code Scanning
- Last scan: 2 days ago - 0 new alerts

### Dependabot PRs Open
- #47: Bump actions/cache from 3.3.1 to 3.3.3
  "Review and merge to resolve the High severity alert"

### Recommendation
Action needed: Review PR #47 (5 minutes - single file change)

Next: Appendix Q: GitHub Actions
Back: Appendix O: Branch Protection
Teaching chapter: Chapter 08: Open Source Culture

Authoritative Sources

Use these official references when you need the current source of truth for facts in this chapter.

Section-Level Source Map

Use this map to verify facts for each major section in this file.