GitHub for Beginners: Getting started with GitHub security

Published: (March 30, 2026 at 12:00 PM EDT)
7 min read
Source: GitHub Blog

# GitHub for Beginners – Season 3

Welcome back! In this third season we’re shifting focus to **security** and the tools GitHub provides to keep your code safe.

## What we’ve covered so far

- **GitHub Issues & Projects** – [Watch the video](https://youtu.be/c67GaAkf1BE?si=gQm38vCKp0S8y66C)  
- **GitHub Actions** – [Watch the video](https://www.youtube.com/watch?v=BQrohJ3PT7I)

## What’s coming up

In this post you’ll learn how to **detect and fix vulnerabilities** in your repository using GitHub’s built‑in security features:

- **Secret scanning** – automatically finds exposed credentials.
- **Dependabot** – alerts you to vulnerable dependencies and can open pull requests to update them.
- **Code scanning** – runs static analysis on your code to spot security issues.
- **Copilot Autofix** – suggests quick fixes for identified problems.

By the end of the article you’ll be able to:

1. Enable and configure each of these tools in your repository.  
2. Interpret the alerts they generate.  
3. Apply the recommended fixes (or automate the process where possible).

Let’s dive in and make your code more secure! 🚀

## Why Security Matters

Vulnerabilities are weaknesses in your code—or in the libraries you depend on—that attackers can exploit. The moment you import a library, you inherit any risk it carries, even if you didn’t write the vulnerable code yourself. That’s why even small or brand‑new projects can have vulnerabilities: almost all software relies on third‑party packages.

GitHub makes finding and fixing these issues easier than ever with GitHub Advanced Security (GHAS), a suite of tools that helps you improve and maintain code quality. On public repositories you get access to:

- **Dependabot** – automatically opens pull requests to update vulnerable dependencies.
- **Code scanning** – runs static analysis to surface security flaws in your code.
- **Secret scanning** – detects exposed credentials and other secrets.
- **Copilot Autofix** – suggests fixes for identified issues.

Want to learn more? Check out the GitHub Advanced Security documentation.

Below we’ll walk through enabling and using some of these features.

## Enabling Security Features

The first step is to make sure that GitHub Advanced Security (GHAS) is turned on.

1. **Open the repository settings**
   1. Navigate to your repository.
   2. Click the Settings tab at the top of the page.

2. **Enable Advanced Security**
   - In the left‑hand sidebar, under Security, select Advanced Security.

3. **Configure Dependabot**
   - Under Dependabot, toggle on:
     - Dependabot alerts
     - Dependabot security updates

4. **Set up Code Scanning (CodeQL)**
   1. Scroll down to the Code scanning section.
   2. For CodeQL analysis, click Set up and choose Default.
   3. In the dialog that appears, click Enable CodeQL (no additional settings needed).

5. **Enable Secret Protection**
   - Scroll to Secret Protection and toggle it on.

   Note: These tools are available to public repositories by default. For private repositories you’ll need a GHAS license.

6. **View the Security Dashboard**
   - Click the Security tab at the top of the repository page to open the security home page.
   - Here you can view alerts for:
     - Exposed secrets
     - Vulnerable dependencies
     - Risky code paths
Now you can explore each tool in greater detail. For a visual walkthrough, check out the video version of this blog available online.

## Using Secret Scanning

GitHub can help you protect sensitive information with secret scanning. If you accidentally commit an API key or token, secret scanning will flag it in the Security tab under Secret scanning. When you see an alert, click the alert title to view the detected secret and its location.

### Revoking an Exposed Secret

One way to address an exposed secret is to revoke it. Revoking disables the old key so it can no longer be used. Typically you generate a new key on the platform where the secret originated (e.g., Azure, Stripe).

Note: GitHub cannot revoke the secret automatically; you must do it manually. Secret scanning provides early warning to prevent exploitation.

### Closing the Secret‑Scanning Alert

After revoking the secret, close the alert:

1. Click Close as in the top‑right corner of the alert window.
2. Choose Revoked from the dropdown menu.
3. Press the green Close alert button at the bottom.

## What is Dependabot?

Dependabot scans your project’s dependencies and helps you keep them up to date. When you add a library to your project you also inherit its vulnerabilities. Dependabot alerts you when a known vulnerability exists in any of the libraries your project depends on.

### How to use Dependabot alerts

1. **Open the Security tab**
   In your repository, click the Security tab.

2. **View an alert**
   Click on a Dependabot alert. You’ll be taken to a pull request that proposes an update.

3. **Inspect the advisory**
   In the pull request, scroll down and click See advisory in GitHub Advisory Database to read the specific security advisory that triggered the alert.

4. **Review the update**
   At the top of the pull request, click the green Review security update button. Examine the suggested version bump and any related changes.

5. **Merge when ready**
   If everything looks good, merge the pull request to apply the fix.

### Why Dependabot matters

- **Automation** – Turns GitHub security advisories into ready‑to‑merge pull requests.
- **Visibility** – Shows the exact advisory behind each alert.
- **Safety** – Encourages you to review changes before they’re merged, reducing the risk of introducing breaking changes.

By using Dependabot, you no longer need to manually track common vulnerabilities and exposures; GitHub does the heavy lifting for you.
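
Dependabot alerts and security updates are switched on from the settings page as shown earlier and need no file. A `.github/dependabot.yml` file is how you control *how* Dependabot opens its pull requests and add routine version updates on top of the security ones. The file below is an added example for this post, not configuration from the post or from any GitHub project; the `npm` ecosystem, the weekly schedule and the label name are assumptions.

```yaml
# .github/dependabot.yml  (added example; assumes a Node.js project with package.json at the repo root)
version: 2
updates:
  - package-ecosystem: "npm"      # assumption: change to pip, maven, gomod, etc. for other stacks
    directory: "/"                # location of the manifest relative to the repository root
    schedule:
      interval: "weekly"          # routine version-update PRs once a week
      day: "monday"
    open-pull-requests-limit: 10  # cap on concurrent version-update PRs (security updates are not capped by this)
    labels:
      - "dependencies"            # assumption: a label your team uses to triage these PRs
    groups:
      # Bundle every security fix into a single PR so one review covers the whole batch
      security-fixes:
        applies-to: security-updates
        patterns:
          - "*"
```

Commit this file to the default branch and Dependabot picks it up on its next run; the PRs it opens show up in the Security tab exactly as in the steps above, and each still links to the advisory that triggered it so the review step does not change.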

## Responding to CodeQL alerts

CodeQL is the engine that scans your code and produces code‑scanning alerts (found under the Security tab). It isn’t a linter; it understands data flow, showing where input starts and where it ends up.

When you select a code‑scanning alert, GitHub explains the issue and, when possible, provides:

- A recommendation for a fix
- Example code illustrating the problem and a possible solution

### Fixing an alert with Copilot Autofix

1. Click Generate fix at the top of the alert.
2. Copilot suggests a patch – review it and verify it meets your needs.
3. Click the green Commit to new branch button at the bottom.
4. In the pop‑up window, select Open a pull request, then click Commit change.
5. Treat the generated PR like any other: review, approve, and merge.

Note: Copilot accelerates security fixes, but you remain in full control of the changes.

## What’s next?

Congratulations! You now know how to use GitHub Advanced Security to detect and fix vulnerabilities. Public repositories get these GHAS tools for free, so you can keep projects safe from day one.

- Test your skills with GitHub Skills or the vulnerable-node repository.
- Explore more documentation:
  - Secret scanning
  - Dependabot alerts
  - Code scanning alerts

Happy coding!


Written by

Kedasha Kerr

Kedasha Kerr – Developer Advocate at GitHub. She enjoys sharing lessons with the wider developer community, helping others learn about the tech industry, and sharing her experience as a software developer. Find her online @itsthatladydev.
