
Let's face it—security tools often aren't built with developers in mind. They're usually cumbersome, disruptive, and can flood you with false positives. At GitHub, we're changing that. Our tools integrate smoothly into your workflow, helping keep security manageable and your code secure.
In this edition of The GitHub Insider, we'll look at three ways GitHub is making security easier for you and give the basics on how to get started.
🔐 Secret Protection: Catch leaks early
Ever accidentally left an API key in your code? You're not alone. In 2024 alone, GitHub users detected over 39 million leaked secrets. With GitHub Secret Protection (formerly known as secret scanning), issues are flagged immediately upon pushing code, letting you fix them while your code is fresh. No jumping between apps—fix alerts quickly and easily bypass false positives.
Enable secret scanning alerts for users
Secret scanning alerts for users are enabled when you enable Secret Protection for your repository.
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Settings. If you cannot see the Settings tab, select the dropdown menu, then click Settings.
- In the "Security" section of the sidebar, click Advanced Security.
- To the right of "Secret Protection", click Enable.
- Review the impact of enabling Secret Protection, then click Enable Secret Protection.
➡️ Get started with Secret Protection
📦 Dependabot: Secure your dependencies
Committed code with open source dependencies? Dependabot automatically spots vulnerabilities—even in your dependencies’ dependencies—and creates pull requests for quick fixes. It now includes EPSS scores, highlighting vulnerabilities most likely to be exploited—keeping your backlog manageable.
Enable or disable Dependabot alerts for existing repositories
- In the upper-right corner of any page on GitHub, click your profile photo, then click Settings.
- In the "Security" section of the sidebar, click Code security.
- Under "Advanced Security", to the right of Dependabot alerts, click Disable all or Enable all.
- Optionally, you can enable Dependabot alerts by default for new repositories you create by selecting Enable by default for new repositories.
- Click Disable Dependabot alerts or Enable Dependabot alerts to take these actions for all the repositories you own.
When you enable Dependabot alerts for existing repositories, you’ll see any results displayed on GitHub within minutes.
Enable or disable Dependabot alerts for new repositories
- In the upper-right corner of any page on GitHub, click your profile photo, then click Settings.
- In the "Security" section of the sidebar, click Code security.
- Under "Advanced Security", to the right of Dependabot alerts, select Automatically enable for new repositories.
🛡️ Code security: Automate your scans and fixes
When you open a pull request, GitHub Actions and GitHub Code Security (formerly known as code scanning) automatically run static analysis. CodeQL queries your code for vulnerabilities and suggests solutions for 90% of alert types in JavaScript, TypeScript, Java, and Python through Copilot Autofix. Got an SQL injection vulnerability? Autofix quickly creates a pull request with the fix, speeding up remediation by 60%.
Configure default setup for a repository
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Settings. If you cannot see the Settings tab, select the dropdown menu, then click Settings.
- In the "Security" section of the sidebar, click Advanced Security.
- To the right of "Code Security", click Enable.
- Under "Code Security", to the right of "CodeQL analysis", select Set up, then click Default. You will then see a CodeQL default configuration dialog summarizing the code scanning configuration automatically created by default setup.
- Review the settings for default setup on your repository, then click Enable CodeQL. This will trigger a workflow that tests the new, automatically generated configuration.
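The three click-through procedures above (Secret Protection, Dependabot alerts, CodeQL default setup) map onto GitHub's documented REST API, which is what you would use to roll them out across many repositories instead of one at a time. The following is an added example, not code from the newsletter or from GitHub: it decides which enable calls a repository still needs from its current status and only sends those. The endpoints are GitHub's public REST API; the owner/repo name, the token and the constructed sample record are placeholders.

```python
"""Added example: enable Secret Protection, Dependabot alerts and CodeQL
default setup over the GitHub REST API, skipping what is already turned on.
Endpoints are GitHub's documented REST API; names and token are placeholders."""
import json
import os
import urllib.request

API = "https://api.github.com"
HEADERS = {"Accept": "application/vnd.github+json",
           "X-GitHub-Api-Version": "2022-11-28"}


def needed_calls(repo_json: dict, dependabot_on: bool, codeql_state: str) -> list:
    """Return only the enable calls this repository still needs.

    repo_json     : body of GET /repos/{owner}/{repo}
    dependabot_on : True if GET .../vulnerability-alerts returned 204
    codeql_state  : "state" from GET .../code-scanning/default-setup
    """
    base = f"{API}/repos/{repo_json['full_name']}"
    sa = repo_json.get("security_and_analysis") or {}
    calls = []
    # Secret Protection = secret scanning plus push protection; patch only the missing ones.
    want = {k: {"status": "enabled"}
            for k in ("secret_scanning", "secret_scanning_push_protection")
            if (sa.get(k) or {}).get("status") != "enabled"}
    if want:
        calls.append({"method": "PATCH", "url": base,
                      "body": {"security_and_analysis": want}})
    if not dependabot_on:  # the "Enable Dependabot alerts" button, per repository
        calls.append({"method": "PUT", "url": f"{base}/vulnerability-alerts", "body": None})
    if codeql_state != "configured":  # the "Enable CodeQL" default-setup step
        calls.append({"method": "PATCH", "url": f"{base}/code-scanning/default-setup",
                      "body": {"state": "configured", "query_suite": "default"}})
    return calls


def send(call: dict, token: str) -> int:
    """Execute one planned call with a fine-grained or classic token; returns the HTTP status."""
    data = None if call["body"] is None else json.dumps(call["body"]).encode()
    req = urllib.request.Request(call["url"], data=data, method=call["method"],
                                 headers={**HEADERS, "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run on a constructed repository record: nothing is sent to GitHub.
    sample = {"full_name": "example-org/example-repo",
              "security_and_analysis": {"secret_scanning": {"status": "enabled"},
                                        "secret_scanning_push_protection": {"status": "disabled"}}}
    for c in needed_calls(sample, dependabot_on=False, codeql_state="not-configured"):
        print(c["method"], c["url"], json.dumps(c["body"]))
```

To apply for real, fetch each repository's status with the GET endpoints named in the docstring and pass every planned call to `send()` with a token that has repository administration permission.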
🚀 Security made seamless
GitHub’s security tools work quietly in the background, only popping up when truly necessary. Addressing vulnerabilities early saves you significant time and effort, letting you focus more on building and less on security firefighting.
Happy secure coding!
✨ This newsletter was written by Mike Melanson and produced by Gwen Davis. ✨