Code security guides

Learn about the different ways that GitHub can help you improve your code's security.

Fix and disclose a security vulnerability
Using repository security advisories to privately fix a reported vulnerability and get a CVE.
Start learning path
1
Overview
关于安全漏洞的协调披露
漏洞披露是安全报告者与仓库维护者之间的协调工作。
2
Overview
关于 GitHub 公告数据库
GitHub Advisory Database 包含已知安全漏洞和恶意软件的列表，分为两类：经 GitHub 审核的公告和未经审核的公告。
3
Overview
关于全局安全公告
全局安全公告位于 GitHub Advisory Database，它是影响开源环境的 CVE 和 GitHub 发起的公告集合。你可以为改进全局安全公告做出贡献。
4
Overview
关于存储库安全公告
可以使用存储库安全公告来私下讨论、修复和发布有关存储库中安全漏洞的信息。
5
How-to guide
Best practices for writing repository security advisories
When you create or edit security advisories, the information you provide is easier for other users to understand when you specify the ecosystem, package name, and affected versions using the standard formats.
6
How-to guide
私下报告安全漏洞
某些公共存储库配置安全公告，以便任何人都可以直接并私下向维护人员报告安全漏洞。
7
How-to guide
管理私下报告的安全漏洞
存储库维护人员可以管理由存储库安全研究人员向其私下报告的安全漏洞，这些存储库已启用了非公开漏洞报告。
8
How-to guide
Configuring private vulnerability reporting for a repository
Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.
9
How-to guide
Configuring private vulnerability reporting for an organization
Organization owners and security managers can allow security researchers to report vulnerabilities securely in repositories within the organization by enabling private vulnerability reporting for all its public repositories.
10
How-to guide
创建存储库安全公告
您可以创建安全通告草稿，以私下讨论和修复开源项目中的安全漏洞。
11
How-to guide
Adding a collaborator to a repository security advisory
You can add other users or teams to collaborate on a security advisory with you.
12
How-to guide
在临时专用分支中协作以解决存储库安全漏洞
您可以创建临时私有复刻，以私下协作修复仓库中的安全漏洞。
13
How-to guide
Publishing a repository security advisory
You can publish a security advisory to alert your community about a security vulnerability in your project.
14
How-to guide
编辑存储库安全通告
如果需要更新详细信息或更正错误，可以编辑存储库安全公告的元数据和说明。
15
How-to guide
撤销存储库安全通告
你可以撤销已发布的存储库安全公告。
16
How-to guide
删除存储库安全公告中的协作者
协作者从存储库安全公告中删除后，将失去对安全公告的讨论和元数据的读取和写入权限。

Code security learning paths

Learning paths are a collection of guides that help you master a particular subject.

Get notifications for insecure dependencies

Set up Dependabot to alert you to new vulnerabilities or malware in your dependencies.

Start learning path

Get pull requests to update your vulnerable dependencies

Set up Dependabot to create pull requests when new vulnerabilities are reported.

Start learning path

Keep your dependencies up-to-date

Use Dependabot to check for new releases and create pull requests to update your dependencies.

Start learning path

Scan for secrets

Set up secret scanning to guard against accidental check-ins of tokens, passwords, and other secrets to your repository.

Start learning path

Run code scanning with GitHub Actions

Check your default branch and every pull request to keep vulnerabilities and errors out of your repository.

Start learning path

Run CodeQL code scanning in your CI

Set up CodeQL within your existing CI and upload results to GitHub code scanning.

Start learning path

Integrate with code scanning

Upload code analysis results from third-party systems to GitHub using SARIF.

Start learning path

End-to-end supply chain

How to think about securing your user accounts, your code, and your build process.

Start learning path

All Code security guides

Filter the guide list using these controls

75 guides found

Fix and disclose a security vulnerability

关于安全漏洞的协调披露

关于 GitHub 公告数据库

关于全局安全公告

关于存储库安全公告

Best practices for writing repository security advisories

私下报告安全漏洞

管理私下报告的安全漏洞

Configuring private vulnerability reporting for a repository

Configuring private vulnerability reporting for an organization

创建存储库安全公告

Adding a collaborator to a repository security advisory

在临时专用分支中协作以解决存储库安全漏洞

Publishing a repository security advisory

编辑存储库安全通告

撤销存储库安全通告

删除存储库安全公告中的协作者

关于 Dependabot 警报

管理存储库的安全和分析设置

查看和更新 Dependabot 警报

Configuring notifications for Dependabot alerts

关于 Dependabot 安全更新

配置 Dependabot 安全更新

Configuring notifications for Dependabot alerts

管理存储库的安全和分析设置

关于 Dependabot 版本更新

配置 Dependabot 版本更新

自定义依赖项更新

Configuration options for the dependabot.yml file

About secret scanning

为存储库配置机密扫描

管理来自机密扫描的警报

机密扫描模式

关于代码扫描

Configuring code scanning for a repository

Customizing code scanning

为编译的语言配置 CodeQL 工作流

关于 CI 系统中的 CodeQL 代码扫描

在 CI 系统中安装 CodeQL CLI

Configuring CodeQL CLI in your CI system

Migrating from the CodeQL runner to CodeQL CLI

关于与代码扫描的集成

将 SARIF 文件上传到 GitHub

对代码扫描的 SARIF 支持

Code Scanning

保护端到端供应链

确保帐户安全的最佳做法

Best practices for securing code in your supply chain

保护生成系统的最佳做法

Adding a security policy to your repository

GitHub 安全功能

保护你的组织

保护您的仓库

About secret scanning

为存储库配置机密扫描

为机密扫描定义自定义模式

管理来自机密扫描的警报

使用机密扫描保护推送