github-security
Safeguard articles tagged "github-security" — guides, analysis, and best practices for software supply chain and application security.
13 articles
How Attackers Clone GitHub Repos to Ship Malware
One threat actor ran 3,000+ fake GitHub accounts and 2,200+ cloned repos to infect over 1,300 victims in four days. Here's how to spot the fakes.
The complete workflow for finding and remediating hardcoded secrets in GitHub
GitGuardian found 12.8 million secrets leaked on public GitHub in 2023 alone, and over 90% were still valid five days later. Here's the fix workflow that actually closes the gap.
Repojacking Explained: Hijacking Abandoned Repository Names
Repojacking lets an attacker claim a renamed or deleted GitHub namespace and serve malicious code to everyone still referencing the old path. Here is how it works.
GitHub repo confusion and malware repositories
Fake GitHub repos with forged stars and AI-written READMEs are stealing crypto and credentials. Here's how repo confusion attacks actually work.
6 free GitHub security settings every maintainer should e...
GitHub Advanced Security costs per committer, but six free GitHub repository security settings — from 2FA to secret scanning — already stop most real-world supply chain attacks.
10 GitHub security best practices
10 concrete GitHub security controls—2FA, push protection, branch rules, pinned Actions, SBOM—with real CVEs and dates security teams can act on today.
Finding and fixing exposed hardcoded secrets in GitHub projects
Hardcoded secrets leak into GitHub every day and get exploited within minutes. Here's how to find, fix, and prevent exposed credentials at scale.
Repojacking
Aqua Security found nearly 37,000 GitHub repos vulnerable to repojacking, including Google and Lyft. Here's how the attack works and how Safeguard catches it.
How to enable Dependabot version updates
A step-by-step guide to enabling Dependabot version updates on GitHub, including dependabot.yml configuration, scheduling, and verification checks.
How to configure GitHub branch protection rules
A practical guide to configuring GitHub branch protection rules — required reviews, status checks, and security settings that keep your main branch safe.
How to set up signed commits with GPG
A step-by-step guide to set up GPG signed commits in Git: generate a key, configure Git, publish it to GitHub, verify signatures, and fix common errors.
Malicious Go modules found on GitHub
Malicious Go modules keep surfacing on GitHub, exploiting the ecosystem's lack of a curated registry. Here's the pattern — and how to defend against it.