Safeguard
Tag

github-security

Safeguard articles tagged "github-security" — guides, analysis, and best practices for software supply chain and application security.

13 articles

Supply Chain Security

How Attackers Clone GitHub Repos to Ship Malware

One threat actor ran 3,000+ fake GitHub accounts and 2,200+ cloned repos to infect over 1,300 victims in four days. Here's how to spot the fakes.

Jul 8, 20267 min read
Best Practices

The complete workflow for finding and remediating hardcoded secrets in GitHub

GitGuardian found 12.8 million secrets leaked on public GitHub in 2023 alone, and over 90% were still valid five days later. Here's the fix workflow that actually closes the gap.

Jul 8, 20268 min read
Threat Research

Repojacking Explained: Hijacking Abandoned Repository Names

Repojacking lets an attacker claim a renamed or deleted GitHub namespace and serve malicious code to everyone still referencing the old path. Here is how it works.

Jul 7, 20266 min read
Software Supply Chain Security

GitHub repo confusion and malware repositories

Fake GitHub repos with forged stars and AI-written READMEs are stealing crypto and credentials. Here's how repo confusion attacks actually work.

Jul 1, 20267 min read
Best Practices

6 free GitHub security settings every maintainer should e...

GitHub Advanced Security costs per committer, but six free GitHub repository security settings — from 2FA to secret scanning — already stop most real-world supply chain attacks.

Jul 1, 20267 min read
Application Security

10 GitHub security best practices

10 concrete GitHub security controls—2FA, push protection, branch rules, pinned Actions, SBOM—with real CVEs and dates security teams can act on today.

May 23, 20267 min read
Application Security

Finding and fixing exposed hardcoded secrets in GitHub projects

Hardcoded secrets leak into GitHub every day and get exploited within minutes. Here's how to find, fix, and prevent exposed credentials at scale.

May 16, 20266 min read
Cloud Security

Repojacking

Aqua Security found nearly 37,000 GitHub repos vulnerable to repojacking, including Google and Lyft. Here's how the attack works and how Safeguard catches it.

Apr 13, 20267 min read
Software Supply Chain Security

How to enable Dependabot version updates

A step-by-step guide to enabling Dependabot version updates on GitHub, including dependabot.yml configuration, scheduling, and verification checks.

Feb 21, 20267 min read
Software Supply Chain Security

How to configure GitHub branch protection rules

A practical guide to configuring GitHub branch protection rules — required reviews, status checks, and security settings that keep your main branch safe.

Feb 18, 20268 min read
Software Supply Chain Security

How to set up signed commits with GPG

A step-by-step guide to set up GPG signed commits in Git: generate a key, configure Git, publish it to GitHub, verify signatures, and fix common errors.

Feb 17, 20267 min read
Open Source Security

Malicious Go modules found on GitHub

Malicious Go modules keep surfacing on GitHub, exploiting the ecosystem's lack of a curated registry. Here's the pattern — and how to defend against it.

Nov 20, 20257 min read
github-security — Safeguard Blog