Skip to content
Security Overview Code Supply-chain

Find and fix security issues as you code

Write more secure code from the start with security analysis built into your development workflow. GitHub Advanced Security helps you find and address security issues in your code earlier, improving the security of your projects.

Sign up for a demo Contact sales

A security review with every git push

Code scanning scans your code for security issues as you write it, and integrates the results natively into the developer workflow. Schedule security analysis to run on every push and every pull request on a schedule or ad-hoc.

Read

Enabling code scanning for a repository

Get set up in minutes using GitHub Actions, or run analysis in any CI provider.

Read

Enabling code scanning using actions

Read

About CodeQL code scanning in your CI system

See security scanning results on your pull requests as part of code review.

Read

Scanning on push

Integrate any static application security testing (SAST) engine. Use CodeQL, an open source engine, or any commercial third-party SAST tool.

Read

About integration with code scanning

Audit changes to your code in response to a security scanning result.

Read

Triaging code scanning alerts in pull requests

Monitor results across codebases in a centralized view, allowing you to prioritize the most important issues.

Read

Managing code scanning alerts for your repository

Export results via our API and listen for new alerts via webhooks.

Read

Integrations with webhooks

Find critical vulnerabilities and eradicate them, forever

CodeQL is a revolutionary semantic code engine that queries your code as data. Find security issues deep in your code. CodeQL’s powerful analysis can trace data flows through your application to identify vulnerabilities like SQL injection and remote code execution.

Read

Read more about CodeQL on Security Lab

Focus on real results, not false positives. CodeQL’s security queries have been refined to deliver industry-leading fix rates—60% of reported issues in 2020.

Leverage the CodeQL community. CodeQL comes with 2,000+ queries created and supported by GitHub and the community, all of which are open source.

Read

CodeQL repository on GitHub

Create custom queries for bespoke problems. Find every instance of a bug across your codebases, then check every future git push for reversions automatically.

Read

Running additional queries

Read

CodeQL queries documentation

Discover and manage hard-coded secrets

Secret scanning watches your repositories for known secret formats and notifies you as soon as secrets are found.

Read

Configuring secret scanning for your repositories

Get notifications for 45+ secret providers including AWS, Azure, Google Cloud, npm, Stripe, and Twilio in the developer workflow.

Read

See all supported secret providers

Mark notifications as fixed, false positive, or won’t fix.

Read

Managing alerts from secret scanning

Best practices for more secure software

The complete guide

Developer-first application security

Take an in-depth look at the current state of application security.

Industry spotlight

The government agency's guide to DevSecOps

Learn how to write more secure code from the start with DevSecOps.

How-to

Avoid AppSec pitfalls

Explore common application security pitfalls and how to avoid them.

Secure software from the start

Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered.

Create a free account Contact sales