Secure your software supply chain
Avoid adding new vulnerabilities with dependency review. Your software is more than the code you have written. With up to 94% of active repositories relying on open source*, you depend on many components you did not write but still have to secure.
Know what’s in your environment
Identify your dependencies, dependents, and their properties to understand your software supply chain.
Discover your dependencies using GitHub’s dependency graph, including transitive dependencies.
Manage your dependencies
Get notified when a new vulnerability affects one of your dependencies, and keep your dependencies current with Dependabot.
Understand the risks from your dependencies, including inherited vulnerabilities and licensing restrictions, and easily see what dependencies have changed in a pull request using dependency review.
Update dependencies for the latest functionality and security patches with automated pull requests from Dependabot.
Keep your dependencies up to date even when there is no new vulnerability, so that when a critical one is disclosed the upgrade is small and you can respond quickly.
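As an added illustration, not part of this page or of GitHub's own documentation, the two files that turn the features above on for a repository: a `.github/dependabot.yml` that opens version-update pull requests on a schedule (so dependencies move even when no advisory exists), and a workflow that runs dependency review on every pull request and fails the check when a dependency added or upgraded in that pull request carries a known vulnerability at or above a chosen severity, or a license the project cannot accept. The ecosystem, directory, schedule, severity threshold and license list are assumptions chosen for the example.

```yaml
# .github/dependabot.yml
# Added example; ecosystem, directory and schedule are assumptions.
version: 2
updates:
  # Version updates for the application's npm dependencies, not only security updates:
  # a weekly PR per outdated package keeps the upgrade path short when an advisory lands.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      # Batch minor and patch bumps into a single PR to cut review noise.
      minor-and-patch:
        update-types: ["minor", "patch"]
  # Keep the Actions used by the workflows in this repository pinned and current as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

---
# .github/workflows/dependency-review.yml
# Added example; the severity threshold and denied licenses are assumptions.
name: Dependency review
on: [pull_request]

permissions:
  contents: read         # the action only needs to read the diff
  pull-requests: write   # needed only to post the summary comment below

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Fail the check if a dependency added or upgraded in this PR has a known
          # vulnerability of at least this severity (low, moderate, high, critical).
          fail-on-severity: moderate
          # Block licenses the project cannot accept (SPDX identifiers; assumed list).
          deny-licenses: AGPL-3.0-only, GPL-3.0-only
          # Post the list of changed dependencies and any findings as a PR comment.
          comment-summary-in-pr: always
```

Dependency review reads the repository's dependency graph, so the graph must be enabled for the check to produce results; with the workflow marked as a required status check, a pull request that introduces a vulnerable or wrongly licensed package cannot merge until it is changed.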
Fix and publish vulnerability information
Review, fix and publish issues securely. Contribute and refer to a curated, open-source database of vulnerabilities.
Develop a fix in a private fork, then publish an advisory for the vulnerability in your project, and share your reporting and disclosure policy publicly.
Best practices for more secure software
The complete guide
Developer-first application security
Take an in-depth look at the current state of application security.
The government agency's guide to DevSecOps
Learn how to write more secure code from the start with DevSecOps.