Full Report
These six free settings will not make your project unhackable. Nothing will. What they will do is close the easy doors. Turn these on, and your project will be meaningfully harder to attack than it was before. The post 6 security settings every GitHub maintainer should enable this week appeared first on The GitHub Blog.
Analysis Summary
# Best Practices: GitHub Repository Hardening
## Overview
These practices address the "low-hanging fruit" of repository security. By automating vulnerability detection, secret prevention, and dependency management, maintainers can close common attack vectors that are frequently exploited by automated scripts and opportunistic attackers.
## Key Recommendations
### Immediate Actions
1. **Add a SECURITY.md file:** Establish a clear protocol for researchers to report vulnerabilities privately rather than via public issues.
2. **Enable Private Vulnerability Reporting (PVR):** Provide a secure, integrated channel within GitHub for researchers to collaborate with maintainers on fixes before public disclosure.
3. **Turn on Secret Scanning with Push Protection:** Proactively block commits that contain API keys, tokens, or credentials before they reach the remote repository.
### Short-term Improvements (1-3 months)
1. **Enable Dependabot Alerts and Security Updates:** Automate the monitoring of third-party dependencies and generate Pull Requests to patch known vulnerabilities.
2. **Implement Dependency Review:** Integrate checks into the Pull Request workflow to visualize security risks in new dependencies before they are merged.
3. **Activate Code Scanning (CodeQL):** Deploy static analysis (SAST) to identify common coding flaws like SQL injection, command injection, and insecure GitHub Actions configurations.
### Long-term Strategy (3+ months)
1. **Establish a Security Governance Model:** Regularly review CodeQL findings and Dependabot trends to identify recurring architectural weaknesses.
2. **Community Engagement:** Use the established security policy to build trust with the security research community, incentivizing responsible disclosure over public exploitation.
## Implementation Guidance
### For Small Organizations / Individual Maintainers
- Use the **"Protect Your Project"** guided flow to enable all six settings in a single pass.
- Focus on automation (Dependabot and Secret Scanning) to compensate for a lack of dedicated security staff.
### For Medium Organizations
- Standardize the `SECURITY.md` across all repositories using a template.
- Enforce **Push Protection** at the organization level to ensure developers cannot bypass secret scanning accidentally.
### For Large Enterprises
- Integrate **CodeQL** into existing CI/CD pipelines for deeper analysis.
- Use GitHub’s security overview dashboards to monitor compliance and risk posture across hundreds or thousands of repositories.
## Configuration Examples
**SECURITY.md Template (Simplified):**
# Security Policy
## Reporting a Vulnerability
Please do not report security vulnerabilities through public GitHub issues.
Instead, please use the "Report a vulnerability" button under the Security tab
of this repository or email [[email protected]].
**Technical Path for PVR:**
`Settings` -> `Code security and analysis` -> `Private vulnerability reporting` -> Click `Enable`.
## Compliance Alignment
- **NIST SSDF (Software Supply Chain Security):** Aligns with tasks for protecting software and responding to vulnerabilities.
- **ISO/IEC 27001:** Supports controls related to secure coding and vulnerability management.
- **CIS Benchmarks:** Addresses repository-level security configuration and access controls.
## Common Pitfalls to Avoid
- **Implicit Trust in AI:** Avoid assuming AI-assisted code is secure; statistics show AI commits leak secrets at twice the baseline rate.
- **Public Reporting:** Never ask researchers to report bugs via public issues, as this provides a roadmap for attackers before a patch is ready.
- **Ignoring "Informational" Alerts:** Some CodeQL or Dependabot alerts may seem minor but can be chained together for a complex exploit.
## Resources
- **GitHub Protect Your Project Tool:** hxxps://securitylab[.]github[.]com/protect-your-project[.]html
- **Systemd Security Policy Reference:** hxxps://github[.]com/systemd/systemd/security/policy
- **GitHub Advisory Database:** hxxps://github[.]com/advisories
- **GitGuardian State of Secrets Sprawl:** hxxps://www[.]gitguardian[.]com/state-of-secrets-sprawl-report-2026