Listen to this Post

Introduction:
Open source security doesn’t have to be complicated. Most maintainers aren’t security engineers—they’re developers building amazing software. Yet, a few simple security settings can dramatically improve a project’s security posture. In less than 30 minutes, you can enable six free GitHub features that automate protection and reduce the risk of costly vulnerabilities. Security isn’t about making your project impossible to hack—it’s about eliminating the easy attack paths before they become incidents.
Learning Objectives:
- Understand the six free GitHub security features every repository maintainer should enable
- Learn how to configure SECURITY.md, Private Vulnerability Reporting, Secret Scanning with Push Protection, Dependabot, CodeQL, and Branch Protection
- Implement practical step-by-step security hardening for both personal and enterprise GitHub repositories
You Should Know:
- SECURITY.md – Your Project’s First Line of Defense
A `SECURITY.md` file tells security researchers and bug hunters exactly where and how to report vulnerabilities responsibly. Without one, your options for a well-meaning reporter are a public issue (now a public exploit) or your personal email (if they can find it).
Step-by-step guide:
1. Navigate to your repository on GitHub
2. Click Add file → Create new file
- Name the file `SECURITY.md` (place it in the root directory,
.github/, ordocs/)
4. Add the following template content:
Security Policy Supported Versions <table> <thead> <tr> <th>Version</th> <th>Supported</th> </tr> </thead> <tbody> <tr> <td>5.1.x</td> <td>:white_check_mark:</td> </tr> <tr> <td>5.0.x</td> <td>:x:</td> </tr> <tr> <td>4.0.x</td> <td>:white_check_mark:</td> </tr> <tr> <td>< 4.0</td> <td>:x:</td> </tr> </tbody> </table> Reporting a Vulnerability Please report security vulnerabilities by emailing <a href="mailto:[email protected]">[email protected]</a>. You should receive a response within 48 hours. If you don't, please follow up via email. Please include: - Description of the vulnerability - Steps to reproduce - Affected versions - Potential impact We will coordinate disclosure and publicly acknowledge your responsible disclosure.
5. Commit the file to your default branch
Best practice: Borrow the structure from the systemd project’s security policy—it sets clear expectations without assuming you have a 24/7 response team. Ten minutes, tops.
- Private Vulnerability Reporting – Keep Security Discussions Confidential
SECURITY.md tells reporters where to go. Private Vulnerability Reporting (PVR) gives them a private place to make their report. Once enabled, a researcher can file a confidential advisory on your repo. You triage it out of the public eye and disclose on your timeline.
Step-by-step guide:
1. Navigate to your repository on GitHub
- Click Settings → Code security and analysis (in the Security section of the sidebar)
- Under “Code security and analysis,” find Private vulnerability reporting
4. Click Enable
What changes:
- Security researchers will see a “Report a vulnerability” button on the repository’s Security tab
- You receive notifications when new vulnerabilities are reported privately
- You can collaborate with researchers on fixes in private before public disclosure
⚠️ Critical: These first two features together are free and the fastest signal to your community that you take security seriously.
- Secret Scanning with Push Protection – Stop Secrets Before They Reach Your Repo
This is the one with the most embarrassing failure mode. GitGuardian’s State of Secrets Sprawl 2026 found 28.65 million new secrets leaked on public GitHub in 2025—a 34% jump over the prior year and the largest single-year increase on record. AI-assisted commits are leaking secrets at roughly twice the baseline rate. The average cost of a data breach now sits at $4.44 million globally ($10.22 million in the US).
Secret scanning catches keys and tokens that slip into your repo. Push protection blocks the push before it lands—the moment a developer runs git push.
Step-by-step guide:
Enable Secret Scanning and Push Protection at the repository level:
- Navigate to your repository → Settings → Code security and analysis
2. Click Enable next to Secret scanning
3. Click Enable next to Push protection
Enable at the organization level (recommended for teams):
- Go to your organization → Settings → Code security and analysis
- Apply GitHub’s recommended security configuration—this enables secret scanning and push protection across all your repos in a few clicks
- Choose to apply it to both current and future repositories so new repos are covered automatically
What the developer experiences when push protection blocks a secret:
$ git push remote: error: GH013: Push rejected because secret scanning detected a high-confidence secret. remote: error: Secret: AWS_ACCESS_KEY_ID (xxxxxxxxxxxxxxxxxxxx) remote: error: Commit: abc123def456 remote: error: File: config/credentials.json remote: error: To push, remove the secret and commit again, or use --1o-verify. To github.com:username/repo.git ! [remote rejected] main -> main (push rejected)
To bypass a block (use sparingly and with justification):
git push --1o-verify
Best practice: GitHub maintains a list of over 200 supported secret types from providers like AWS, Azure, Google Cloud, Stripe, Slack, and more. For partner-supported secrets, GitHub automatically notifies the provider, who may revoke the token on your behalf.
- Dependabot & Dependency Review – Stay Ahead of Vulnerable Third-Party Packages
Your project is only as secure as its dependencies. Dependabot automatically monitors and updates dependencies, while Dependency Review catches vulnerabilities before they’re added to your project.
Step-by-step guide:
Enable Dependabot:
- Navigate to your repository → Settings → Code security and analysis
2. Click Enable next to Dependabot alerts
3. Click Enable next to Dependabot security updates
Configure `dependabot.yml` (optional but recommended):
Create `.github/dependabot.yml` in your repository:
version: 2 updates: Enable version updates for npm - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" day: "monday" open-pull-requests-limit: 10 reviewers: - "your-security-team" assignees: - "lead-developer" labels: - "dependencies" - "security" Enable version updates for GitHub Actions - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" Enable version updates for Docker - package-ecosystem: "docker" directory: "/" schedule: interval: "weekly"
Enable Dependency Review:
- Navigate to your repository → Settings → Code security and analysis
2. Click Enable next to Dependency review
What changes:
- Dependabot raises pull requests to update vulnerable dependencies
- Dependency Review analyzes pull requests for dependency changes, blocking merges that introduce security risks or non-compliant licenses
- You can configure auto-triage rules to prioritize which alerts matter most
💡 Pro tip: Group related updates together using dependency groups to minimize PR noise. Dedicate time weekly or bi-weekly for reviewing dependency updates.
- Code Scanning (CodeQL) – Automatically Detect Security Issues
CodeQL automatically detects common security issues like SQL injection, command injection, and insecure workflows. It analyzes your code each time you push to the default branch or raise a pull request.
Step-by-step guide:
Default setup (quickest):
- Navigate to your repository → Settings → Code security and analysis
- Under Code scanning, click Set up → Default
- GitHub automatically chooses the languages to analyze, query suite to run, and events that trigger scans
4. Click Enable CodeQL
Advanced setup (more control):
- Navigate to your repository → Settings → Code security and analysis
2. Click the setup dropdown and select Advanced
- You’ll be taken to a new page with a generated `codeql.yml` workflow file
4. Customize the workflow or commit it as-is
5. Click Commit changes
Example CodeQL workflow trigger configuration:
name: "CodeQL Advanced"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '30 1 0' Weekly scan on Sundays at 1:30 AM
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: 'ubuntu-latest'
timeout-minutes: 360
permissions:
security-events: write
packages: read
actions: read
contents: read
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
- language: python
build-mode: none
- language: go
build-mode: autobuild
steps:
- name: Checkout repository
uses: actions/checkout@v4
<ul>
<li>name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}</p></li>
<li><p>name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
Bulk setup for multiple repositories: Use scripts like `jhutchings1/Create-ActionsPRs` (PowerShell) or `nickliffen/ghas-enablement` (Node.js) to raise pull requests that add CodeQL workflows across many repositories at once.
6. Branch Protection – Gatekeep Your Production Code
Protect your default branch by requiring pull requests and approvals before code reaches production. This prevents direct pushes, enforces code review, and ensures status checks pass before merging.
Step-by-step guide:
- Navigate to your repository → Settings → Branches
2. Under Branch protection rules, click Add rule
- In Branch name pattern, enter `main` (or your default branch name)
4. Configure the following protections:
Recommended settings:
| Setting | Recommendation | Why |
|||–|
| Require a pull request before merging | ✅ Enabled | No direct pushes to main |
| Required approvals | 2 (minimum 1) | Peer review enforcement |
| Dismiss stale pull request approvals | ✅ Enabled | Re-review after changes |
| Require status checks to pass before merging | ✅ Enabled | CI must succeed |
| Require review from Code Owners | ✅ Enabled (if CODEOWNERS exists) | Domain expertise required |
| Restrict who can push | ✅ Enabled | Limit to admins or specific teams |
Example branch protection rule via GitHub CLI:
List current branch protection rules
gh api repos/username/repo/branches/main/protection
Create a branch protection rule
gh api -X PUT repos/username/repo/branches/main/protection \
-f required_status_checks='{"strict":true,"contexts":["continuous-integration"]}' \
-f enforce_admins=true \
-f required_pull_request_reviews='{"required_approving_review_count":2}'
What Undercode Say:
- Security is a continuous thread, not a gated process – Enable these features once, and they automate protection continuously. The settings work together: SECURITY.md and PVR create the reporting pipeline, Secret Scanning prevents leaks, Dependabot secures dependencies, CodeQL finds bugs, and Branch Protection gates production.
-
30 minutes today saves millions tomorrow – With the average data breach costing $4.44 million globally, investing half an hour in these free GitHub features is one of the highest-ROI security activities any developer or team can undertake. The 2026 State of DevSecOps research highlights that GitHub Actions is particularly vulnerable to supply chain attacks if not properly secured—these settings are your first line of defense.
Analysis: The six features outlined above represent a complete security baseline that requires no paid GitHub Advanced Security license for the core functionality. They address the OWASP Top 10 and supply chain security concerns across the entire SDLC—from code commit (Secret Scanning, CodeQL) to dependency management (Dependabot) to production deployment (Branch Protection). What makes this approach particularly powerful is that these features are automated and free, removing the “security is too hard” excuse that plagues many open source and even enterprise projects. The 29 million secrets detected on GitHub in 2025 prove that human error is inevitable—automation is the only scalable defense.
Prediction:
- +1 Organizations that adopt these six GitHub security features will see a measurable reduction in security incidents within 90 days, with secret leaks dropping by an estimated 60-70% across enabled repositories.
-
+1 The “shift left” movement will accelerate as these built-in GitHub features become the de facto security baseline for all repositories, making security screening a natural part of the development workflow rather than a separate compliance exercise.
-
-1 Projects that fail to enable these basic security settings will face increasing scrutiny from enterprise users and security researchers, potentially leading to reduced adoption and public vulnerability disclosures that damage reputation.
-
-1 As AI-assisted coding tools become more prevalent, secret leakage rates will continue to rise—repositories without push protection will be at exponentially higher risk of credential exposure in 2026 and beyond.
▶️ Related Video (76% Match):
https://www.youtube.com/watch?v=1CICkxLKVmE
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Kitsodadakakambi Github – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


