Skip to main content

Security best practices for apps on GitHub Marketplace

Guidelines for preparing a secure app to share on GitHub Marketplace.

Note: This article applies to publishing apps in GitHub Marketplace only. For more information about publishing GitHub Actions in GitHub Marketplace, see "Publishing actions in GitHub Marketplace."

Before listing an app on GitHub Marketplace, you should follow the best practices for the type of app that you are listing:

Additionally, you should have the capability to notify GitHub within 24 hours of a confirmed security incident.

In addition to following security best practices, you should also follow customer experience best practices. For more information, see "Customer experience best practices for apps."