About security findings on a repository
After you apply a security configuration to a repository, the enabled security features will likely raise security findings on that repository. These findings may show up as feature-specific alerts, or as automatically generated pull requests designed to keep your repository secure. To best secure your organization, you should be able to understand and resolve these alerts and pull requests, then analyze the findings and make any necessary adjustments to your security configuration.
Interpreting secret scanning alerts
Secret scanning is a security tool that scans the entire Git history of your repository, as well as issues, pull requests, and discussions in that repository, for leaked secrets that have been accidentally committed, such as tokens or private keys. There are two types of secret scanning alerts:
- Secret scanning alerts for partners, which are sent to the provider who issued the secret
- Secret scanning alerts for users, which appear on GitHub and can be resolved
You can view secret scanning alerts for a repository by navigating to the main page of that repository, clicking the Security tab, then clicking Secret scanning.
For an introduction to secret scanning alerts, see "About secret scanning alerts."
To learn how to interpret and resolve secret scanning alerts, see "Managing alerts from secret scanning."
Interpreting code scanning alerts
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in your repository. These problems are raised as code scanning alerts, which contain detailed information on the vulnerability or error detected.
You can view the code scanning alerts for a repository by navigating to the main page of that repository, clicking the Security tab, then clicking Code scanning.
For an introduction to code scanning alerts, see "About code scanning alerts."
To learn how to interpret and resolve code scanning alerts, see "Managing code scanning alerts for your repository."
Interpreting Dependabot alerts
Dependabot alerts inform you about vulnerabilities in the dependencies that you use in your repository. You can view Dependabot alerts for a repository by navigating to the main page of that repository, clicking the Security tab, then clicking Dependabot.
For an introduction to Dependabot alerts, see "About Dependabot alerts."
To learn how to interpret and resolve Dependabot alerts, see "Viewing and updating Dependabot alerts."
Note: If you enabled Dependabot security updates or Dependabot version updates, Dependabot can also automatically raise pull requests to update the dependencies used in your repository. For more information, see "About Dependabot security updates" and "About Dependabot version updates."
Next steps
If you are using the GitHub-recommended security configuration, and your findings indicate the security enablement settings are not meeting your needs, you should create a custom security configuration. To get started, see "Creating a custom security configuration."
If you are using a custom security configuration, and your findings indicate the security enablement settings are not meeting your needs, you can edit your existing configuration. For more information, see "Editing a custom security configuration."
Lastly, you can also edit your organization-level security settings with global settings. To learn more, see "Configuring global security settings for your organization."