6 security settings every GitHub maintainer should enable this week - The GitHub Blog
Try GitHub Copilot CLI
Attend GitHub Universe
Search
Joseph Katsioloudes·@jkcso
July 1, 2026
6 minutes
Share:
At GitHub Security Lab, we spend a lot of our week talking to maintainers. Some find the settings page dense and the docs sprawl. Most maintainers we talk to weren’t hired to be security engineers. While this is true, ignoring a project’s security settings completely will lead into leaving a lot in the table in terms of automation and scalability, leading into a poor security posture, and before you realize it to vulnerabilities that pile up, exposing your users.
Here’s the short version. Six settings, free to use, updated in less than half an hour. We’ve bundled them into a guided flow called Protect Your Project so you can do them in one pass, and we walk through each tool you’ll use below.
1. Add a SECURITY.md file
This is the lightest-lift setting on the list and the one that makes everything else easier.
A SECURITY.md file tells the people who find bugs in your project where to send them. Without one, your options for a well-meaning reporter are a public issue (now a public exploit) or your personal email (if they can find it).
Set up a security policy are highlighted." class="wp-image-97205" srcset="https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.09-PM.png?w=1306 1306w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.09-PM.png?w=300 300w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.09-PM.png?w=768 768w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.09-PM.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" />
You don’t need to write much. We suggest adding a communication mean such as an email so that those reporting vulnerabilities can reach you directly without posting about them publicly. Then, you can state what bugs are in scope, alongside anything else a reporter should have in mind when contacting you. For reference, we point maintainers to the the systemd project’s security policy that we consider a complete example. It sets clear expectations about reproducers and doesn’t assume you have a 24/7 response team when you don’t. Borrow the structure, change the contact details, commit it.
Ten minutes, tops.
2. Turn on private vulnerability reporting
SECURITY.md tells reporters where to go. Private vulnerability reporting (PVR) gives them a private place to make their report.
Once enabled, a researcher can file a confidential advisory on your repo. You triage it out of the public eye and disclose on your timeline. The setup is one checkbox in Settings → Security.
Enable vulnerability reporting is highlighted." class="wp-image-97206" srcset="https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.19-PM.png?w=1308 1308w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.19-PM.png?w=300 300w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.19-PM.png?w=768 768w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.19-PM.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" />
If you only do one thing tonight, do these first two together. They are free, and are the fastest signal to your community that you take this seriously.
3. Turn on secret scanning, with push protection
This is the one with the most embarrassing failure mode.
GitGuardian’s State of Secrets Sprawl 2026 found 28.65 million new secrets leaked on public GitHub in 2025, a 34% jump over the prior year and the largest single-year increase on record. AI-assisted commits are leaking secrets at roughly twice the baseline rate. The average cost of a data breach now sits at $4.44 million globally ($10.22 million in the US) per IBM’s 2025 Cost of a Data Breach Report.
Secret scanning catches keys and tokens that slip into your repo by blocking them locally before they’re pushed to your repository. It doesn’t matter if your repo is public or private, because once secrets leave your local development, then they are available to anyone with access to your repo.
View detected secrets is highlighted." class="wp-image-97207" srcset="https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.27-PM.png?w=1306 1306w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.27-PM.png?w=300 300w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.27-PM.png?w=768 768w, https://github.blog/wp-content/uploads/2026/06/Screenshot-2026-06-30-at-3.28.27-PM.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" />
4. Turn on Dependabot and dependency review
Your project isn’t just your code. It’s the dozens (often hundreds) of...