GitHub security features: highlights from 2020
Blog post from GitHub
In 2020 GitHub shipped a set of security products that run inside the normal development workflow rather than as a separate audit step.

Code scanning, powered by CodeQL, performs a security review on every push (and on pull requests) and reports vulnerabilities such as SQL injection and cross-site scripting as alerts in the repository's Security tab. More than a dozen partner static-analysis tools were integrated alongside CodeQL, so their results appear in the same alert view. The CodeQL engine itself was made faster and more efficient, and the CodeQL extension for VS Code gained an AST viewer for inspecting how source code is represented while writing or debugging queries.

Secret scanning, previously available only for public repositories, was extended to private repositories and to additional token formats. When a secret is detected, the relevant people are notified, and a new API allows secret-scanning alerts to be listed and resolved programmatically instead of only through the web UI.

Dependabot now automates dependency updates by opening pull requests and alerts repositories when a dependency has a known vulnerability. Dependency review, shown on pull requests, lists the dependencies a change adds, removes or upgrades and flags any with known vulnerabilities, so a vulnerable dependency can be caught before it is merged rather than after. The GitHub Advisory Database was expanded to include npm advisories, making it a single source of advisory data for these alerts.

Finally, GitHub simplified enabling these features at both the repository and organization levels, and many of them are free for public repositories. Further updates are tracked in the GitHub Changelog and the public roadmap.
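The "security review on every push" is implemented as a GitHub Actions workflow checked into the repository. The following is an added example of such a workflow as it looked in 2020; it is not code from the original post or from GitHub's own template, and it assumes a JavaScript repository whose default branch is named `main` (the weekly cron time is arbitrary).

```yaml
# .github/workflows/codeql-analysis.yml
# Added example, not from the original post. Assumptions: the repository
# contains JavaScript, the default branch is "main", and the cron time is
# arbitrary. Results are uploaded as alerts to the repository's Security tab.
name: "CodeQL"

on:
  push:
    branches: [main]          # scan every push to the default branch
  pull_request:
    branches: [main]          # and every PR targeting it, so findings show on the PR
  schedule:
    - cron: "0 3 * * 1"       # weekly rescan picks up queries added since the last push

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Set up the CodeQL tools. "languages" must list the languages the
      # repository actually contains; the default query suite is security-focused,
      # and "security-extended" widens it to lower-confidence security queries.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: javascript
          queries: security-extended

      # Compiled languages need a build for CodeQL to observe; autobuild attempts
      # the obvious one. For pure JavaScript it is effectively a no-op but harmless.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      # Run the queries and upload the SARIF results to the Security tab.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

Partner tools plug into the same alert view by producing SARIF and uploading it with `github/codeql-action/upload-sarif@v1` in place of the analyze step. Note that in 2020 code scanning was free for public repositories; on private repositories it required GitHub Advanced Security, so the workflow alone is not sufficient there.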