Securing GitHub: Challenges and Solutions

Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, joins the show this week to talk about securing GitHub. From Artifact Attestations, profile hardening, preventing XZ-like attacks, GitHub Advanced Security, code scanning, improving Dependabot, and more.

Join the discussion

Changelog++ members save 14 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

• Socket – Secure your supply chain and ship with confidence. Install the GitHub app, book a demo or learn more
• Neon – Fleets of Postgres! Enterprises use Neon to operate hundreds of thousands of Postgres databases: Automated, instant provisioning of the world’s most popular database.
• Cronitor – Cronitor helps you understand your cron jobs. Capture the status, metrics, and output from every cron job and background process. Name and organize each job, and ensure the right people are alerted when something goes wrong.
• Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.

Featuring:

• Jacob DePriest – GitHub, X
• Adam Stacoviak – Website, GitHub, LinkedIn, Mastodon, X
• Jerod Santo – GitHub, LinkedIn, Mastodon, X

Show Notes:

• Where does your software (really) come from?
• Keeping secrets out of public repositories
• GitHub Advanced Security
• Dependabot
• Introducing Artifact Attestations–now in public beta
• Software Bill of Materials (SBOM)
• 😶‍🌫️ Who in the world is Jia Tan?!

Something missing or broken? PRs welcome!