GitHub Supply Chain

Secure your software supply chain

Manage open source risks with GitHub’s supply chain security. Detect and fix threats early with automated scanning, updates, and policy enforcement — keeping your software resilient.

The image shows a GitHub Actions dependency review report on a blue gradient background. It indicates 0 vulnerable packages, 1 package with an incompatible license, and 0 packages with unknown licenses. Each issue has a "Details" link for more information.

Secure your dependencies

Automatically detect vulnerabilities and get trusted updates with Dependabot.

Prioritize what matters

Dependabot surfaces the top 10% of your most critical alerts first using exploitation likelihood, severity scores, and triage rules.

Distribute what you build

Easily sign and verify your builds with artifact attestations—simplifying security and compliance.

From dependencies to deployment, lock down your supply chain.

Understand your supply chain

Identify critical risks faster with EPSS scores and automated alerts. Map dependencies and dependents, including transitive ones, with one-click SBOMs.

The image shows a screenshot of a security vulnerability report for several npm packages on a blue background. The report lists four packages with their versions and the kind of dependency they are. The first package, "vm2" version 3.9.19, is marked as "Direct" with 5 critical vulnerabilities detected automatically. The second package, "@babel/traverse" version 7.22.6, is marked as "Transitive" with 3 moderate vulnerabilities detected automatically. The third package, "@babel/cli" version 7.17.10, is also marked as "Transitive", but its vulnerability details are cut off in the screenshot. The fourth package, "browserify-sign" version 4.2.1, is likewise marked as "Transitive", with no vulnerability details visible.

Make updates a breeze

Stay secure with automatic pull requests for the latest dependencies. Dependabot groups updates for faster reviews and merges.

The image shows a GitHub pull request notification from dependabot. The title of the pull request is "Bump tomli from 2.0.1 to 2.2.1 in python.helpers #127". The status of the pull request is "Open" and it indicates that dependabot wants to merge 1 commit. Below, there is a comment from dependabot on behalf of GitHub stating "Bumps tomli from 2.0.1 to 2.2.1". There are expandable sections for "Changelog" and "Commits (1)". A note at the bottom states that Dependabot will resolve any conflicts.

Prevent new risks

Enforce security and license compliance on pull requests with the dependency review action (available with GitHub Code Security).
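The dependency review action gates a pull request on the dependencies it adds: it can fail the check when an added package carries an advisory at or above a chosen severity, when its license is on a deny list or missing from an allow list, or when its license is unknown (the action exposes inputs named fail-on-severity, allow-licenses and deny-licenses for these knobs). The following is an added illustration of that policy logic over a constructed list of dependency changes; it is not the action's own code, and the record layout, field names and severity ordering are this example's assumptions.

```python
"""Illustration of the policy a dependency review gate applies to a pull request.

Added example, not the dependency review action's code. The input records
below are constructed; their shape is an assumption made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ordering used to compare an advisory's severity against the policy threshold.
SEVERITY_ORDER = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


@dataclass
class DependencyChange:
    name: str
    version: str
    ecosystem: str                  # e.g. "npm", "pip"
    change_type: str                # "added" or "removed"
    license: Optional[str]          # SPDX identifier, or None when unknown
    vulnerabilities: List[str] = field(default_factory=list)  # advisory severities


@dataclass
class ReviewPolicy:
    fail_on_severity: str = "high"                  # fail on this severity or worse
    allow_licenses: Optional[frozenset] = None      # if set, any other license fails
    deny_licenses: frozenset = frozenset()          # always fail on these
    fail_on_unknown_license: bool = True


def review(changes: List[DependencyChange], policy: ReviewPolicy) -> List[Tuple[str, str]]:
    """Return (package, reason) pairs for every violation; an empty list passes the check."""
    threshold = SEVERITY_ORDER[policy.fail_on_severity]
    violations = []
    for change in changes:
        if change.change_type != "added":
            continue  # removing or leaving a dependency alone introduces no new risk
        label = f"{change.ecosystem}:{change.name}@{change.version}"
        # One vulnerability finding per package is enough to fail it.
        for severity in change.vulnerabilities:
            if SEVERITY_ORDER.get(severity, -1) >= threshold:
                violations.append((label, f"{severity} vulnerability"))
                break
        if change.license is None:
            if policy.fail_on_unknown_license:
                violations.append((label, "unknown license"))
        elif change.license in policy.deny_licenses:
            violations.append((label, f"denied license {change.license}"))
        elif policy.allow_licenses is not None and change.license not in policy.allow_licenses:
            violations.append((label, f"license {change.license} not in allow list"))
    return violations


# Constructed sample: what a pull request might add and remove. vm2 3.9.19 is the
# package from the screenshot above; the other entries are made up for this example.
SAMPLE_CHANGES = [
    DependencyChange("tomli", "2.2.1", "pip", "added", "MIT"),
    DependencyChange("vm2", "3.9.19", "npm", "added", "MIT", ["critical", "high"]),
    DependencyChange("example-lib", "1.0.0", "npm", "added", "GPL-3.0-only"),
    DependencyChange("example-unknown", "0.1.0", "pip", "added", None),
    DependencyChange("old-lib", "0.9.0", "npm", "removed", "MIT", ["critical"]),
]


if __name__ == "__main__":
    policy = ReviewPolicy(deny_licenses=frozenset({"GPL-3.0-only"}))
    for package, reason in review(SAMPLE_CHANGES, policy):
        print(f"FAIL {package}: {reason}")
```

Removed packages are skipped on purpose: the gate is about risk a pull request introduces, which is why a critical advisory on old-lib does not block the merge. Loosening the threshold to critical and dropping the license rules leaves only the vm2 finding.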

The image shows a "Dependency Review" report generated by the GitHub Actions bot. The report lists the following issues: 0 vulnerable packages, 1 package with incompatible licenses, and 0 packages with unknown licenses. Each issue has a "Details" link next to it for more information.

Don’t just comply, be secure

Easily sign and verify builds with artifact attestations. Meet external compliance frameworks like SOC2 or strengthen internal security with SLSA — up to Build Level 3.

The image shows a digital interface with a blue gradient background. In the center, there is a semi-transparent rectangular overlay containing information about a software build. The overlay includes the following details:

A URL link at the top: "https://slsa.dev/provenance/v1 #4920729"
Created date and time: "3 weeks ago (Tue, 11 Feb 2025 19:52:54 GMT)"
Commit hash: "6890fe21dd88873893dd1a3bf3bdd4d334bb2338"
Build Summary link: "/cli/cli/actions/runs/13271193192/attempts/1"
Workflow File path: ".github/workflows/deployment.yml@refs/heads/trunk"

Secure software from the start

Whether you’re contributing to an open source project or choosing new tools for your team, your security needs are covered with GitHub.


Best practices for more secure software

Securing your end-to-end supply chain

Learn how to protect your entire GitHub workflow, from personal accounts to code and builds.


Explore the DevSecOps guide

Learn how to write more secure code from the start with DevSecOps.


Avoid AppSec pitfalls

Explore common application security pitfalls and how to avoid them.


FAQs

What is supply chain security?

When developing a software project, you likely use other software to build and run your application, such as open-source libraries, frameworks or other tools. These resources are collectively referred to as your “dependencies”, because your project depends on them to function properly. Your project could rely on hundreds of these dependencies, forming what is known as your "supply chain".

Your supply chain can pose a security risk. If one of your dependencies has a known security weakness or a bug, malicious actors could exploit this vulnerability to, for example, insert malicious code (malware), steal sensitive data, or cause some other type of disruption to your project. This type of threat is called a "supply chain attack". Having vulnerable dependencies in your supply chain compromises the security of your own project, and you put your users at risk, too.

One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies.

Attackers don’t just target the dependencies you use; they also target user accounts and build processes. It’s important to secure both to ensure that the code you distribute hasn’t been tampered with.

GitHub offers a range of features to help you understand and secure the dependencies in your environment, and to secure your GitHub accounts and build system.

Why choose GitHub’s supply chain features instead of third-party products?

Unlike third-party security add-ons, GitHub’s supply chain features operate entirely in the native GitHub workflows that developers already know and love. By making it easier for developers to remediate vulnerabilities as they go, GitHub frees time for security teams to focus on critical strategies that protect businesses, customers, and communities from application-based vulnerabilities.

What is SLSA and SLSA level 3?

Supply-chain Levels for Software Artifacts (SLSA) is a framework for improving the end-to-end integrity of a software artifact throughout its development lifecycle. It provides a comprehensive, step-by-step methodology for building integrity and provenance guarantees into your software supply chain. SLSA Level 3 signifies a significantly hardened software supply chain where builds are highly isolated, source code history is verified, and provenance is strictly controlled, providing a strong guarantee against tampering and ensuring the integrity of software artifacts. GitHub Actions and Artifact Attestations greatly simplify the journey to SLSA Level 3.
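An artifact attestation is only useful if the consumer checks it. Signature and certificate checks are done by the attestation tooling (the gh CLI's attestation verify command, for instance); what remains is a policy decision over the verified SLSA provenance statement: does the subject digest match the file I downloaded, and was it built by the workflow, repository and builder I expect? The following is an added example of that policy step, not GitHub's or Sigstore's code. The statement is constructed; the commit, workflow path and run URL in it are the values visible in the attestation screenshot above, while the predicate layout (buildDefinition/runDetails, the workflow object under externalParameters, the builder id) follows the SLSA v1 provenance schema as this example understands it and should be treated as an assumption.

```python
"""Policy check over an already signature-verified SLSA v1 provenance statement.

Added example. Signature verification is assumed to have happened already;
this only decides whether the verified provenance is the provenance we want.
"""
import hashlib
import json
from typing import List

INTOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed bytes standing in for a downloaded release artifact.
ARTIFACT = b"example release binary contents\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed in-toto statement wrapping a SLSA v1 provenance predicate. The commit,
# workflow path, ref and run URL come from the attestation screenshot on this page;
# the field layout is an assumption about the SLSA v1 schema made for this example.
STATEMENT_JSON = json.dumps({
    "_type": INTOTO_STATEMENT,
    "subject": [{"name": "release-artifact.tar.gz", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/workflow/v1",  # placeholder
            "externalParameters": {
                "workflow": {
                    "repository": "https://github.com/cli/cli",
                    "ref": "refs/heads/trunk",
                    "path": ".github/workflows/deployment.yml",
                }
            },
            "resolvedDependencies": [{
                "uri": "git+https://github.com/cli/cli@refs/heads/trunk",
                "digest": {"gitCommit": "6890fe21dd88873893dd1a3bf3bdd4d334bb2338"},
            }],
        },
        "runDetails": {
            "builder": {"id": "https://example.invalid/builder/hosted"},  # placeholder
            "metadata": {"invocationId": "https://github.com/cli/cli/actions/runs/13271193192/attempts/1"},
        },
    },
})


def check_provenance(statement_json: str, artifact: bytes, expected_repo: str,
                     expected_workflow_path: str, expected_builder_id: str) -> List[str]:
    """Return the list of policy failures; an empty list means the artifact is accepted."""
    statement = json.loads(statement_json)
    failures = []
    if statement.get("_type") != INTOTO_STATEMENT:
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append("predicate is not SLSA v1 provenance")
    # The digest binds the statement to exactly this artifact; a modified file fails here.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not among statement subjects")
    predicate = statement.get("predicate", {})
    workflow = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    # A validly signed statement from some other repository's workflow must still be rejected.
    if workflow.get("repository") != expected_repo:
        failures.append(f"built from {workflow.get('repository')!r}, expected {expected_repo!r}")
    if workflow.get("path") != expected_workflow_path:
        failures.append(f"built by workflow {workflow.get('path')!r}, expected {expected_workflow_path!r}")
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != expected_builder_id:
        failures.append(f"builder {builder_id!r} is not the expected builder")
    return failures


EXPECTED = ("https://github.com/cli/cli", ".github/workflows/deployment.yml",
            "https://example.invalid/builder/hosted")

if __name__ == "__main__":
    print(check_provenance(STATEMENT_JSON, ARTIFACT, *EXPECTED) or "accepted")
```

The repository and workflow comparisons are the part people forget: a provenance statement from a look-alike repository can carry a perfectly valid signature, so the identity of the producer has to be pinned by the consumer, not inferred from the signature being good.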

Can GitHub create a software bill of materials (SBOM)?

You can export a software bill of materials or SBOM for your repository from the GitHub dependency graph. SBOMs allow transparency into your open source usage and help expose supply chain vulnerabilities, reducing supply chain risks.
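Once an SBOM has been exported, the useful questions are the ones the "Understand your supply chain" section above promises answers to: which packages are direct dependencies, which are transitive, which packages pull a given transitive package in, and which listed packages match a known advisory. The following is an added example that answers those questions from an SPDX JSON document; it is not GitHub's code. The SBOM is constructed for this example (GitHub's export being SPDX JSON is this example's assumption), using the package names and versions from the vulnerability screenshot above plus a made-up direct dependency to give them a parent.

```python
"""Classify the packages in an SPDX SBOM as direct or transitive and match them
against an advisory list.

Added example, not GitHub's code. The SBOM below is constructed; the SPDX layout
(packages, DESCRIBES/DEPENDS_ON relationships, purl externalRefs) is an assumption
about the exported format.
"""
import json
from collections import deque
from typing import Dict, Set


def _pkg(spdx_id: str, name: str, version: str, purl: str) -> dict:
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}]}


def _rel(src: str, kind: str, dst: str) -> dict:
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}


# Constructed SBOM. "example-build-tool" is made up so the @babel packages have a parent.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example/app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "com.github.example/app", "versionInfo": "main"},
        _pkg("SPDXRef-vm2", "npm:vm2", "3.9.19", "pkg:npm/vm2@3.9.19"),
        _pkg("SPDXRef-tool", "npm:example-build-tool", "1.0.0", "pkg:npm/example-build-tool@1.0.0"),
        _pkg("SPDXRef-babel-cli", "npm:@babel/cli", "7.17.10", "pkg:npm/%40babel/cli@7.17.10"),
        _pkg("SPDXRef-babel-traverse", "npm:@babel/traverse", "7.22.6", "pkg:npm/%40babel/traverse@7.22.6"),
        _pkg("SPDXRef-browserify-sign", "npm:browserify-sign", "4.2.1", "pkg:npm/browserify-sign@4.2.1"),
    ],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-app"),
        _rel("SPDXRef-app", "DEPENDS_ON", "SPDXRef-vm2"),
        _rel("SPDXRef-app", "DEPENDS_ON", "SPDXRef-tool"),
        _rel("SPDXRef-tool", "DEPENDS_ON", "SPDXRef-babel-cli"),
        _rel("SPDXRef-tool", "DEPENDS_ON", "SPDXRef-browserify-sign"),
        _rel("SPDXRef-babel-cli", "DEPENDS_ON", "SPDXRef-babel-traverse"),
    ],
})


def classify(sbom_json: str) -> Dict[str, dict]:
    """Map 'name@version' to scope (direct/transitive), depth, dependents and purl."""
    doc = json.loads(sbom_json)
    packages = {p["SPDXID"]: p for p in doc["packages"]}
    depends_on = {pid: [] for pid in packages}
    dependents = {pid: [] for pid in packages}
    roots = []
    for rel in doc.get("relationships", []):
        src, kind, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if kind == "DESCRIBES" and src == doc["SPDXID"]:
            roots.append(dst)  # the package the document describes: the repository itself
        elif kind == "DEPENDS_ON" and src in packages and dst in packages:
            depends_on[src].append(dst)
            dependents[dst].append(src)
    # Breadth-first walk from the root: depth 1 is direct, anything deeper is transitive.
    depth = {r: 0 for r in roots}
    queue = deque(roots)
    while queue:
        current = queue.popleft()
        for nxt in depends_on[current]:
            if nxt not in depth:
                depth[nxt] = depth[current] + 1
                queue.append(nxt)
    result = {}
    for pid, d in depth.items():
        if d == 0:
            continue
        pkg = packages[pid]
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        result[f"{pkg['name']}@{pkg['versionInfo']}"] = {
            "scope": "direct" if d == 1 else "transitive",
            "depth": d,
            "dependents": sorted(packages[x]["name"] for x in dependents[pid]),
            "purl": purl,
        }
    return result


def match_advisories(sbom_json: str, vulnerable_purls: Set[str]) -> Dict[str, dict]:
    """Return the classified packages whose purl appears in a set of affected purls."""
    return {k: v for k, v in classify(sbom_json).items() if v["purl"] in vulnerable_purls}


if __name__ == "__main__":
    for name, info in classify(SBOM_JSON).items():
        print(f"{info['scope']:10} depth={info['depth']} {name}  <- {', '.join(info['dependents'])}")
```

The dependents list is what tells you where a fix has to land: a transitive package is updated by bumping the direct dependency that pulls it in, not by editing your own manifest, which is the same distinction the screenshot's "Direct" and "Transitive" labels express.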

Are GitHub’s supply chain features paid or free?

Most of GitHub’s supply chain features are available for free to all users. A select few advanced features are available to private repos only in GitHub Code Security. See pricing.