GitHub best practices - knowlesy/AZ400 GitHub Wiki

Every repository gets a dependency graph by default. GitHub scans common package manifests, such as package.json and requirements.txt, and builds a graph that lets project owners recursively track every dependency their project relies on.

GitHub provides automated dependency alerts that watch your dependency graphs for you.

Dependabot acts on those dependency alerts by opening pull requests that update the affected dependency, so a contributor can validate the change and merge the request.

Code scanning has several benefits: you can use it to find, triage, and prioritize fixes for existing problems or potential security vulnerabilities, and it helps prevent developers from introducing new security problems into the code.

Secret scanning looks for known secrets or credentials committed within the repository.

GitHub Security Advisories allow repository maintainers to privately discuss and fix a security vulnerability in a project.

Keep sensitive files out of your repository with .gitignore

You should assume that any data committed to GitHub at any point has been compromised. Simply overwriting a commit isn't enough to ensure the data will not be accessible in the future. For the complete guide to removing sensitive data from GitHub, see Removing sensitive data from a repository.
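Because anything that reaches GitHub should be treated as compromised, the cheapest control is to catch secrets and credential files before they are committed. The following is an added example, not part of this wiki page and not GitHub's own secret-scanning implementation: a local pre-commit style check in Python that flags a few widely documented credential formats and file names that belong in .gitignore. The patterns, file-name globs and sample staged contents are constructed assumptions for illustration.

```python
# Local pre-commit style check (added example): flag well-known credential
# formats and file names that belong in .gitignore before they are committed.
import re
from fnmatch import fnmatch

# Assumed patterns for a few widely documented credential formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)password\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
# Assumed file-name globs that normally belong in .gitignore, never in a commit.
SENSITIVE_NAME_GLOBS = (".env", ".env.*", "*.pem", "*.key", "*.p12", "id_rsa")

def sensitive_filename(path: str) -> bool:
    """True when the file name alone suggests it holds credentials."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch(name, glob) for glob in SENSITIVE_NAME_GLOBS)

def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line_no, pattern_name) for each line matching a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings

def check_staged(files: dict[str, str]) -> list[str]:
    """files maps staged path -> contents. An empty result means the commit
    may proceed; anything else should block it and be fixed before pushing."""
    problems = []
    for path, text in files.items():
        if sensitive_filename(path):
            problems.append(f"{path}: sensitive file name, add it to .gitignore")
        for found_path, line_no, kind in scan_text(path, text):
            problems.append(f"{found_path}:{line_no}: possible {kind}")
    return problems

if __name__ == "__main__":
    # Constructed staged files; the key-like strings are placeholders, not real.
    staged = {
        "config/settings.py": "DEBUG = True\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
        ".env": "DB_PASSWORD = 'correct-horse-battery'\n",
        "src/app.py": "def main():\n    print('ok')\n",
    }
    for problem in check_staged(staged):
        print(problem)
```

Wire it into a Git pre-commit hook by feeding it the output of `git diff --cached --name-only` and the staged file contents; a non-empty result should fail the hook.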