Code Security Best Practices

[Abdumajidov2005]

Select Topic Area

Question

Body

Let's discuss how to build security into our GitHub workflow. Share tips, tools, and strategies to keep secrets and vulnerabilities out of our codebase and ensure a secure software supply chain.

[SuyashT0911]

Building security into a GitHub workflow means integrating security checks throughout the development lifecycle. Here are some practical tips, tools, and strategies:

1. Protect Secrets

• Never hardcode secrets (API keys, tokens, passwords) in the repository.
• Use GitHub Secrets for storing sensitive values used in GitHub Actions.
• Use tools like GitHub Secret Scanning or Gitleaks to detect leaked secrets.
• Rotate credentials regularly and use short-lived tokens when possible.

2. Secure Dependencies

• Enable Dependabot alerts and updates to automatically detect vulnerable dependencies.
• Regularly review dependency updates and remove unused packages.
• Use lock files (package-lock.json, requirements.txt, etc.) to ensure reproducible builds.

3. Code Scanning and Static Analysis

• Use GitHub CodeQL or other SAST tools to automatically scan code for vulnerabilities.
• Run security checks in CI pipelines so vulnerabilities are detected before merging code.

4. Protect the Main Branch

• Enable branch protection rules:

  • Require pull request reviews
  • Require status checks before merging
  • Restrict direct pushes to the main branch

5. Secure GitHub Actions

• Use trusted actions from verified sources.
• Pin actions to specific commit SHAs instead of floating versions.
• Limit permissions in workflows using least privilege (permissions: field).

6. Enforce Good Collaboration Practices

• Use pull requests and code reviews to catch security issues early.
• Encourage developers to follow secure coding guidelines.
• Add automated linting and testing before merges.

7. Monitor and Respond

• Enable security advisories and vulnerability reporting.
• Set up alerts for unusual activity.
• Regularly audit repository permissions and access.

8. Use Security Policies

• Add a SECURITY.md file so researchers know how to report vulnerabilities responsibly.

✅ Key idea: Security should be integrated into code, dependencies, CI/CD, and access control, creating a secure software supply chain from development to deployment.