6 Essential Security Settings Every GitHub Maintainer Should Enable Right Now
As a GitHub maintainer, you’re probably not a dedicated security engineer. But that doesn’t mean you can afford to ignore your project’s security settings. Neglecting these settings can leave your project vulnerable to attacks, exposing your users and compromising your hard work. The good news? You can significantly improve your project’s security in less than 30 minutes by enabling six free, easy-to-use settings.
GitHub Security Lab has bundled these settings into a guided flow called Protect Your Project, making it simple to implement them all at once. Let’s dive into each setting and why it matters.
1. Add a SECURITY.md File
This is the easiest and most impactful step. A SECURITY.md file provides clear instructions for researchers on how to report vulnerabilities in your project. Without it, reporters may resort to public issues (which become public exploits) or hunt for your personal email.
Here’s what to include:
- A direct contact method (e.g., an email address).
- The types of bugs that are in scope.
- Any additional guidelines reporters should follow.
Check out the systemd project’s security policy for a great example. It sets clear expectations without assuming you have a 24/7 response team.
Time to implement: 10 minutes.
2. Turn On Private Vulnerability Reporting (PVR)
Once you have a SECURITY.md file, enable Private Vulnerability Reporting. This gives researchers a private channel to report vulnerabilities, allowing you to triage and disclose issues on your timeline.
To enable PVR, simply check a box in Settings → Security. It’s that easy.
Why it matters: PVR ensures vulnerabilities are reported confidentially, preventing public disclosure of sensitive issues.
3. Enable Secret Scanning with Push Protection
Secret scanning is a must-have in today’s development environment. According to GitGuardian’s 2026 report, over 28 million secrets were leaked on public GitHub repositories in 2025—a 34% increase from the previous year. AI-assisted commits are especially prone to leaking secrets, making this setting even more critical.
Secret scanning blocks keys, tokens, and other sensitive data from being pushed to your repository. This protects your secrets whether your repo is public or private.
Why it matters: Leaked secrets can lead to data breaches, with the average cost now exceeding $4.44 million globally.
4. Turn On Dependabot and Dependency Review
Your project isn’t just your code—it’s also the packages you depend on. Dependabot alerts you when a package you’re using has a known vulnerability, while Dependency Review shows you exactly what’s being added or upgraded in a pull request.
Together, these tools make it easy to keep your dependencies secure without spending hours reviewing package updates.
Why it matters: Unpatched dependencies are a common attack vector. Dependabot and Dependency Review help you stay on top of vulnerabilities in your project’s ecosystem.
5. Enable Code Scanning
Code scanning runs static analysis on your repository, flagging patterns that lead to real bugs like SQL injection, command injection, and unsafe deserialization. It even detects unsafe GitHub Actions workflows.
The best part? Code scanning is free for open-source projects and requires no configuration. It automatically runs on every pull request using CodeQL, GitHub’s powerful analysis engine.
Why it matters: Code scanning catches vulnerabilities early, reducing the risk of security issues slipping into production.
6. Enable Branch Protection on Your Default Branch
Branch protection ensures that changes to your default branch (e.g., main) require a pull request with at least one approval. This simple setting prevents accidental or malicious direct pushes to your production branch.
Why it matters: Branch protection is your last line of defense against compromised credentials, confused contributors, or tired developers making mistakes. It also ensures that other security settings, like Dependabot alerts and code scanning findings, can block a merge.
Why These Settings Matter
These six settings won’t make your project unhackable—nothing will. But they will close the most common attack vectors, making your project significantly harder to exploit. By enabling these settings, you’re not just protecting your project—you’re also safeguarding every project that depends on it.
Ready to Get Started?
All six settings are free, quick to enable, and come with clear documentation. Head over to the Protect Your Project flow on GitHub and spend 30 minutes today to secure your project for the long term. Your users (and your future self) will thank you.
For more on GitHub security, check out our related posts:
