Dependabot
Automated dependency management that monitors your project's dependencies for known vulnerabilities. When a vulnerability is found, Dependabot automatically creates a pull request to update the affected package. It also supports scheduled version updates to keep all dependencies current, even when no vulnerability is known.
Code Scanning (CodeQL)
GitHub's semantic code analysis engine that finds security vulnerabilities and coding errors. CodeQL treats code as data, running queries against a database representation of your codebase to find patterns like SQL injection, XSS, buffer overflows, and authentication bypasses. Free for public repos, included in Enterprise for private repos.
Secret Scanning
Detects accidentally committed secrets (API keys, tokens, passwords, certificates) across your repository history. GitHub partners with 200+ service providers to automatically revoke leaked credentials when they are detected. Push protection can block pushes containing secrets before they reach the repository.
Security Advisories
Private spaces to discuss, fix, and publish information about security vulnerabilities in your projects. Advisories are integrated with the GitHub Advisory Database, which feeds into npm, pip, and other ecosystem security tools.