shibayu36
I Added Minimum GitHub Security Settings to My OSS Repositories and Created a Setup Guide

(This is an English translation of my original Japanese article: Japanese version here)

Recently, attacks on well-known OSS projects hosted on GitHub have become more frequent (e.g., the Nx incident in August 2025 (Japanese)). I decided to learn from these cases and apply minimum security settings to my own repositories.

The following three articles were particularly helpful when considering the settings:

Based on these references, I collaborated with AI to create a minimum setup document, which I'm sharing here. If you have suggestions for additional settings I should include, I'd love to hear them.

GitHub OSS Minimum Security Setup

Checklist

  • [ ] Enable Dependabot Alerts
  • [ ] Enable Private vulnerability reporting / Security Advisories
  • [ ] Enable CodeQL
  • [ ] Enable Secret scanning & Push protection
  • [ ] Protect the main/master branch (require PRs + CI)
  • [ ] Protect version tags
  • [ ] Add SECURITY.md
  • [ ] Enable release immutability

Enable Dependabot Alerts (Vulnerability Notifications)

What to do: Get alerts in the Security tab when vulnerabilities are found in your dependencies. Reference

Steps:

  1. Repository > Settings > Advanced Security
  2. Enable Dependabot alerts

Enable Private Vulnerability Reporting / Security Advisories

What to do: Allow external reporters to submit vulnerability reports privately, and display a "Report a vulnerability" option. Reference

Steps:

  1. Repository > Settings > Advanced Security
  2. Enable Private vulnerability reporting

Enable CodeQL (Code Scanning)

What to do: Catch potential vulnerabilities with static analysis. The quickest way is to use the Default setup. Reference

Steps:

  1. Repository > Settings > Advanced Security
  2. Under CodeQL analysis, click Set up > Default
  3. Enable with the suggested triggers (push / PR / schedule)

Enable Secret Scanning & Push Protection

What to do: Detect and alert when tokens, API keys, or other secrets are committed.

Steps:

  1. Repository > Settings > Advanced Security
  2. Enable Secret scanning (or Secret Protection)
  3. Enable Push protection

Protect main/master Branch (Require PRs + CI)

What to do: Block direct pushes and require CI to pass before merging. GitHub offers either the traditional "Branch protection" or the more flexible "Rulesets." Rulesets can target both branches and tags. Reference

Steps:

  1. Repository > Settings > Rules > Rulesets
  2. New branch ruleset
  3. Target main (or master) (e.g., Default branch / pattern matching)
  4. Enable rules:
    • Enforcement status: Active
    • Add Repository admin to bypass list
      • This is because I do releases on the main branch — ideally, I'd remove this bypass too
    • Target branches: Include default branch
    • Restrict deletions
    • Require a pull request before merging
    • Require status checks to pass
      • Use "Add checks" to select your CI jobs (e.g., ci / test)
      • Note: The checks you want to require must have run at least once so GitHub recognizes the check name. Reference
    • Block force pushes
    • Require code scanning results

Protect Version Tags

What to do: Restrict who can create version tags.

Steps:

  1. Repository > Settings > Rules > Rulesets
  2. New tag ruleset
  3. Enable rules:
    • Enforcement status: Active
    • Add Repository admin to bypass list
    • Target tags: v*
    • Restrict creations
    • Restrict updates
    • Restrict deletions
    • Require signed commits
    • Block force pushes
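The branch and tag rulesets above are easy to leave half-configured (still in "Evaluate" mode, or with a status-check rule that names no checks). The following audit is an added example, not code from the article: it takes ruleset objects in the shape returned by the GitHub REST rulesets API (for instance via `gh api repos/OWNER/REPO/rulesets/ID`, assumed here) and reports which checklist items are missing; the sample rulesets are constructed for the example.

```python
"""Audit GitHub rulesets against the branch/tag checklists above.

Assumed input: ruleset objects in the shape of the GitHub REST rulesets API
(e.g. `gh api repos/OWNER/REPO/rulesets/ID`). Samples are constructed."""

# Rule type names follow the REST API; one required set per ruleset target.
REQUIRED_RULES = {
    "branch": {"deletion", "pull_request", "required_status_checks",
               "non_fast_forward", "code_scanning"},
    "tag": {"creation", "update", "deletion", "required_signatures",
            "non_fast_forward"},
}


def audit_ruleset(ruleset: dict) -> list[str]:
    """Return violations; an empty list means the ruleset passes the checklist.
    Bypass actors get a 'note:' prefix: the article keeps Repository admin on
    the bypass list but recommends removing it where possible."""
    findings = []
    if ruleset.get("enforcement") != "active":
        findings.append(f"enforcement is {ruleset.get('enforcement')!r}, not 'active'")
    rules = ruleset.get("rules", [])
    present = {r.get("type") for r in rules}
    required = REQUIRED_RULES.get(ruleset.get("target"), set())
    findings += [f"missing rule: {t}" for t in sorted(required - present)]
    # A required_status_checks rule that names no checks lets any PR merge.
    for r in rules:
        if r.get("type") == "required_status_checks" and \
                not r.get("parameters", {}).get("required_status_checks"):
            findings.append("required_status_checks names no checks")
    for a in ruleset.get("bypass_actors", []):
        findings.append(f"note: bypass actor {a.get('actor_type')}#{a.get('actor_id')}")
    return findings


# Constructed samples: a tag ruleset that matches the checklist (actor_id 5 is
# assumed to be the admin role), and a branch ruleset still in "evaluate" mode
# that lacks force-push protection and names no CI checks.
SAMPLE_TAG_RULESET = {
    "target": "tag", "enforcement": "active",
    "bypass_actors": [{"actor_type": "RepositoryRole", "actor_id": 5}],
    "rules": [{"type": t} for t in ("creation", "update", "deletion",
                                     "required_signatures", "non_fast_forward")],
}
SAMPLE_BRANCH_RULESET = {
    "target": "branch", "enforcement": "evaluate", "bypass_actors": [],
    "rules": [{"type": "deletion"}, {"type": "pull_request"},
              {"type": "required_status_checks",
               "parameters": {"required_status_checks": []}},
              {"type": "code_scanning"}],
}
```

Running `audit_ruleset` over every ruleset of a repository gives a quick way to confirm the checklist after clicking through the UI.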

Add SECURITY.md

What to do: Document how to report vulnerabilities so reporters don't use public Issues. You can create and commit the template directly from GitHub's UI. Reference

Steps:

  1. Repository > Security > Set up a security policy
  2. Edit and commit SECURITY.md

Minimal template (copy & paste):

```markdown
# Security Policy

## Supported Versions

Only the latest version is supported with security updates.
Please always use the latest release.

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, report a vulnerability through GitHub's security advisory feature at https://github.com/<owner>/<repository_name>/security/advisories/new.

You can expect an initial response within a few days. If for some reason you do not, please follow up with a comment on the advisory to ensure we received your original report.
```

Enable Release Immutability

What to do: Prevent GitHub Tags, Releases, and Release assets from being modified after creation. Reference (Japanese)

Steps:

  1. Repository > Settings > General, then enable "Enable release immutability"
