Security strategy essentials

Learn security best practices and keep your project’s contributions—and contributors—safe.

Start free course Join 3166 others!

social preview

This course will show you how to build, host, and maintain a secure repository on GitHub. By following simple security best practices, you can rest easy knowing your project is secure for contributors and contributions today and in the future.

Collaboration is key to building great software. As you welcome more contributions, keeping your project secure becomes more important than ever.

What you'll learn

This course will answer common questions like:

  • How can I prevent sensitive data from being pushed to my repository?
  • How do I remove traces of the sensitive data if it is indeed published?
  • How do I use GitHub's vulnerability alerts?
  • How do I automatically fix vulnerable dependencies?
  • What's a security policy and how do I implement one?
  • What's .gitignore and how do I use it?
  • How can I trace sensitive data to its introduction?

In this course, you’ll learn how to:

  • Enable vulnerable dependency detection for private repositories
  • Detect and fix outdated dependencies
  • Automate the detection and fix of vulnerable dependencies with Dependabot
  • Add a security policy with the a file
  • Remove a commit exposing sensitive data in a pull request
  • Keep sensitive files out of your repository by leveraging the use of a .gitignore file
  • Remove historical commits exposing sensitive data deep in your repository

What you'll build

A picture matching game in play


This course is a great introduction. If you're unfamiliar with working in Pull Requests, consider taking the following course.

Projects used

This course makes use of the following open source projects. Consider exploring these repos and maybe even making contributions!


Developers, new GitHub users, teams, security professionals, open source maintainers

Steps to complete this course 13
  1. Enable repository settings

    Enable settings in your repository for the next activities.

  2. Find the vulnerable dependency

    Find the vulnerable dependency, and comment with the suggested update version.

  3. Update the dependency version

    Edit the file in the pull request to update the dependency.

  4. Merge your pull request

    Merge the pull request you've opened to update the vulnerability dependency.

  5. Enable Dependabot

    Install Dependabot on your repository.

  6. Add a file

    Add a file to your repository.

  7. Merge the pull request

    Merge the pull request.

  8. Remove sensitive data in a pull request

    Remove sensitive data pushed to a pull request

  9. Approve the pull request

    Approve the contributors pull request

  10. Add a `.gitignore` file

    The .gitignore file is ready to be edited in an open pull request. Add the .env file to the .gitignore file.

  11. Merge the pull request

    Merge the second pull request with updates to the .gitignore file.

  12. Find historical reference to a previous .env file

    Find historical reference to a previously committed .env file

  13. Remove historical reference to a previous .env file

    Remove historical reference to a previously committed .env file

Dependency management
Share Security strategy essentials
Average time to complete

55 minutes


All public courses on Learning Lab are free.

Latest release

Learning Paths that include this course

Users who took this course also took

What is GitHub Learning Lab?

Learn new skills by completing fun, realistic projects in your very own GitHub repository.

Ready to start learning?

Start Security strategy essentials