Date posted: 21 Sep 2022, 1 minutes to read

Presentation dotnetsheff - Protect your code with GitHub security features

I have the pleasure of virtually speaking at dotnetsheff and these are the slides for it:

Creating modern software has a lot of moving parts. We all build on top of the shoulders of giants by leveraging closed/open source packages or containers that other people have shared. That makes securing our software a lot more complex as well!

In this session you’ll learn what possible attack vectors you need to look for, how to protect yourself against them and how to leverage GitHub’s features to make your life easier!


  • Signed Commits
  • Dependabot updates
  • Dependency scanning for known vulnerabilities
  • Secret scanning (and revoking) out of the box
  • Using CodeQL

You can download the slides here.

Opening slide of the presentation


Some questions that came up during the presentation: Q: Can we configure Dependabot to use conventional commits? A: No you can’t. There are several issues on the repo that ask for this, but they have not included it. What you can do, is work with prefixes in the commit message. Read more on this from the docs

Q: Can you run Dependabot locally? A: You can through a local install or from a Docker container, for example using this project. But for a feature rich experience, you should use the GitHub setup.

GitHub Advanced Security

Want to learn more about these GitHub Advanced Security features?
Check out the LinkedIn Learning course I made for it:
Image of my GitHub Advanced Security course at LinkedIn Learning

Click the image to go to LinkedIn Learning