GitHub Deep Dive Part 3: Packages, Container Registry & Advanced Security (Dependabot, CodeQL, Secret Scanning)

GitHub Packages and Security Deep Dive - Dependabot, CodeQL, Secret Scanning, SBOM

📘 GITHUB DEEP DIVE SERIES

Part 1: Repositories, Branches & Pull Requests →
Part 2: GitHub Actions, Workflows & OIDC →
▸ Part 3: Packages, Container Registry & Security YOU ARE HERE

Note: This is Part 3 of a three-part deep dive into GitHub. Part 1 covered repositories and the collaboration model, Part 2 covered GitHub Actions in depth.

Modern software is assembled from hundreds or thousands of open-source dependencies, packaged into containers, signed, and deployed across cloud platforms. GitHub has built an integrated suite to manage this entire supply chain: GitHub Packages for hosting artifacts, the GitHub Container Registry (GHCR) for OCI images, and the GitHub Advanced Security (GHAS) suite for finding vulnerabilities, leaked secrets, and supply-chain risks before they reach production. This final part of the series walks through each piece.

1. The Big Picture: Supply Chain on GitHub

Your code sits at the center of a wider supply chain: dependencies you pull in, container base images you build on, secrets used for cloud auth, and artifacts you produce and ship. GitHub provides controls at every step of that chain.

SUPPLY CHAIN STAGES

Source
Code + commits

Deps
Dependabot + Advisory DB

Build
Actions + SLSA

Artifact
Packages + GHCR + SBOM

Deploy
Sigstore + provenance

2. GitHub Packages: One Registry for Everything

GitHub Packages is a unified, multi-format registry hosted alongside your code. It supports npm, NuGet, Maven, Gradle, RubyGems, and Docker / OCI images. Packages are scoped to the repo or organization that owns them, and inherit access controls from there. For container images, packages are surfaced under the dedicated GHCR domain ghcr.io.

Supported Package Formats

Ecosystem	Endpoint	Auth
npm	`npm.pkg.github.com`	PAT or GITHUB_TOKEN
Container (OCI)	`ghcr.io`	PAT or GITHUB_TOKEN
Maven / Gradle	`maven.pkg.github.com`	PAT
NuGet	`nuget.pkg.github.com`	PAT
RubyGems	`rubygems.pkg.github.com`	PAT

3. Publishing to GHCR with Actions

Container publishing is the most common Packages workflow. A few key patterns: use the built-in GITHUB_TOKEN with packages: write permission, tag images with both a SHA and a semver tag, and enable provenance attestations so consumers can verify the image was built by your workflow.

name: Publish container
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  packages: write
  id-token: write   # for attestations
  attestations: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/metadata-action@v5
        id: meta
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}}
            type=sha
      - uses: docker/build-push-action@v6
        id: push
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - uses: actions/attest-build-provenance@v1
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

4. Dependabot: Three Features in One

Dependabot is GitHub free dependency-management bot, and it actually combines three distinct features that are worth understanding separately.

The Three Dependabots

Dependabot Alerts
Notifies when a dependency has a known CVE. Free for all repos.

Security Updates
Auto-opens PRs to patch vulnerable versions. Free.

Version Updates
Opens PRs for non-security upgrades on a schedule. Configured via dependabot.yml.

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      production:
        dependency-type: "production"
      development:
        dependency-type: "development"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"

5. CodeQL: GitHub Native SAST

CodeQL is the static analysis engine behind GitHub Code Scanning. It treats your code as a queryable database and runs a curated catalogue of security queries written in the QL language to find injection, deserialization, path traversal, and dozens of other vulnerability classes. Results land in the Security tab and as PR comments.

name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 2 * * 1'

permissions:
  security-events: write
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [javascript-typescript, python, csharp]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended,security-and-quality
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

6. Secret Scanning and Push Protection

Secret Scanning looks for committed credentials matching more than 200 partner-supplied patterns (AWS keys, Stripe tokens, npm tokens, GitHub PATs, and many more). When found in a public repo, GitHub notifies the provider so the secret can be revoked. Push protection goes a step further by blocking pushes that contain secrets before they ever land on the server.

Secret Scanning Tiers

Detection (free for public)
Scans history, alerts owners, notifies issuing partners to auto-revoke.

Push Protection (GHAS)
Blocks pushes containing secrets. Developer can bypass with justification.

7. SBOMs and Software Composition

An SBOM (Software Bill of Materials) is an inventory of every component, version, and license inside a build. GitHub auto-generates an SPDX-format SBOM for each repository (via the Dependency Graph) and you can download it from the repo Insights tab or fetch it through the API. SBOMs are increasingly required for federal procurement, ISO certifications, and customer audits.

DEPENDENCY GRAPH POWERS

SBOM export - SPDX-format, downloadable per repo
Dependabot Alerts - cross-referenced with GitHub Advisory Database
Dependency Review - PR check showing added/removed/vulnerable deps
Insights -> Dependency Graph - direct + transitive deps visualization

8. Provenance and Sigstore

Modern supply-chain security is shifting toward signed provenance: cryptographic statements that say "this artifact was built by that workflow run from that commit." GitHub integrates with Sigstore (via cosign and the new actions/attest-build-provenance action) to produce keyless, verifiable attestations stored in a public transparency log called Rekor.

# Verify an image was built by a specific GitHub repo workflow
gh attestation verify oci://ghcr.io/myorg/myimage:v1.2.3 \
  --owner myorg

# Or using cosign directly
cosign verify ghcr.io/myorg/myimage:v1.2.3 \
  --certificate-identity-regexp "https://github.com/myorg/myrepo/.+" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

9. Branch Protection and Rulesets

The classic way to enforce policy is branch protection rules. The newer system is repository rulesets, which support: required status checks, required signed commits, required linear history, required deployments, restricted file paths, push limits, and tag protection - all manageable at the organization level and applicable to many repos at once with pattern matching.

Branch Protection vs Rulesets

Feature	Branch Protection	Rulesets
Scope	Per branch, per repo	Org-wide, multiple repos
Modes	Active only	Active / Evaluate (dry-run)
Layering	Single rule	Multiple rules merge
Targets	Branches	Branches + Tags + Push

10. GitHub Advanced Security (GHAS) at a Glance

GHAS is the paid security bundle for organizations. Many features are free on public repos and require GHAS licensing on private/enterprise repos. The product is increasingly split into focused SKUs (Code Security, Secret Protection) but the underlying capabilities are the same.

GHAS CAPABILITIES

Code scanning - CodeQL + 3rd-party SARIF

Secret scanning - 200+ patterns + custom regexes

Push protection - blocks secrets at push time

Dependency review - PR-level dep diff

Security overview - org-wide dashboards

Copilot Autofix - AI-suggested fixes for findings

11. Vulnerability Disclosure: Security Advisories

If you maintain an open-source project, GitHub provides a private workspace under Security > Advisories where maintainers can collaborate with reporters and an embargoed CVE can be coordinated, including a private fork for the patch. When ready, publishing the advisory updates the GitHub Advisory Database and propagates to Dependabot users.

12. Tying It All Together: A Hardened Repo Checklist

Production-Grade Repo Checklist

SECURITY.md with vulnerability disclosure policy
Branch protection / rulesets requiring CI + CODEOWNER review
Signed commits required on protected branches
Dependabot enabled for code, Actions, and Docker
CodeQL workflow on push + PR + weekly schedule
Secret scanning with push protection enabled
Actions pinned by SHA, with allow-list at org level
OIDC for all cloud deploys, zero long-lived secrets
Provenance attestations on every release artifact
SBOM export wired into the release workflow

Conclusion

GitHub has quietly become not just a code host but a full supply-chain platform: a multi-format registry, an automation engine, and a deep security toolkit, all wired together through events, identity, and a unified API. The three articles in this series mapped that surface, from the basic primitives of repositories and pull requests, through the automation layer of Actions and OIDC, to the security and packaging tier that protects what you ship. The result is that with relatively little YAML and a few well-chosen settings, even a small team can ship software with the kind of supply-chain assurance that used to require dedicated platforms and tooling teams. That accessibility - more than any single feature - is what makes GitHub the default home for modern software development today.