Collaborating in a temporary private fork to resolve a security vulnerability

You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.

Note: Maintainer security advisories are currently in public beta and subject to change.

Before you can collaborate in a temporary private fork, you must create a maintainer security advisory. For more information, see "Creating a maintainer security advisory."

To keep information about vulnerabilities secure, integrations, including CI, cannot access temporary private forks.

Creating a temporary private fork

Anyone with admin permissions to a security advisory can create a temporary private fork.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

  3. In the left sidebar, click Advisories.

  4. In the "Security Advisories" list, click the advisory you'd like to create a temporary private fork in.

  5. Click New temporary private fork.

Adding changes to a temporary private fork

Anyone with write permissions to a security advisory can add changes to a temporary private fork.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

  3. In the left sidebar, click Advisories.

  4. In the "Security Advisories" list, click the advisory you'd like to add changes to.

  5. Add your changes on GitHub or locally:

Creating a pull request from a temporary private fork

Anyone with write permissions to a security advisory can create a pull request from a temporary private fork.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

  3. In the left sidebar, click Advisories.

  4. In the "Security Advisories" list, click the advisory you'd like to create a pull request in.

  5. To the right of your branch name, click Compare & pull request.

  6. Type a title and description for your pull request.

  7. To create a pull request that is ready for review, click Create Pull Request. To create a draft pull request, use the drop-down and select Create Draft Pull Request, then click Draft Pull Request. For more information about draft pull requests, see "About pull requests."

You cannot merge individual pull requests in a temporary private fork. Instead, you merge all open pull requests at once, in the corresponding advisory. For more information, see "Merging changes in an advisory."

Merging changes in an advisory

Anyone with admin permissions to a security advisory can merge changes in an advisory.

You cannot merge individual pull requests in a temporary private fork. Instead, you merge all open pull requests at once, in the corresponding advisory.

Before you can merge changes in an advisory, every open pull request in the temporary private fork must be mergeable. There can be no merge conflicts, and branch protection requirements must be satisfied. To keep information about vulnerabilities secure, status checks do not run on pull requests in temporary private forks. For more information, see "About protected branches."
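
Because status checks do not run in the temporary private fork and every open pull request must be conflict-free, a local pre-merge check is useful. The script below is an added example, not part of GitHub's documentation. It assumes a local clone that already contains the base branch and each fix branch, that merging the branches one after another approximates merging them together, and that `TEST_CMD` (a hypothetical variable) holds your project's test command.

```shell
#!/bin/sh
# Added example: local pre-merge check for an advisory's fix branches.
# Assumptions: run inside a local clone containing the base branch and every
# fix branch; branch names and TEST_CMD are placeholders you supply.

# check_advisory_branches BASE BRANCH...
# Exit status: 0 = all branches merge cleanly onto BASE (applied one after
# another) and TEST_CMD, if set, passes; 1 = merge conflict; 2 = setup
# error; 3 = tests failed on the merged result.
check_advisory_branches() (
  base="$1"; shift
  tmp="$(mktemp -d)" || exit 2
  wt="$tmp/merge-check"
  # Detached scratch worktree: your branches and checkout stay untouched.
  if ! git worktree add --detach "$wt" "$base" >/dev/null 2>&1; then
    rmdir "$tmp"; exit 2
  fi
  rc=0
  for b in "$@"; do
    if git -C "$wt" -c user.name=precheck -c user.email=precheck@example.invalid \
        merge --no-ff --no-edit "$b" >/dev/null 2>&1; then
      echo "ok: $b"
    else
      echo "CONFLICT: $b does not merge cleanly" >&2
      git -C "$wt" diff --name-only --diff-filter=U >&2
      rc=1; break
    fi
  done
  # Status checks do not run in the fork, so run the tests here instead.
  if [ "$rc" -eq 0 ] && [ -n "${TEST_CMD:-}" ]; then
    ( cd "$wt" && sh -c "$TEST_CMD" ) || { echo "tests failed on merged result" >&2; rc=3; }
  fi
  git worktree remove --force "$wt"
  rmdir "$tmp"
  exit "$rc"
)
```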

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

  3. In the left sidebar, click Advisories.

  4. In the "Security Advisories" list, click the advisory with changes you'd like to merge.

  5. To merge all open pull requests in the temporary private fork, click Merge pull requests.

After you merge changes in an advisory, you can publish the advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "Publishing a maintainer security advisory."
