GitHub uses your repository's data to connect you to relevant tools, people, projects, and information.
GitHub aggregates metadata and parses content patterns for the purposes of delivering generalized insights within the product. It uses data from public repositories, and also uses metadata and aggregate data from private repositories when a repository's owner has chosen to share the data with GitHub through an opt-in. If you opt a private repository into data use, then it will perform read-only analysis of that specific private repository.
If you opt in to data use, we will continue to treat your private data, source code, or trade secrets as confidential and private consistent with our Terms of Service. The information we learn only comes from aggregated data. For more information, see "Opting into or out of data use for your private repository."
We'll announce substantial new features that use metadata or aggregate data on the GitHub blog.
How data improves security recommendations
As an example of how your data might be used, we can detect and alert you to a security vulnerability in your public repository's dependencies. For more information, see "About security alerts for vulnerable dependencies."
To detect potential security vulnerabilities, GitHub scans the contents of your dependency manifest file to draw a list of your project's dependencies.
GitHub also learns from changes you make to your dependency manifest. For example, if you upgrade a vulnerable dependency to a safe version after getting a security alert and others do the same, GitHub learns how to patch the vulnerability and can recommend a similar patch to affected repos.
Privacy and data sharing
Private repository data is scanned by machine and never read by GitHub staff. Human eyes will never see the contents of your private repositories, except as described in our Terms of Service.
Your individual personal or repository data will not be shared with third parties. We may share aggregate data learned from our analysis with our partners.