Skip to main content
A GitHub Security Campaign is a time-bound effort to find, fix, and prevent vulnerabilities across multiple repositories. Endor Labs and GitHub Advanced Security (GHAS) turn findings into coordinated fixes that keep developers working in GitHub. This approach works well when projects share vulnerable dependencies or when your organization faces compliance deadlines. Endor Labs generates vulnerability findings in SARIF format. Upload the SARIF output to GitHub Advanced Security manually or with a configured GHAS exporter. After import, these findings become actionable alerts that help developers triage, fix, and track vulnerabilities without leaving their familiar environment. The security campaign allows organizations to:
  • Target a specific class of vulnerabilities, for example Log4j, or CVE-2024-xyz.
  • Drive dependency upgrades and security fixes across all affected repositories.
  • Address secrets detection and SAST findings alongside for comprehensive security remediation.
  • Enforce consistent remediation timelines and accountability across teams.
  • Monitor reduction in overall security debt using both GitHub’s campaign dashboard and Endor Labs analytics.
Ensure you have deployed Endor Labs and enabled GitHub Advanced Security before creating a security campaign.

Create and manage a security campaign

Use GitHub Security Campaigns to coordinate large-scale remediation by importing Endor Labs findings.
  1. Run a scan with Endor Labs to generate vulnerability findings in SARIF format and upload them to GitHub Advanced Security. See SARIF output format for detailed information on generating, customizing, and uploading SARIF files.
    Automatic SARIF uploadConfigure Endor Labs GitHub App (Pro) with a GHAS SARIF exporter to automatically upload findings to GitHub after each scan. See Export findings to GitHub Advanced Security for setup instructions.
  2. In GitHub, navigate to Security > Campaigns > New Campaign to define your campaign parameters. Refer to security campaign guide for more information on GitHub’s campaign features and configuration options.
  3. Define the scope of your campaign.
    • Organization-wide: Apply the campaign across all repositories in your organization.
    • Selected repositories: Target specific repositories affected by the vulnerability class.
    • Teams or projects: Scope by team ownership or project grouping.
  4. Specify a clear focus area of the campaign that aligns with your security requirements. For example, remediating Log4j vulnerabilities across Java projects, or upgrading vulnerable npm packages to secure versions.
  5. Define campaign objectives with clear remediation timelines. For example, close 80% of critical dependency vulnerabilities within 30 days, or fully remediate exposed secrets within 10 days.
  6. Monitor campaign metrics in GitHub, including percentage of vulnerabilities remediated, active versus resolved alerts, and repository-level completion.

Best practices

Security campaigns help you fix alerts at scale and build developer security knowledge. Follow these practices for successful campaigns.

Plan and prioritize alerts strategically

Select a related group of security alerts for remediation rather than attempting to fix all alerts at once. For organizations building secure coding knowledge, prioritize alerts that can serve as learning opportunities. Use Endor Labs’ reachability analysis and severity scoring to identify high-impact vulnerabilities.
  • Focus on reachable vulnerabilities where the vulnerable code is actually used in execution paths.
  • Filter by exploitability score, CVE severity, or policy violation type.
  • Use Endor Labs Dependency Graph to visualize transitive relationships and focus on the most impactful fixes.
You can tag repositories with metadata such as critical, frontend, or backend in Endor Labs and scope your campaign accordingly. Exclude inactive or archived repositories to focus efforts where they matter most.

Provide educational resources

Include links to relevant educational materials in the campaign description to help developers understand and remediate vulnerabilities effectively, such as OWASP references, secure secrets management guides, or internal upgrade instructions.

Enable AI assistance for faster remediation

Leverage AI-powered tools to accelerate remediation while maintaining code quality:
  • Use GitHub Copilot Autofix to suggest fixes for code scanning alerts automatically, reducing manual effort.
  • Make GitHub Copilot Chat available for developers to ask questions about vulnerabilities, testing, and secure coding best practices.
  • Enable Endor Labs automated remediation PRs to create pull requests with updated dependency versions, vulnerability references (CVE IDs, severity, reachability), and compatibility checks.

Assign and support campaign managers

Campaign managers play a critical role in maintaining momentum and ensuring developers have the support they need to succeed. Campaign managers should:
  • Review PRs, provide guidance, and maintain consistent communication.
  • Provide a contact link for questions and collaboration.
  • Monitor progress and provide support where needed to ensure sustained engagement.
  • Help resolve complex or unclear fixes through open communication with developers.

Define realistic deadlines

Set timelines according to issue complexity and remediation scope. Simple dependency upgrades require minimal validation, whereas compatibility or architectural fixes need extended testing and integration checks. Align campaigns with sprint cycles or release milestones. Iterative, focused campaigns lead to more predictable outcomes and better code quality.

Track progress and engagement

Monitor campaign performance through GitHub dashboards. Track remediation percentage, active versus resolved alerts, repository-level progress, and time-to-fix metrics. Use GitHub Issues for task tracking and developer communication.
Use GitHub labels such as security-campaign-q4 or log4j-remediation on issues and pull requests to enable easy filtering and audit tracking across repositories.

Log4j vulnerability remediation example

Scenario: A critical Log4j vulnerability affects multiple Java microservices across the organization. Campaign execution:
  1. Export a SARIF file containing all dependency vulnerabilities from Endor Labs.
  2. Upload the SARIF file to GitHub to populate alerts across affected repositories.
  3. Create a security campaign titled “Fix outdated Log4j dependencies across all repos”.
  4. Assign the campaign to the Java development team with a 30-day remediation deadline.
  5. Developers fix vulnerabilities directly in GitHub by updating affected dependencies.
  6. The security team monitors campaign progress in GitHub until developers resolve 85% of alerts, then closes the campaign.
Outcome: The organization remediates 85% of Log4j-related vulnerabilities within 30 days, improving dependency security posture and reducing exposure to known CVEs.

FAQs

Yes. Security campaigns work with both public and private repositories. For private repositories, turn on GitHub Advanced Security and grant the Endor Labs GitHub App the permissions it needs.
GitHub’s campaign filters and Endor Labs’ vulnerability data determine which alerts appear in a campaign. Use Endor Labs’ reachability analysis to prioritize alerts where vulnerable code is actively used in execution paths.
GitHub permits a maximum of 10 active campaigns, each with up to 1,000 alerts. You can prioritise active repositories, target specific vulnerability types, close completed campaigns swiftly, and run campaigns sequentially or split them into focused initiatives
Yes. You can run multiple campaign types simultaneously, such as dependency remediation, secrets rotation, and license compliance. Each campaign can target different repositories, teams, or vulnerability classes.
GitHub Security Campaigns integrate with GitHub Issues, GitHub Actions, Slack, Jira, and Endor Labs. You can export Campaign data to business intelligence tools and internal reporting dashboards