Open an issue: gh issue create --title 'Bug' --body 'Description'. Create a Project Board: GitHub → Projects → New Project. Automate: use issue templates, labels, and project workflows.
✦ Definition~90s read
What is GitHub Issues and Projects?
GitHub Issues tracks bugs, features, and tasks. GitHub Projects provides a Kanban-style board to organize and prioritize issues across repositories. Together they form GitHub's built-in project management system.
★
GitHub Issues is like a communal to-do list for your codebase.
Plain-English First
GitHub Issues is like a communal to-do list for your codebase. Anyone can add a card ('the login button is broken'), assign it to someone, label it ('bug', 'urgent'), and discuss the fix. GitHub Projects is a bulletin board where you move these cards through columns: 'To Do' → 'In Progress' → 'Done'. Together they turn chaos (random bug reports in Slack) into a structured workflow that the whole team can see.
⚙ Browser compatibility
Latest versions — ✓ supported
Chrome
Firefox
Safari
Edge
✓
✓
✓
✓
Every team has a Slack channel where bugs get reported. And lost. GitHub Issues solves this by putting every bug, feature request, and task in a searchable, assignable, labeled database tied directly to the code. GitHub Projects adds prioritization and workflow tracking. The combination is powerful enough for many teams to replace Jira entirely. This guide covers issue templates, labels, project boards with automation, and the incident where a missing triage process led to a 6-month-old security issue becoming a production breach.
Setting Up Issue Templates and Project Boards
Issue templates standardize how bugs and features are reported. Create .github/ISSUE_TEMPLATE/bug_report.md with YAML front matter and markdown fields. GitHub shows templates as a chooser when someone opens a new issue.
Labels categorize issues:bug, enhancement, security, good first issue, help wanted. GitHub auto-labels can be configured via .github/labels.yml.
Projects boards track workflow: create one at GitHub → Projects. Link to repositories. Columns by default: 'To Do', 'In Progress', 'Done'. Add custom columns for your workflow. Automation rules move cards between columns: 'When issue is closed → move to Done', 'When PR is opened → move to In Progress'.
01_issues_setup.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Create an issue via CLI
gh issue create --title 'Fix login redirect' \
--body '## Steps to reproduce
1. Go to /login
2. Log in with valid credentials
3. Page redirects to /404 instead of /dashboard' \
--label bug --assignee @me
# List issues
gh issue list --label bug
# View issue details
gh issue view 42
# Close an issue
github issue close 42
# Create a project from CLI (via gh extension)
# gh project create owner/org --title 'Sprint 24' --template 'Basic Kanban'
Output
Opening github.com/owner/repo/issues/new with template chooser...
Showing 5 of 5 open issues matching 'bug'
#42 Fix login redirect (bug) about 2 hours ago
#38 Broken image upload (bug) about 3 days ago
Use GitHub Issue Forms for Structured Reports
GitHub Issue Forms (YAML-based) create UI forms with text inputs, dropdowns, and checkboxes. They enforce required fields and produce consistently formatted issues. More structured than markdown templates. Create .github/ISSUE_TEMPLATE/config.yml and form YAML files.
Production Insight
Critical: set up a 'security' label with auto-notification. Use GitHub's code security tab to enable Dependabot alerts, secret scanning, and code scanning. These auto-file issues for vulnerabilities. Connect your project board to CI: failing tests can auto-create issues, deploy success can auto-close the 'Deploy' tracking issue.
Key Takeaway
Issue templates standardize reports. Labels enable triage and filtering. Project boards with automation replace manual Kanban. Security issues need a separate pipeline with SLA. Automate issue creation from CI and security alerts.
● Production incidentPOST-MORTEMseverity: high
The Security Issue That Sat in the Backlog for 6 Months
Symptom
A security researcher filed a critical XSS vulnerability via GitHub Issues. The issue had no assignee, no label, no priority. It sat in the default 'Issues' list for 6 months. An attacker exploited the same vulnerability. The breach was traced to the unfiled issue.
Assumption
The team assumed 'critical' issues would naturally get attention. They had no triage process, no labels, no project board.
Root cause
1. A security researcher opened an issue describing an XSS vulnerability with a proof of concept. 2. No one was assigned (GitHub doesn't auto-assign). 3. No label was added (no label convention existed). 4. The issue fell off the first page of the issue list within a week. 5. 6 months later, the vulnerability was exploited in production. 6. During the postmortem, the 6-month-old issue was found — with all the information needed to prevent the breach.
Fix
1. Fixed the XSS vulnerability immediately. 2. Created issue templates with required fields: severity, steps to reproduce, affected versions. 3. Set up label automation: issues filed via security template get 'security' label automatically. 4. Created a 'Security Triage' project board with auto-add from the security label. 5. Assigned a rotating security reviewer to triage the board weekly. 6. Configured GitHub's 'code security' alerts to auto-file issues for dependency vulnerabilities.
Key lesson
Every issue needs a triage process: labels, project board, assignee rotation.
Security issues need a separate triage pipeline with SLA.
Use issue templates with required fields.
Automate labeling and project board placement.
Production debug guideUse this when production is on fire3 entries
Symptom · 01
Need to report a bug
→
Fix
Open an issue with a clear title, steps to reproduce, expected vs actual behavior
Symptom · 02
Need to organize issues into a workflow
→
Fix
Create a GitHub Project with columns: Backlog, To Do, In Progress, Review, Done
Symptom · 03
Need to automate issue triage
→
Fix
Use issue templates, label automation rules, and project board workflows
Key takeaways
1
Issue templates enforce consistent bug reports
2
Labels + project boards enable structured triage
3
Automation
auto-label, auto-assign, auto-move between columns
4
Security issues need their own triage pipeline with SLA