GitHub security features: highlights from 2020

It’s been …a year. Nonetheless, while you were busy homeschooling, baking, or well, working longer hours, so were we, and we’ve made huge advances in our security products at GitHub. Here are some highlights from GitHub security from 2020:

Code scanning with CodeQL provides a security review with every Git push

Code scanning scans your code for security issues as you write it and integrates the results natively into the developer workflow. You can schedule security analysis to run on every push, every pull request on a schedule, or ad hoc. It leverages GitHub’s CodeQL analysis engine, which traces data flows through your application to identify vulnerabilities. That way, you can find security issues deep in your code, like SQL injection, cross-site scripting and remote code execution. We’ve also integrated over a dozen partner tools to allow you to use the tools you want, right inside GitHub, including for static analysis, developer security training, infrastructure as code, and container scanning.

Since the beta launch in early 2020, we’ve added an API for code scanning results, added support for third-party CI/CD tools, and made code scanning generally available on GitHub Enterprise Cloud, and will do the same in GitHub Enterprise Server 3.0.

We’ve also continued to improve the CodeQL engine to make the code scanning analysis faster and better. For example, compiled CodeQL queries now take 90% less space, and we’ve improved our support for libraries and frameworks for all languages. The VS Code extension for writing and running CodeQL queries now has an AST viewer and jump-to-definition. Oh, and we contributed to the OpenSSF CVE Benchmark project, which is now open source!

Secret scanning scans for a dozen new types of tokens, as well as private repositories and zip archives

Secret scanning watches your repositories for known secret formats. For public repos, we were already notifying providers that your secrets were leaked, and this year, we introduced secret scanning for private repos to notify you when you need to rotate a secret. We launched secret scanning for private repos to beta on GitHub Enterprise Cloud, and will release beta in GitHub Enterprise Server 3.0. Since then, we’ve added an API giving you the ability to more easily resolve secret scanning results.

We added detectors for tokens from new partners including Adafruit, Samsara, Shopify, MessageBird, Dynatrace, SSLMate, Frame.io, Clojars, Mailchimp, Finicity, Plivo, and Doppler to round out the year with 33 token scanning partners. We also added the ability to scan for tokens inside ZIP files.

Dependabot keeps your dependencies secure and up to date

Dependabot version updates are automated pull requests that keep your dependencies updated, even when they don’t have any vulnerabilities. Regularly updating your dependencies means you know you can actually update when it matters, like when there is a vulnerability. To enable version updates, check a dependabot.yml configuration file into your repository.

Since the beta, we’ve added support for Actions workflows, Ruby (bundler) vendoring, golang vendoring, and dependencies in your private git repositories.

What if you are responding to a vulnerability? Dependabot alerts and Dependabot security updates notify you and suggest automated fixes for vulnerable dependencies. You can now assign a team to review Dependabot pull requests, get clearer error messages as to why an update isn’t possible, and receive fewer notifications by only sending you notifications for high and critical severity vulnerabilities—to let you focus on those that matter most.

Dependency review helps you prevent vulnerable dependencies from being introduced

Dependency review allows you to easily understand your dependencies before you introduce them to your environment. As part of a pull request, you can see what dependencies you’re introducing, changing, or removing, and information about their vulnerabilities, age, usage, and license. Dependency review is available in beta to all public repositories, and to Advanced Security customers on GitHub Enterprise Cloud.

GitHub Advisory Database now includes all npm advisories

The GitHub Advisory Database contains a curated list of security vulnerabilities from maintainers as well as third party sources like the National Vulnerability Database. After GitHub’s acquisition of npm, we also ingested all npm advisory information, giving you a single source of truth for advisory information across your ecosystems.

For maintainers, it’s easier than ever to file a security advisory for your repository and get a CVE. You can now maintain edit history for an advisory and give credit where credit is due to those who helped find the issue.

Turn on all the things!

To make it easier to use these new security features, we also simplified enablement at the repo level, and made it possible for you to enable features at the organization level across repositories. Keep your days merry and bright by enabling these security features, and watch your repo light up like a Christmas tree to keep the holiday spirit alive. The best gift of all is the vulnerability you find before it becomes a problem.

Dependency graph, Dependabot alerts, Dependabot security updates, and Dependabot version updates are free tools to help you keep your environment secure. Code scanning, secret scanning, and dependency review are free for public repositories and part of GitHub Advanced Security for GitHub Enterprise customers. Learn more about GitHub’s security features.

To keep up to date with the latest security features and releases, follow the GitHub Changelog. Also, to get a glimpse of what’s coming next, check out the GitHub public roadmap.