Changelog

Subscribe to all Changelog posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

CodeQL 2.18.1: Kotlin & Swift mobile support is generally available, TypeScript 5.5 support, C# build-mode: none public beta

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.18.1 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes by version include:

For a full list of changes, please refer to the complete changelog for versions 2.17.6, 2.18.0, and 2.18.1. All new functionality will be included in GHES 3.15. Users of GHES 3.14 or older can upgrade their CodeQL version.

See more

Copilot Enterprise Mixed Licensing beta

Today, we’re introducing the beta for Copilot Enterprise Mixed Licensing within an enterprise. This grants GitHub Enterprise Cloud customers greater flexibility in selecting the best Copilot plans for their needs. Now, you can set a Copilot plan at the organization level instead of at the enterprise level.

Try it out now

To update an organization’s Copilot plan, an Enterprise Admin should navigate to Copilot Settings for the enterprise and select the desired plan via the dropdown menu for each organization.

Enterprise Mixed Licensing Dropdown Menu

Learn more about Copilot Enterprise Mixed Licensing in our documentation here and let us know what you think via Discussions.

See more

Validation on package name when submitting a new GitHub security advisory (GHSA)

To make it easier to submit security advisories, GitHub now validates package names.

When submitting a new GHSA (GitHub Security Advisory) in a repository, the user is prompted to enter the ecosystem (e.g. npm, maven) and package name (e.g. webpack, lodash). Now, when they enter the name, there will be a validation message at the bottom of the form to confirm whether or not the package name they entered has been found in the ecosystem they specified.

To learn more about submitting advisories to our Advisory Database, check out our documentation here.

See more

Actions Usage Metrics is generally available

Actions Usage Metrics is now generally available for all GitHub Enterprise Cloud customers. Actions Usage Metrics enables you to view data about your Actions workflow runs throughout your organization. You can use this data to identify opportunities to optimize your pipelines and reduce wasted runtime minutes which, when addressed, can lead to faster runs and increased developer productivity. Actions Usage Metrics breaks down the utilization of workflows, jobs, source repositories, and operating systems for GitHub hosted runners and self-hosted runners. All of this data is available in the UI and can be exported and shared as a .csv file if you wish to integrate your usage data with internal or third party tools.

Actions Usage Metrics screen shot!

To learn more about Actions Usage Metrics, check out our docs or head to our community discussion to ask questions and provide feedback.

See more

Deprecation of enum field “detached” from the “get repositories associated with a code security configuration” endpoint

The enum field indicating a ‘detached’ status will be deprecated from the ‘Get repositories associated with a code security configuration’ endpoint.

The endpoint itself will remain.

We will replace the ‘detached’ status with a ‘removed’ status. We will also add an additional status of ‘removed_by_enterprise’ to indicate situations where enterprise level settings changes have caused an organization-level code security configuration to be removed from a repository.

This change ensures that the code security configurations API is more inline with the status filters in the UI.

See more

GitHub Private Mirrors App – Public Beta

Today, we’re releasing a beta version of an open source GitHub App that manages private mirrors of public upstream repositories. The Private Mirrors App (PMA) enables organizations with regulatory or policy code review requirements to conduct their reviews in private, before contributing changes upstream. The app manages the lifecycle and synchronization of these private mirrors and automatically configures rulesets to manage PRs made to the mirrors.

The main benefits of working on private mirrors through PMA are:

  • Branch protection rules can enforce PR reviews by people on particular teams to ensure proper signoffs
  • If commits include code/keys/docs that should not be made public, there’s the opportunity to remove them and squash merge without leaking history
  • Initial development can happen inside an Enterprise Managed Users (EMU) organization, whose users ordinarily can’t interact with public GitHub repos. Once the app syncs a change, the public fork and upstream PR use normal github.com identities.

If this is interesting to you, check out the Private Mirrors App repo. If you’ve got questions or feedback, feel free to file an issue in the repostitory or join the conversation in the GitHub Community Discussions.

See more

Copilot text completion for pull request descriptions beta

Enhance your pull request workflow: Copilot pull request text completion now in beta

Copilot text completion for pull request descriptions is now available to all Copilot Enterprise customers. After typing just a few characters, Copilot will suggest completions to finish your sentences, leveraging the context of the PR and linked issues to ensure highly accurate and relevant suggestions.

This feature is currently in beta. An enterprise or organization admin must enable beta features using the “Opt in to preview features” Copilot policy to access text completion.

animation of getting Copilot help writing a pull request description

How to enable text completion for your Enterprise

An enterprise admin can enable beta features using the Copilot policy.

screen grab of enterprise policy for enabling preview Copilot Enterprise features

For more information about policies for Copilot Enterprise, see the documentation.

Users can control the feature

This feature is on by default if you have a Copilot Enterprise seat and your organization has the “Opt in to preview features” policy enabled. Additionally, individual users have the ability to easily disable and reenable completions based on their personal preferences.

screen grab of user controlling text completion using the copilot menu in the pull request description

Learn more

To learn more, check the documentation for Copilot pull request text completion. This beta feature is subject to GitHub’s preview terms.

As always, we welcome any feedback on Copilot Enterprise in the discussion within GitHub Community.

See more

Enable secret scanning for non-provider patterns on repositories with the REST API

GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the repository level.

Non-provider patterns scans for token types from generic providers, like private keys, auth headers, and connection strings.

See more

Deprecation of API endpoint to enable or disable a security feature for an organization

Code security configurations were made generally available on July 10th, 2024. This experience replaces our old settings experience and its API.

If you are currently using the REST API endpoint to enable or disable a security feature for an organization, this endpoint is now considered deprecated.

It will continue to work for an additional year in the current version of the REST API before being removed in July of 2025. However, users should note this will conflict with the settings assigned in code security configurations if the configuration is unenforced. This may result in a code security configuration being unintentionally removed from a repository.

The endpoint will be removed entirely in the next version of the REST API.

To change the security settings for repositories, you can use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Send us your feedback!.

See more

Security overview dashboards, secret scanning metrics and enablement trends reports are now generally available

Today, we’re excited to announce the general availability of our new organization and enterprise-level security overview dashboards, alongside enhanced secret scanning metrics and the enablement trends reports. These features are designed to provide comprehensive insights, improved prioritization, and advanced filtering options to streamline your security improvements.

Code security insights

Organization-level overview dashboard on the security tab

Our new security overview dashboard, available at both the organization and enterprise levels, integrates security into the core of the development lifecycle. This empowers you to proactively identify and address vulnerabilities. Key features include:

  • Track security improvements: Monitor trends over time by age, severity, and security tool, simplifying prioritization with top 10 lists focused on repositories and advisories.
  • Autofix impact: Understand how autofix, powered by GitHub Copilot, is influencing your enterprise’s security remediation efforts.
  • Advanced filtering: Customize data focus with filters by attributes such as team, repository metadata (i.e., custom repository properties), and security tool-specific filters:
    • Dependabot: Filter by ecosystem, package, and dependency scope.
    • CodeQL/Third-Party: Filter by specific rules.
    • Secret Scanning: Filter by secret type, provider, push protection status, and validity.

Organization-level enablement trends report

Monitor the enablement trends of all security tools with detailed insights into the activation status of Dependabot alerts, Dependabot security updates, code scanning, secret scanning alerts, and secret scanning push protection, giving you at-a-glance oversight of your security coverage.

Push protection insights for secret scanning

Organization-level secret scanning metrics page

Gain insights into how push protection is functioning throughout your enterprise. Monitor the number of pushes containing secrets that have been successfully blocked, as well as instances where push protection was bypassed. Detailed insights by secret type, repository, and reasons for bypassing are also available.

To access these features, navigate to your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you wish to view. For organizations, click on the Security tab. For enterprises, click Code Security in the enterprise account sidebar.

These features are generally available on GitHub.com today and will be generally available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard, the secret scanning metrics report and the enablement trends report

See more

Code security configurations are supported in the audit log

GitHub Enterprise Cloud customers can now see code security configurations data in audit log events.

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings and helping you apply those settings to groups of repositories. Configurations help you change the settings for important features like code scanning, secret scanning, and Dependabot.

With the addition of configurations data in the audit log, organization and enterprise owners have easy visibility into why the settings on certain repositories may have changed.

Audit log events now include:
– Name of the configuration applied to a repository
– When the configuration application fails
– When a configuration is removed from a repository
– When configurations are created, updated, or deleted
– When configurations become enforced
– When the default configuration for new repositories changes

Code security configurations are now available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about code security configurations or send us your feedback.

See more

Code security configurations API now includes validity checks, enforcement, and removal

The REST API now supports the following code security configuration actions for organizations:
Detach configurations from repositories
Enforce configurations
Enable validity checks for secret scanning in a configuration

The API is now available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

See more

Secret scanning detects generic passwords with AI (public beta)

Secret scanning now detects generic passwords using AI. Passwords are difficult to find with custom patterns — the AI-powered detection offers greater precision for unstructured credentials that can cause security breaches if exposed.

Passwords found in git content will create a secret scanning alert in a separate tab from regular alerts. Passwords will not be detected in non-git content, like GitHub Issues or pull requests, and are not included in push protection. Password detection is backed by the Copilot API and is available for all repositories with a GitHub Advanced Security license. You do not need a Copilot license to enable generic secret detection.

To start detecting passwords, select “Use AI detection to find additional secrets” within your code security and analysis settings at the repository level, or the code security global settings at the organization level.

See more

Filter repositories by configuration attachment failure reason in the code security configurations UI

Organization owners and security managers can now filter the table of repositories on the code security configurations settings page by configuration attachment failure reason.

This is useful when you’ve attempted to attach a code security configuration to many repositories at the same time, and some have failed. The reason for the failure is also now listed in the row with the repository name.

Use the search bar to filter by failure-reason: and then insert one of the following options:
actions_disabled – When you are attempting to rollout default setup for code scanning, but the repository does not have Actions enabled on it.
code_scanning – When you are attempting to rollout default setup for code scanning, but the repository already has advanced setup for code scanning.
enterprise_policy – When the enterprise does not permit GitHub Advanced Security to be enabled in this organization.
not_enough_licenses – When enabling advanced security on these repositories would exceed your seat allowance.
not_purchased – When you are attempting to rollout a configuration with GitHub Advanced Security features, but GitHub Advanced Security has not been purchased.
unknown – When something unexpected occurred.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

See more

Secret scanning AI-generated custom patterns (general availability)

Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

Generally available as of today, you can now leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

Defining custom patterns is now simpler and more efficient. You can leverage AI to generate patterns via text input — without expert knowledge in regular expressions.

With secret scanning, you can create your own custom detectors by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. You should still review this input and carefully validate performance of results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

All GitHub Advanced Security customers on GitHub Enterprise Cloud can use the regular expression generator today. Anyone able to define custom patterns is able to use the regular expression generator (e.g. any admin at the repository, organization, or enterprise levels). You do not need a GitHub Copilot license to use the regular expression generator.

Learn more about the regular expression generator or how to define your own custom patterns.

See more

AI-powered autofixes for historical CodeQL alerts are now in public beta

Code scanning autofix for alerts in default branch is now available in public beta for all GitHub Advanced Security customers. This feature empowers developers to reduce the time and effort spent remediating existing alerts and reduce the number of vulnerabilities in the code base.

Powered by GitHub Copilot, code scanning generates fixes for alerts in all CodeQL supported languages.

Example autofix page for a Missing regular expression anchor vulnerability detected with CodeQL

With code scanning autofix, you can reduce security debt by generating fixes for alerts that are detected on the main or default branches of your repository. On the alert pages where autofix is available, press the ‘Generate fix’ button to get a natural language explanation of the suggested fix, along with a preview of the code suggestion. You can accept the fix by creating a PR with the fix and even edit the fix as part of the PR flow. These code suggestions can include changes to multiple files, and where needed, autofix may also add or modify dependencies.

Example of the autofix generation process, showing the Generate fix button

Code scanning autofix is automatically enabled on private repositories for all GitHub Advanced Security customers.

You can configure code scanning autofix for a repository or organisation. You can also use ‘Policies for Code security and analysis’ to allow autofix for CodeQL code scanning for an enterprise.

Enterprise level settings view of Autofix for CodeQL

The fix generation for any given alert depends on the context and location of the alert. In some cases, code scanning won’t display a fix suggestion for an alert if the suggested code change fails syntax tests or safety filtering.

You do not need a Copilot license to use autofix for existing alerts. For more information, see About code scanning autofix.

Provide feedback for code scanning autofix here.

See more

Sunset Notice – npm Hooks API Endpoints

Starting today, we are deprecating npm hooks services and they might no longer be functional, including current hooks subscriptions. This deprecation includes npm hooks API Endpoints and its related cli npm hook command. Users should expect the API Endpoints to respond with a deprecation message. The npm cli will no longer be able to add new hooks using the npm registry.

The npm hooks services were launched as Beta in 2016 so users could use the endpoints to be notified of changes in the npm packages, owners, or scopes. The service never achieved a full GA maturity. We are sunsetting the hooks services in favor of our ongoing investments for the npm platform, including high quality standards on the maintenance of our other existing services.

See more

Audit log streaming can now be configured via GitHub’s REST API – Private Beta

Enterprise Owners on GitHub Enterprise Cloud (GHEC) can join a private beta allowing them to configure audit log streaming via the REST API. This private beta grants access to new API endpoints for the following audit log streaming actions:

  • GET Endpoint Configuration: Retrieve the audit log streaming configuration for your Enterprise.
  • Stream Key Endpoint: Provide the customer with an audit streaming key. This key is essential for our customers to encrypt their secrets before sending them via an API call.
  • POST Endpoint: Create new audit log stream configurations.
  • PUT Endpoint: Update existing audit log stream configurations.
  • DELETE Endpoint: Delete existing audit log stream configurations.

With the introduction of these new REST API endpoints, enterprise owners can programmatically create, update, delete and list their Enterprise’s audit log streams. By allowing programmatic updates to the audit log streaming configuration, customers can automate tasks like rotating your audit log streaming secrets.

These new audit log streaming endpoints will impose a rate limit of 15 API requests per hour to protect the availability of the audit log streaming service. For the time being, these endpoints are only accessible via personal access token (PAT) classic and OAuth token with admin:enterprise scope.

Enterprise owners interested in participating in the private beta should reach out to your GitHub account manager or contact our sales team to have this feature enabled for your enterprise. Enterprise owners can follow instructions for these API endpoints, and provide feedback on their experience on our community discussion.

See more

Pre-defined organization roles that grant access to all repositories

Organization owners can now grant a user or team access to all of the repositories in their org with a single click. Five new pre-defined roles have been added to the organization settings, under Organization Roles > Role Management, where all organization owners can view and assign them.

Pre-defined roles ship natively with GitHub. We will add more pre-defined roles over time that support common personas like “CI/CD Admin” or “Security Manager”.

A screenshot showing the five new roles in the organization settings

Introducing pre-defined roles and organization-wide repository permissioning

These five new roles showcase an expansion of organization roles – the ability to also include repository-level base roles (like read) and permissions (like close issue). When granted, the recipient has those privileges on all of the repositories in the organization, current and future. While organization owners cannot yet create organization roles that include repository permissions, that will be supported in the coming months.

A screenshot of the Triage role expanded to show the repository permissions included in the role

This new functionality of organization roles helps organizations replace automation that watches for new repository creation and adds the right users or team to every repository.

UI updates to show role assignments

When users and teams are assigned access across all repositories, this is called out in the team and repository view rather than list all of the accesses.

A screenshot showing that this team has access to all of the repositories in the organization. Below it is a listing of the repositories that the team has been given specific access to.

In addition, the Roles Management view in the organization settings has been updated to show indirect assignments – these are roles that a user or team recieves due to a team that they are a member of. This provides a full accounting of all organization roles that a user or team has within the organization.

A screenshot showing a user that has been granted two roles. One is directly assigned, and has a remove button on the right hand side of the row. The other is indirectly assigned via a team named org-member-parent-team, and does not have a remove option.

The APIs for organization role management have been updated to support these pre-defined roles. You’ll find a base_role field in the description of the organization role, which is the repository role (like read) that is included in the organization role.

You can learn more about organization roles at “Using organization roles“.

See more

Dependabot migration to GitHub Actions for Enterprise Cloud and Free, Pro, and Teams accounts with Actions enabled

Over the next few weeks, jobs generating Dependabot pull requests will start running as GitHub Actions workflows on Github.com accounts with GitHub Actions enabled. This migration will include faster Dependabot runs, increased troubleshooting visibility, self-hosted runner support, and other performance and feature benefits. No additional steps are required, and you should not experience service disruptions during the migration. By the beginning of September, repositories with GitHub Actions enabled should expect to see the jobs that generate Dependabot pull requests run as GitHub Actions workflows.

Running Dependabot does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone.

Are you so excited for the Dependabot performance benefits that you want to get started today? You can optionally enroll your repositories and/or organizations before the migration begins! Get started by opting in to run Dependabot PR jobs as GitHub Actions workflows here.

If your organization has disabled GitHub Actions by policy, Dependabot will continue to run on the legacy compute provider. If you want to use Dependabot on GitHub Actions, an organization administrator must update your configuration before opting in to run Dependabot on GitHub Actions.

Check out our docs to learn more about Dependabot on GitHub Actions. For additional information, check out our blog post or previous changelog.

See more
View more changes