Secret scanning for private repositories is generally available!

April 1, 2021

Secret scanning for private repositories is now generally available for all GitHub Advanced Security customers on GitHub Enterprise Cloud. Since announcing the beta last year, we've:

Expanded our pattern coverage from 24 partners to 37
Added an API and webhooks
Added notifications for commit authors when they commit secrets
Updated the index view to made it easy to triage secrets in bulk
Reduced the false positive rate on many patterns

We have lots more improvements planned for secret scanning, including support for custom patterns in June.

Learn more about secret scanning
Learn more about GitHub Advanced Security

Authentication token format updates are generally available

March 31, 2021

As we announced previously, the format of GitHub authentication tokens has changed. The following token types are affected:

If you use any of these tokens, we encourage you to reset them now. This will give you additional security benefits and allow Secret Scanning to detect the tokens.

Notably, the token formats now include the following updates:

The character set changed from [a-f0-9] to [A-Za-z0-9_]
The format now includes a prefix for each token type:
- ghp_ for Personal Access Tokens
- gho_ for OAuth Access tokens
- ghu_ for GitHub App user-to-server tokens
- ghs_ for GitHub App server-to-server tokens
- ghr_ for GitHub App refresh tokens

The length of our tokens is remaining the same for now. However, GitHub tokens will likely increase in length in future updates, so integrators should plan to support tokens up to 255 characters after June 1, 2021.

See more See more

Dependabot version updates are now generally available!

March 31, 2021

Millions of repos use Dependabot to keep their dependencies up to date, either by updating when a Dependabot alert lets them know about a vulnerable dependency (security updates), or on a fixed schedule (version updates). Dependabot security updates have been generally available for over a year, and it's time that version updates join them in general availability.

Dependabot version updates extend the functionality provided by security updates by creating pull requests updating all configured dependencies to their latest versions, staying ahead of potential security vulnerabilities. You can configure it to update selected ecosystems on your schedule, including or excluding desired dependencies.

Thanks to all Dependabot users who have filed issues, provided feedback, and helped us achieve this milestone.

Learn more about Dependabot version updates.

To see what's next for Dependabot, visit the public roadmap.

See more See more

View all changes