Code scanning adds beta support for Ruby

Ruby is the 10th most popular language within the open source community. To help more open source maintainers and organizations find potential vulnerabilities in their code, we’ve added Ruby support (beta) to the CodeQL engine that powers GitHub code scanning.

Our CodeQL analysis identifies security issues in your code, along with the flow of data to the vulnerable location. To help secure services and tools created with Ruby, the CodeQL beta release spots many of the most common security issues:

We’ve been putting this beta through its paces by analyzing some of the world's largest Ruby codebases at GitHub and select customers. The feedback has been overwhelmingly positive, and in many cases CodeQL identified real vulnerabilities, all while keeping the number of false-positives at a minimum.

CodeQL for Ruby is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code starting today. It will also be included in GitHub Enterprise Server 3.4. Ruby joins the list of supported CodeQL languages, which also includes C/C++, C#, Java, JavaScript/TypeScript, Python, and Go.

We currently support all common Ruby versions, up to and including 3.0.2. Check out the documentation for more details on compatibility.

To start using the new Ruby analysis, simply update your existing workflow file by adding Ruby to the language matrix:

jobs:
  analyze:
    name: Analyze
    ...
    strategy:
      fail-fast: false
      matrix:
        # add 'ruby' to the list of languages already analyzed here
        language: ['ruby']

If you’re new to code scanning, set up a CodeQL analysis workflow from the Security tab in your repository.

Want to contribute or write your own CodeQL queries for Ruby? This guide will help you get started.

To give us feedback, join the Ruby beta discussion in the public CodeQL repository, which is also a good place to ask questions about anything CodeQL.

GitHub Actions now supports OpenID Connect (OIDC) for secure deployments to the cloud, using short-lived tokens that are automatically rotated for each deployment.
This enables:

  • Seamless authentication between Cloud Providers and GitHub without the need for storing any long-lived cloud secrets in GitHub
  • Cloud Admins can rely on the security mechanisms of their cloud provider to ensure that GitHub Actions workflows get the minimal access for cloud resources. There is no duplication of secret management in GitHub and the cloud.

How this works:

  1. Developers set up OIDC trust on their cloud roles to manage access between their deployment workflows and cloud resources.
  2. In each deployment, the GitHub Actions workflow presents an autogenerated OIDC JWT to the cloud provider.
  3. The cloud provider validates the claims in the OIDC token against the cloud role definition and issues a cloud access token that can connect and deploy to the cloud only during the workflow run.
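The claim check in step 3 is where the security of this flow is decided: the role's trust conditions decide which workflow runs may exchange their token for cloud credentials. The following is an added illustration, not GitHub's or any cloud provider's code. It models the condition semantics on AWS IAM trust-policy operators (StringEquals, and StringLike with '*' and '?' wildcards) but keys conditions by bare claim name, whereas AWS keys them as `token.actions.githubusercontent.com:sub`; the token payloads are constructed samples using the claim names GitHub's OIDC tokens carry (iss, aud, sub, repository, ref, exp), and the org and repository names are placeholders. It contrasts a tight policy pinned to one branch of one repository with a loose one whose trailing wildcard also admits pull_request runs.

```python
"""Model of the claim check a cloud provider performs on a GitHub Actions
OIDC token before issuing a short-lived cloud access token.

Added illustration, not GitHub's or any cloud provider's code. Condition
semantics follow AWS IAM trust-policy operators; claim names are bare here
(AWS prefixes them with the issuer host). Token payloads are constructed
samples; a real token is a signed JWT whose signature is verified first.
"""
from __future__ import annotations

import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def _string_like(pattern: str, value: str) -> bool:
    """AWS-style StringLike: '*' matches any run, '?' matches one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def evaluate_trust(policy: dict, claims: dict, now: float) -> tuple[bool, str]:
    """Return (allowed, reason). Issuer and expiry are checked first; then
    every condition in the policy must hold (conditions are ANDed)."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    for operator, conditions in policy.get("Condition", {}).items():
        for claim, expected in conditions.items():
            actual = claims.get(claim)
            if actual is None:
                return False, f"missing claim {claim!r}"
            if operator == "StringEquals":
                ok = actual == expected
            elif operator == "StringLike":
                ok = _string_like(expected, actual)
            else:
                return False, f"unsupported operator {operator!r}"
            if not ok:
                return False, f"{claim}={actual!r} fails {operator} {expected!r}"
    return True, "allowed"


# Role trusted only by runs on the main branch of one repository (placeholder names).
TIGHT_POLICY = {
    "Condition": {
        "StringEquals": {
            "aud": "sts.amazonaws.com",
            "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
        }
    }
}

# Role trusted by any run in the repository: the trailing '*' also matches
# the 'pull_request' sub, so a pull request could assume the deploy role.
LOOSE_POLICY = {
    "Condition": {
        "StringEquals": {"aud": "sts.amazonaws.com"},
        "StringLike": {"sub": "repo:octo-org/octo-repo:*"},
    }
}

NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _token(sub: str, repository: str, ref: str, exp: int = NOW + 300) -> dict:
    """Constructed sample payload with the claim names GitHub's tokens use."""
    return {"iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com", "sub": sub,
            "repository": repository, "ref": ref, "exp": exp}


SAMPLE_TOKENS = {
    "main_push": _token("repo:octo-org/octo-repo:ref:refs/heads/main",
                        "octo-org/octo-repo", "refs/heads/main"),
    "pull_request": _token("repo:octo-org/octo-repo:pull_request",
                           "octo-org/octo-repo", "refs/pull/42/merge"),
    "other_org": _token("repo:evil-org/octo-repo:ref:refs/heads/main",
                        "evil-org/octo-repo", "refs/heads/main"),
    "expired": _token("repo:octo-org/octo-repo:ref:refs/heads/main",
                      "octo-org/octo-repo", "refs/heads/main", exp=NOW - 1),
}


def decide_all(policy: dict) -> dict[str, bool]:
    """Evaluate every sample token against one policy; True means the role may be assumed."""
    return {name: evaluate_trust(policy, claims, NOW)[0]
            for name, claims in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for label, policy in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        for token_name, claims in SAMPLE_TOKENS.items():
            print(label, token_name, evaluate_trust(policy, claims, NOW))
```

Under the tight policy only the main-branch token is accepted; under the loose one the pull_request token is accepted as well, which is why trust conditions should pin `sub` to a specific branch or environment rather than end in a wildcard. On the workflow side, the job must request the token with `permissions: id-token: write`; the audience (`aud`) the token is minted for must match the value the policy expects.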


Learn more about Security hardening your GitHub Workflows using OpenID Connect.


Since we introduced the new GitHub Issues earlier this year in a private beta, we've been working hard to expand access to all developers in order to make GitHub the best place to plan, track, and manage your work. Today, we are really excited to announce that we're moving into a public beta, and now everyone on GitHub.com has access to the new project tables and boards. 🎉

We've used the past few months to work with our private beta users and continue to build up the capabilities of project planning on GitHub with the ability to convert a draft issue to an issue, do bulk actions in tables and boards, automate repetitive actions, set your team's tempo with iterations, and so much more. Along with the new Issues being available for everyone, we're shipping these new capabilities to you today:

📬 Live updates

Collaborate with your team in real-time! Now projects will update as you work so you never miss a thing.

This feature is rolling out gradually, and may take a few weeks to get enabled for your projects.


🌐 Public Projects

Public projects let you share what you are working on with the world. Whether this is your team's roadmap, a list of items where you're seeking feedback, or the current work you have in progress – public projects help you work with your community.

  • Project admins can now toggle between public and private visibility in a project's settings screen.
  • Quickly see if a project is public or private via the lock or globe icon next to the project name.
  • Public projects only show public items; any issues or PRs added from private repositories are redacted, including any metadata added to them in the project view.


📊 Insights

Our new burn up chart is designed to help teams visualize progress towards completion, understand development flow, and provide early warning of potential bottlenecks.

This capability has been released as a limited alpha. More organizations will be added in the future.


✨ Bug fixes & improvements

We have a whole bunch of improvements for you, including:

  • GitHub Apps support, available as part of the organization projects permissions scope.
  • Projects can now be created under user accounts in addition to organization accounts – head to the projects tab on your profile page to get started.
  • Increased the number of views a project can have to 42 📈
  • Bug fix: removed unnecessary blank rows at the bottom of the table layout.
  • Bug fix: select all (meta+a) works when you are in the No Status column of the board.
  • Resolved scrolling problems in Safari, especially in group by.
  • Added the ability to apply sort and group by in the view menu. (Previously you could only clear these in the view menu – which was very confusing!)
  • Archive all cards in a column via a new option in the column header menu.
  • Improved how a comma (,) is handled in the filter bar; it now correctly triggers a new OR search.
  • Custom fields are now clickable in the board layout to quickly apply a filter. (This was a major request!)
  • Row highlights are easier to dismiss with the esc key.
  • Draft issues are included as issues when filtering for is:issue.
  • Hide a grouped column in the table layout.
  • Closed issues are now purple 💜.

Thank you so much to everyone who has helped us with feedback during the private beta 🙏

See how to use GitHub for project planning on the GitHub Issues page, see what's on the roadmap, and learn more in the docs.
