
Advisory Database now includes an Unreviewed Advisories section

Up until today, the GitHub Advisory Database has only published advisories that have been curated and approved by our Security Lab team.

This approach meant users sometimes couldn't find advisories in our database when searching, so the Advisory Database now has a separate section of listings for unreviewed advisories. These will be auto-published from the National Vulnerability Database feed.

Screenshot of unreviewed advisories

If you search for a term like "WordPress plugin," you can now see listings that are both GitHub reviewed and unreviewed. If you'd like to filter for only reviewed advisories, add type:reviewed to your query. Alternatively, you can also enter your query and then click the "All reviewed" button on the left-hand sidebar.

Screenshot of filtering for reviewed advisories

Dependabot alerts will continue to only be generated for GitHub Reviewed advisories in order to preserve their curated level of quality.

Now, only admins can rename branches that are protected by branch protection rules.

GitHub allows repository collaborators to rename every branch in a repository, with the exception of the default branch.
When a collaborator renames a branch, any non-wildcard branch protection rules that apply to that branch are also changed to match the branch's new name.
Because only admins can modify branch protection rules, renaming of a protected branch is now limited to admin users.

For more information, visit Renaming a branch and Managing a branch protection rule.


GitHub upgraded its OpenAPI description to the OpenAPI Specification (OAS) 3.1.

Upgrading to OAS 3.1 will enable us to add GitHub Webhooks to the description, simplify the description of nullable schemas, and reduce the description size by removing duplicate nullable reference schemas.

The GitHub OpenAPI description contains more than 600 operations exposed in our API. For visual exploration of the API, you can load the description as a Postman Collection. Programmatically, the description can be used to generate mock servers, test suites, and bindings for languages not supported by Octokit.

The description is provided under two formats. The bundled version is preferred for most use cases as it makes use of OpenAPI components for reuse and readability. For tooling that doesn't support inline references to components, we also provide a fully dereferenced version.

We are currently still publishing the 3.0 version of the description, which is now generally available in the latest release. The 3.1 version of the description is being published in parallel and can be found in the descriptions-next folder in the github/rest-api-description repository. More information about GitHub's OpenAPI description can also be found in our documentation.
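The bundled format relies on `$ref` pointers into `components`, and the dereferenced format is what you get once those pointers are inlined. The script below is an added example, not code from the github/rest-api-description repository or from GitHub's tooling: it resolves local `$ref` pointers in a small, constructed bundled-style document (the schema names `simple-user` and `issue` and the path are made up for illustration), keeps a cyclic reference as a `$ref` instead of recursing forever, and uses the OAS 3.1 `oneOf`/`type: "null"` form for a nullable reference in place of a duplicated nullable schema.

```python
"""Inline local $ref pointers of a bundled OpenAPI description.

Added example. The document below is constructed for illustration and
mimics the bundled style (components reused via $ref); it is not taken
from the real github/rest-api-description files.
"""
from typing import Any, FrozenSet

# Constructed sample: a bundled-style description using components.
BUNDLED_DOC: dict = {
    "openapi": "3.1.0",
    "components": {
        "schemas": {
            "simple-user": {
                "type": "object",
                "properties": {
                    "login": {"type": "string"},
                    "id": {"type": "integer"},
                },
            },
            "issue": {
                "type": "object",
                "properties": {
                    "title": {"type": "string"},
                    # OAS 3.1 nullable reference: no duplicate schema needed
                    "assignee": {
                        "oneOf": [
                            {"$ref": "#/components/schemas/simple-user"},
                            {"type": "null"},
                        ]
                    },
                    # self-reference, to show how a cycle is handled
                    "parent": {"$ref": "#/components/schemas/issue"},
                },
            },
        }
    },
    "paths": {
        "/repos/{owner}/{repo}/issues": {
            "get": {
                "responses": {
                    "200": {
                        "content": {
                            "application/json": {
                                "schema": {
                                    "type": "array",
                                    "items": {"$ref": "#/components/schemas/issue"},
                                }
                            }
                        }
                    }
                }
            }
        }
    },
}


def resolve_pointer(doc: dict, pointer: str) -> Any:
    """Follow a local JSON Pointer such as '#/components/schemas/issue'."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local references are supported: {pointer}")
    node: Any = doc
    for token in pointer[2:].split("/"):
        # JSON Pointer unescaping (RFC 6901): ~1 -> '/', ~0 -> '~'
        token = token.replace("~1", "/").replace("~0", "~")
        node = node[token]
    return node


def dereference(doc: dict) -> dict:
    """Return a new document with every local $ref inlined.

    A reference that is already being expanded on the current branch
    (a cycle) is left as a $ref, because it has no finite expansion.
    """
    def walk(node: Any, active: FrozenSet[str]) -> Any:
        if isinstance(node, dict):
            if isinstance(node.get("$ref"), str):
                target = node["$ref"]
                if target in active:
                    return {"$ref": target}  # cycle: keep the pointer
                return walk(resolve_pointer(doc, target), active | {target})
            return {k: walk(v, active) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(item, active) for item in node]
        return node

    return walk(doc, frozenset())


def count_refs(node: Any) -> int:
    """Count $ref keys left in a document (how much tooling still has to resolve)."""
    if isinstance(node, dict):
        return (1 if "$ref" in node else 0) + sum(count_refs(v) for v in node.values())
    if isinstance(node, list):
        return sum(count_refs(v) for v in node)
    return 0


if __name__ == "__main__":
    flat = dereference(BUNDLED_DOC)
    schema = flat["paths"]["/repos/{owner}/{repo}/issues"]["get"]["responses"]["200"]
    items = schema["content"]["application/json"]["schema"]["items"]
    print("assignee.login after inlining:", items["properties"]["assignee"]["oneOf"][0]["properties"]["login"])
    print("$ref count before/after:", count_refs(BUNDLED_DOC), count_refs(flat))
```

The cycle rule matters for a description of this size: a fully dereferenced output can only be a tree, so any self-referencing schema necessarily keeps at least one pointer, which is one reason the bundled version is the better default when your tooling handles `$ref`.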
