Enable secret scanning for an enterprise with one click

If you are an owner of an enterprise with GitHub Advanced Security, you can now enable secret scanning and push protection across your entire enterprise with only 1 click.

This new enablement setting also allows you to set a default custom link that will appear on a push protection block.

enterprise enablement

API users can now integrate with a new dependabot_alert webhook, which matches the naming and structure of the recently introduced Dependabot alerts REST API. You should use this webhook in place of the existing repository_vulnerability_alert.

What's new

Improvements with the new webhook include:

  • More informative payload, including state and scope of the dependency, dismissal comments, and helpful information about a vulnerability (e.g. CVE ID, summary, description, CWEs, and reference URL).
  • Support for GitHub Apps with the Dependabot alerts read permission.
  • Actions on an alert now include the full set of created, dismissed, reopened, fixed, or reintroduced. See below for descriptions:
Action Action definition
created github has opened the Dependabot alert
dismissed GitHub user dismissed the alert with dismissed_reason and an optional dismissed_comment
reopened GitHub user manually reopened the previously-dismissed alert
fixed github detected the Dependabot alert is resolved
reintroduced github reopened the previously-fixed alert

Deprecation notice

The repository_vulnerability_alert webhook is being deprecated. In 2023, we plan to remove the existing repository_vulnerability_alert webhook, which is superseded by the dependabot_alert webhook. We will give integrators at least 3 months notice of this removal — keep an eye on the GitHub Changelog in 2023 for more information.

Learn more about the Dependabot alerts webhook in our documentation.

See more