
Dependabot pull requests off by default for forks

Dependabot version updates help you keep your dependencies up-to-date by opening pull requests. These pull requests are configured via a dependabot.yml file.

Starting today, if you fork a repository with an existing dependabot.yml, version updates will be disabled by default in the fork. To enable Dependabot pull requests based on this configuration, you can click “enable” from your forked repository’s “Code security and analysis” settings page.

After enabling Dependabot version updates, you will also be able to disable them with a single click from this settings page.


Learn more about configuring Dependabot version updates.

GitHub Advanced Security customers using secret scanning can now specify a custom link via the organization-level REST API. The link is shown in the message when push protection detects and blocks a potential secret. Admins can use the custom link to point their developers to company-specific guidance on secrets.

Previously, admins could only set a custom link through the UI.
