
Dependency review API is generally available with updates to dependency review enforcement

The dependency review API is now generally available.

The Dependency Review GitHub Action now allows you to reference a local or external configuration file. There are also new configuration options:

  • fail-on-scopes: contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list
  • allow-ghsas: contains a list of GitHub Security Advisory IDs that can be skipped during detection
  • license-check and vulnerability-check: boolean options that let you disable either one of the two checks
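The following workflow is an added example (not part of the changelog) showing how these options fit together in a pull-request gate: it blocks only on vulnerabilities reachable from runtime or unknown scopes, accepts an already-reviewed advisory, and turns off the license gate while keeping the vulnerability gate. The action version tags are assumed, and the advisory ID is a placeholder to be replaced with a real GHSA identifier.

```yaml
name: Dependency review
on: pull_request

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Dependency review
        uses: actions/dependency-review-action@v3
        with:
          # Block the pull request only when a newly introduced vulnerable
          # dependency is in a scope that ships to users (runtime) or whose
          # scope could not be determined (unknown). Development-only
          # dependencies are still reported but do not fail the check.
          fail-on-scopes: runtime, unknown

          # Advisory IDs that have been triaged and accepted for this repo.
          # Placeholder value: replace with the real GHSA ID(s) you reviewed.
          allow-ghsas: GHSA-xxxx-xxxx-xxxx

          # Keep the vulnerability gate; skip the license gate here.
          vulnerability-check: true
          license-check: false
```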

Learn more about the dependency graph and dependency review

As part of the ongoing initiative to deprecate legacy global IDs, you will begin to see deprecation warnings for GraphQL node queries using the legacy ID format.

The deprecation warnings will look like this:

{
  "data": {
    "node": {
      "login": "ahoglund"
    }
  },
  "extensions": {
    "warnings": [
      {
        "type": "DEPRECATION",
        "message": "The id MDQ6VXNlcjM0MDczMDM= is deprecated. Update your cache to use the next_global_id from the data payload.",
        "data": {
          "next_global_id": "U_kgDOADP9xw"
        },
        "link": "https://docs.github.com"
      }
    ]
  }
}

This will not impact the data portion of the payload. We recommend using these deprecation warnings along with the X-Github-Next-Global-ID response header to begin migrating any of your caches that contain legacy IDs. More information on how to migrate can be found in our last update as well as in the GitHub documentation.

If you have any concerns about the rollout of this change impacting your usage of the GitHub GraphQL API, please contact us and include any relevant information, so that we can better assist you.


Security overview’s new risk and coverage views provide greater visibility into your security posture and risk analysis.

Each new view offers a refreshed design with several key improvements, including insights and dynamic filtering.

Coverage view

The coverage view gives visibility into enablement across all repositories. On the coverage view, you can:

  • See counts and percentages of repositories with GitHub security features enabled or disabled, which update when you apply filters
  • Track enablement for additional security features, including secret scanning push protection, Dependabot security updates, and code scanning pull request alerts.

(Screenshot: Security tab, coverage page)

Risk view

The coverage view is complemented by a new risk view that gives visibility into all alerts across these repositories. On the risk view, you can:

  • See counts and percentages of repositories with security vulnerabilities, which also update when you apply filters
  • See open alerts segmented by severity for both Dependabot and code scanning.

(Screenshot: Security tab, risk page)

Both views are now available as a public beta. In the coming weeks, we will deprecate the overview in favor of these two new views.

Learn more about the new risk and coverage views and send us your feedback
