Secret scanning AI-generated custom patterns (general availability)

Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

Generally available as of today, you can now leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

Defining custom patterns is now simpler and more efficient. You can leverage AI to generate patterns via text input — without expert knowledge in regular expressions.

With secret scanning, you can create your own custom detectors by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. You should still review this input and carefully validate performance of results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

All GitHub Advanced Security customers on GitHub Enterprise Cloud can use the regular expression generator today. Anyone able to define custom patterns is able to use the regular expression generator (e.g. any admin at the repository, organization, or enterprise levels). You do not need a GitHub Copilot license to use the regular expression generator.

Learn more about the regular expression generator or how to define your own custom patterns.

AI-powered autofixes for historical CodeQL alerts are now in public beta

Code scanning autofix for alerts in default branch is now available in public beta for all GitHub Advanced Security customers. This feature empowers developers to reduce the time and effort spent remediating existing alerts and reduce the number of vulnerabilities in the code base.

Powered by GitHub Copilot, code scanning generates fixes for alerts in all CodeQL supported languages.

Example autofix page for a Missing regular expression anchor vulnerability detected with CodeQL

With code scanning autofix, you can reduce security debt by generating fixes for alerts that are detected on the main or default branches of your repository. On the alert pages where autofix is available, press the ‘Generate fix’ button to get a natural language explanation of the suggested fix, along with a preview of the code suggestion. You can accept the fix by creating a PR with the fix and even edit the fix as part of the PR flow. These code suggestions can include changes to multiple files, and where needed, autofix may also add or modify dependencies.

Example of the autofix generation process, showing the Generate fix button

Code scanning autofix is automatically enabled on private repositories for all GitHub Advanced Security customers.

You can configure code scanning autofix for a repository or organisation. You can also use ‘Policies for Code security and analysis’ to allow autofix for CodeQL code scanning for an enterprise.

Enterprise level settings view of Autofix for CodeQL

The fix generation for any given alert depends on the context and location of the alert. In some cases, code scanning won’t display a fix suggestion for an alert if the suggested code change fails syntax tests or safety filtering.

You do not need a Copilot license to use autofix for existing alerts. For more information, see About code scanning autofix.

Provide feedback for code scanning autofix here.

See more

Sunset Notice – npm Hooks API Endpoints

Starting today, we are deprecating npm hooks services and they might no longer be functional, including current hooks subscriptions. This deprecation includes npm hooks API Endpoints and its related cli npm hook command. Users should expect the API Endpoints to respond with a deprecation message. The npm cli will no longer be able to add new hooks using the npm registry.

The npm hooks services were launched as Beta in 2016 so users could use the endpoints to be notified of changes in the npm packages, owners, or scopes. The service never achieved a full GA maturity. We are sunsetting the hooks services in favor of our ongoing investments for the npm platform, including high quality standards on the maintenance of our other existing services.

See more
View all changes