Prevention and autofix insights for CodeQL pull request alerts

You can now track prevention metrics for CodeQL pull request alerts with the new CodeQL pull request alerts report—available at both the organization and enterprise level. These insights empower you to proactively identify and mitigate security risks before they reach your default branch.

Enterprise-level CodeQL pull request alerts report

With this report, you can historically track metrics for CodeQL pull request alerts as code moves from feature branches to the default branch. Gain insights into:

  • Unresolved and merged alerts: Understand what security vulnerabilities made it to the default branch.
  • Fixes (autofix and manual): Track which alerts were addressed before merging.
  • Dismissed alerts: See which alerts were deemed false positive or risk accepted.

Additionally, analyze metrics by CodeQL rule, autofix status, and repository.

Historical data is available starting from May 1, 2024.

To access these reports, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and find CodeQL pull request alerts in the sidebar. For enterprises, click Code Security in the sidebar, then select CodeQL pull request alerts.

These reports are now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.

Learn more about security overview and join the discussion within the GitHub Community.

You can now exclude non-Git files from being accessed by Copilot, in addition to Git files. This update gives you greater control over the content Copilot can access, ensuring that it will not access files that an organization owner has marked for exclusion, whether the files are part of a Git repository or not.

How to exclude non-Git files

The wildcard scope has expanded to include both files within and outside Git repositories, supporting the exclusion of non-Git files.

Previously

Wildcard rules applied exclusively to files within the Git repository. For example:

"*":
  - /test1 # => Blocks from the root of all git repositories: `/test1`

Now

Wildcard rules now apply to files relative to both the Git repository root and the filesystem root. For example:

"*":
  - /test1 # => Blocks `/test1` at the root of every git repository AND `/test1` at the filesystem root

Note: These changes to our Content Exclusion beta apply to the latest versions of both the VS Code and JetBrains Copilot extensions, covering the code completions and chat features in each.
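The before/after difference above is easiest to see as a path check. The following is an added example, not Copilot's own matcher or configuration code; it assumes (the page does not state this) that rules map a repository selector (`"*"` meaning every repository) to path patterns, that a pattern beginning with `/` is anchored to a root, that a match blocks that path and everything beneath it, and that glob characters follow `fnmatch` semantics. The `include_filesystem_root` switch toggles between the previous behaviour (repository roots only) and the new one (filesystem root as well).

```python
"""Model of the Copilot content-exclusion wildcard rule (added example)."""
from fnmatch import fnmatch
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed configuration mirroring the page's example rule.
EXCLUSION_RULES: Dict[str, List[str]] = {"*": ["/test1"]}


def _pattern_matches(rel: str, pattern: str) -> bool:
    """True when `rel` (a root-relative path) is the pattern's path, lies
    beneath it, or matches it as a glob (assumed semantics)."""
    return rel == pattern or rel.startswith(pattern + "/") or fnmatch(rel, pattern)


def is_excluded(
    path: str,
    repo_root: Optional[str] = None,
    rules: Dict[str, List[str]] = EXCLUSION_RULES,
    include_filesystem_root: bool = True,
) -> bool:
    """Decide whether an exclusion rule blocks `path`.

    repo_root: root of the Git checkout containing the file, or None for a
               file that is not inside any repository.
    include_filesystem_root: False reproduces the previous behaviour (rules
               anchored to repository roots only); True reproduces the new
               behaviour, where "/" is also an anchor, so non-Git files can
               be excluded.
    """
    target = PurePosixPath(path)
    roots = []
    if repo_root is not None:
        roots.append(PurePosixPath(repo_root))
    if include_filesystem_root:
        roots.append(PurePosixPath("/"))

    for pattern in rules.get("*", []):
        anchored = pattern.lstrip("/")  # "/test1" is read relative to each root
        for root in roots:
            try:
                rel = target.relative_to(root).as_posix()
            except ValueError:  # path is not beneath this root
                continue
            if _pattern_matches(rel, anchored):
                return True
    return False


def demo() -> Dict[str, bool]:
    """Side-by-side view of the old and new semantics for the page's rule."""
    repo = "/home/dev/project"  # constructed checkout location
    return {
        "repo file, old rules": is_excluded(f"{repo}/test1", repo, include_filesystem_root=False),
        "non-git file, old rules": is_excluded("/test1", None, include_filesystem_root=False),
        "non-git file, new rules": is_excluded("/test1", None),
        "nested repo file, new rules": is_excluded(f"{repo}/src/test1", repo),
    }


if __name__ == "__main__":
    for label, blocked in demo().items():
        print(f"{label}: {'blocked' if blocked else 'allowed'}")
```

The nested case is the caveat worth noticing: an anchored `/test1` rule does not cover `src/test1` inside the repository under either behaviour, so a directory that must never be read should be listed with the path it actually sits at.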


GitHub secret scanning now detects and alerts you on secrets found in GitHub issues, wikis, discussions, and pull requests.

Secrets, like API keys, passwords, and tokens, can hide in many places. Throughout 2024, we’ve discovered over 100k unique secrets hiding in places other than code. If these leaks aren’t managed correctly, each one of them could pose a substantial risk.

To help protect you from leaked secrets – anywhere within your GitHub perimeter – GitHub provides visibility across all major surfaces. We scan these surfaces for over 200 token formats and work with relevant partners to help protect you from publicly leaked secrets. GitHub also supports generic patterns such as RSA private keys and Copilot-detected passwords.
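To make the idea of scanning non-code surfaces concrete, here is an added example of a small scanner run over constructed issue, wiki, discussion and pull request text. It is not GitHub's secret scanning engine (which covers 200+ formats and verifies with partners); it uses two detectors, the `ghp_` plus 36 alphanumeric GitHub personal access token shape and a PEM private-key header, both of which are real formats, and every sample string and location below is constructed.

```python
"""Scan non-code surfaces for leaked secrets (added example, not GitHub's scanner)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Two detectors: a provider token format and a generic private-key pattern.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    surface: str     # "issue", "wiki", "discussion" or "pull_request"
    location: str    # where the text came from
    pattern: str     # which detector fired
    redacted: str    # the report never stores the full match


def redact(secret: str) -> str:
    """Keep only a recognisable prefix and tail of the match. PEM headers hold
    no key material, but a uniform redaction keeps the report safe to share."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_text(surface: str, location: str, text: str) -> List[Finding]:
    """Run every detector over one piece of surface text."""
    return [
        Finding(surface, location, name, redact(m.group(0)))
        for name, rx in PATTERNS.items()
        for m in rx.finditer(text)
    ]


# Constructed sample content for each surface the page mentions.
SAMPLE_SURFACES: Sequence[Tuple[str, str, str]] = (
    ("issue", "example-org/example-repo#42",
     "Deploy fails with 401. I used ghp_0123456789abcdefghijklmnopqrstuvwxyz "
     "as the Actions secret and it works locally."),
    ("wiki", "example-org/example-repo/wiki/Onboarding",
     "Copy this into ~/.ssh/id_rsa:\n-----BEGIN RSA PRIVATE KEY-----\n"
     "...constructed key body omitted...\n-----END RSA PRIVATE KEY-----"),
    ("discussion", "example-org/example-repo/discussions/7",
     "Rotated the token yesterday; ghp_short is obviously not a real one."),
    ("pull_request", "example-org/example-repo#43",
     "Adds retry logic around the upload client. Tested against staging."),
)


def scan_all(surfaces: Sequence[Tuple[str, str, str]] = SAMPLE_SURFACES) -> List[Finding]:
    """Scan every surface and collect findings in surface order."""
    findings: List[Finding] = []
    for surface, location, text in surfaces:
        findings.extend(scan_text(surface, location, text))
    return findings


def count_by_surface(findings: List[Finding]) -> Dict[str, int]:
    """Per-surface totals, the kind of breakdown a leak report would show."""
    return dict(Counter(f.surface for f in findings))


if __name__ == "__main__":
    results = scan_all()
    for f in results:
        print(f"{f.surface:<13}{f.location:<45}{f.pattern:<13}{f.redacted}")
    print(count_by_surface(results))
```

The length anchor in the token pattern is what keeps the `ghp_short` mention in the discussion from being reported, and the redaction step matters because a findings report is itself a place where a secret can leak.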

Learn more about how to secure your repositories with secret scanning.

Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.
