Bring Your Own Identity Provider to Enterprise Managed Users

GitHub Enterprise Cloud’s open support for the System for Cross-domain Identity Management (SCIM) specification is now generally available for Enterprise Managed Users (EMUs). This allows administrators to mix and match their preferred choices of SAML and SCIM identity systems, providing the flexibility required to meet access management needs.

This release also includes significant improvements for security and auditing:
– A new reduced personal access token (PAT) scope, scim:enterprise, now lets you grant a least privilege, enterprise-level permission set just for read and write access to GitHub’s EMU SCIM API. Use of the admin:enterprise PAT scope is no longer required or recommended.
– New audit log entries exist for SCIM events to enable debugging of any provisioning failures with SCIM APIs.

Learn more about lifecycle management of Enterprise Managed Users with the SCIM API.

We are excited to introduce the CI/CD Admin role, a pre-defined organization role designed to streamline the management of settings and policies for GitHub Actions.

In March 2024, GitHub announced fine-grained permissions for Actions, which organizations could apply to custom roles. However, organizations are limited to 10 custom roles, and many customers prefer not to use these slots for an all-encompassing CI/CD role that requires ongoing updates as new permissions are added.

With the new CI/CD Admin role, organization owners and teams can now delegate comprehensive CI/CD management to individuals without the need to maintain a custom role. This pre-defined role, maintained by GitHub, includes the following permissions:

  • Actions general settings
  • Organization runners and runner groups
  • Actions secrets
  • Actions variables
  • Network configuration
  • Actions usage metrics

For more details about pre-defined organization roles and the fine-grained permissions included in the CI/CD Admin role, please refer to our documentation.

See more

CodeQL version 2.19.0 has been released and has now been rolled out to code scanning users on GitHub.com. CodeQL is the static analysis engine that powers GitHub code scanning.

Important changes by version include:

  • CodeQL 2.18.2
    • Support for scanning Java codebases without needing a build is generally available.
    • The Python py/cookie-injection query, which finds instances of cookies being constructed from user input, is now part of the main query pack.
    • One new query for Ruby rb/weak-sensitive-data-hashing, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
  • CodeQL 2.18.3
    • New C# models for local sources from System.IO.Path.GetTempPath and System.Environment.GetFolderPath.
  • CodeQL 2.18.4
    • Support for scanning C# codebases without needing a build is generally available.
    • Support for Go 1.23.
  • CodeQL 2.19.0
    • Support for TypeScript 5.6.
    • One new query for JavaScript js/actions/actions-artifact-leak to detect GitHub Actions artifacts that may leak the GITHUB_TOKEN token.
    • A 13.7% evaluator speed improvement over CodeQL 2.17.0 release.

For a full list of changes, please refer to the complete changelog for versions 2.18.2, 2.18.3, 2.18.4 and 2.19.0.

All new functionality from 2.18.Z releases will be included in GHES 3.15, while functionality from 2.19.0 will be included in GHES 3.16. If you use GHES 3.14 or older, you can upgrade your CodeQL version.

See more