Improved code scanning coverage for GitHub Actions (Public Preview)

We recently launched analysis capabilities for GitHub Actions workflow files in public preview.

With the release of CodeQL 2.20.5, we are expanding the analysis capabilities to detect additional types of security risks associated with Actions workflow files and we have adjusted some of the existing queries.

The analysis coverage is improved with the addition of five new queries that identify additional types of security risks associated with Actions workflow files. The new queries are:

  • actions/envpath-injection/medium detects situations where user-controlled sources (like the text of a GitHub issue) are used to populate the PATH environment variable. This could allow an attacker to alter the execution of system commands.
  • actions/envvar-injection/medium detects situations where environment variables that are not properly sanitized can lead to the injection of additional, unwanted variables, using newlines or delimiters.
  • actions/code-injection/medium detects situations where user-controlled input can end up in contexts like run: or script:, leading to malicious code being executed and secrets being leaked.
  • actions/artifact-poisoning/medium detects situations where artifacts are not correctly extracted, stored and verified, which could result in a poisoned artifact being executed, leading to repository compromise.
  • actions/untrusted-checkout/medium detects situations where workflows triggered by events like pull_request_target or issue_comment can execute arbitrary code from untrusted sources, if followed by an explicit checkout.
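
To make three of these categories concrete, here is a workflow written for this post (not from GitHub or the changelog; the workflow name, step names and the `npm` build are placeholders) that pairs each pattern the queries flag with a hardened form:

```yaml
name: issue-triage
on: [issues, pull_request_target]   # both deliver attacker-controlled text

jobs:
  triage:
    runs-on: ubuntu-latest
    if: github.event_name == 'issues'
    steps:
      # actions/code-injection: the expression is expanded into the script
      # before bash runs it, so quotes or backticks in the title become commands.
      - name: vulnerable-run
        run: echo "New issue: ${{ github.event.issue.title }}"
      # Hardened: hand the value over through env so bash receives it as data,
      # and quote the variable where it is used.
      - name: hardened-run
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"

      # actions/envvar-injection: a newline in the body appends additional
      # KEY=VALUE lines to GITHUB_ENV, which later steps then inherit.
      - name: vulnerable-env
        run: echo "BODY=${{ github.event.issue.body }}" >> "$GITHUB_ENV"
      # Hardened: multiline syntax with a delimiter the input cannot predict,
      # so embedded newlines stay inside the single BODY value.
      - name: hardened-env
        env:
          BODY: ${{ github.event.issue.body }}
        run: |
          delim="EOF_$(openssl rand -hex 16)"
          { echo "BODY<<$delim"; printf '%s\n' "$BODY"; echo "$delim"; } >> "$GITHUB_ENV"

  build:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target'
    steps:
      # actions/untrusted-checkout: pull_request_target runs with the base
      # repository's secrets; checking out the PR head and then building it
      # executes the fork's code with those secrets in reach.
      - name: vulnerable-checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
      # Hardened: keep the default checkout of the base branch here, and run
      # the fork's code from a separate pull_request workflow that gets no secrets.
      - name: hardened-checkout
        uses: actions/checkout@v4
```

The vulnerable and hardened steps are shown side by side only for illustration; a real workflow would keep just the hardened ones.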

Because of its lower precision and the large number of alerts it generates, the query actions/unpinned-tag has been moved to the security-extended query suite from the default query suite, and all existing alerts for this query will be automatically closed if the security-extended suite is not being used.

Three queries have been removed from the default and security-extended query suites because they do not produce relevant security alerts. Alerts generated by these queries will be closed automatically.

These changes are now available with the release of CodeQL 2.20.5. For a full list of changes, please refer to the complete changelog for version 2.20.5. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.5 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.

GitHub Copilot GPT-4.5

OpenAI’s latest model, GPT-4.5, is now available in GitHub Copilot Chat to Copilot Enterprise users. GPT-4.5 is a large language model designed with advanced capabilities in intuition, writing style, and broad knowledge. It performs effectively with creative prompts and provides reliable responses to obscure knowledge queries. GPT-4.5 will launch in Visual Studio Code and on github.com for Copilot Enterprise users with a limit of 10 requests every 12 hours per user. In the coming weeks, we’ll be scaling rate limits and extending support to Visual Studio and JetBrains.

GPT 4.5 in the VS Code Model Picker

As model releases have continued to accelerate, we’ve been thinking about how we can sustainably offer advanced AI models like GPT-4.5 to more GitHub users. This includes individual developers who want the most advanced capabilities from day one. Stay tuned for updates.

Enabling access

Copilot Enterprise administrators will need to enable access to GPT-4.5 via a new policy in Copilot settings. As an administrator, you can confirm availability by checking your individual Copilot settings and confirming the policy for GPT-4.5 is set to “enabled”. Once enabled, users will see GPT-4.5 in the Copilot Chat model selector in VS Code and on github.com.


Codespaces will be undergoing maintenance in Europe and Southeast Asia from 17:00 UTC on Friday, February 28 to 02:00 UTC on Saturday, March 1. Maintenance will begin in North Europe at 17:00 UTC on Friday, February 28. Once it is complete, maintenance will start in Southeast Asia, followed by UK South. Each region will take approximately two to three hours to complete.

During this time period, users may experience connectivity issues with new and existing Codespaces.

If you have uncommitted changes you may need during the maintenance window, you should verify they are committed and pushed before maintenance starts. Codespaces with any uncommitted changes will be accessible as usual once maintenance is complete.
