You can now use the REST API to create a temporary private fork within a draft security advisory or private vulnerability report.
Learn more about the repository security advisories REST API
You can now use the REST API to create a temporary private fork within a draft security advisory or private vulnerability report.
Learn more about the repository security advisories REST API
As of February 15th, 2024, you will no longer be able to create security advisories in private repositories. Formerly published advisories will no longer be available.
This change does not affect security advisories in public repositories, or the advisories listed in GitHub’s open-source Advisory Database.
Repository admins or members of the security manager role can now enable or disable private vulnerability reporting on respositories via REST API.
Learn more about private vulnerability reporting.
As an organization owner or member of the security manager role, you can now use the repository security advisories REST API to get all repository security advisories across your organization.
Learn more about repository security advisories.
You can now use the REST API to request a CVE identifier for your repository security advisories.
Learn more about repository security advisories and CVE identification numbers.
You can now use the REST API to get global security advisories from the Advisory Database. This makes it easy to get access to the Advisory Database's free, open source list of actionable security advisories and CVEs which include machine readable mappings to the ecosystem, package name, and affected versions of impacted software.
Learn more about GitHub's global security advisories and the Advisory Database.
You can now use the REST API to add collaborators to your draft security advisory.
Learn more about the repository security advisories REST API
Starting today, you will now receive Dependabot alerts for vulnerabilities associated with your Swift dependencies.
The GitHub Advisory Database now includes curated Swift advisories. This brings the Advisory Database to twelve supported ecosystems, including: Composer (PHP), Erlang, GitHub Actions, Go, Maven, npm, NuGet, pip, Pub, RubyGems and Rust.
The dependency graph now supports detecting Package.resolved
files. Swift dependencies from these files will be displayed within the dependency graph section in the Insights tab.
Dependabot security updates support will be added at a later date.
You can now use the REST API to open a private vulnerability report on open-source repositories that have this feature enabled.
Learn more about the repository security advisories REST API
You can now programmatically view and act on repository advisories via a new REST API. New endpoints to create, view, list, and update advisories are available to all. Additionally, new webhooks have been introduced that will alert maintainers when advisories are published or when a private vulnerability report is submitted.
Current advisory permissions extend to API usage.
You can now designate different types of credits to users who contribute to GitHub security advisories.
These new credit types mirror those in the CVE 5.0 schema:
finder
reporter
analyst
coordinator
remediation developer
remediation reviewer
remediation verifier
tool
sponsor
other
Going forward, GitHub will automatically apply the the reporter
credit type to anyone credited after submitting a private vulnerability report and the analyst
type to anyone credited after submitting an edit to the global Advisory Database. We've also retroactively applied those labels to previously credited individuals who took those actions.
Further reading:
Organization admins and security managers can now enable private vulnerability reporting for all public repositories within an organization at once.
With this enhancement, you no longer have to enable the feature for each repository individually.
Find this option under your organization's "Settings" tab under "Code security and analysis".
We've recently released a few minor user experience improvements for our GitHub Security Advisory form:
Further reading:
Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.
The dependency graph supports detecting pubspec.lock
and pubspec.yaml
files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.
The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.
Learn more about:
In February 2022, we launched a new feature called community contributions to security advisories. We've continued to iterate on this feature, and recently released more improvements:
Further reading:
The GitHub Advisory Database now includes curated security advisories for vulnerabilities on GitHub Actions. This brings the Advisory Database to ten supported ecosystems, including: Composer, Go, Hex, Maven, npm, NuGet, pip, RubyGems and Rust.
If you have a dependency on any vulnerable GitHub Actions, GitHub will send Dependabot alerts over the coming days.
On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database and will send malware alerts through Dependabot. Since shipping this change, we have received feedback that some organizations have been impacted with Dependabot alerts from these malware advisories that may be false positives.
GitHub has conducted a rapid root cause investigation and found that the majority of those alerts in question were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, in the hope a malicious version would be consumed. Dependabot doesn’t look at project configuration to determine if the packages are coming from a private registry, so it has been triggering an alert for packages with the same name from the public npm registry. While this does mean that your package was the target of a substitution attack it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.
While we work to determine how to best notify customers of being the target of a substitution attack, we will be pausing all Dependabot notifications on malware advisories. For non-Enterprise-Server users, Malware advisories will still exist in the Advisory Database and send alerts on npm audit. We are not making any changes to existing alerts on github.com at this time.
For GitHub Enterprise Server users, who were the most impacted, no new advisories will come through GitHub Connect. If you are struggling with too many alerts, please reach out to support and we can share a script for you to run that will delete all malware advisories and alerts.
The GitHub Advisory Database now includes curated security advisories on Erlang [Hex], Elixir, and more. This brings the Advisory Database to nine supported ecosystems, including: Composer, Go, Maven, npm, NuGet, pip, RubyGems and Rust.
Support for this ecosystem in the dependency graph and Dependabot alerts will be available in the future.
GitHub's Advisory Database now supports listing malware advisories. You can see them by searching "type:malware" on https://github.com/advisories.
If you have enabled Dependabot alerts on your repositories, GitHub will send Dependabot alerts for malware automatically. Note that Dependabot does not send update pull requests for malware as the only resolution is to delete the package and find an alternative.