As of February 15th, 2024, you will no longer be able to create security advisories in private repositories. Formerly published advisories will no longer be available.
This change does not affect security advisories in public repositories, or the advisories listed in GitHub’s open-source Advisory Database.
Repository admins or members of the security manager role can now enable or disable private vulnerability reporting on respositories via REST API.
Learn more about private vulnerability reporting.
As an organization owner or member of the security manager role, you can now use the repository security advisories REST API to get all repository security advisories across your organization.
Learn more about repository security advisories.
You can now use the REST API to request a CVE identifier for your repository security advisories.
Learn more about repository security advisories and CVE identification numbers.
You can now use the REST API to get global security advisories from the Advisory Database. This makes it easy to get access to the Advisory Database's free, open source list of actionable security advisories and CVEs which include machine readable mappings to the ecosystem, package name, and affected versions of impacted software.
Learn more about GitHub's global security advisories and the Advisory Database.
You can now use the REST API to add collaborators to your draft security advisory.
Learn more about the repository security advisories REST API
Starting today, you will now receive Dependabot alerts for vulnerabilities associated with your Swift dependencies.
The GitHub Advisory Database now includes curated Swift advisories. This brings the Advisory Database to twelve supported ecosystems, including: Composer (PHP), Erlang, GitHub Actions, Go, Maven, npm, NuGet, pip, Pub, RubyGems and Rust.
The dependency graph now supports detecting Package.resolved files. Swift dependencies from these files will be displayed within the dependency graph section in the Insights tab.
Dependabot security updates support will be added at a later date.
You can now use the REST API to open a private vulnerability report on open-source repositories that have this feature enabled.
Learn more about the repository security advisories REST API
You can now programmatically view and act on repository advisories via a new REST API. New endpoints to create, view, list, and update advisories are available to all. Additionally, new webhooks have been introduced that will alert maintainers when advisories are published or when a private vulnerability report is submitted.
Current advisory permissions extend to API usage.
You can now designate different types of credits to users who contribute to GitHub security advisories.
These new credit types mirror those in the CVE 5.0 schema:
finderreporteranalystcoordinatorremediation developerremediation reviewerremediation verifiertoolsponsorotherGoing forward, GitHub will automatically apply the the reporter credit type to anyone credited after submitting a private vulnerability report and the analyst type to anyone credited after submitting an edit to the global Advisory Database. We've also retroactively applied those labels to previously credited individuals who took those actions.
Further reading:
Organization admins and security managers can now enable private vulnerability reporting for all public repositories within an organization at once.
With this enhancement, you no longer have to enable the feature for each repository individually.
Find this option under your organization's "Settings" tab under "Code security and analysis".
We've recently released a few minor user experience improvements for our GitHub Security Advisory form:
Further reading:
Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.
The dependency graph supports detecting pubspec.lock and pubspec.yaml files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.
The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.
Learn more about:
In February 2022, we launched a new feature called community contributions to security advisories. We've continued to iterate on this feature, and recently released more improvements:
Further reading: