audit-log

Subscribe to all “audit-log” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Organizations and enterprises using branch protections may see false-alert flags in their security log for protected_branch.policy_override and protected_branch.rejected_ref_update events between January 6 and January 11, 2023.
These events were improperly emitted due to a change in the underlying logic that checks if branch protection criteria have been met.

No action is required from impacted users with regards to these events. GitHub has a policy to not delete security log events, even ones generated in error. For this reason, we are adding flags to signal that these events are false-alerts.

an audit log entry with the flash message displayed above it

See more

GitHub's audit log allows organization and enterprise admins to quickly review the actions performed by members of their organization or enterprise. For Dependabot alerts, the audit log includes actions such as repository enablement, creation or reintroduction of alerts, dismissal of alerts, and resolving of alerts.

The audit log now supports the following improvements:

  • Dismissal comments, if provided with a Dependabot alert, are now displayed in the audit log
  • The audit log API for Dependabot alerts now supports several new fields: alert_number, ghsa_id, dismiss_reason, and dismiss_comment.
  • Additional minor improvements, including links back to the alert and correct timestamps added to events.

This release is available for organization and enterprise admins (including GHES 3.7 and later).

For more information, view documentation on Dependabot alerts in the GitHub audit log.

See more

The enterprise audit log now records changes to GitHub Advanced Security, secret scanning, and push protection enablement.

The organization-level audit log now also records when a push protection custom message is enabled, disabled, or updated.

For more information:

See more

GitHub Enterprise Cloud customers can now stream their audit log to a Datadog endpoint. Enterprise owners need to be able to use the right tools for their job, whether that be short-term investigation or longer-term threat analysis and prevention. With audit log streaming to Datadog, customers can be assured that:

  • no audit log event will be lost,
  • they may satisfy longer-term data retention goals, and
  • they can analyze GitHub's audit log data using Datadog products.

For GitHub Enterprise Server customers, this feature is planned to come to GHES 3.8.

For additional information, read our documentation about setting up streaming to Datadog.

See more

GitHub Enterprise Cloud customers can now participate in a private beta enabling authentication token data to display for audit log events. In doing so, enterprise owners will be able to query their audit logs for activity associated with specific authentication tokens. With the introduction of this feature, enterprise owners will be better equipped to detect and trace activity associated with corrupt authentication tokens, which have the potential to provide threat actors access to sensitive private assets.

Enterprise owners interested in participating in the private beta should reach out to your GitHub account manager or contact our sales team to have this feature enabled for your enterprise. Once enabled, enterprise owners can find guidance and provide feedback at the displaying authentication token data in enterprise audit log events community discussion..

See more

The functionality for GitHub Enterprise Cloud customers to configure audit log streaming to AWS S3 with OpenID Connect (OIDC) is now generally available. Audit log streaming configured with OIDC eliminates storage of long-lived cloud secrets on GitHub by using short-lived tokens exchanged via REST/JSON message flows for authentication.

For additional information, please read about setting up audit log streaming to AWS S3 with OpenID Connect.

See more

GitHub's audit log allows admins to quickly review the actions performed by members of their Enterprise. It includes details such as who performed the action, what the action was, and when it was performed. GitHub's audit log provides users with the ability to export audit log activity for your enterprise as a JSON or CSV file download. Moving forward, customers can expect to see the following enhancements to their audit log exports:

  • Audit log exports will contain the same fields as the REST API and audit log streaming, bringing consistency across these three audit log consumption modalities.
  • actions events will be present in audit log exports.
  • For Enterprises who have enabled the feature to display IP addresses in their enterprise audit logs, IP addresses will be present in audit log exports.
  • Audit log exports will be delivered as a compressed file.
  • Audit log JSON exports will be formatted with each line of the JSON file contains a single event, rather than a single JSON document with an array containing all the events as array elements.

This feature will be gradually enabled for an increasing percentage of GitHub Enterprise Cloud customers with a goal of 100% enablement by October 28, 2022. Should you encounter a problem with your audit log exports, please reach out to GitHub Support for assistance.

See more

We've made some improvements to audit log search to make it easier to discover events. Since audit log events are found through key:value pairs, we now show you a list of possible options to choose from.
key-value pair dropdown menu available in audit log search

We've also linked to our documentation in the filter dropdown so that you can more easily discover all the possible options for audit log queries.

view advanced search syntax added to audit log filter

To learn more about how to query the audit log, check out our documentation, "About search for the enterprise audit log".

See more

GitHub's audit log allows admins to quickly review the actions performed by members of their Enterprise. It includes details such as who performed the action, what the action was, and when it was performed. To ensure the audit log can be used as an effective security and compliance tool, GitHub is constantly evaluating new audit log events and ensuring those events have the necessary fields to provide meaningful context. GitHub has made the following enhancements to the Enterprise audit logs:

  • business.sso_response and org.sso_response events will be displayed in the REST API and audit log streaming payloads for GitHub Enterprise Cloud (GHEC) and GitHub Enterprise Server (GHES) version 3.8 or later.
  • repo.rename, project.rename, and protected_branch.update_name events will now include the old_name field make clear the current and past name of renamed repos, projects, and protected branches.
See more

GitHub Enterprise Cloud (GHEC) customers can now participate in a public beta enabling audit log streaming to a Datadog endpoint. Joining this beta allows enterprises to continue to satisfy long-term data retention goals and also analyze GitHub audit log data using the tools offered by Datadog.

GHEC administrators interested in participating in the public beta can enable audit log streaming by following the instructions for setting up streaming to Datadog. Customers can provide feedback on their experience at the audit log streaming to Datadog community discussion.

See more

Users with 2FA enabled may see false-alert flags in their security log for recovery_code_regenerated events between July 15 and August 11, 2022.
These events were improperly emitted during an upgrade to the 2FA platform. The storage format of the per-user value GitHub uses to generate your recovery codes was updated, causing the watch job to trigger the erroneous recovery_code_regenerated event.

No action is required from impacted users with regards to these events. GitHub has a policy to not delete security log events, even ones generated in error. For this reason, we are adding flags to signal that these events are false-alerts. No recovery codes were regenerated, and your existing saved recovery codes are still valid.

image

See more

GitHub Enterprise Cloud customers can elect to participate in a public beta to configure audit log streaming to AWS S3 with OpenID Connect (OIDC). Audit log streaming configured with OIDC eliminates storage of long-lived cloud secrets on GitHub by using short-lived tokens exchanged via REST/JSON message flows for authentication.

For additional information, please follow the instructions for setting up audit log streaming to AWS S3 with OpenID Connect.

See more

The ability for GitHub Enterprise Cloud owners to display members’ IP addresses for all audit logs events for private repositories and other enterprise assets, such as issues and projects, is generally available.

These IP addresses can be used to improve threat analyses and further secure your software. Note, IP addresses will continue to not be displayed for activity related to public repositories.

For additional information, read about displaying IP addresses in the audit log for your enterprise.

See more

GitHub Enterprise Cloud (GHEC) customers can now participate in a private beta enabling audit log streaming to a Datadog endpoint. Audit log streaming to Datadog not only allows enterprises to satisfy long-term data retention goals but also analyze GitHub audit log data using the tools offered by Datadog.

GHEC administrators interested in participating in the private beta should reach out to your GitHub account manager or contact our sales team to make the feature available for your enterprise. Once enabled, administrators can follow the instructions for setting up streaming to Datadog and provide feedback on their experience at the audit log streaming to Datadog community discussion.

See more

GitHub Enterprise Cloud customers can elect to participate in a private beta to configure audit log streaming to AWS S3 with OpenID Connect (OIDC). Audit log streaming configured with OIDC eliminates storage of long-lived cloud secrets on GitHub by using short-lived tokens exchanged via REST/JSON message flows for authentication.

If interested in participating in the private beta, please reach out to your GitHub account manager or contact our sales team to make the feature available for your enterprise. For additional information on configuring OIDC, read about setting up audit log streaming to AWS S3 with OpenID Connect.

See more

GitHub audit log streaming is now out of beta and generally available. Your experience using audit log streaming will not change, but we expanded the number of options you have for where you can stream your audit and Git events:

  • Amazon S3
  • Azure Blob Storage
  • Azure Event Hubs
  • Google Cloud Storage
  • Splunk

Enterprise owners can set up their stream in minutes by navigating to their enterprise account settings under the Audit log tab and configuring the collection endpoint.

Learn more about audit log streaming

See more

Pull request and review-related events are now included in the audit log at both the enterprise and organization levels. This helps administrators better monitor pull request activity and ensure security and compliance requirements are being met.

Events now included in the audit log:

  • A pull request is created, merged, closed, reopened, converted to draft, or marked ready for review
  • A review is requested or a request is removed
  • A review comment is added, updated, or deleted
  • A review is submitted, dismissed, or deleted

Events can be viewed from the web UI, exported as CSV or JSON, or accessed via REST API. You can also search the audit log for specific pull request events. For example action:pull_request filters for events directly on a pull request, action:pull_request.merge shows just merge events, and action:pull_request_review shows review events.

Learn more about audit log and available pull request actions

See more