enterprise

Subscribe to all “enterprise” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Organization Invitation Improvements

Whether you invite a user to an organization via the API or via our user interface, we are bringing enhancements to make this experience better. From today, you can:

  • search for a user via a verified email address both within the API and on an organization’s “People” pages;
  • utilize the API to assign more than one enterprise member at a time to additional organizations within your enterprise;
  • view additional user information provided within the enterprise and organization “People” invitation pages.

To learn more, read about inviting users in an organization.

See more

Displaying authentication token data in your Enterprise audit log is generally available

GitHub Enterprise and organization owners will have improved visibility into authentication activity with the addition of authentication token data to audit logs events. Stolen and compromised credentials are the number one cause of data breaches across the industry, and now enterprise and organization owners can query their audit logs for activity associated with a specific authentication token. They will be better equipped to detect and trace activity associated with corrupt authentication tokens. This feature is generally available for GitHub Enterprise Cloud customers, and will be released to GitHub Enterprise server as part of GHES 3.8.

To learn more, read our documentation on identifying audit log events performed by an access token.

See more

GitHub Enterprise Server 3.7 is now generally available

GitHub Enterprise Server 3.7 is now generally available. This release continues our trend of bringing new features to GitHub Enterprise Server (GHES) in record numbers. Beyond the numbers, the features in GHES 3.7 not only enable developers to build world class software every day, but also provide administrators with the tools needed to reliably run GitHub at scale.

We're making more than 70 features available, including:

  • Reusable workflows and new support for Google Cloud Storage, making it easier to build with GitHub Actions at scale.
  • Security Overview dashboard to give all security teams a single view of code risk.
  • An improved management console to keep your instance more secure than ever with automated user onboarding and offboarding.
  • New forking and repository policies, so adopting innersource best practices is easier, all while balancing auditability and project maintenance in the long term.
  • Code scanning alerts are now more collaborative and part of the flow for GitHub Advanced Security customers.

To learn more about GitHub Enterprise Server 3.7, read the release notes, and download it now.

See more

Permissions filtering for organization fine-grained PATs

Organization administrators can now filter fine-grained personal access tokens (PATs) by their permissions in the organization settings UI. Both pending token requests and active tokens can be filtered by permission, such as issues_write and members_read.

image

After setting a filter, only tokens with that permission will be shown in the table.

To learn more about fine-grained PATs, see "Reviewing fine-grained personal access tokens" and "Managing requests for fine-grained personal access tokens".

See more

Code scanning now supports using CodeQL packs on GitHub.com and GHES

CodeQL comes with a built-in package manager that helps you share and manage custom queries. Last year, we announced the public beta of CodeQL packaging — including direct integration into GitHub code scanning. This makes it easier to roll out custom queries to your repositories and gives you full control over exactly which queries are run.

This functionality will soon be released for users of GitHub Enterprise Server (GHES): it will be available with GHES 3.7. This release also includes support for using packs that are published to GitHub Container Registries (GHCR) hosted on GHES.

How do I use CodeQL query packs in code scanning?

To use CodeQL query packs in code scanning, specify a with: packs: entry in the uses: github/codeql-action/init@v2 section of your code scanning workflow. By default code scanning downloads packs the from GHCR on GitHub.com, so if you want to run one of the standard CodeQL query packs or any other public CodeQL query pack, then simply include the pack scope/name and version requirements here. You can find the full documentation here.

If you want to run packs from the GHCR on GHES, then you need to tell code scanning how to access and authenticate to the appropriate registry. For an example of how to do this in your code scanning workflow, see Downloading CodeQL packs from GitHub Enterprise Server in the GitHub documentation.

How do I publish my own CodeQL packs?

You can publish you own CodeQL packs using the CodeQL CLI. By default, the CodeQL CLI publishes packs to the GHCR on GitHub.com. If you want to publish packs to the GHCR associated with your instance of GHES, you need to tell the CodeQL CLI how to access and authenticate to the registry you want to work with. For a full example of how to specify these details, see Working with CodeQL packs on GitHub Enterprise Server in the CodeQL CLI documentation.

Where can I find more information about CodeQL packaging and code scanning?

This changelog post only provides a brief summary of how you can use CodeQL packs in code scanning. For more information, see:

See more

Private beta introducing innersource restrictions for Enterprise Managed Users

GitHub Enterprise Cloud customers that use Enterprise Managed Users (EMUs) can now participate in a private beta for a new user role that has restricted visibility of internal repositories. This role helps companies to work with contractors and collaborators in a flexible and managed fashion on specific projects, while also sharing code and ideas without restrictions amongst employees.

Users are granted this new role by being marked as "Restricted Users" in your identity provider. Enterprise members granted this role can be added to Organizations as members, and added to Organization teams – but they won't be able to see internal repositories in other Organizations unless explicitly added to those repositories one-by-one.

If you would like to enroll your EMU enterprise in this private beta, please reach out to your account team or contact our sales team for more details.

See more

Display SAML SSO authentication data in audit log – Private Beta

GitHub Enterprise Cloud customers can now participate in a private beta displaying SAML single sign-on (SSO) identities for relevant users in audit log events.

SAML SSO gives organization and enterprise owners a way to control and secure access to resources like repositories, issues, and pull requests. Organization owners can invite GitHub users to join an organization backed by SAML SSO, allowing users to become members of the organization while retaining their existing identity and contributions on GitHub.

With the addition of SAML SSO identities in the audit log, organization and enterprise owners can easily link audit log activity with the user's corporate identity, used to SSO into GitHub.com. This not only provides increased visibility into the identity of the user, but also enables logs from multiple systems to quickly and easily be linked using a common SAML identity.

Enterprise owners interested in participating in the private beta should reach out to your GitHub account manager or contact our sales team to have this feature enabled for your enterprise. Once enabled, enterprise and organization owners can provide feedback at the logging SAML SSO authentication data for enterprise and org audit log events community discussion page.

See more

The GitHub Enterprise Server 3.7 Release Candidate is available

The GitHub Enterprise Server 3.7 release candidate is here

GitHub Enterprise Server 3.7 brings new capabilities to help companies build and deliver secure software, more quickly. With over 70 new features, here are a few highlights.

  • It's easier to deploy GitHub Actions, securely, at scale. Teams looking to standardise their workflows with reusable workflows will benefit from the ability to nest reusable workflows in one another, and build matrixing into reusable workflows. What's more, Actions now supports Google Cloud Storage and security teams will love our enhancements to the OIDC connection patterns for Actions to support cloud deployments at scale
  • Security teams now have a single view of their code security posture. The Security Overview page, an at-a-glance view of your code security alerts and risk, is now available to all customers. And to ensure all repositories are covered by your company's policies, administrators can now restrict new repositories to Organizations only.
  • Forking is clearer and simpler, especially for companies adopting innersource. Developers will benefit from a whole host of enhancements that make working with forks easier, including the ability to fork within an organization and fork internal repositories.
  • Code scanning alerts for GitHub Advanced Security customers are now more collaborative and relevant, with alerts now appearing in pull requests. And, you can now improve Dependabot alert and update coverage by submitting dependencies directly to the Dependency graph via an API.

Release Candidates are a way for you to try the latest features at the earliest time, and they help us gather feedback early to ensure the release works in your environment. They should be tested on non-production environments. Here are some highlights for this release. Read more about the release candidate process.

Read more about GitHub Enterprise Server 3.7 in the release notes, or download the release candidate now. If you have any feedback or questions, please contact our Support team.

See more

Introducing fine-grained personal access tokens

Today we're enabling fine-grained personal access tokens (PATs) in Public Beta for all user accounts on GitHub.com. This new type of token gives developers and resource owners more control and visibility around token access. Learn more about this new token type in today's blog post.

These new tokens offer many more permissions to choose from, must be scoped to a specific organization or account, and must expire. Organization owners will also find new tools to manage tokens that can access their organization, and can require approval of those tokens before they may be used.

PATsv2-light2

You can try out the new token creation flow, and provide feedback in our community discussion.

For more information, see "Creating a fine-grained personal access token".

See more

New enterprise policies for code security

Enterprise owners can now configure whether repository administrators can enable or disable Dependabot alerts.

If you are owner of an enterprise with GitHub Advanced Security, you can now also set policies to allow or disallow repository administrators access to enablement for:

  • GitHub Advanced Security
  • Secret scanning

image

Learn more about enterprise policies for code security and send us your feedback

See more

Audit Log Streaming to Datadog is generally available

GitHub Enterprise Cloud customers can now stream their audit log to a Datadog endpoint. Enterprise owners need to be able to use the right tools for their job, whether that be short-term investigation or longer-term threat analysis and prevention. With audit log streaming to Datadog, customers can be assured that:

  • no audit log event will be lost,
  • they may satisfy longer-term data retention goals, and
  • they can analyze GitHub's audit log data using Datadog products.

For GitHub Enterprise Server customers, this feature is planned to come to GHES 3.8.

For additional information, read our documentation about setting up streaming to Datadog.

See more

Display Authentication Token Data in your Enterprise Audit Log – Beta

GitHub Enterprise Cloud customers can now participate in a private beta enabling authentication token data to display for audit log events. In doing so, enterprise owners will be able to query their audit logs for activity associated with specific authentication tokens. With the introduction of this feature, enterprise owners will be better equipped to detect and trace activity associated with corrupt authentication tokens, which have the potential to provide threat actors access to sensitive private assets.

Enterprise owners interested in participating in the private beta should reach out to your GitHub account manager or contact our sales team to have this feature enabled for your enterprise. Once enabled, enterprise owners can find guidance and provide feedback at the displaying authentication token data in enterprise audit log events community discussion..

See more

Enable secret scanning for an enterprise with one click

If you are an owner of an enterprise with GitHub Advanced Security, you can now enable secret scanning and push protection across your entire enterprise with only 1 click.

This new enablement setting also allows you to set a default custom link that will appear on a push protection block.

enterprise enablement

See more

Stream audit log to AWS S3 with OpenID Connect (OIDC)

The functionality for GitHub Enterprise Cloud customers to configure audit log streaming to AWS S3 with OpenID Connect (OIDC) is now generally available. Audit log streaming configured with OIDC eliminates storage of long-lived cloud secrets on GitHub by using short-lived tokens exchanged via REST/JSON message flows for authentication.

For additional information, please read about setting up audit log streaming to AWS S3 with OpenID Connect.

See more
View more changes