You can now filter by repository topic or team on the organization-level Dependabot, code scanning, and secret scanning pages in security overview.
These improvements have shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.
GitHub Advanced Security users can now view alert metrics for custom patterns at the repository, organization, and enterprise levels directly from the custom pattern's page. Custom patterns with push protection enabled also show metrics like total secrets blocked and bypassed.
We welcome feedback in our code security discussion.
GitHub enterprise and organization owners can now use a REST API to delete their organizations and all corresponding repositories. Organization names will be locked for 90 days following the organization deletion.
We recommend reading our Terms of Service around account deletion before utilizing this endpoint.
To learn more, please read our Organization REST API documentation.
GitHub Enterprise Cloud administrators may need to review external identity information via the GraphQL API. Historically, this has required a token with the admin:org or admin:enterprise scope. We've taken a "least privilege" mindset in reviewing this flow and have now made this information available via the read:enterprise and read:org scopes for enterprise owner and organization owner actors.
For more information, see the GraphQL API documentation for Enterprise and Organization SAMLIdentity objects.
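As an added example (not GitHub's own code), the script below pulls an organization's SAML identities over GraphQL using the page's own tooling, `gh api graphql`, so the token behind `gh` now only needs read:org instead of admin:org. It pages through externalIdentities and flags SAML identities that are not linked to any GitHub login, which is the usual offboarding question. The query shape (samlIdentityProvider, externalIdentities, samlIdentity.nameId) is the public schema as I know it and is an assumption to verify against the docs; the organization name is a placeholder.

```python
"""List SAML identities for an org and flag ones with no linked GitHub user.

Added example, not GitHub's code. Uses `gh api graphql`; the token only needs
read:org (read:enterprise for the enterprise variant). Query field names are
taken from the public GraphQL schema as the author remembers it: assumption.
"""
import json
import subprocess
import sys

# $cursor drives pagination; 100 is the maximum page size for this connection.
QUERY = """
query($org: String!, $cursor: String) {
  organization(login: $org) {
    samlIdentityProvider {
      externalIdentities(first: 100, after: $cursor) {
        pageInfo { hasNextPage endCursor }
        nodes {
          samlIdentity { nameId }
          user { login }
        }
      }
    }
  }
}
"""


def run_graphql(query, variables):
    """Default transport: each -f after the query becomes a GraphQL variable."""
    cmd = ["gh", "api", "graphql", "-f", f"query={query}"]
    for key, value in variables.items():
        cmd += ["-f", f"{key}={value}"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def saml_identities(org, transport=run_graphql):
    """Yield (nameId, login) pairs; login is None when the identity is unlinked."""
    cursor = None
    while True:
        variables = {"org": org}
        if cursor:  # omit on the first page so the variable is null
            variables["cursor"] = cursor
        data = transport(QUERY, variables)
        if "errors" in data:  # e.g. insufficient scope or org not found
            raise RuntimeError(data["errors"])
        idp = data["data"]["organization"]["samlIdentityProvider"]
        if idp is None:  # SAML SSO is not configured for this organization
            return
        page = idp["externalIdentities"]
        for node in page["nodes"]:
            saml = node.get("samlIdentity") or {}
            user = node.get("user") or {}
            yield saml.get("nameId"), user.get("login")
        if not page["pageInfo"]["hasNextPage"]:
            return
        cursor = page["pageInfo"]["endCursor"]


def unlinked_identities(org, transport=run_graphql):
    """SAML identities with no GitHub account attached: stale IdP provisioning to review."""
    return sorted(name_id for name_id, login in saml_identities(org, transport)
                  if name_id and login is None)


if __name__ == "__main__":
    org_name = sys.argv[1] if len(sys.argv) > 1 else "example-org"  # placeholder
    for name_id, login in saml_identities(org_name):
        print(f"{name_id}\t{login or '<unlinked>'}")
```

Run it with the organization name as the first argument; `transport` is injectable so the pagination and null handling can be exercised without hitting the API.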
The new code scanning tool status page allows users to view the status of CodeQL and other code scanning tools.
The page shows all the tools that are enabled on the repository and provides information about their setup types, configurations, and any relevant failures or warnings. If a tool is not working as expected, this is a good place to start troubleshooting the issue.
You can visit the new tool status page by using the button at the top of the repository's Code Scanning page.
The page indicates three possible statuses for the tool: all configurations are working, some need attention, and some are not working.
Code scanning needs to have received at least one analysis for the default branch to provide a tool status. Only the status of the default branch is reported.
The page shows the latest state of all analysis configurations for the tool. For instance, if you created two separate workflows to scan two distinct parts of the repository independently, the page displays the most recent state of the tool by combining the statuses of both.
For each tool, the page provides actionable information about misconfigurations and errors, the number of scanned files per language, the setup types and configurations, the list of rules the tool checks against, and detailed CSV reports.
To help you with debugging, the tool status page shows error messages gathered from multiple code scanning system components during tool setup and analysis execution. These include errors from CodeQL, code scanning workflows, SARIF upload limits, and the internal code scanning system.
Third party code scanning tools are not yet able to deliver tool related errors to the page. In the future, these tools will be able to submit error messages to code scanning via SARIF uploads.
A Scanned Files section shows the number of analysed files per language compared to the number of files in the repository.
The section helps you determine whether code scanning tools are operating correctly on your repository and only shows information about languages supported and analysed by the tool while ignoring languages that are present in the repository but are not supported or being analysed by the tool.
This section is not yet displayed for third party code scanning tools. In the future, third party tools will be able to submit error messages to code scanning via SARIF uploads.
This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.
Learn more about code scanning and the tool status page.
Learn more about GitHub Advanced Security.
We've recently released a few improvements to the slide-out enablement panel on the security coverage page in security overview:
These improvements have shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.
Learn more about security overview and send us your feedback
Learn more about GitHub Advanced Security
Organization owners can now automate the approval and auditing of fine-grained personal access tokens (PATs) in their organization using a GitHub app. New APIs and webhook events allow a GitHub app to be notified of new PAT requests in an organization, review the request, and then approve or deny the PAT. They also provide a view of all approved fine-grained PATs for an organization, with the ability to revoke their authorization as well. These APIs and events are part of the ongoing fine-grained PAT public beta that launched last year.
Details included in the webhook event and API listings include the repositories and permissions requested, the expiration time of the token, and the user's explanation for what they plan to do with the PAT. The personal_access_token_request events are generated when a request is created, approved or denied by an administrator or application, or cancelled by the requesting user.
Only a GitHub app is able to call these APIs, either acting on its own or on behalf of a signed-in organization administrator.
The organization_personal_access_tokens permission is needed to manage the active tokens, while the organization_personal_access_token_requests permission enables the app to receive webhooks about requests and call the request management APIs.
Organizations must have the personal access token approval flow enabled in order to manage these requests; otherwise fine-grained personal access tokens are automatically approved for the organization (which generates a personal_access_token_request: approved event).
To learn more about these APIs, see "List requests to access organization resources with fine-grained PATs" and the "personal_access_token_request webhook event". To learn more about fine-grained PATs, and how to enable them for your organization, see "Setting a personal access token policy for your organization".
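The flow above, as an added example that is not GitHub's code: a handler for personal_access_token_request deliveries that first verifies the X-Hub-Signature-256 HMAC on the body, then applies a simple policy (expiry no longer than 90 days, repositories named explicitly, no sensitive organization permissions) and approves or denies through POST /orgs/{org}/personal-access-token-requests/{pat_request_id}. The endpoint path and the payload field names (permissions_added, permissions_upgraded, repository_selection, token_expires_at) are my reading of the REST and webhook references and should be checked against them; the thresholds and blocked permission list are this example's own choices. The app calling the review endpoint needs the organization_personal_access_token_requests permission the page describes.

```python
"""Auto-review fine-grained PAT requests arriving on the personal_access_token_request webhook.

Added example, not GitHub's code. Assumptions: webhook field names and the
review endpoint follow the public docs as the author remembers them; policy
limits are illustrative. Approval calls go through `gh api` so the app token
is handled by gh (set GH_TOKEN to the app's installation token).
"""
import hashlib
import hmac
import json
import subprocess
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=90)  # policy choice, not a GitHub default
# Organization-level permissions that should never be auto-approved (policy choice).
BLOCKED_ORG_PERMS = {"members", "organization_administration", "organization_secrets"}


def verify_signature(secret, body, header):
    """Constant-time check of 'sha256=<hex>' against HMAC-SHA256(secret, raw body)."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header or "")


def decide(event, now=None):
    """Return ('approve' | 'deny' | 'skip', reason) for one webhook payload."""
    if event.get("action") != "created":  # approved/denied/cancelled need no review
        return "skip", f"not a new request (action={event.get('action')})"
    req = event["personal_access_token_request"]
    now = now or datetime.now(timezone.utc)
    expires = req.get("token_expires_at")
    if not expires:
        return "deny", "token must have an expiry"
    exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
    if exp - now > MAX_LIFETIME:
        return "deny", f"expiry exceeds {MAX_LIFETIME.days} days"
    if req.get("repository_selection") == "all":
        return "deny", "tokens must be scoped to named repositories"
    # Both newly requested and upgraded permissions count against the policy.
    org_perms = set((req.get("permissions_added") or {}).get("organization") or {})
    org_perms |= set((req.get("permissions_upgraded") or {}).get("organization") or {})
    blocked = sorted(org_perms & BLOCKED_ORG_PERMS)
    if blocked:
        return "deny", "organization permissions need manual review: " + ", ".join(blocked)
    return "approve", "within policy: named repos, no sensitive org permissions, short expiry"


def review(org, pat_request_id, action, reason, runner=subprocess.run):
    """Approve or deny a single request; the reason is shown to the requester."""
    cmd = ["gh", "api", "-X", "POST",
           f"/orgs/{org}/personal-access-token-requests/{pat_request_id}",
           "-f", f"action={action}", "-f", f"reason={reason}"]
    runner(cmd, check=True)


def handle_delivery(org, secret, body, signature, now=None, runner=subprocess.run):
    """Entry point for one webhook delivery: verify, decide, act. Returns the decision."""
    if not verify_signature(secret, body, signature):
        raise PermissionError("webhook signature mismatch; dropping delivery")
    event = json.loads(body)
    action, reason = decide(event, now)
    if action != "skip":
        review(org, event["personal_access_token_request"]["id"], action, reason, runner)
    return action, reason
```

Wire `handle_delivery` to your HTTP framework with the raw request bytes (not a re-serialized JSON object, or the HMAC will not match) and the X-Hub-Signature-256 header; `runner` is injectable so the policy can be tested without calling GitHub.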
If you have feedback or bugs to report about fine-grained PATs, please let us know in the dedicated feedback discussion.
Code scanning has shipped an API for repositories to programmatically enable code scanning default setup with CodeQL.
The API can be used to:
Enable default setup: gh api -X PATCH /repos/[org-name]/[repo-name]/code-scanning/default-setup -f state=configured
Change the query suite: gh api -X PATCH /repos/[org-name]/[repo-name]/code-scanning/default-setup -f query_suite=extended
View the current configuration: gh api /repos/[org-name]/[repo-name]/code-scanning/default-setup
Disable default setup: gh api -X PATCH /repos/[org-name]/[repo-name]/code-scanning/default-setup -f state=not-configured
When you onboard a repository via the API, you will receive a workflow run ID which can be used to monitor the setup progress. To see the status and conclusion of that run: gh api repos/[org-name]/[repo-name]/actions/runs/[run-id] --jq '.status, .conclusion'
The configuration endpoint returns the current state of default setup for the repository, for example:
{
"state": "configured",
"languages": ["javascript", "ruby"],
"query_suite": "default",
"updated_at": "2023-02-24T20:00:42Z"
}
For more information, see "Get the code scanning default setup configuration" and "Update the code scanning default setup configuration".
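The enable-then-monitor sequence above, as an added example that is not GitHub's code: it issues the PATCH, polls the returned workflow run until it completes, and then reads the configuration back to confirm the state and query suite took effect. It wraps the same `gh api` calls the page lists. Assumptions: the PATCH response carries the run id under a "run_id" key (the page only says a run ID is returned), and the polling interval and timeout are this example's choices.

```python
"""Enable CodeQL default setup on a repository and wait for the bootstrap run.

Added example, not GitHub's code. Wraps the `gh api` calls shown on the page.
Assumption: the PATCH response exposes the workflow run id as "run_id".
"""
import json
import subprocess
import time


def gh_api(args, runner=subprocess.run):
    """Run `gh api <args>` and decode the JSON body; gh exits non-zero on HTTP errors."""
    out = runner(["gh", "api", *args], capture_output=True, text=True, check=True).stdout
    return json.loads(out) if out.strip() else {}


def configure(repo, query_suite="default", runner=subprocess.run):
    """PATCH default setup on; returns the run id to watch (None if none was returned)."""
    resp = gh_api(["-X", "PATCH", f"/repos/{repo}/code-scanning/default-setup",
                   "-f", "state=configured", "-f", f"query_suite={query_suite}"], runner)
    return resp.get("run_id")


def run_state(repo, run_id, runner=subprocess.run):
    """(status, conclusion) of an Actions run, e.g. ('in_progress', None)."""
    run = gh_api([f"/repos/{repo}/actions/runs/{run_id}"], runner)
    return run.get("status"), run.get("conclusion")


def wait_for_run(repo, run_id, timeout=600, interval=15,
                 runner=subprocess.run, sleep=time.sleep):
    """Poll until the run completes; returns its conclusion ('success', 'failure', ...)."""
    deadline = time.monotonic() + timeout
    while True:
        status, conclusion = run_state(repo, run_id, runner)
        if status == "completed":
            return conclusion
        if time.monotonic() > deadline:
            raise TimeoutError(f"run {run_id} still {status} after {timeout}s")
        sleep(interval)


def current_config(repo, runner=subprocess.run):
    """GET the configuration; same shape as the JSON shown on the page."""
    return gh_api([f"/repos/{repo}/code-scanning/default-setup"], runner)


def enable_and_verify(repo, query_suite="default", runner=subprocess.run, sleep=time.sleep):
    """Enable default setup, wait for the run, and confirm the stored configuration.

    Returns (ok, conclusion, config); ok is False if the run failed or the
    configuration read back does not match what was requested.
    """
    run_id = configure(repo, query_suite, runner)
    conclusion = wait_for_run(repo, run_id, runner=runner, sleep=sleep) if run_id else None
    config = current_config(repo, runner)
    ok = (config.get("state") == "configured"
          and config.get("query_suite") == query_suite
          and conclusion in (None, "success"))
    return ok, conclusion, config


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example-org/example-repo"  # placeholder
    ok, conclusion, config = enable_and_verify(target, "extended")
    print("ok" if ok else "check repository", conclusion, config.get("languages"))
```

Loop `enable_and_verify` over a list of repositories to onboard them in bulk; a failed conclusion usually means the repository is not eligible (no supported language or Actions disabled), which the tool status page will show in detail.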
You can now enable the "security extended" query suite for repositories using code scanning default setup with CodeQL. This query suite can be selected during set up, or changed at any time by viewing and editing the CodeQL configuration.
Code scanning's default query suites have been carefully designed to ensure that they look for the security issues most relevant to developers, whilst also minimizing the occurrence of false positive results. However, if you and your developers are interested in seeing a wider range of alerts you can enable the security extended query suite. This suite includes the same queries as in the default query suite, plus:
If you enable the security extended suite you may see more CodeQL alerts in your repository and on pull requests. For more information, see "About code scanning alerts".
Read more about code scanning default setup.
Enabling CodeQL analysis with code scanning default setup for eligible repositories in your organization is now as easy as a single click from the organization’s settings page or a single API call.
You can use code scanning default setup to enable CodeQL analysis for pull requests and pushes on eligible repositories without committing any workflow files. Currently, this feature is only available for repositories that use GitHub Actions and it supports analysis of JavaScript/TypeScript, Python and Ruby. We plan to add support for additional languages soon.
To help you identify which repositories are eligible for the “enable all” feature, two new security coverage filters have been added:
code-scanning-default-setup: returns a list of enabled, eligible or not eligible repositories
advanced-security: returns a list of repositories with GitHub Advanced Security enabled or not enabled
This feature has been released as a public beta on GitHub.com and will also be available as a public beta on GitHub Enterprise Server 3.9.
Learn more about configuring code scanning at scale using CodeQL and the “Enable or disable a security feature for an organization” REST API
Code scanning is now using a new way of analysing and displaying alerts on pull requests. The change ensures code scanning only shows accurate and relevant alerts for the pull request.
Previously, code scanning presented all alerts unique to the pull request branch, even if they were unrelated to the code changes the pull request introduced. Now, the tool reports only alerts inside the lines of code that the pull request has changed, which makes it easier to fix these contextualised alerts in a timely manner.
The complete list of code scanning alerts on the pull request branch can be seen on the Security tab of the repository.
In addition, code scanning will no longer show fixed alerts on pull requests. Instead, you can check whether an alert has been fixed by your pull request on the Security tab of the repository by using search filters: pr:111 tool:CodeQL. If you fix an alert in the initial commit in the pull request, it will not be present on the PR branch.
This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.10.
Learn more about viewing an alert on your pull request.
Learn more about GitHub Advanced Security.
The "Require SSH certificates" policy now allows GitHub apps to call Git APIs using a user-to-server token, bringing them up to parity with OAuth app support.
The SSH certificate requirement mandates that users in your organization call Git APIs using an SSH certificate issued by your organization, in place of their own SSH key or a PAT.
To support automation, it has an exception in place for OAuth apps and GitHub app server-to-server tokens, which allows applications you've approved to call Git APIs for your organization.
With this change, we are extending that exception to GitHub app user-to-server tokens, for when a user has signed into a GitHub app that's installed in your organization.
This change also applies when the enterprise-level setting requires SSH certificates across all organizations in the enterprise.
To learn more, see "Managing your organization's SSH certificate authorities" or "Managing SSH certificate authorities for your enterprise".
GitHub organization owners can now opt in to a public beta to display organization members' IP addresses in audit log events. When enabled, IP addresses will be displayed for all audit log events performed by organization members on organization assets other than public repositories, which will be treated differently due to privacy obligations.
The inclusion of IP addresses in audit logs helps software developers and administrators protect their systems and data from potential threats and improve their overall security posture by providing the source of an action or event within a system or network. This information is crucial for troubleshooting issues or investigating security incidents. IP addresses are often used in forensic investigations to trace the origin of cyberattacks, unauthorized access, or other malicious activities.
For additional information and instructions for enabling this feature, read about displaying IP addresses in the audit log for your organization.
Code scanning configurations can now be deleted from the code scanning alert page. This could be used to delete stale configurations causing alerts to remain open, or delete old configurations which are no longer used.
Code scanning can be configured to use different tools, target different languages, or even analyze different parts of the codebase in the same repository. In certain circumstances more than one of these configurations may produce the same alert. However, if one of the configurations is no longer used and becomes 'stale' you may find that the alert is fixed in one configuration but not in the stale configuration, which is potentially confusing. Today we are releasing a new feature that allows you to easily delete stale configurations which cause alerts to remain open after they've been fixed.
In the code scanning alert page, the counter in the 'Affected branches' sidebar shows the number of configurations for the branch. Click a branch to view the configuration details, and delete configurations as required. A configuration is deleted per branch, so deleting one may affect the status of other alerts on the same branch. When a configuration is deleted, a timeline entry is recorded on the alert, and repositories in an organization also record an audit log entry. If a configuration is deleted by mistake, re-run the analysis to update the alert and reinstate the configuration.
Read more about removing stale code scanning configurations and alerts.
GitHub Enterprise Server 3.8 brings new capabilities to help companies build and deliver secure software. We've added over 100 features, and here are a few highlights:
To learn more about GitHub Enterprise Server 3.8, read the release notes, and download it now.