The organization-level security overview page has been replaced by the risk and coverage views as previously announced and is no longer available. The risk view is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.
GitHub Enterprise customers can use the new security overview experience today by clicking on an organization's "Security" tab.
Learn more about the new risk and coverage views and send us your feedback
We've recently released a few minor user experience improvements for our GitHub Security Advisory form:
Further reading:
GitHub organizations can now use the code scanning organization-level API endpoint to retrieve code scanning alerts on public repositories; this no longer requires a GitHub Advanced Security license. This new endpoint supplements the existing repository-level endpoint.
Learn more about the code scanning organization-level REST API.
Dependabot security updates now supports the Pub ecosystem, making it easier for you to fix vulnerable dependencies in your Dart or Flutter apps. With security updates enabled, Dependabot will automatically raise a pull request to update vulnerable Pub dependencies to the latest patched version.
GitHub's audit log allows organization and enterprise admins to quickly review the actions performed by members of their organization or enterprise. For Dependabot alerts, the audit log includes actions such as repository enablement, creation or reintroduction of alerts, dismissal of alerts, and resolving of alerts.
The audit log now supports the following improvements:
alert_number, ghsa_id, dismiss_reason, and dismiss_comment.This release is available for organization and enterprise admins (including GHES 3.7 and later).
For more information, view documentation on Dependabot alerts in the GitHub audit log.
Starting today, GitHub code scanning includes beta support for analyzing code written in Kotlin, powered by the CodeQL engine.
Kotlin is a key programming language used in the creation of Android mobile applications, and is an increasingly popular choice for new projects, augmenting or even replacing Java. To help organisations and open source developers find potential vulnerabilities in their code, we’ve added Kotlin support (beta) to the CodeQL engine that powers GitHub code scanning. CodeQL now natively supports Kotlin, as well as mixed Java and Kotlin projects. Set up code scanning on your repositories today to receive actionable security alerts right on your pull-requests. To enable Kotlin analysis on a repository, configure the code scanning workflow languages to include java. If you have any feedback or questions, please use this discussion thread or open an issue if you encounter any problems.
Kotlin support is an extension of our existing Java support, and benefits from all of our existing CodeQL queries for Java, for both mobile and server-side applications. We’ve also improved and added a range of mobile-specific queries, covering issues such as handling of Intents, Webview validation problems, fragment injection and more.
CodeQL support for Kotlin has already been used to identify novel real-world vulnerabilities in popular apps, from task management to productivity platforms. You can watch the GitHub Universe talk on how CodeQL was used to identify vulnerabilities like these here.
Kotlin beta support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.8 will include this beta release.
You can now filter results from the code scanning REST API based on alert severity. Use the parameter severity to return only code scanning alerts with a specific severity. This is available at the repository and organization level.
This feature is available on GitHub.com, and will also be included in GitHub Enterprise Server (GHES) version 3.8.
Read more about the code scanning API
Dependabot security updates now supports the GitHub Actions ecosystem, making it easier for you to fix vulnerable GitHub Actions dependencies. With security updates enabled, Dependabot will automatically raise a pull request to update vulnerable GitHub Actions used in your workflows to the minimum patched version.
Dependabot expands its existing Hex private registry support beyond Hex organizations by adding support for self-hosted Hex repositories. You can configure your self-hosted Hex package repository as a private registry for use with Dependabot version updates. Special thanks to @sorentwo for their contribution to Dependabot!
Learn more about configuring Dependabot version updates and its supported ecosystems and package managers.
You can now enable and disable the following GitHub security features for a single repository from the organization-level security coverage view:
If you are a GitHub Advanced Security customer, you can also enable and disable the following features for a single repository:
In the future, you'll be able to enable and disable multiple repositories from the coverage view.
Learn more about the new coverage view and send us your feedback
Learn more about GitHub Advanced Security
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Figma to scan for their API tokens and help secure our mutual users on public repositories. Figma API tokens can be used to read and interact with Figma and FigJam files — both through Figma’s own platform and other Figma-integrated applications. GitHub will forward access tokens found in public repositories to Figma, who will will immediately notify token owners. You can read more information about Figma's tokens here.
GitHub Advanced Security customers can also scan for Figma tokens and block them from entering their private and public repositories with push protection.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with LocalStack to scan for their API key tokens and help secure our mutual users on public repositories. LocalStack's tokens allow for activation of the advanced LocalStack features for their Pro/Team/Enterprise products. GitHub will forward access tokens found in public repositories to LocalStack, who will immediately notify users and revoke any compromised tokens. You can read more information about LocalStack's tokens here.
GitHub Advanced Security customers can also scan for LocalStack tokens and block them from entering their private and public repositories with push protection.
Dependabot version updates now proactively updates Docker image tags in Kubernetes manifests.
When specifying the Docker ecosystem in dependabot.yml include an entry for each directory where a Kubernetes manifest which references Docker image tags is located. Kubernetes manifests can be either Kubernetes Deployment YAML files or Helm charts. Dependabot will parse the unrendered version of the manifest in order to keep your Docker image tags updated.
Learn more about configuring Dependabot version updates.
The dependency review API is now generally available.
The Dependency Review GitHub Action now allows you to reference a local or external configuration file. There are also new configuration options:
fail-on-scopes: contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the listallow-ghsas: contains a list of GitHub Security Advisory IDs that can be skipped during detectionlicense-check and vulnerability-check: a boolean option that allows you disable either one of the checks Learn more about the dependency graph and dependency review
Security overview’s new risk and coverage views provide greater visibility into your security posture and risk analysis.
Each new view offers a refreshed design with several key improvements, including insights and dynamic filtering.
The coverage view gives visibility into enablement across all repositories. On the coverage view, you can:
The coverage view is complimented by a new risk view that gives visibility into all alerts across these repositories.
On the risk view, you can:
Both views are now available as a public beta. In the coming weeks, we will deprecate the overview in favor of these two new views.
Learn more about the new risk and coverage views and send us your feedback
Open source maintainers can now opt-in to private vulnerability reporting, a dedicated communications channel where the community can disclose security issues directly to you on GitHub.
You can see reports sent to you under the new "Needs triage" status on your advisories list:
If the report is accepted, it becomes a draft security advisory. The reporter remains involved unless explicitly removed, so you can collaborate on phrasing the resulting draft advisory or fixing the issue in a private fork.
Last year, we launched Ruby analysis support in beta for GitHub code scanning. Today, we're announcing the general availability of this feature — covering even more vulnerabilities in Ruby code.
Ruby is part of the top 10 most popular languages on GitHub today. In the past year alone, code scanning (powered by the CodeQL engine) helped Ruby developers resolve more than 4,000 security issues. Set up code scanning on your repositories today and receive actionable security alerts right on your pull-requests.
Since shipping in beta, our Ruby analysis has more than doubled the number of common weaknesses (CWEs) that it can detect. A total of 30 rules check your code for a range of vulnerabilities, including cross-site scripting (XSS), regular expression denial-of-service (ReDoS), SQL injection, and more. Additional library and framework coverage for Ruby-on-Rails ensures that web service developers get even more precise results. We currently support all common Ruby versions, up to and including 3.1. Check out the documentation for more details on compatibility.
Ruby support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.4 shipped with Ruby (beta) support, and GHES 3.8 will include this GA release.
Dependabot helps you keep your dependencies up-to-date with Dependabot version updates. These pull requests are configured via a dependabot.yml file.
Starting today, if you fork a repository with an existing dependabot.yml, Version updates will be disabled by default. To enable Dependabot pull requests based on this configuration, you can click “enable” from your forked repository’s “Code security and analysis” settings page.
After enabling Dependabot version updates, you will also be able to disable with a single click from this settings page.
Learn more about configuring Dependabot version updates.
GitHub Advanced Security customers using secret scanning can now specify a custom link via the organization level REST API that will show in the message when push protection detects and blocks a potential secret. Admins can use the custom link to point their developers to company-specific guidance on secrets.
Previously, admins could only set a custom link through the UI.