When resolving security alerts for vulnerable transitive npm dependencies, it is possible that updating a direct dependency will remove the vulnerable transitive dependency from the tree. Dependabot can now resolve these security alerts by creating a pull request that removes the unnecessary transitive dependency.
You can now programmatically view and act on Dependabot alerts via the REST API. New endpoints to view, list, and update Dependabot alerts are available in a public beta.
For more information, see Dependabot alerts in the REST API reference or learn more about Dependabot alerts in our documentation.
We have started creating and storing CodeQL databases for the most popular open-source projects on GitHub.com. If you use CodeQL for security research, you can now obtain these databases easily and directly through the CodeQL extension for Visual Studio Code, which makes it much easier to write and run your own custom CodeQL queries.
The CodeQL engine powers GitHub code scanning: it analyses source code and flags up potential security problems (for example, in pull requests). By default, code scanning runs a large set of open source queries that are able to identify the most important and common security problems.
CodeQL is also a powerful tool for variant analysis and other types of security research. CodeQL treats source code as data, and anyone can write custom CodeQL queries to explore a codebase and identify vulnerabilities. Like code search on steroids!
The first step of any CodeQL analysis is extracting the source code into a CodeQL database. This database contains a relational representation of the source code — including elements like the abstract syntax tree, the data flow graph, and the control flow graph. You can create CodeQL databases yourself using the CodeQL CLI, but with the feature we shipped today, it's much quicker to get started: you can download a ready-built CodeQL database from GitHub.com.
To download a CodeQL database for use in the CodeQL extension in VS Code:
owner/repo identifier of the public repository you'd like to analyze.
Once you've downloaded a CodeQL database, you're ready to start your research. Find more information in the CodeQL documentation.
We currently store databases for over 200,000 repositories on GitHub.com. That list is constantly growing and evolving to make sure that it includes the most interesting codebases for security research.
We create and store databases for all of the languages that we support in CodeQL code scanning. For more information, see About code scanning with CodeQL.
Yes, you can also download CodeQL databases using the GitHub REST API. For more information, see Downloading databases from GitHub.com in the CodeQL CLI documentation.
If there is a repository that you'd like to analyze, but a CodeQL database is not available yet, then you can trigger the creation (and storing) of a database by enabling GitHub code scanning with the CodeQL engine. Alternatively, you could fork the repository and enable code scanning on the fork. For more information, see the code scanning documentation.
Your GitHub repositories with Dependabot alerts enabled and Dependabot security updates enabled will automatically generate Dependabot pull requests for vulnerable npm transitive dependencies.
Previously, Dependabot couldn't generate a security update for a transitive dependency when its parent dependency required incompatible specific version range. In this locked state, developers had to manually upgrade the parent and transitive dependencies.
Now, Dependabot will be able to create pull requests for npm projects that upgrade both the parent and child dependencies together.
For example, if a vulnerability for the transitive dependency node-forge triggers a Dependabot alert and allows a PR to be created:
Prior to this change Dependabot would fail to create a Dependabot security update for transitive dependencies :confused:. But not anymore! 😀 Now, Dependabot will unlock the node-forge security update by bumping the parent webpack-dev-server version in addition to patching the `node-forge dependency within the same Pull Request!
This change will apply to pull requests generated by Dependabot that update vulnerable npm packages.
At the organization level, you can now view (GET) and update (PATCH) enablement status as well as configure the setting to automatically enable new repositories for the following GitHub security products:
If you are a GitHub Advanced Security customer, you can also view and update the same settings for:
In addition, GitHub Advanced Security customers can view and update the enablement status for GitHub Advanced Security at the organization level.
Learn more about the organization REST API and send us your feedback
The default code scanning query suites include checks for the most important security vulnerabilities for each supported language, so that any potential problems can be surfaced to developers before they are committed to their repository. However, in some situations a particular check is not relevant for a codebase and you might prefer to not run that CodeQL query. You can now easily exclude queries using code scanning query filters.
Query filters use the same syntax as CodeQL query suites and you can filter on any CodeQL query metadata property. Query filters must be specified in a custom code scanning configuration file, which you refer to from your code scanning analysis workflow file.
In your code scanning workflow file, use the config-file parameter of the init action to specify the path to the configuration file you want to use:
- uses: github/codeql-action/init@v2
with:
config-file: path/to/config/file.ymlIn your configuration file, specify the query filters you want to use. For example, to exclude the Unsafe HTML constructed from library input query from the default code scanning query suite for JavaScript you can specify its id in an exclude block:
name: "My code scanning CodeQL config"
query-filters:
- exclude:
id: js/html-constructed-from-inputFor more information about how to use query filters, see Configuring code scanning in the code scanning documentation.
GitHub Advanced Security customers using secret scanning can now specify a custom link that will show in the error message when push protection detects and blocks a potential secret. Admins can use the custom link to provide their developers with a point of reference on best practices with secrets.
Learn more about protecting pushes with secret scanning.
Dependabot alerts users can now add an optional comment when dismissing an alert. These comments (maximum 280 characters) are viewable in the alert timeline and via the new dismissComment field in the GraphQL API.
Learn more about Dependabot alerts and the GraphQL API.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Prefect to scan for their access tokens and help secure our mutual users on public and private repositories. The Prefect service account API keys are not associated with a user and are restricted to a specific tenant, but they are recommended for application and automation use. GitHub will forward access tokens found in public repositories to Prefect, who will immediately email the owner of the leaked key. More information about Prefect API Tokens can be found here.
GitHub Advanced Security customers can also scan for Prefect tokens and block them from entering their private and public repositories with push protection.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with ReadMe to scan for their API keys and help secure our mutual users on public and private repositories. ReadMe’s API keys allow users to sync OpenAPI and Markdown files to their developer hubs using the rdme GitHub Action, as well as perform other programmatic updates using the ReadMe API. We’ll forward exposed API keys found in public repositories to ReadMe, who will immediately revoke the token and notify the project administrators via email. More information about ReadMe’s API keys can be found here.
GitHub Advanced Security customers can also scan for ReadMe tokens and block them from entering their private and public repositories with push protection.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with UNIwise to scan for their access tokens and help secure our mutual users on public and private repositories. The WISEflow API Key allows for institutions to manage key aspects of their license, such as exams and their life cycle. GitHub forwards access tokens found in public repositories to UNIwise, who will immediately disable the API Key and contact the customer. More information about WISEflow API Keys can be found here
GitHub Advanced Security customers can also scan for UNIwise tokens and block them from entering their private and public repositories with push protection.
Dependabot alerts listed at the organization level are now easier to prioritize with the new "Most Important" sort, which released recently for the repository list view of Dependabot alerts.
Learn more about Dependabot alerts and the Security overview.
GitHub Advanced Security customers can now dry run their secret scanning custom patterns on all repositories within an organization. Previously, admins could only dry run on a maximum of 10 selected repositories.
Learn more about secret scanning
Learn more about defining custom patterns
The GitHub Advisory Database now includes curated security advisories for vulnerabilities on GitHub Actions. This brings the Advisory Database to ten supported ecosystems, including: Composer, Go, Hex, Maven, npm, NuGet, pip, RubyGems and Rust.
If you have a dependency on any vulnerable GitHub Actions, GitHub will send Dependabot alerts over the coming days.
We’ve expanded access to GitHub’s security overview pages in two ways:
Security overview provides a centralized view of risk for application security teams, engineering leaders, and developers who work across many repositories. It displays code scanning, Dependabot, and secret scanning alerts across every repository you have access to in an organization or enterprise. The security overview also shows you where you have unknown risks because security features haven’t been enabled.
Learn more about security overview and send us your feedback
Organizations participating in the security manager role public beta may now manage security manager teams via the GitHub REST API. In addition, legacy organizations can now participate in the public beta.
Learn more about the security manager REST API and send us your feedback
It's now easier to debug CodeQL analysis problems in code scanning: click Re-run jobs from the GitHub Actions workflow run page, check the Enable debug logging box, and hit the Re-run jobs button.
The data will be uploaded as an Actions artifact named debug-artifacts, attached to the workflow run. Such artifacts contain CodeQL logs, CodeQL databases, and the SARIF files that were produced.
These artifacts will help you when you're debugging problems with CodeQL code scanning. When contacting GitHub support, you might be asked for this data.
As part of the analysis, CodeQL extracts your source code into a relational database format. The debug artifacts include more detailed information about CodeQL extraction errors and warnings that occurred during database creation. If you want to permanently enable debug logging for the CodeQL analysis, or would like more information about troubleshooting CodeQL, please follow these instructions.
This feature is now available to all users on GitHub.com and will also be available in GitHub Enterprise Server 3.7.
Dependabot alerts will now show more information on an alert's activity. In the details page for a Dependabot alert, you will see a timeline of events (e.g. opened, fixed, reopened). Events will also show additional metadata when available, like relevant pull requests.
For more information, see our documentation for Dependabot alerts.
GitHub Advanced Security customers who are watching a repository's secret scanning alerts will now receive an email notification when a contributor bypasses a secret blocked by push protection. Previously, notifications were not sent if the secret was marked as a false positive or as used in tests.
GitHub Advanced Security customers can now sort and filter their list of custom patterns at the repository, organization, and enterprise levels. This upgrade to the experience supports admins who need to manage dozens, or hundreds, of custom patterns.
Learn more about custom patterns for GitHub Advanced Security