pnpm is now fully supported by dependency graph, Dependabot alerts, and Dependabot security updates! If you manage your Node.js dependencies with the pnpm package manager, you can now receive and fix alerts about security vulnerabilities in those dependencies. To use this, enable Dependabot Security Updates from the repository settings page on the code security and analysis tab.
To read more about how to use Dependabot and dependency graph, you can read our documentation here
Dependabot can now open pull requests to update your Swift dependencies. In June, support for Swift advisories in the Advisory Database and Dependabot alerts was released. Dependabot will now be able to open pull requests to fix related alerts, and you will also be able to configure scheduled updates for your dependencies via dependabot.yml.
For more information on how to configure Dependabot updates, please view our documentation here: https://docs.github.com/en/code-security/dependabot
Organization owners and security managers can now view metrics associated with push protection usage across their organization.
The overview shows a summary of how many pushes containing secrets have been successfully blocked across the organization by push protection, as well as how many times push protection was bypassed.
You can also find more granular metrics, including:
These metrics are found under the Security tab of your organization and are based on activity from the last 30 days.
Code scanning default setup is now available for Swift analysis with CodeQL! Default setup now supports all CodeQL supported languages at the repository level. This includes JavaScript/TypeScript, Ruby, Python, Go, Java, Kotlin, C/C++, C#, and Swift. We're working to support enabling code scanning at the organization level for all CodeQL languages soon.
Default setup automatically detects the languages used in a repository, and automatically analyzes JavaScript/TypeScript, Ruby, Python, and Go. You can also optionally customize the configuration to analyze Java/Kotlin, C/C++, C# and Swift. The configuration can be viewed and edited at any time, during or after set up. You can also use the REST API to include languages in the default setup configuration.
Java, Kotlin, C/C++, C# and Swift are not automatically included in the default setup configuration because they often require more advanced configuration. Code written in these languages needs to be compiled in order for CodeQL analysis to proceed. CodeQL will attempt to build your code automatically but may fail if your code requires bespoke build steps.
If a language fails in default setup, you will see an error message on the repository's settings page, in the code security and analysis section. To resolve the situation you can:
yml file and allows you to provide the build information required for the CodeQL analysis to succeed.For more information, see the documentation for when a particular language is causing default setup to fail. For more information on code scanning default setup, see Configuring code scanning automatically.
You can now use the REST API to get global security advisories from the Advisory Database. This makes it easy to get access to the Advisory Database's free, open source list of actionable security advisories and CVEs which include machine readable mappings to the ecosystem, package name, and affected versions of impacted software.
Learn more about GitHub's global security advisories and the Advisory Database.
CodeQL is the analysis engine that powers GitHub code scanning for over 100,000 repositories. We continuously improve our analysis capabilities, language support and performance to help open source developers and enterprises catch vulnerabilities before they make their way into production code. CodeQL is also an instrumental tool for the security researcher community and was used to identify 36 new CVE.
We release updates and improvements for CodeQL on a regular basis. We don’t get to call out all the improvements, but we want to highlight some of the most important updates we’ve shipped for CodeQL in the first half of the year:
These features have been shipped across multiple versions of CodeQL from 2.12.0 up to 2.14.0, which are shipped with GHES 3.9 and upcoming 3.10. All users of CodeQL code scanning on GitHub.com automatically benefit from the latest improvements.
You now have the option to select either the "Extended" or "Default" query suite when setting up code scanning with default setup for eligible repositories within your organization.
Code scanning's default query suite has been carefully designed to ensure that it looks for the security issues most relevant to developers, whilst also minimizing the occurrence of false positive results. However, if you and your developers are interested in seeing a wider range of alerts, you can enable the extended query suite. This suite includes everything from the default query suite, plus additional queries with slightly lower precision and severity.
The query suite selection can be made whenever you enable code scanning with default setup:
Previously, our system would automatically choose the default query suite when you enabled code scanning with default setup. Now, you can choose either the extended or default query suite.
Additionally, you can specify either the extended or default query suite as the preferred choice for your organization. This preference determines which query suite is "recommended" when a user is enabling code scanning setup with default setup.
These improvements have shipped to GitHub.com and will be available in GitHub Enterprise Server 3.11.
Learn more about configuring default setup for code scanning and send us your feedback
Learn more about GitHub Advanced Security
You can now use the REST API to add collaborators to your draft security advisory.
Learn more about the repository security advisories REST API
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Defined to scan for their tokens and help secure our mutual users on public repositories. Defined tokens allow users to access various administrative functions of their managed mesh networking offerings. GitHub will forward access tokens found in public repositories to Defined, which will then email the user. You can read more information about Defined's tokens here.
All users can scan for and block Defined's tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Defined tokens in their private repositories.
When analyzing a Python project with code scanning using CodeQL through advanced setup, we would try to automatically install dependencies for the project. Over the past months and years, we’ve made significant improvements to the Python analysis, which means CodeQL no longer needs to fetch these dependencies in order to analyze a codebase.
Therefore, starting now, we have disabled automatic dependency installation for new users of CodeQL for Python. This should improve scan times for Python projects, while having minimal impact on results. Code scanning users that have already set up CodeQL to scan at least one Python project will not see any changes to newly configured repos: the new behaviour only applies to those with no prior Python projects set up. We encourage existing users that configured code scanning with CodeQL via advanced setup to disable dependency installation by setting setup-python-dependencies: false as described in documentation.
Users of GitHub Enterprise Server (GHES) will benefit from this change starting version 3.11. We plan to deprecate all dependency installation (including for existing users) by the end of 2023.
You will now be able to see whether Dependabot security updates are enabled or disabled in the security and analysis block within the repository information you can fetch from the REST API, and enable or disable them via API requests.
For more information, you can check out our repository API documentation.
We have added over 17.5 million new package licenses to our database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository's software bill of materials (SBOM). Package licenses dictate how a package can be used, making them an essential aspect of compliance when working with open source software.
These licenses are sourced from ClearlyDefined, a curated data store for open source licenses.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Workato to scan for their API tokens and help secure our mutual users on public repositories. Workato Developer API tokens allow users to effectively manage their Workato workspaces programmatically and reduce administrative overhead as they onboard teams from across their organisation. GitHub will forward access tokens found in public repositories to Workato, which will then notify the user about the leaked token. You can read more information about Workato's tokens here.
All users can scan for and block Workato's tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Workato tokens in their private repositories.
With GHES 3.9, you and your organization can better manage your Dependabot alerts thanks to more granular enablement controls. You can now enable Dependabot alerts at the repository, organization, and enterprise level, rather than having to enable Dependabot alerts across an entire enterprise at once.
This release also adds support for “automatically enable for new repositories” at the organization and enterprise levels.
Enterprise admins still need to opt in to Dependabot alerts via GitHub Connect, which approves outbound calls for advisories to sync.
Learn more about changes for GHES 3.9 for Dependabot.