Skip to content

/ Blog

Try GitHub Copilot Contact sales

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Try GitHub Copilot

security-and-compliance

Subscribe to all “security-and-compliance” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

→ ~ cd github-changelog

→ ~/github-changelog|main git log main

showing all changes successfully

Secret scanning non-provider patterns are generally available

October 4, 2024

Secret scanning support for non-provider patterns is now generally available for all GitHub Advanced Security customers.

Non-provider patterns are generic detectors that help you uncover secrets outside of patterns tied to specific token issuers, like HTTP authentication headers, connection strings, and private keys. You can enable them in your repository’s code security and analysis settings, or through code security configurations at the organization level.

Learn more about secret scanning and non-provider patterns, and join the GitHub Community discussion.

See more See more

Secret scanning alert lists renamed to “Default” and “Experimental”

October 4, 2024

The secret scanning alert lists are now named “Default” and “Experimental,” better reflecting the alert categories and making it easier for you to tell experimental alerts from default alerts.

The Default list includes alerts for provider patterns and custom patterns. The Experimental list includes alerts for non-provider patterns and AI-detected passwords. You can view the alert counts of these two lists in the organization-level Security tab in the sidebar, bringing more clarity and visibility into your alerts.

You can filter within the alert list using results:default and results:experimental.

Learn more about secret scanning and the supported patterns.

See more See more

Code security configurations now support archived repositories

October 3, 2024

You can now apply code security configurations to archived repositories. This makes it simpler to roll out configurations without having to filter for archived repos, and ensures features like Dependabot, code scanning, and secret scanning are automatically reapplied if a repo is unarchived.

If a repository has configurations applied and later becomes archived, the settings will persist and still apply.

Note: when a repository is archived, the only security feature that will still run is secret scanning. However, if the repository is ever unarchived, all other features in the applied configuration, such as Dependabot or code scanning, will be reapplied automatically.

This release also adds a new filter to the repository table on the code security configurations UI page, allowing you to filter for archived repositories with archived:true.

Learn more about code security configurations, the REST API and send us your feedback.

See more See more

Secret scanning: on-demand revocation for GitHub PATs (Public Beta)

October 2, 2024

You can now report compromised GitHub personal access tokens to GitHub, directly from a secret scanning alert. When you let GitHub know that the secret has been compromised, GitHub will treat the token like a publicly leaked token and revoke it. This change simplifies remediation and makes it more easily actionable.

The token owner will receive an email notification when their token is revoked. As a best practice, you should review any associated token metadata and reach out to the token owner, if possible, before reporting the token. Consider rotating the secret first to prevent breaking workflows.

Learn more

Learn more about how to report a compromised GitHub personal access token. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more See more

Announcing TISAX for GitHub

October 1, 2024

GitHub is now a participant in TISAX with an Assessment Level 2 (AL2) label in the ENX Portal. TISAX is a recognized assessment and exchange mechanism for the German automotive industry, ensuring that companies meet specific information security requirements. It is based on the German Association of the Automotive Industry or Verband de Automobile (VDA) Information Security Assessment (ISA) catalog, which aligns most closely with ISO/IEC 27001.

What does this mean for me as a customer?

For our customers, this participation provides additional assurance that GitHub is a trusted partner in managing and securing their data. It opens new opportunities for customers who require TISAX participation to consider using GitHub Enterprise Cloud products, GitHub Copilot, and GitHub Actions.

Participating in the TISAX program at Assessment Level 2 means that GitHub has demonstrated the ability to adequately protect sensitive information in accordance with industry standards. This assessment level focuses on:

Information Security: Implementing robust security measures to prevent unauthorized data access and breaches.
Risk Management: Continuously identifying, evaluating, and mitigating potential risks to GitHub’s information systems.

The scope of the TISAX assessment, using the newly released VDA ISA version 6, is the same as the GitHub Information Security Management System (ISMS), which has already been assessed against ISO/IEC 27001:2013. To see the scope, you can review GitHub’s ISO/IEC 27001:2013 certification.

Customers who are interested and registered as TISAX participants with ENX can find the details of GitHub’s assessment via the ENX portal by searching for GitHub, our Assessment ID (APC0RT), or our AL2 scope ID (SY52MN).

If you have any questions or need more information about GitHub’s compliance practices, please visit the GitHub Trust Center.

See more See more

CodeQL 2.19.0: TypeScript 5.6 and Go 1.23 support, new queries for JavaScript and Ruby

September 25, 2024

CodeQL version 2.19.0 has been released and has now been rolled out to code scanning users on GitHub.com. CodeQL is the static analysis engine that powers GitHub code scanning.

Important changes by version include:

CodeQL 2.18.2
- Support for scanning Java codebases without needing a build is generally available.
- The Python py/cookie-injection query, which finds instances of cookies being constructed from user input, is now part of the main query pack.
- One new query for Ruby rb/weak-sensitive-data-hashing, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
CodeQL 2.18.3
- New C# models for local sources from System.IO.Path.GetTempPath and System.Environment.GetFolderPath.
CodeQL 2.18.4
- Support for scanning C# codebases without needing a build is generally available.
- Support for Go 1.23.
CodeQL 2.19.0
- Support for TypeScript 5.6.
- One new query for JavaScript js/actions/actions-artifact-leak to detect GitHub Actions artifacts that may leak the GITHUB_TOKEN token.
- A 13.7% evaluator speed improvement over CodeQL 2.17.0 release.

For a full list of changes, please refer to the complete changelog for versions 2.18.2, 2.18.3, 2.18.4 and 2.19.0.

All new functionality from 2.18.Z releases will be included in GHES 3.15, while functionality from 2.19.0 will be included in GHES 3.16. If you use GHES 3.14 or older, you can upgrade your CodeQL version.

See more See more

Enhanced security overview dashboard – detection, remediation, and prevention at the forefront

September 19, 2024

Now, you can view Prevention metrics alongside Detection and Remediation metrics and in an enhanced security overview dashboard. This update is available at both the organization and enterprise levels.

New prevention tab on the security overview dashboard

New to the dashboard, the Prevention insights tab highlights CodeQL pull requests alerts and will soon include secret scanning push protection insights. It’s designed to help you shift from merely responding to vulnerabilities to actively preventing them, the ultimate goal in application security. With this dashboard, you and your team can proactively keep vulnerabilities at bay, successfully blocking threats before they ever reach production.

Deep dive into the CodeQL pull request alerts

For a deeper analysis, the new CodeQL pull request alerts report is also available at both the organization and enterprise levels. This report allows you to:

Track historical metrics for CodeQL pull request alerts
Monitor code as it progresses from feature branches to the default branch
Analyze metrics by CodeQL rule, autofix status, and repository

The enhanced dashboard is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about pull request alerts and join the discussion within the GitHub Community

See more See more

Enable secret scanning for non-provider patterns for enterprises with the REST API

September 19, 2024

GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the enterprise level. This enables you to manage your enterprise settings programatically.

The following endpoints have been updated:
– Get code security and analysis features for an enterprise: check if non-provider patterns are enabled for the enterprise
– Update code security and analysis features for an enterprise: enable or disable non-provider patterns for all new repositories in an enterprise
– Enable or disable a security feature: enable or disable non-provider patterns for all existing repositories in an enterprise

Non-provider patterns scans for token types from generic providers, like private keys, auth headers, and connection strings.

Learn more about secret scanning and non-provider patterns.

Join the community discussion and share feedback with us in this dedicated community post.

See more See more

Secret scanning indicates known public leaks and duplicate alerts for private exposures (public beta)

September 19, 2024

To help you triage and remediate secret leaks more effectively, GitHub secret scanning now indicates if a secret detected in your repository has also leaked publicly with a public leak label on the alert. The alert also indicates if the secret was exposed in other repositories across your organization or enterprise with a multi-repo label.

These labels provide additional understanding into the distribution of an exposed secret, while also making it easier to assess an alert’s risk and urgency. For example, a secret which has a known associated exposure in a public location has a higher likelihood of exploitation. Detection of public leaks is only currently supported for provider-based patterns.

The multi-repo label makes it easier to de-duplicate alerts and is supported for all secret types, including custom patterns. Both indicators apply only for newly created alerts.

In the future, GitHub will surface locations of the known public leak, as well as repository names with duplicate alerts. This metadata will also be surfaced via the REST API and webhooks.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more See more

New advanced filters for code security configurations

September 18, 2024

When reviewing code security configurations, you can now more easily filter repositories with new filter options.

The new filters allow you to sort repositories based on the status of specific features or GHAS itself:

advanced-security:enabled
dependabot-alerts:enabled
dependabot-security-updates:enabled
code-scanning-alerts:enabled
code-scanning-default-setup:enabled
code-scanning-pull-request-alerts:enabled
secret-scanning-alerts:enabled
secret-scanning-push-protection:enabled

Note that :disabled also works for each of the filters above to achieve the inverse.

Additionally, you can filter based on whether or not a repository is eligible for code scanning default setup:
– code-scanning-default-setup:eligible
– code-scanning-default-setup:not-eligible

These filters are available for organizations with GitHub Advanced Security (GHAS) enabled, and are only available in the UI at this time.

Learn more about code security configurations and send us your feedback.

See more See more

Now available for free on all public repositories: Copilot Autofix for CodeQL code scanning alerts

September 18, 2024

Now you can remediate existing security issues in your public repositories faster with Copilot Autofix for CodeQL alerts. Following our general availability release for all Advanced Security customers, Copilot Autofix for CodeQL alerts is now generally available (GA) for all public repositories, for free.

Powered by GitHub Copilot, this feature provides automatic fixes for vulnerabilities found by CodeQL, both on pull requests and for historical alerts that already exist in a codebase.

Importantly, you stay in full control of your codebase: Copilot Autofix will try and suggest fixes for CodeQL alerts in pull requests, but it’s ultimately up to you to decide whether you wish to accept Copilot’s suggestion wholly, partially, or not at all. The same applies to historical alerts in a codebase: you can request an autofix from Copilot, then review it, and decide whether you want to open a PR with the fix suggestion or commit straight to the affected branch (or neither).

Example of Copilot Autofix generation on the alert page

Copilot Autofix is available for all public repositories that use code scanning CodeQL, and is enabled by default for alerts on PRs. It does not generate additional notifications. If you would like to enable Copilot Autofix on your organization’s private repositories, please have a look at this blog post where we announce Autofix for GitHub Advanced Security.

For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

See more See more

Manage secret scanning bypass requests at the organization level

September 17, 2024

GitHub Advanced Security customers that have enabled delegated bypass rules for push protection can now manage and review their bypass requests at the organization level. The list is located within the Security tab of your organization.

To view and manage requests from this list, you must either be an organization owner, security manager, or have the fine-grained permission to review and manage push protection bypass requests within your organization.

Learn more about secret scanning or delegated bypass. If you have feedback, we would love for you to join the discussion within GitHub Community.

See more See more

CSV exports for the CodeQL pull request alerts report

September 16, 2024

New Export CSV button highlighted on the CodeQL pull request alerts report

You can now export data from the CodeQL pull request alerts report in CSV format, enabling you to analyze prevention and autofix metrics offline or archive the data for future use. This functionality is available at both the organization and enterprise levels. Exports will respect all filters applied, allowing you to focus on the specific data most relevant to your needs. You can download all data where you have an appropriate level of access.

Learn more about tracking metrics on CodeQL pull request alerts and join the discussion within the GitHub Community.

See more See more

GitHub security advisories support CVSS 4.0

September 13, 2024

GitHub security advisories now support the new CVSS 4.0 schema. CVSS, or the Common Vulnerability Scoring System, is an industry standard maintained by FIRST. The CVSS 4.0 standard adds new metrics for a more thorough assessment of the risk of a particular vulnerability.

When creating a repository security advisory, you can now calculate either a CVSS 4.0 or 3.1 base score and view this data on the published global advisory, related Dependabot alerts, and through the API.

Learn more about CVSS scores and GitHub security advisories and the GitHub Advisory Database.

See more See more

Copilot Chat in GitHub.com is now contextually aware of GitHub Advanced Security alerts

September 5, 2024

You can now use Copilot Chat in GitHub.com to search across GitHub to find and learn more about GitHub Advanced Security Alerts from code scanning, secret scanning, and Dependabot. This change helps you to better understand and seamlessly fix security alerts in your pull request. ✨

Try it yourself by asking questions like:
– How would I fix this alert?
– How many alerts do I have on this PR?
– What class is this code scanning alert referencing?
– What library is affected by this Dependabot alert?
– What security alerts do I have in this repository?

Learn more about asking questions in Copilot Chat on GitHub.com or about GitHub Advanced Security.

See more See more

View more changes