security-and-compliance

Subscribe to all “security-and-compliance” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Dependabot alerts will now be easier to prioritize with a new “Most Important” sort. For the alerts repository list view, by default, alerts will be sorted in a way to help you determine which alerts matter most. You will still be able to access additional sort options, like sort by Newest, CVSS severity, and Manifest path in the UI.

This “Most Important” sort considers CVSS score as the primary factor, along with additional factors across vulnerability impact (potential risk), relevancy, and actionability (how easy the vulnerability is to fix). For example, when supported, this sort calculation takes into consideration whether you’re calling a vulnerable function, as well as dependency scope (e.g. if an alert is a devDependency). This calculation will be improved over time.

This functionality will not affect Dependabot pull requests, the org-level list view of Dependabot alerts, or the GraphQL API.

For more information, see our documentation for Dependabot alerts.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Zuplo to scan for their API keys connected to a Zuplo API Gateway, which allows users to add API key authentication to their APIs. We'll forward access tokens found in public repositories to Zuplo, who follow customer preference to either notify their customers via email or automatically revoke the token. More information about Zuplo API tokens can be found here.

We continue to welcome new partners for public repository secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets and prevent Zuplo keys from accidental leaks with push protection.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Sendinblue to scan for their API keys, which can be used to send emails. We'll forward API keys we find in public repositories to Sendinblue, who will review the detection then notify their users via email.

We continue to welcome new partners for public repo secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

See more

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database and will send malware alerts through Dependabot. Since shipping this change, we have received feedback that some organizations have been impacted with Dependabot alerts from these malware advisories that may be false positives.

GitHub has conducted a rapid root cause investigation and found that the majority of those alerts in question were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, in the hope a malicious version would be consumed. Dependabot doesn’t look at project configuration to determine if the packages are coming from a private registry, so it has been triggering an alert for packages with the same name from the public npm registry. While this does mean that your package was the target of a substitution attack it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.

While we work to determine how to best notify customers of being the target of a substitution attack, we will be pausing all Dependabot notifications on malware advisories. For non-Enterprise-Server users, Malware advisories will still exist in the Advisory Database and send alerts on npm audit. We are not making any changes to existing alerts on github.com at this time.

For GitHub Enterprise Server users, who were the most impacted, no new advisories will come through GitHub Connect. If you are struggling with too many alerts, please reach out to support and we can share a script for you to run that will delete all malware advisories and alerts.

See more

When using the GraphQL API, you can now filter Dependabot alerts by the scope of the dependency affected. The possible scopes are DEVELOPMENT or RUNTIME.

Dependency scope information is available for alerts opened on or after June 23, 2022, and can also be viewed in the Dependabot alerts UI as of last week.

For more information, see Dependabot alerts in the GraphQL API reference or learn more about Dependabot alerts in our documentation.

See more

The GitHub Advisory Database now includes curated security advisories on Erlang [Hex], Elixir, and more. This brings the Advisory Database to nine supported ecosystems, including: Composer, Go, Maven, npm, NuGet, pip, RubyGems and Rust.

Support for this ecosystem in the dependency graph and Dependabot alerts will be available in the future.

See more

Today, we're shipping a new filter for the Dependabot alerts list view. In the alerts list view, you can now filter for scope:development or scope:runtime. Alerts for development dependencies also feature a label in the UI.

Dependency scope information will be available for alerts opened on or after June 23, 2022.

Which ecosystems are supported?

The following ecosystems are supported as of June 23, 2022:

Language Ecosystem Dependency Scope
Ruby RubyGems
JavaScript npm
JavaScript Yarn No, defaults to runtime
PHP Composer
Go Go modules No, defaults to runtime
Java Maven test maps to development, all else default to runtime
Python Poetry
Python pip ✅ for pipfile, for requirements.txt scope is development if the filename contains “test” or “dev”, else it is runtime
.NET NuGet ✅ only for .nuspec when tag != runtime; for all other cases defaults to runtime
Rust Cargo

For more information, learn more about Dependabot alerts in our documentation.

See more

GitHub Advanced Security customers can now use cursors to paginate over alert results they retrieve via the repository and organization level REST APIs.

Paginating with cursors, using the new before and after query parameters, can help assure data consistency and improve response times. To receive an initial cursor on your first request, include an empty "before" or "after" query string in your API call.

Learn more about the secret scanning REST API
Learn more about private repository scanning with Advanced Security

See more

GitHub Advanced Security customers can now see an overview of code scanning alerts at the enterprise level. This page provides a repo-centric view of application security risks, as well as an alert-centric view of all secret scanning, Dependabot and now code scanning alerts. This view is beta and will be followed in the coming weeks with an enterprise level REST API to retrieve code scanning alerts.

Code scanning alerts at the enterprise level

Learn more about security overview
Learn more about GitHub Advanced Security

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.

We have partnered with SendGrid to scan for their access tokens, which allow users to retrieve account information and statistics. We'll forward access tokens found in public repositories to SendGrid. SendGrid will then either suspend the detected token or send it to their fraud team for manual review, depending on the token scope. More information about SendGrid API tokens can be found here.

GitHub Advanced Security customers can also scan for SendGrid's API keys and block them from entering their private and public repositories via secret scanning’s push protection feature.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

Dependency graph now supports submissions through the dependency submission API (beta). This enables you to add dependencies, such as those resolved when software is compiled or built, to the dependency graph. Submitted dependencies will appear in a repository’s dependency graph and any associated vulnerabilities will trigger Dependabot alerts.

Releasing alongside the dependency submission API are the:

Learn more about the dependency submission API.

See more

GitHub Advanced Security customers can now perform dry runs of their custom patterns when editing a pattern. Dry runs allow admins to understand a pattern's impact across an organization and to hone the pattern before publishing and generating alerts.

Admins can compose a new pattern or edit a published pattern then 'Save and dry run' to retrieve results from their selected repositories. Scan results will appear on screen as they're detected, but admins can leave the page and later come back to their saved pattern's dry run results.

For more information:

See more

GitHub's Advisory Database now supports listing malware advisories. You can see them by searching "type:malware" on https://github.com/advisories.

If you have enabled Dependabot alerts on your repositories, GitHub will send Dependabot alerts for malware automatically. Note that Dependabot does not send update pull requests for malware as the only resolution is to delete the package and find an alternative.

See more

The Dependency Review GitHub Action, which checks if pull requests introduce a dependency with a known vulnerability, now supports configuration based on vulnerability severity and license type.

The following configuration options are available:

  • fail-on-severity: the action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher
  • allow-licenses: the action will fail on pull requests that introduce dependencies with licenses that do not match the list
  • deny-licenses: the action will fail on pull requests that introduce dependencies with licenses that match the list

The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.

Learn more about dependency review enforcement.
Learn more about configuring the Dependency Review GitHub Action.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.

We have partnered with redirect.pizza, a domain redirection service, to scan for their API tokens and help secure our mutual users. Their API keys allow users to create, update, and delete redirects. We'll forward API tokens found in public repositories to redirect.pizza, who will notify the user by email and automatically revoke the token. More information about redirect.pizza’s API tokens can be found here.

GitHub Advanced Security customers can also scan for redirect.pizza API keys and block them from entering their private and public repositories via secret scanning’s push protection feature.

See more