security-overview

Subscribe to all “security-overview” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Now you can better manage and mitigate your security vulnerabilities with a new SAST vulnerabilities summary table, available directly on the security overview dashboard. This feature highlights your top 10 CodeQL and third-party open alerts by count, grouped by vulnerability type.

The SAST vulnerabilities table on the Detection tab of the overview dashboard

When prioritizing which alerts to address first, it’s crucial to consider various factors. One significant factor is the number of instances of a vulnerability across your codebase. The more areas of code affected by a vulnerability, the higher the potential risk for exploitation.

To access the new SAST vulnerabilities table, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and scroll to the bottom of the Detection view on the Overview dashboard. For enterprises, click Code Security in the sidebar, then select Overview and scroll to the bottom of the Detection view.

The SAST vulnerabilities summary is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about security overview insights and join the discussion within the GitHub Community

See more

Now you can simplify the rollout of GitHub security products within your organization. Code security configurations now allow you to define collections of security settings and apply those settings to groups of repositories. Configurations help you maintain security settings for important features like code scanning, secret scanning, and Dependabot.

As previously announced in August, starting today, you can no longer enable or disable GitHub security features from the organization-level security coverage view, which has been deprecated and replaced with code security configurations for managing these settings.

Learn more about code security configurations and send us your feedback.

See more

Now, you can view Prevention metrics alongside Detection and Remediation metrics and in an enhanced security overview dashboard. This update is available at both the organization and enterprise levels.

New prevention tab on the security overview dashboard

New to the dashboard, the Prevention insights tab highlights CodeQL pull requests alerts and will soon include secret scanning push protection insights. It’s designed to help you shift from merely responding to vulnerabilities to actively preventing them, the ultimate goal in application security. With this dashboard, you and your team can proactively keep vulnerabilities at bay, successfully blocking threats before they ever reach production.

Deep dive into the CodeQL pull request alerts

For a deeper analysis, the new CodeQL pull request alerts report is also available at both the organization and enterprise levels. This report allows you to:

  • Track historical metrics for CodeQL pull request alerts
  • Monitor code as it progresses from feature branches to the default branch
  • Analyze metrics by CodeQL rule, autofix status, and repository

The enhanced dashboard is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about pull request alerts and join the discussion within the GitHub Community

See more

New Export CSV button highlighted on the CodeQL pull request alerts report

You can now export data from the CodeQL pull request alerts report in CSV format, enabling you to analyze prevention and autofix metrics offline or archive the data for future use. This functionality is available at both the organization and enterprise levels. Exports will respect all filters applied, allowing you to focus on the specific data most relevant to your needs. You can download all data where you have an appropriate level of access.

Learn more about tracking metrics on CodeQL pull request alerts and join the discussion within the GitHub Community.

See more

You can now track prevention metrics for CodeQL pull request alerts with the new CodeQL pull request alerts report—available at both the organization and enterprise level. These insights empower you to proactively identify and mitigate security risks before they reach your default branch.

Enterprise-level CodeQL pull request alerts report

With this report, you can historically track metrics for CodeQL pull request alerts as code moves from feature branches to the default branch. Gain insights into:

  • Unresolved and merged alerts: Understand what security vulnerabilities made it to the default branch.
  • Fixes (autofix and manual): Track which alerts were addressed before merging.
  • Dismissed alerts: See which alerts were deemed false positive or risk accepted.

Additionally, analyze metrics by CodeQL rule, autofix status, and repository.

Historical data is available starting from May 1, 2024.

To access these reports, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and find CodeQL pull request alerts in the sidebar. For enterprises, click Code Security in the sidebar, then select CodeQL pull request alerts.

These reports are now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.

Learn more about security overview and join the discussion within the GitHub Community.

See more

We are streamlining the deployment of GitHub’s security products at scale with code security configurations. This functionality simplifies the rollout of GitHub security products by defining collections of security settings and enabling you to apply those settings to groups of repositories. Configurations help you maintain security settings for important features like code scanning, secret scanning, and Dependabot.

As of October 15th, 2024, you will no longer be able to enable or disable GitHub security features for repositories from the organization-level security coverage view.

Learn more about code security configurations and send us your feedback.

See more

New Export CSV button highlighted on the overview dashboard on the Security tab at the organization level

Enhance your security workflows by exporting security alert data for offline analysis, reporting, and archival purposes with our new CSV export functionality, available at the organization level. CSV exports will respect all filters you’ve applied to the page, allowing you to generate multiple exports focusing on different datasets. You can download all data where you have an appropriate level of access.

Learn more about the security overview dashboard and send us your feedback.

See more

Today, we’re excited to announce the general availability of our new organization and enterprise-level security overview dashboards, alongside enhanced secret scanning metrics and the enablement trends reports. These features are designed to provide comprehensive insights, improved prioritization, and advanced filtering options to streamline your security improvements.

Code security insights

Organization-level overview dashboard on the security tab

Our new security overview dashboard, available at both the organization and enterprise levels, integrates security into the core of the development lifecycle. This empowers you to proactively identify and address vulnerabilities. Key features include:

  • Track security improvements: Monitor trends over time by age, severity, and security tool, simplifying prioritization with top 10 lists focused on repositories and advisories.
  • Autofix impact: Understand how autofix, powered by GitHub Copilot, is influencing your enterprise’s security remediation efforts.
  • Advanced filtering: Customize data focus with filters by attributes such as team, repository metadata (i.e., custom repository properties), and security tool-specific filters:
    • Dependabot: Filter by ecosystem, package, and dependency scope.
    • CodeQL/Third-Party: Filter by specific rules.
    • Secret Scanning: Filter by secret type, provider, push protection status, and validity.

Organization-level enablement trends report

Monitor the enablement trends of all security tools with detailed insights into the activation status of Dependabot alerts, Dependabot security updates, code scanning, secret scanning alerts, and secret scanning push protection, giving you at-a-glance oversight of your security coverage.

Push protection insights for secret scanning

Organization-level secret scanning metrics page

Gain insights into how push protection is functioning throughout your enterprise. Monitor the number of pushes containing secrets that have been successfully blocked, as well as instances where push protection was bypassed. Detailed insights by secret type, repository, and reasons for bypassing are also available.

To access these features, navigate to your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you wish to view. For organizations, click on the Security tab. For enterprises, click Code Security in the enterprise account sidebar.

These features are generally available on GitHub.com today and will be generally available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard, the secret scanning metrics report and the enablement trends report

See more

Gain valuable insights and effectively monitor your enterprise’s security landscape and progress with two new enterprise-level pages: the security overview dashboard and secret scanning metrics.

New overview dashboard on the security tab at the organization level

Key features

  • Customizable filters: Select specific time periods and focus areas such as security tool, team, or custom repository property.
  • Comprehensive data: Trending and snapshot data provide a robust security landscape overview.
  • Detailed metrics: Includes metrics such as the average age of security alerts, mean time to remediate, and push protection statistics.

To access these new enterprise-level views, navigate to your enterprise account. In the enterprise account sidebar, click Code Security. The new pages are accessible to organization owners and organization security managers, with data scoped to the repositories and alerts you have access to.

These two pages are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview, managing code security for your enterprise, and send us your feedback

Questions or suggestions? Join the conversation in the community discussion.

See more

The new Tool group-by option on the security overview trends graph provides a visualization of alert trends, organized by the security tools that detected each vulnerability. It’s designed to improve your ability to track and analyze the effectiveness of your scanning tools, enabling more strategic decision-making.

Example of the alert trends chart grouped by security tool

With this new functionality, you can:
* Pinpoint which tools are detecting the most critical vulnerabilities.
* Monitor the performance of your scanners over time.
* Prioritize your remediation efforts based on detailed insights.

To access this feature, navigate to the Security tab at the organization level on GitHub, and choose the Tool option in the Group by dropdown.

This functionality is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard for your organization and send us your feedback

See more

For enterprise owners and security managers dedicated to managing security products, we are excited to announce a new capability: you can now gain historical insights into security products enablement trends across your GitHub enterprise. This overview helps you understand how security product coverage is being implemented across your company.

Following our March announcement of the public beta of the enablement trends report for organizations, which allowed monitoring of enablement trends for all security products within your GitHub organization, we’ve expanded this capability to the enterprise level. The addition of an owner filter further simplifies the navigation of metrics for repositories owned by specific organizations.

Enterprise enablement trends report

Explore enablement trends and gain historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends report, navigate to your enterprise account. In the enterprise account sidebar, click Code Security.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview and join the discussion within the GitHub Community

See more

Today, we’re releasing security tool-specific filters for the security overview dashboard and secret scanning metrics page.

Security tool-centric filters in the filter bar drop-down on the overview dashboard

Have you ever wondered, “How well is my organization handling SQL injections?” or “How quickly are we responding to [partner name] secret leaks?” Maybe you’re curious about the pace of updating your npm dependencies. Well, wonder no more!

With our new security tool filters, you can tailor your search to the exact details you’re curious about, giving you a more focused and relevant report for your needs.

Discover the new filters that are designed to transform your security analysis:

  • Dependabot filters: Zero in on a specific ecosystem, package, and dependency scope.
  • CodeQL/third-party filters: Drill down to the rule that matters most to you.
  • Secret scanning filters: Get granular with filters for secret type, provider, push protection bypassed status and validity.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview and send us your feedback

See more

Today, we’re releasing a host of new insights to the security overview dashboard, as well as an enhanced secret scanning metrics page.

New dashboard insights

overview dashboard with third-party tools, the trend indicator for age of alerts, and reopened alerts tile highlighted

  • Third-party alerts integration: Beyond GitHub’s own CodeQL, secret scanning, and Dependabot security tools, you can now view alert metrics for third-party tools directly on the overview dashboard. Use tool:[third-party-tool name] to view metrics for a specific third-party security tool, or tool:third-party to view metrics for all third-party security alerts.
  • Reopened alerts tracking: Uncover recurring vulnerabilities with the new reopened alerts metric tile, which identifies vulnerabilities that have resurfaced after being previously resolved. This data point helps assess the long-term effectiveness of your remediation efforts.
  • Trend indicators: Review changes over time with trend indicators for key metrics like age of alerts, mean time to remediate, net resolve rate, and total alert count. These indicators offer a clear view of performance shifts and trends between a given date range and that same range reflected backward in time.
  • Advisories tab: Stay informed with the new advisories table, which details the top 10 alert advisories affecting your organization, including the advisories’ CVE IDs, ecosystems, open alert counts, and severities.

Secret scanning metrics page enhancements

secret scanning metrics page with filter bar highlighted

You can now refine your insights with filters for dates, repository custom properties, teams, and more on the secret scanning metrics page. These new filters empower you to pinpoint specific repositories and view changes over time, enabling a more targeted analysis. Additionally, if you are an organization member, you can now view metrics for the repositories you have access to.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and send us your feedback

See more

Starting today, you can take advantage of the new “age” grouping for the alert trends graph and explore enhanced filter options on the security overview dashboard, aimed at improving your analytical process and security management.

alert trends grouped by age

Explore the dynamics of your security alerts with the new alert age grouping on the alert trends graph. This new functionality offers a refined view into the lifecycle of your security alerts, enabling you to better evaluate the timeliness and effectiveness of your response strategies.

New filter options

repository custom property filter on the security overview page

Leverage enhanced filters to fine-tune your security insights on the overview dashboard:
* Custom repository property filters: With repository custom properties, you can now tag your repositories with descriptive metadata, aiding in efficient organization and analysis across security overview.
* Severity filters: Severity-based filters allow you to concentrate on the vulnerabilities that matter most, streamlining the process of security risk assessment and prioritization.
* Improved date picker controls: Navigate through time with ease using the new date picker options, allowing for quick selection of rolling periods like “Last 14 days,” “Last 30 days,” or “Last 90 days.” Bookmark your preferred time window to keep your analysis current with each visit.

You can access these new functionalities in security overview by navigating to the “Security” tab at the organization level.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and send us your feedback

See more

Code scanning autofix is now available in public beta for all GitHub Advanced Security customers. Powered by GitHub Copilot, code scanning suggests fixes for Javascript, Typescript, Java, and Python alerts found by CodeQL.
This feature empowers developers to reduce the time and effort spent remediating alerts found in pull requests, and helps prevent new vulnerabilities from being introduced into your code base.

Autofix

The feature is automatically enabled on all private repositories for GitHub Advanced Security customers.
When code scanning analysis is performed on pull requests, autofixes will be generated for supported alerts. They include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss. In addition to changes to the current file, these code suggestions can include changes to multiple files. Where needed, autofix may also add or modify dependencies.

You can see the total number of autofix suggestions provided for CodeQL alerts in open and closed pull requests in security overview:

Autofixes on the overview dashboard

You can configure code scanning autofix for a repository or organisation. You can also use Policies for Code security and analysis to allow autofix for CodeQL code scanning for an enterprise.

Enterprise settings

Code scanning autofix supports, on average, 90% of CodeQL Javascript, Typescript, Java, and Python alerts from queries in the Default code scanning suite. The fix generation for any given alert also depends on the context and location of the alert. In some cases, code scanning won’t display a fix suggestion for an alert if the suggested code change fails syntax tests or safety filtering.

This change is now available to all GitHub Advanced Security customers on GitHub.com. For more information, see About autofix for CodeQL code scanning.

Provide feedback for code scanning autofix here.

See more