security-overview

Code scanning default setup can now be easily enabled for a single repository from the slide-out panel on your organization's "Security Coverage" page, without needing to navigate to the repository's "Settings" tab.

The feature automatically detects the languages in your repository and enables analysis for pull requests and pushes, without requiring you to commit a workflow file. Default setup currently supports JavaScript, Python, and Ruby, with more languages to come. The feature is available for repositories using GitHub Actions and can be accessed by organization owners, repository administrators and security managers. Expect one-click enablement functionality for all organization repositories to be rolled out next.

This has shipped as a public beta to GitHub.com and will be available in GitHub Enterprise Server 3.9.

Screenshot: code scanning on the slide-out enablement panel on the security coverage page

Learn more about automatically setting up code scanning for a repository and send us your feedback

Learn more about GitHub Advanced Security

In security overview, when you select a team from the Team dropdown or filter by team in either the security risk or the security coverage views, results include repositories where the team has write privileges. Previously, results only included repositories where the team had admin privileges or had been granted access to security alerts.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.

Learn more about the team filter and send us your feedback

Learn more about GitHub Advanced Security

The organization-level security overview page has been replaced by the risk and coverage views as previously announced and is no longer available. The risk view is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.

GitHub Enterprise customers can use the new security overview experience today by clicking on an organization's "Security" tab.

Learn more about the new risk and coverage views and send us your feedback

You can now enable and disable the following GitHub security features for a single repository from the organization-level security coverage view:

  • Dependency graph
  • Dependabot alerts
  • Dependabot security updates

If you are a GitHub Advanced Security customer, you can also enable and disable the following features for a single repository:

  • GitHub Advanced Security
  • Secret scanning
  • Push protection

In the future, you'll be able to enable and disable multiple repositories from the coverage view.

Screenshot: enablement panel on the coverage view

Learn more about the new coverage view and send us your feedback

Learn more about GitHub Advanced Security

Security overview’s new risk and coverage views provide greater visibility into your security posture and risk analysis.

Each new view offers a refreshed design with several key improvements, including insights and dynamic filtering.

Coverage view

The coverage view gives visibility into enablement across all repositories. On the coverage view, you can:

  • See counts and percentages of repositories with GitHub security features enabled or disabled, which update when you apply filters.
  • Track enablement for additional security features, including secret scanning push protection, Dependabot security updates, and code scanning pull request alerts.

Screenshot: security tab, coverage page

Risk view

The coverage view is complemented by a new risk view that gives visibility into all alerts across these repositories. On the risk view, you can:

  • See counts and percentages of repositories with security vulnerabilities, which also update when you apply filters.
  • See open alerts segmented by severity for both Dependabot and code scanning.

Screenshot: security tab, risk page

Both views are now available as a public beta. In the coming weeks, we will deprecate the overview in favor of these two new views.

Learn more about the new risk and coverage views and send us your feedback

We’ve expanded access to GitHub’s security overview pages in two ways:

  1. All GitHub Enterprise accounts now have access to the security overview, not just those with GitHub Advanced Security
  2. All users within an enterprise can now access the security overview, not just admins and security managers

Security overview provides a centralized view of risk for application security teams, engineering leaders, and developers who work across many repositories. It displays code scanning, Dependabot, and secret scanning alerts across every repository you have access to in an organization or enterprise. The security overview also shows you where you have unknown risks because security features haven’t been enabled.

Learn more about security overview and send us your feedback

Security Overview at the organization level is now out of beta and generally available. GitHub Advanced Security customers can use Security Overview to view a repo-centric view of application security risks. They can also see an alert-centric view of all Code Scanning, Dependabot, and Secret Scanning alerts, across all repositories in an organization.

Screenshot: security overview at the organization level

Learn more about security overview
Learn more about GitHub Advanced Security

GitHub Advanced Security customers can now view an overview of security alerts at the enterprise level. The new "Security" tab at the enterprise level provides a repo-centric view of application security risks, as well as an alert-centric view of all secret scanning alerts. Both views are in beta, and will be followed in the coming months by alert-centric views for code scanning and Dependabot alerts.

Screenshot: security overview at the enterprise level

Learn more about security overview
Learn more about GitHub Advanced Security

The new security overview for organizations and teams – which provides a high-level view of the application security risks a GitHub organization is exposed to – is now in beta for all GitHub Advanced Security customers on GitHub Enterprise Cloud.

Screenshot: security overview

With the new security overview, GitHub Advanced Security customers now have a single place to see the application security risks detected by code scanning, Dependabot, and secret scanning. The security overview shows both these known security risks and where you have unknown risks because security features haven’t been configured.

Learn more about security overview
Learn more about GitHub Advanced Security

The repository security tab now includes two new experiences to help you better understand your repository's security at a glance.

  • First, we have added a counter which makes it easy to see how many security alerts are active in your repository. The counter only includes information that is otherwise visible to the logged-in user. This change will be rolling out gradually over the next couple of days.
  • Second, we have added an overview experience for your repository security tab, located at https://github.com/:org/:repo/security. This new overview provides helpful insights about how to configure your repository to make the most of GitHub's built-in security and analysis features. It also provides a summary of known security issues.

Screenshot: new security overview experience
