You can now filter by repository topic or team on the organization-level Dependabot, code scanning, and secret scanning pages in security overview.
These improvements have shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.
We've recently released a few improvements to the slide-out enablement panel on the security coverage page in security overview:
- Active committers for the repository are now visible, providing insight into the number of Advanced Security licenses being utilized. For repositories where Advanced Security is not enabled, the number indicates the number of licenses required to enable the feature.
- Unsaved changes are now clearly labeled with a "Modified" tag. Additionally, the "Save security settings" button now displays the total number of enablement changes being made.
- While a security feature is being enabled, the coverage page will show a status of "Updating…" to keep you informed of the ongoing process.
These improvements have shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.
Learn more security overview and send us your feedback
Learn more about GitHub Advanced Security
Enabling CodeQL analysis with code scanning default setup for eligible repositories in your organization is now as easy as a single click from the organization’s settings page or a single API call.
You can use code scanning default setup to enable CodeQL analysis for pull requests and pushes on eligible repositories without committing any workflow files. Currently, this feature is only available for repositories that use GitHub Actions and it supports analysis of JavaScript/TypeScript, Python and Ruby. We plan to add support for additional languages soon.
To help you identify which repositories are eligible for the “enable all” feature, two new security coverage filters have been added:
code-scanning-default-setup: returns a list of enabled, eligible or not eligible repositoriesadvanced-security: returns a list of repositories with GitHub Advanced Security enabled or not enabled
This feature has been released as a public beta on GitHub.com and will also be available as a public beta on GitHub Enterprise Server 3.9.
Learn more about configuring code scanning at scale using CodeQL and the “Enable or disable a security feature for an organization” REST API
Code scanning default setup can now be easily enabled for a single repository from the slide-out panel on your organization's "Security Coverage" page, without needing to navigate to the repository's "Settings" tab.
The feature automatically detects the languages in your repository and enables analysis for pull requests and pushes, without requiring you to commit a workflow file. Default setup currently supports JavaScript, Python, and Ruby, with more languages to come. The feature is available for repositories using GitHub Actions and can be accessed by organization owners, repository administrators and security managers. Expect one-click enablement functionality for all organization repositories to be rolled out next.
This has shipped as a public beta to GitHub.com and will be available in GitHub Enterprise Server 3.9.
Learn more about automatically setting up code scanning for a repository and send us your feedback
Learn more about GitHub Advanced Security
In security overview, when you select a team from the Team dropdown or filter by team in either the security risk or the security coverage views, results include repositories where the team has write privileges. Previously, results only included repositories where the team had admin privileges or had been granted access to security alerts.
This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.
The organization-level security overview page has been replaced by the risk and coverage views as previously announced and is no longer available. The risk view is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.
GitHub Enterprise customers can use the new security overview experience today by clicking on an organization's "Security" tab.
Learn more about the new risk and coverage views and send us your feedback
You can now enable and disable the following GitHub security features for a single repository from the organization-level security coverage view:
- Dependency graph
- Dependabot alerts
- Dependabot security updates
If you are a GitHub Advanced Security customer, you can also enable and disable the following features for a single repository:
- GitHub Advanced Security
- Secret scanning
- Push protection
In the future, you'll be able to enable and disable multiple repositories from the coverage view.
Learn more about the new coverage view and send us your feedback
Learn more about GitHub Advanced Security
Security overview’s new risk and coverage views provide greater visibility into your security posture and risk analysis.
Each new view offers a refreshed design with several key improvements, including insights and dynamic filtering.
Coverage view
The coverage view gives visibility into enablement across all repositories. On the coverage view, you can:
- See counts and percentages of repositories with GitHub security features enabled or disabled, which update when you apply filters
- Track enablement for additional security features, including secret scanning push protection, Dependabot security updates, and code scanning pull request alerts.
Risk view
The coverage view is complimented by a new risk view that gives visibility into all alerts across these repositories.
On the risk view, you can:
- See counts and percentages of repositories with security vulnerabilities, which also update when you apply filters
- See open alerts segmented by severity for both Dependabot and code scanning.
Both views are now available as a public beta. In the coming weeks, we will deprecate the overview in favor of these two new views.
Learn more about the new risk and coverage views and send us your feedback
We’ve expanded access to GitHub’s security overview pages in two ways:
- All GitHub Enterprise accounts now have access to the security overview, not just those with GitHub Advanced Security
- All users within an enterprise can now access the security overview, not just admins and security managers
Security overview provides a centralized view of risk for application security teams, engineering leaders, and developers who work across many repositories. It displays code scanning, Dependabot, and secret scanning alerts across every repository you have access to in an organization or enterprise. The security overview also shows you where you have unknown risks because security features haven’t been enabled.
Learn more about security overview and send us your feedback
Security Overview at the organization level is now out of beta and generally available. GitHub Advanced Security customers can use Security Overview to view a repo-centric view of application security risks. They can also see an alert-centric view of all Code Scanning, Dependabot, and Secret Scanning alerts, across all repositories in an organization.
Learn more about security overview
Learn more about GitHub Advanced Security
GitHub Advanced Security customers can now view an overview of security alerts at the enterprise level. The new “Security” tab at the enterprise level provides a repo-centric view of application security risks, as well as an alert-centric view of all secret scanning alerts. Both views are in beta, and will be followed in the coming months by alert-centric views for code scanning and Dependabot alerts.
Learn more about security overview
Learn more about GitHub Advanced Security
The new security overview for organizations and teams – which provides a high-level view of the application security risks a GitHub organization is exposed to – is now in beta for all GitHub Advanced Security customers on GitHub Enterprise Cloud.
With the new security overview GitHub Advanced Security customers now have a single place to see the application security risks detected by code scanning, Dependabot, and secret scanning. The security overview shows both these known security risks as well as where you have unknown risks because security features haven’t been configured.
Learn more about security overview
Learn more about GitHub Advanced Security
The repository security tab now includes two new experiences to help you better understand your repository's security at a glance.
- First, we have added a counter which makes it easy to understand how many security alerts your repository has active. The counter only includes information which is otherwise visible to the logged in user. This change will be rolling out gradually over the next couple of days.
- Second, we have added an overview experience for your repository security tab which is located at
https://github.com/:org/:repo/security. This new overview provides helpful insights about how to configure your repository to make the most of GitHub's built-in security and analysis features. It also provides a summary of known security issues.
