security

Subscribe to all “security” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

In February 2022, we launched a new feature called community contributions to security advisories. We've continued to iterate on this feature, and recently released more improvements:

  • You're now prompted to add a reason for the change, so your contribution can be reviewed more quickly.
  • You can now submit a contributions without reference links getting reordered in the diff.
  • You can now click through to relevant docs from the advisories page.
  • You can overall enjoy a cleaner UX experience through a handful of other small fixes.

Further reading:

See more

Users with 2FA enabled may see false-alert flags in their security log for recovery_code_regenerated events between July 15 and August 11, 2022.
These events were improperly emitted during an upgrade to the 2FA platform. The storage format of the per-user value GitHub uses to generate your recovery codes was updated, causing the watch job to trigger the erroneous recovery_code_regenerated event.

No action is required from impacted users with regards to these events. GitHub has a policy to not delete security log events, even ones generated in error. For this reason, we are adding flags to signal that these events are false-alerts. No recovery codes were regenerated, and your existing saved recovery codes are still valid.

image

See more

The GitHub Advisory Database now includes curated security advisories for vulnerabilities on GitHub Actions. This brings the Advisory Database to ten supported ecosystems, including: Composer, Go, Hex, Maven, npm, NuGet, pip, RubyGems and Rust.

If you have a dependency on any vulnerable GitHub Actions, GitHub will send Dependabot alerts over the coming days.

See more

Enhanced Two-Factor Authentication (2FA) experience is now Generally Available. Previously, we had announced a set of improvements in our public beta. Further to this we have made the following new changes to streamline the CLI login experience.

  • As of npm 8.15.0 Login and Publish authentication from CLI can now be managed by the browser with the --auth-type=web flag.
  • Login can use an existing web session, only prompting for your second factor or email verification OTP to create a new CLI session.
  • Publish now supports “remember me for 5 minutes” and allows for subsequent publishes from the same IP + access token to avoid the 2FA prompt for a 5-minute period.
  • You can now use 2FA for re-verification requests while performing high privilege operations on npmjs.com.

Read more about two-factor authentication
from our documentation.

See more

The public npm registry is migrating away from the existing PGP signatures to ECDSA signatures that are more compact and can be verified without extra dependencies in the npm CLI.

Ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, by verifying the registry signatures of downloaded packages using the following npm CLI command:

npm audit signatures

The CLI will error if some packages have missing or invalid signatures. This could indicate that those packages might have been tampered with.

Read more about this feature from our documentation: about registry signatures.

See more

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database and will send malware alerts through Dependabot. Since shipping this change, we have received feedback that some organizations have been impacted with Dependabot alerts from these malware advisories that may be false positives.

GitHub has conducted a rapid root cause investigation and found that the majority of those alerts in question were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, in the hope a malicious version would be consumed. Dependabot doesn’t look at project configuration to determine if the packages are coming from a private registry, so it has been triggering an alert for packages with the same name from the public npm registry. While this does mean that your package was the target of a substitution attack it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.

While we work to determine how to best notify customers of being the target of a substitution attack, we will be pausing all Dependabot notifications on malware advisories. For non-Enterprise-Server users, Malware advisories will still exist in the Advisory Database and send alerts on npm audit. We are not making any changes to existing alerts on github.com at this time.

For GitHub Enterprise Server users, who were the most impacted, no new advisories will come through GitHub Connect. If you are struggling with too many alerts, please reach out to support and we can share a script for you to run that will delete all malware advisories and alerts.

See more

The GitHub Advisory Database now includes curated security advisories on Erlang [Hex], Elixir, and more. This brings the Advisory Database to nine supported ecosystems, including: Composer, Go, Maven, npm, NuGet, pip, RubyGems and Rust.

Support for this ecosystem in the dependency graph and Dependabot alerts will be available in the future.

See more

GitHub's Advisory Database now supports listing malware advisories. You can see them by searching "type:malware" on https://github.com/advisories.

If you have enabled Dependabot alerts on your repositories, GitHub will send Dependabot alerts for malware automatically. Note that Dependabot does not send update pull requests for malware as the only resolution is to delete the package and find an alternative.

See more

In February 2022, we launched a new feature called community contributions to security advisories.

We have made a handful of changes to the UX based on your feedback:

  • Fixed the breadcrumb on unreviewed advisories to more clearly display they are unreviewed.
  • Hid the link to submit a community contribution when it is not possible due to OSV constraints.
  • Added an information icon clarifying that not all ecosystems are supported.
  • Updated the auto-generated PR title to the format "[GHSA-####-####-####] Advisory Name" to be clearer on which advisory its for.
  • Fixed a bug that was adding unnecessary noise to the PR diff.
  • Added function to auto-post an affirming comment when a contribution is accepted.
  • Learn more about the GitHub Advisory Database
  • Learn more about GitHub community contributions
See more

You can now enable debug logging when you re-run jobs in a GitHub Actions workflow run. This gives you additional information about the job's execution and its environment which can help you diagnose failures.

To enable debug logging, select "Enable debug logging" in the re-run dialog.

Re-run dialog screenshot

You can also enable debug logging using the API or the command-line client.

For more details see
Re-running workflows and jobs.

For questions, visit the GitHub Actions community.

To see what's next for Actions, visit our public roadmap.

See more

Device verification protects new sessions if you don’t have two-factor authentication enabled, using an email notification. We’ve updated this feature to allow you to verify your sign in using GitHub Mobile. Device verification will by default use GitHub Mobile notifications. However, you can still request an email notification if your phone is unavailable.

For more information, read about “Authenticating in your browser.”

See more

Our newly available ISO/IEC 27001:2013 Certification report can be downloaded now.

  • For enterprises, administrators may download this report by navigating to the Compliance tab of the enterprise account: https://github.com/enterprises/"your-enterprise"/settings/compliance.
  • For organizations, owners may find these reports under 'Security' > Authentication Security settings tab of their organization: https://github.com/organizations/"your-org"/settings/security.
  • For everyone else, you may download this report at any time by navigating to the GitHub security page, https://github.com/security.

To learn more about this new report, check out our blog post.

See more

A variety of improvements to the npm 2FA experience are now in public beta, including:

  • Support for registering multiple second factors, such as security keys, biometric devices, and authentication applications
  • A new 2FA configuration menu to manage keys and recovery codes
  • Full CLI support for login and publish capabilities with physical security keys and biometric devices in npm 6 and higher
  • Ability to view and regenerate recovery codes

To learn more about configuring 2FA, see Configuring two-factor authentication.
To learn more about 2FA in general, see About two-factor authentication.
For questions and comments, open a discussion in our feedback repository.

See more

To further reduce the risk of a user using Actions to merge a change into a protected branch that was not reviewed by another person, the organization setting to disallow Actions from approving pull requests, which was introduced in January 2022, has been extended to also limit Actions from creating pull requests.

The Allow GitHub Actions to create and approve pull requests setting can be managed by admins in organization settings under Actions > General > Workflow permissions.

image

See more

Enterprise owners can now prevent organization owners from inviting outside collaborators to repositories in their enterprise. The "Repository outside collaborators" policy includes an additional option, "Enterprise admins only", which restricts the ability to invite outside collaborators only to users with admin permissions to the enterprise. For more info, see "Enforcing a policy for inviting outside collaborators to repositories".

Shows the new option "Enterprise admins only" in the "Repository outside collaborators" policy

See more

From today the OAuth Device Authorization flow feature must be manually enabled for all OAuth and GitHub Apps. This change reduces the likelihood of Apps being used in phishing attacks against GitHub users by ensuring integrators are aware of the risks and make a conscious choice to support this form of authentication.

If you own or manage an OAuth App or GitHub App that makes use of the OAuth Device Authorization flow, you can enable it for your App via its settings page:

Enable device flow

The OAuth Device Authorization flow API endpoints will respond with status code 400 to Apps that have not enabled this feature.

Learn more about the OAuth Device Authorization flow.

See more

GitHub changed which keys are supported in SSH and removed the unencrypted Git protocol.
You can read more about the motivation behind these changes in our blog post from last September.
As a reminder, these changes were:

  • Removed all support for DSA keys
  • Required SHA-2 signatures on all RSA keys uploaded after November 2, 2021 (RSA keys uploaded prior to the cutoff may still use SHA-1 signatures)
  • Removed legacy SSH algorithms HMAC-SHA-1 and CBC ciphers
  • Permanently disabled the unencrypted Git protocol
See more