Audit log events are now created when secret scanning non-provider patterns are enabled or disabled at the repository, organization, or enterprise level. The existing secret_scanning_alert event now includes a secret_type field.
For GitHub Advanced Security customers that use secret scanning, you can now specify which teams or roles have the ability to bypass push protection. This feature is in public beta on GitHub Enterprise Cloud.
This is managed through a new bypass list, where organizations can select which teams or roles are authorized to bypass push protection and act as reviewers for bypass requests. If an individual not included in this list needs to push a commit that is initially blocked, they must submit a bypass request. This request is then reviewed by an authorized individual who can either approve or deny it, determining whether the commit can proceed into the repository.
Please note, this feature is not yet compatible with web UI pushes.
This public beta enables developers to use a directories key to list multiple directories for the same ecosystem configuration in the dependabot.yml file.
Previously, developers with multiple package manifests for the same ecosystem (e.g. npm, pip, gradle) across multiple directories had to create separate dependabot.yml configurations for each of those directories. This could lead to many duplicated configurations, and high maintenance costs if a developer wished to make a change that spanned multiple directories.
A new dependabot.yml key, directories, is now available in public beta. The directories key accepts a list of strings representing directories, and can be used instead of directory.
Below is an example dependabot.yml multi-directory configuration setup, including how you can use the directories key:
version: 2
updates:
  - package-ecosystem: "bundler"
    directories:
      - "/frontend"
      - "/backend"
      - "/admin"
    schedule:
      interval: "weekly"
This example configuration applies to both security and version updates.
Wildcards and globbing support (i.e. using * to represent a pattern of directories) is coming soon in our next public beta releases, with an expected public beta launch within the next few months. Stay tuned for more!
If a developer still wishes to explicitly enumerate configurations for the same ecosystem using directory, they can still choose to do so; the directory key still accepts single-directory entries. For more information on the directory key, check out the dependabot.yml configuration options for the directory key documentation.
CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.1 has been released and has now been rolled out to code scanning users on GitHub.com.
CodeQL code scanning now supports automatic fix suggestions for C# alerts on pull requests, powered by Copilot. This is automatically enabled for all private repositories for all GitHub Advanced Security customers. For the first time, autofix covers nearly all security queries for a language, with 49 supported queries for C# from our Default and Extended suites. Use our public discussion for questions and feedback.
Also included in this release:
– rb/insecure-mass-assignment detects instances of mass assignment operations accepting arbitrary parameters
– rb/csrf-protection-not-enabled detects cases where Cross-Site Request Forgery protection is not enabled in Ruby on Rails controllers
– PathGraph now produces information about the models used for each flow step.
For a full list of changes, please refer to the complete changelog for version 2.17.1. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.
Starting today, developers using GitHub Enterprise Cloud (GHEC) and Free, Pro, and Teams accounts can enable their repositories and/or organizations to run Dependabot updates as an Actions workflow. With this change, the job that Dependabot runs to generate pull requests will run in GitHub Actions. This is the start of an effort to consolidate Dependabot’s compute platform to Actions, with further migration plans to be announced later.
GHEC, Free, Pro, and Teams administrator users can enable Dependabot on Actions today.
GitHub Enterprise Server (GHES) and Proxima users already run Dependabot on Actions; no further steps are required to enable Dependabot on Actions for these users.
Enabling Dependabot on Actions will yield performance benefits like faster Dependabot runs and increased visibility into errors to manually detect and troubleshoot failed runs. Actions APIs and webhooks will also be able to detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines. There will be no change or impact to the Dependabot functionality, and there will be no impact to billed Actions minutes (i.e. Dependabot runs are free).
This does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone. Beginning today, using Dependabot as an Actions workflow is free for everyone and generally available on all repositories.
Over the course of the next year, we are migrating all Dependabot workflows to run on Actions compute infrastructure. You can opt in today to gain access to these benefits, but they’ll be coming soon to all repos without needing to opt in as well. We’re excited for faster runs, increased troubleshooting visibility, and other future benefits running Dependabot on Actions will unlock. We’ll be in close contact with those organizations who own repositories with Actions disabled and Dependabot enabled as we kick off the compute infrastructure migration. If you have questions or concerns, please contribute to our community discussion or contact our support team.
GHEC, Free, Pro, and Teams administrator users can enable Dependabot on Actions runners at either the repository or organization level from the Code security and analysis settings pages. For more information, see our documentation on enabling Dependabot on Actions runners.
May 2024
This work is still in progress; we don’t yet have an estimated date when these will be available.
Today, Dependabot jobs can only be triggered from the Dependabot UI, and not by Actions workflows or APIs.
Check out our documentation on re-running a version updates job or re-running a security updates job.
At this time, you can opt out of enabling Dependabot on Actions. However, this ability will change within the next year as we consolidate Dependabot’s compute platform to Actions.
During this opt-in phase of the compute infrastructure migration, if you enable Dependabot on Actions but disable Actions at the repository or organization level, Dependabot will run on the legacy compute infrastructure. Please enable Actions either in your Dependabot-enabled repository or across your organization if you wish to opt in to run Dependabot on Actions.
Read more about Dependabot on GitHub Actions runners.
Join the discussion within GitHub Community.
CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.0 has been released and has now been rolled out to code scanning users on GitHub.com.
Important changes in this release include:
– cpp/type-confusion detects casts to invalid types
– go/uncontrolled-allocation-size detects slice memory allocation with excessive size value
– java/unvalidated-url-forward prevents information disclosure due to unsafe URL construction
For a full list of changes, please refer to the complete changelog for version 2.17.0. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.
Today we are announcing exciting updates for GitHub Actions hosted runners, the cloud-based service that provides powerful virtual machines to developers and teams to integrate their automation and CI/CD workflows within GitHub. These updates mark a significant leap towards enhancing enterprise readiness for GitHub Actions and a testament to our commitment to simplifying the adoption of GitHub Actions hosted runners across all project sizes and complexities.
We’re eager to hear your feedback on any and all of these functionalities. Share your thoughts on our GitHub Community Discussion.
Dependabot grouped security updates are now generally available. This feature automatically groups Dependabot pull requests, and lets you specify several additional options to fine tune your groupings.
You can enable grouped security updates for Dependabot at the repository or organization-level. To enable this feature, go to your repository or organization settings page, then go to the Code security and analysis tab, and click “Enable” for grouped security updates (this also requires each affected repository to enable Dependency graph, Dependabot alerts, and Dependabot security updates). When you enable this feature, Dependabot will collect all available security updates in a repository and attempt to open one pull request with all of them, per ecosystem, across directories.
If you would like more granular control over Dependabot’s grouping, you can also configure the dependabot.yml file in a repository to group by any of the following:
For additional information, check out the Dependabot configuration file documentation.
For GitHub Enterprise Server users, grouped security updates will be available in Version 3.14.
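As an added example (not from the GitHub changelog itself), a single dependabot.yml that combines the public-beta directories key from the earlier entry with groups that apply only to security updates; the ecosystems, directory names and group names are constructed for illustration:

```yaml
version: 2
updates:
  # One npm configuration covering three package manifests via the
  # public-beta `directories` key, instead of three near-identical
  # `directory` entries that would have to be kept in sync.
  - package-ecosystem: "npm"
    directories:
      - "/frontend"
      - "/admin"
      - "/docs-site"
    schedule:
      interval: "weekly"
    groups:
      # Collect every available security update for this ecosystem into
      # a single pull request rather than one PR per vulnerable package.
      npm-security:
        applies-to: security-updates
        patterns:
          - "*"

  # An ecosystem with a single manifest still uses the existing
  # `directory` key; both forms can coexist in one file.
  - package-ecosystem: "pip"
    directory: "/backend"
    schedule:
      interval: "daily"
    groups:
      pip-security:
        applies-to: security-updates
        patterns:
          - "*"
```

Grouped security updates must also be enabled in the repository or organization Code security and analysis settings, as described above, for the groups to take effect.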
With the 2.16.5 release of CodeQL, we’re introducing a new mechanism for creating a CodeQL database for Java codebases, without relying on a build. This enables organizations to more easily adopt CodeQL for Java projects at scale. Note: this release announcement contains details for users of the CodeQL CLI and advanced setup for code scanning. If you’re using GitHub code scanning default setup (which is powered by the CodeQL engine), this related release announcement will likely contain the information you’re looking for.
Previously, CodeQL required a working build to analyze Java projects. This could either be automatically detected or manually specified. Starting with CodeQL 2.16.5, you can now scan Java code without the need for a build. Our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of Java repos without manual intervention.
This feature is currently in public beta and is accessible to all GitHub.com advanced setup for code scanning and CodeQL CLI users scanning Java code:
– build-mode. The default value for newly configured Java repos will be build-mode: none.
CodeQL CLI users will not experience any change in the default behaviour, for compatibility with existing workflows. Users that want to enable this feature can now use the --build-mode none option. Generally, we also recommend users set the --build-mode option when using the CLI to make it easier to debug and persist the configuration should default behaviour change at any point in the future.
codeql database create test_no_build_db --language java --build-mode none
The new mechanism for scanning Java is available on GitHub.com and in CodeQL CLI 2.16.5. While in public beta, this feature will not be available on GitHub Enterprise Server for default setup or advanced setup for code scanning. As we continue to work on scanning Java projects without the need for working builds, send us your feedback.
CodeQL, the static analysis engine that powers GitHub code scanning, can now analyze Java projects without needing a build. This enables organizations to more easily roll out CodeQL at scale. This new way of analyzing Java codebases is now enabled by default for GitHub.com users setting up new repositories with default setup for code scanning.
Previously, CodeQL required a working build to analyze Java projects. This could either be automatically detected or manually specified. By removing that requirement, our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of Java repos without manual intervention.
This feature is currently in public beta and is accessible to all users scanning Java code using default setup for code scanning on GitHub.com:
– autobuild build mode to automatically try and detect the right build command.
GitHub.com users using advanced setup for code scanning and users of the CodeQL CLI will be able to analyze Java projects without needing a working build as part of CodeQL CLI version 2.16.5. While in public beta, this feature will not be available for GitHub Enterprise Server. As we continue to work on scanning Java projects without needing a working build, send us your feedback.
Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. We have updated the dependency review action to include information from the OpenSSF Scorecard project into the review, helping you better understand the security posture of the dependencies that you’re using.
Previously, if Dependabot encountered 30 consecutive failures, it would stop running scheduled jobs until manual intervention via updating the dependency graph or manifest file. Dependabot will now pause scheduled jobs after 15 failures. This will give an earlier indication of potential issues while still ensuring that critical security updates will continue to be applied without interruption.
Read more in the Dependabot Docs.
CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.16.4 has been released and has now been rolled out to code scanning users on GitHub.com.
CodeQL code scanning now supports automatic fix suggestions for Java alerts on pull requests, powered by Copilot. This is automatically enabled for all current autofix preview participants. You can sign up for the preview here and use our public discussion for questions and feedback.
The number of generated autofixes is now also visible in a dedicated security overview tile:
Furthermore, this release
For a full list of changes, please refer to the complete changelog for version 2.16.4. All new functionality will also be included in GHES 3.13. Users of GHES 3.12 or older can upgrade their CodeQL version.
All new public repositories owned by personal accounts will now have secret scanning and push protection enabled by default. Pushes to the repository that include known secrets will be blocked by push protection, and any known secrets that are detected in the repository will generate a secret scanning alert. Secret scanning and push protection can be disabled by the repository administrator after the repository is created.
Existing public repositories are not affected, nor are new public repositories that belong to an organization.
You can now use the REST API to check if a repository has private vulnerability reporting enabled.
Learn more about:
– Evaluating a repository’s security settings
– Repository security advisories
– Private vulnerability reporting