A total redesign of GitHub’s code search and navigation was released to all logged in GitHub users in May. Starting today, the new redesigned code navigation experience, including a file tree and symbols pane, will be available to anyone browsing anonymously on GitHub.com. To access the new code search experience, and make full use of the symbol navigation, create an account or log in to GitHub.com.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Workato to scan for their API tokens and help secure our mutual users on public repositories. Workato Developer API tokens allow users to effectively manage their Workato workspaces programmatically and reduce administrative overhead as they onboard teams from across their organisation. GitHub will forward access tokens found in public repositories to Workato, which will then notify the user about the leaked token. You can read more information about Workato's tokens here.
All users can scan for and block Workato's tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Workato tokens in their private repositories.
The 2023 updates to our ISO/IEC 27001:2013 certificate can be downloaded now. In addition, we have completed the processes for ISO/IEC 27701:2019 (PII Processor), ISO/IEC 27018:2019, and CSA STAR certifications. Those certificates can also be downloaded now.
- For enterprises, administrators may download this report by navigating to the
Compliancetab of the enterprise account:https://github.com/enterprises/"your-enterprise"/settings/compliance. - For organizations, owners may find these reports under
Security>Compliancesettings tab of their organization:https://github.com/organizations/"your-org"/settings/compliance.
For detailed guidance on accessing these reports, read our compliance documentation for organizations and enterprises.
Check out the GitHub blog for more information.
With GHES 3.9, you and your organization can better manage your Dependabot alerts thanks to more granular enablement controls. You can now enable Dependabot alerts at the repository, organization, and enterprise level, rather than having to enable Dependabot alerts across an entire enterprise at once.
This release also adds support for “automatically enable for new repositories” at the organization and enterprise levels.
Enterprise admins still need to opt in to Dependabot alerts via GitHub Connect, which approves outbound calls for advisories to sync.
Learn more about changes for GHES 3.9 for Dependabot.
After we released Swift in beta on the 1st June, we are now adding support for long awaited Swift 5.8.1 and Xcode 14.3.1. This release also brings better support for Swift 5.x on Linux, which now supports versions up to and including 5.8.1.
Swift 5.8.1 support is available starting with CodeQL version 2.13.5. Code scanning users on GitHub.com will automatically benefit from the latest CodeQL version, while those on GitHub Enterprise Server can update using these guidelines. Security researchers can set up the CodeQL CLI and VS Code extension by following these instructions.
While our Swift analysis support remains in public beta we welcome your input. If you have any feedback or questions about the Swift beta, consider joining our community in the #codeql-swift-beta channel in the GitHub Security Lab Slack.
GitHub provides Enterprise customers with the ability to programmatically retrieve enterprise and organization audit log events in near real-time using the audit log API. A high-quality audit log is an essential tool used by enterprises to ensure compliance, maintain security, investigate issues, and promote accountability. To support these objectives, the audit log API needs to be highly reliable, consistently available, and extremely scalable.
Recognizing the audit log API's importance as a data source to enterprises, each audit log API endpoint will impose a rate limit of 15 queries per minute per enterprise or org starting August 1st, 2023. Based on a thorough analysis of event generation data, we are confident that the new rate limit will continue to support customers in accessing near real-time data via the audit log API. Additionally, query cost is a crucial consideration, and in the future, the audit log may impose further rate limiting for high-cost queries that place significant strain on our data stores.
What can you do to prepare for these changes? First, programs or integrations querying the audit log API should be adjusted to query at a maximum frequency of 15 queries per minute. Additionally, applications querying the audit log API should be updated to be capable of honoring HTTP 429 responses, enabling them to dynamically adjust to the back-pressure exerted by our systems. Alternatively, Enterprises seeking access to near real-time data should consider streaming your enterprise audit log.
Auto-scaling self-hosted runners using the Actions runner controller and runner scale sets is now in generally avaliable.
Learn more about scalling self hosted runners and share your feedback with us in the Community Discussion!
Dependabot version updates helps you keep your dependencies up-to-date by opening pull requests when dependencies can be upgraded. With today's release, you can now group version updates by dependency name.
Until today, Dependabot would always open individual pull requests for every dependency update in accordance with your configuration in dependabot.yml. Not only can this result in a large number of Dependabot pull requests, but there are some dependencies which must be updated in tandem with each other or the update will fail. In these cases, the individual Dependabot pull requests would always fail until you manually intervened to do the update.
Now, in your dependabot.yml configuration file, you can set custom grouping rules for Dependabot based on pattern matching on package name. Here is an example of how these rules can be set up:
version: 2
updates:
- package-ecosystem: "bundler"
directory: "/"
schedule:
interval: weekly
# New!
groups:
# This is the name of your group, it will be used in PR titles and branch names
dev-dependencies:
# A pattern can be...
patterns:
- "rubocop" # a single dependency name
- "aws*" # or a wildcard string that matches multiple dependencies
# If you'd simply like to group as many dependencies together as possible,
# you can use the wildcard * - but keep in mind this may open a very large PR!
# Additionally, you can specify any dependencies to be excluded from the group
exclude-patterns:
- "aws-sdk"This configuration applies to regularly scheduled Dependabot version updates only. Security updates for Dependabot will continue to open as individual pull requests, even if they match a configured grouping rule.
This feature is in beta, so you may encounter instability and the feature-set is currently limited. You may file any bugs encountered in the dependabot-core repo.
To learn more about grouping rules for Dependabot version updates, please refer to our documentation.
During two-factor authentication and when entering sudo mode for sensitive actions on GitHub.com, TOTP codes could be successfully used multiple times within their validity window. To improve security, this reuse is no longer allowed on GitHub.com, and will be updated in GHES with version 3.10.
Systems that have attempted to script the login flow, across multiple parallel jobs, may break as a result of this change.
Learn more about two-factor authentication with TOTP.
Today we are announcing the general availability of our organization and enterprise-level security risk and coverage pages.
Additionally, the alert-centric pages for Dependabot, code scanning, and secret scanning are also now generally available at both the organization and enterprise levels.
The enterprise-level security overview page has been replaced by the risk and coverage pages as previously announced. The risk page is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.
To access the new enterprise-level risk and coverage pages, follow these steps:
- Navigate to your profile photo in the top-right corner of GitHub.com.
- Click Your enterprises.
- From the list of enterprises, select the enterprise you wish to view.
- In the enterprise account sidebar, click on Code Security.
These improvements have shipped to GitHub.com and will be available in GitHub Enterprise Server 3.10.
Learn more about the new risk and coverage pages and send us your feedback
With GitHub Copilot being used by over 20K organizations
GitHub Copilot Chat (Visual Studio Code)
Note: To get access to the new chat-based GitHub Copilot features, you’ll need to sign up for the GitHub Copilot chat waitlist.
The GitHub Copilot Chat extension graduated from Insiders into Stable with the release of Visual Studio Code v1.79. Highlights include:
– Improvements to editor chat, most notably we have changed its default mode to be “livePreview”. In this mode, changes are applied directly to the document and shown with an embedded diff view.
– When using Copilot in a notebook document, Copilot can use the notebook context to provide more relevant suggestions.
– When running notebook cells, Copilot provides suggestions for cell execution failures.
– When viewing a review thread, it is now possible to directly apply a review comment using Copilot.
– An experiment using chat to ask quick programming questions without leaving context.
– You can now delete a chat request/response pair by clicking the X icon in the chat request.
– Added the ability to move chat sessions back and forth between the sidebar and editor.
For previous updates, reference the Insiders April 2023 (v1.78) release notes.
To learn more about GitHub Copilot as well as tips and tricks and best practices, have a look at the VS Code YouTube channel. There you’ll find an introduction to GitHub Copilot, language-specific usage, and guidance on effective prompting when using Copilot for development.
Copilot with your debugger (Visual Studio)
Copilot Chat in Visual Studio helps you figure out how to fix issues when you’ve hit an exception. Just hit the link in the exception dialog to see an explanation of the exception together with likely causes and suggested code solutions to fix the problem inline. Copilot gathers the data about your exception, code, and variable values to help form an exact question and get you a great answer. Combine that with the power of features like Hot Reload, and you can test out the suggested change and be on your way much faster.
Visual Studio’s IntelliSense list can now steer GitHub Copilot code completions
GitHub Copilot and Visual Studio’s built-in AI assistance features are now better together. With the latest release (version 1.84+), Copilot predictions are not only visible when IntelliSense is open, but your IntelliSense selection also steers the prediction offered by Copilot. This helps you explore and get just the code completion you want. It’s particularly helpful with the starred completions that Visual Studio’s built-in IntelliCode AI provides with member ranking in the IntelliSense list.
Code completion improvements
- GitHub Copilot is now even more powerful and responsive for developers, thanks to a new model powered by GPT-3.5 Turbo through the collaboration across OpenAI, Azure AI, and GitHub that offers 13% latency improvements.
- Code completion uses an 8k context window that improves suggestions and acceptance rates.
Bug fixes and improvements
- Added the ability to export a CSV of all users for an org. From the seat management page, you can export a flat list of all your users – helping address a significant pain point for our admins who want to avoid scrolling through page after page and want better insight into who within a Team is using Copilot.
- We updated the Copilot signup flow to make signing up for a GitHub account AND Copilot in one fluid experience easier.
- France is our newest region serving Copilot code completion requests, improving latency for European customers. This is in addition to our existing Switzerland presence.
- In Visual Studio, we added the ability to preview code insertions back into your code using the same grey text approach we use for code completions.
- In Visual Studio, you can now delete chat requests
Enterprise users will now notice added functionality where Dependabot security and version updates may be paused for repositories.
If you are an enterprise user that uses Dependabot updates and there has been no activity in a repository, such as merging, closing, or any other interaction, with Dependabot pull requests for a period exceeding 90 days, the updates will be paused. To resume activity, simply merge or close one of Dependabot's pull requests, or modify the Dependabot config file in the repository.
This change will help Dependabot be more focused to the repositories you care about and reduce use of GitHub Actions minutes on inactive Dependabot pull requests.
If you are using security overview with GitHub Advanced Security, you will be able to see which repositories in your organization have been paused from the security coverage view.
You will also be able to see whether Dependabot has been paused for a repository by querying the /repos/{owner}/{repo}/automated-security-fixes REST API endpoint, which will return both the enablement status and paused status of the repository.
When will Dependabot become paused?
This change only applies to repositories where Dependabot pull requests exist but remain untouched. If no Dependabot pull requests have been opened, Dependabot will never become paused.
The following must be true for at least 90 days:
- Has not had a Dependabot PR merged
- Has not had changes made to the Dependabot config file
- Has not had any @dependabot comment-ops performed
- Has not had any Dependabot PRs closed by the user
- Has received at least one Dependabot PR before the 90 day window
- Has at least one Dependabot PR open at the end of the 90 day window
- Has had Dependabot enabled for this entire period
How will Dependabot let me know?
Dependabot will add a notice to the body of all open Dependabot pull requests and add a dependabot-paused label to them. Dependabot will also add a banner notice in the UI of your repository settings page (under “Dependabot”) as well as your Dependabot alerts page (if Dependabot security updates are affected).
Who can use this feature?
This change does not apply to Dependabot alerts or subsequent notifications. So, only repositories that have automated Dependabot version updates or security updates, but haven't interacted with these pull requests for a while, will be affected.
Learn more about this change
Learn more about how to interact with the REST API
Code scanning default setup is now available for all CodeQL supported languages, excluding Swift. This includes supporting JavaScript/TypeScript, Ruby, Python, Go, Java/Kotlin, C/C++, and C# at the repository level. We will extend support to include Swift soon. We are also working to extend all CodeQL language support to the organization level.
Default setup detects the languages in the repository and automatically analyzes JavaScript/TypeScript, Ruby, Python, and Go. With this enhancement, you can customize the configuration to also analyze Java/Kotlin, C/C++, and C#. The configuration can be viewed and edited at any time, during or after set up.
You can also use the REST API to include CodeQL supported languages in the default setup configuration.
What if the analysis for a language fails in default setup?
It is possible for the CodeQL analysis for a particular language to fail, such as when the code can't be compiled. If the CodeQL analysis for a language fails in default setup, you will see an error message on the repository's settings page, in the code security and analysis section. To resolve the situation you can:
- Deselect the language from the configuration and continue to use default setup for the successful languages.
- Convert to advanced setup. The advanced setup uses a
ymlfile and allows you to provide the build information required for the CodeQL analysis to succeed.
- Debug and fix the cause of the language failure. The Actions log will provide the failure reason so you can resolve this for a successful analysis.
Why aren't some languages automatically included in the default setup configuration ?
Java (including Kotlin), C/C++, and C# are not automatically included in the default setup configuration because they often require more advanced configuration. Code written in these languages needs to be compiled in order for CodeQL analysis to proceed. CodeQL will attempt to build your code automatically but may fail if your code requires bespoke build steps.
Java (including Kotlin), C/C++, and C# are not included in bulk code scanning setup from the organization level. We are working to extend all CodeQL language support to the organization level soon.
For more information on code scanning default setup, see Configuring code scanning automatically.
The Enterprise and Organization audit log UI and user security logs UI now include an expandable view that displays the full audit log payload of each event.
Customers can now see the same event metadata when searching your audit log via U/I, exporting audit logs to a JSON file, querying the audit log API, or streaming your audit logs to one of our supported streaming endpoints.
Last year, we made merging pull requests much faster by using the merge-ort strategy. Now, rebase commits get the same merge-ort treatment. This results in significantly improved speed: the P99 (the average time to complete rebases excluding the 1% slowest outliers) used to take around 3.6 seconds. P99 with the new strategy is 0.35 seconds. Because of the speedup, the fraction of PR rebases which fail due to timeouts dropped from 1.3% to 0.14%.
Learn more about the Git merge-ort strategy and merge methods for pull requests.
We have received customers reporting errors with Actions’ OIDC integration with AWS.
This happens for customers who are pinned to a single intermediary thumbprint from the Certificate Authority (CA) of the Actions SSL certificate.
There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers to trust both. This is a known behavior when the intermediary certificates are cross-signed by the CA.
Customers experiencing issues authenticating via OIDC with AWS should configure both thumbprints to be trusted in the AWS portal.
The two known intermediary thumbprints at this time are:
6938fd4d98bab03faadb97b34396831e3780aea11c58a3a8518e8759bf075b76b750d4f2df264fcd
Accessing your projects just got easier and faster than ever before! You can now view all projects you're collaborating on directly from the home screen on GitHub Mobile. Browsing, managing and customizing your projects on the go has never been more convenient.
Read more about GitHub Mobile and send us your feedback to help us improve.
We are introducing a number of enhancements, bug fixes and a breaking API change to repository rules.
1. UI Updates
* Added a repository picker to target select repositories for organization rulesets.
* Improvements to rule violations in the WebUI and git client.
2. Ruleset Bypass updates
- Bypass can be limited to pull request exemptions only.
- Single UI for bypass, collapsing bypass mode, and bypass list into one experience.
- Support for using repository roles as a bypass type
- Integrations (bots/apps) are now bypassable at the org.
3. API Enhancements
- Add fields for created and updated date
- Permission changes so all repo contributors can query the API for relevant rules enforced on branches.
4. Bug fixes
- Linear merge history could block bypass
- Branches could not always be created when using commit metadata rules
- Tag protections were failing for apps
5. API Changes
GraphQL changes will be delayed by 24-72 hours.- Breaking Change Remove
bypass_modefrom the Ruleset object and input - Breaking Change Add
bypass_modeas a required field for bypass actors to indicate if an actor can “always” bypass a ruleset or can only bypass for a “pull_request” - Breaking Change for GraphQL Change
bypass_actor_idsto a new bypass_actors object on the create and update mutations that can accept repository roles and organization admins - Add
repository_role_database_id,repository_role_name, andorganization_adminfields toRepositoryRulesetBypassActorto indicate when the bypass actor is a role or org admin bypass - “get rules for a branch” REST API endpoint now returns ruleset source info for each rule.
- “get a repo ruleset” REST API endpoint now has a
current_user_can_bypassfield that indicates whether the user making the request can bypass the ruleset. sourcefield for rulesets returned via the REST API will now properly contain the repo inowner/namesyntax when the ruleset is configured on a repository, rather than just the repository’s name.
We want to hear from you on how we can improve repository rules! Join the conversation in the repository rules public beta discussion.
Code scanning default setup now automatically updates when the languages in a repository change.
If a repository that uses default setup changes to include the languages JavaScript/TypeScript, Ruby, Python, or Go, the configuration will automatically update to include these languages. If the new configuration fails, we’ll resume the previous configuration automatically so that the repository does not lose coverage. The configuration will also automatically update if a repository removes a language.
You can always view the repository’s default setup configuration from the Code security and analysis settings page. Additionally, you can use the tool status page to view useful information about your setup and debug any failed languages.
Default set up makes it easy to get started with code scanning. The supported languages are currently JavaScript/TypeScript, Python, Ruby and Go and the list is constantly evolving. For more information on code scanning default setup, see Configuring code scanning automatically.
Today we are announcing the general availability of code scanning default setup enablement at the organization level.
You can use code scanning default setup to enable CodeQL analysis for pull requests and pushes on eligible repositories without committing any workflow files. Currently, this feature is only available for repositories that use GitHub Actions and it supports analysis of JavaScript/TypeScript, Python, Ruby and Go. We plan to add support for additional languages soon.
This feature is also available as a public beta in GitHub Enterprise Server 3.9 and will be generally available in GitHub Enterprise Server 3.10.
Learn more about configuring code scanning at scale using CodeQL and the "Enable or disable a security feature for an organization" REST API
Learn more about GitHub Advanced Security