Changelog

We've added enhanced support for CITATION.cff files to GitHub. CITATION.cff files are plain text files with human- and machine-readable citation information, and with this new feature, GitHub parses this information into convenient formats such as APA and BibTeX that can be copied by others.

Under the hood, we're using the ruby-cff RubyGem to parse the contents of the CITATION.cff file and build a citation string that is then shown in the GitHub user interface. Special thanks to the gem creators @sdruskat, @jspaaks and @hainesr, who worked with us to build this.


The CodeQL package manager is now available in public beta on GitHub.com. CodeQL packs can contain CodeQL queries and CodeQL libraries, and you can express dependencies between packs. You can upload your packs to the package registry on GitHub.com, and CodeQL will automatically fetch any required dependencies when running queries from a pack. This makes it simple to create and share CodeQL queries and libraries!

CodeQL packs also integrate with GitHub code scanning (example below). Alternatively, you can use packs with the CodeQL CLI (version 2.6.0-beta.1 and up) on your local machine. More documentation about CodeQL packs can be found here.

Integrating CodeQL packs into GitHub code scanning workflows

You can integrate CodeQL packs into GitHub code scanning workflows by pointing the tools input at the CodeQL 2.6.0 beta bundle and then listing the pack(s) you'd like to run. For example:

 - uses: github/codeql-action/init@v1
   with:
     tools: https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.6.0-beta.1
     packs: codeql/csharp-queries@~1.2.3, octo-org/csharp-security

Alternatively, you can select CodeQL packs by specifying a list of package references in the packs section of your CodeQL configuration file. For example:

  - queries/DeadCodeCondition.ql
  - queries/GlobalUseBeforeInit.qls
packs:
  - codeql/csharp-queries@~1.2.3  # latest version compatible with 1.2.3
  - octo-org/csharp-security      # latest version

For more information, see Configuring code scanning.

Standard CodeQL packs

All of our own CodeQL queries and libraries are now also released as CodeQL packs at github.com/codeql.

For each language there is a query pack containing all CodeQL queries for that language (from our open source repository). These packs are named codeql/<language>-queries. For example, the CodeQL pack containing the standard C/C++ queries is called codeql/cpp-queries.

We've also released packs with all CodeQL standard libraries for each language. These packs are named codeql/<language>-all (e.g. codeql/cpp-all). If you're writing your own query pack, you'll likely want to express a dependency on the CodeQL standard libraries for that language.

CodeQL pack visibility

You can choose the permission levels required for users to view and access your CodeQL packs. Currently, all CodeQL packs default to Internal visibility and must be set to Public manually. If you want to make your CodeQL pack visible to everyone, go to the settings section of the package and use Change package visibility to set it to Public.

Downloading CodeQL packs

All CodeQL packs can be downloaded and installed using the CodeQL CLI. You do not need to use the docker pull command shown on the package page. For more information, see Publishing and using CodeQL packs.

For more information, see About CodeQL packs.


In June, we announced that security alert notifications are opt-in on a per-repository basis, using the repository's watch settings. Today, we have updated security alert digest emails to also respect these settings.

If you are no longer receiving digest emails for a repository and want to, please update your notification subscription settings on that repo to include Security Alerts.


You can now set an expiration date on your new and existing personal access tokens.

Setting an expiration date on personal access tokens is highly recommended as this helps keep your information secure. GitHub will send you an email when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving you a duplicate token with the same properties as the original.

When using a personal access token with the GitHub API, you'll see a new response header, GitHub-Authentication-Token-Expiration, indicating the token's expiration date. You can use this in scripts, for example to log a warning message as the expiration date approaches.
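As an added example of using that header in a script (this is not code from GitHub or the changelog), the Python below reads GitHub-Authentication-Token-Expiration out of a response's headers, works out how long the token has left, and logs a warning once it is within a configurable number of days of expiry. It assumes the header value has the form "YYYY-MM-DD HH:MM:SS UTC", with ISO 8601 accepted as a fallback; the sample header values are constructed. Passing the headers object from any HTTP client (here urllib's response.headers) is enough, since the lookup is case-insensitive.

```python
"""Check the GitHub-Authentication-Token-Expiration response header.

Added example for the announcement above; it is not code from the GitHub
changelog.  The header's value is assumed to be a UTC timestamp in the
form "YYYY-MM-DD HH:MM:SS UTC", with an ISO 8601 fallback.  The sample
header values below are constructed.
"""
import logging
import os
import urllib.request
from datetime import datetime, timedelta, timezone

EXPIRATION_HEADER = "GitHub-Authentication-Token-Expiration"
WARN_WITHIN_DAYS = 7  # how close to expiry before a warning is logged

log = logging.getLogger("pat-expiry")


def parse_expiration(value):
    """Turn the header value into an aware UTC datetime; None if missing or unparseable."""
    if not value:
        return None
    value = value.strip()
    try:  # assumed documented form, e.g. "2021-10-01 00:00:00 UTC" (constructed sample)
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    try:  # fallback: ISO 8601, e.g. "2021-10-01T00:00:00Z"
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def check_token_expiry(headers, now=None, warn_within_days=WARN_WITHIN_DAYS):
    """Classify the token behind a response from its headers.

    Returns (status, days_left): status is "unknown" (header absent, e.g. a
    token with no expiration set), "expired", "expiring" (inside the warning
    window) or "ok"; days_left is whole days remaining (negative once expired)
    or None when unknown.  "expiring" and "expired" are also logged as warnings.
    """
    now = now or datetime.now(timezone.utc)
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {str(k).lower(): v for k, v in headers.items()}
    expires = parse_expiration(lowered.get(EXPIRATION_HEADER.lower()))
    if expires is None:
        return "unknown", None
    remaining = expires - now
    days_left = remaining.days
    if remaining <= timedelta(0):
        log.warning("token expired at %s", expires.isoformat())
        return "expired", days_left
    if remaining < timedelta(days=warn_within_days):
        log.warning("token expires in %d day(s), at %s", days_left, expires.isoformat())
        return "expiring", days_left
    return "ok", days_left


# Constructed sample: the header as a GitHub API response would carry it.
SAMPLE_HEADERS = {EXPIRATION_HEADER: "2021-10-01 00:00:00 UTC"}


def check_live_token(token):
    """Call the real API with a token and classify it (needs network access)."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}", "User-Agent": "pat-expiry-check"},
    )
    with urllib.request.urlopen(req) as resp:
        return check_token_expiry(resp.headers)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        print(check_live_token(token))
    else:  # offline demonstration on the constructed header
        print(check_token_expiry(SAMPLE_HEADERS, now=parse_expiration("2021-09-25 12:00:00 UTC")))
```

Because days_left is a floor of the remaining time, a token with 5.5 days left reports 5; the "expired" decision is taken on the exact remaining interval, not on the rounded day count, so a token that lapsed a few hours ago is reported as expired rather than as having 0 days left.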

Learn more about personal access tokens and how to use them.


We have shipped improvements to the code scanning alerts branch filter! These changes make it clearer which code scanning alerts are being displayed on the alerts page.

By default, the code scanning alerts are filtered to show alerts for the default branch of the repository only. You can use the branch filter to display the alerts on any of the non-default branches. Any branch filter that has been applied is shown in the search bar.

We have simplified the search syntax to the format branch:[branch name]. You can use this syntax multiple times in the search bar to filter on multiple branches. The previous syntax ref:refs/heads/[branch name] is still supported, so any saved URLs will continue to work.

[Screenshot: Branch filter]


In May we announced that GitHub Advisory Database now includes Go advisories. Today we're excited to announce that all of GitHub's supply chain security features are available for Go modules, which will help the Go community discover, report, and prevent security vulnerabilities.

Learn how each of GitHub’s supply chain security features works with Go modules on the GitHub blog.


🌏 Today we're releasing a new beta feature that allows you to translate GitHub Discussions content into different spoken languages. This initial beta release includes support for Korean, Brazilian Portuguese, and English, and we plan to add support for more languages soon.

This beta feature is now enabled for all users. To try it out, configure your web browser with Korean or Brazilian Portuguese as the default language, then navigate to any GitHub repo that has Discussions enabled. Click the overflow menu beside any discussion comment and you'll see a link to translate it to your preferred language:

[Screenshot: translating a discussion comment]

To see some popular communities using GitHub Discussions, check out docs.github.com/discussions.

📣 Got feedback?

We'd love to hear what you think of this new feature and how it can be improved. Please join the discussions below to share your feedback.


New severity levels for security alerts

We now show security-severity levels for CodeQL security alerts in code scanning. Security-severity levels help you understand the risk posed by each security alert in more detail, so you can assess its potential impact and decide which alerts to fix first. The security-severity level of an alert can be critical, high, medium, or low.

The new security-severity levels are displayed on all security alerts. For example, if a PR triggers security alerts, the security-severity is visible on the alert annotations under the Files changed tab. You can also see the security-severity for each alert present in a repository by clicking Security > Code scanning alerts.

[Screenshot: security-severity shown on an alert]

About security severity levels

Security severity levels are displayed on code scanning alerts that are generated by security queries. CodeQL automatically calculates security-severity levels and assigns an exact numerical score to each security query. To calculate the security-severity of an alert, we first group all CVEs reported under the CWEs assigned to the security query. We then take the 75th percentile of the CVSS scores of those CVEs. Finally, we translate the numerical score to critical, high, medium, or low using the following definitions:

Severity   Score range
None       0.0
Low        0.1 – 3.9
Medium     4.0 – 6.9
High       7.0 – 8.9
Critical   9.0 – 10.0

Defining which security-severity levels cause pull request check failure

By default, any code scanning alerts with a security-severity of critical or high will cause pull request check failure. You can specify which security-severity level for code scanning results should cause check failure by going to the Security & Analysis tab in the repository settings.

[Screenshot: Security & Analysis settings]

Severity levels for non-security alerts

Severity levels for non-security alerts remain error, warning, or note. By default, any code scanning results with the severity of error will cause check failure. You can change this setting using the dropdown on the Security & Analysis tab in the repository settings. It offers two selections, one that applies to security alerts and one that applies to non-security alerts.

Security severity levels in the code scanning API

You can also access security_severity_level data for security queries using the /alerts endpoint of the code scanning API.

How to add security-severity to a CodeQL query

You can add the expected security-severity level to your custom security queries by adding the numerical score to the @security-severity query metadata property in the .ql file.
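The following Python is an added worked example, not GitHub's or CodeQL's own code, covering both the scoring rule in "About security severity levels" and the @security-severity property just described. It pools the CVSS scores of the CVEs reported under a query's CWEs, takes the 75th percentile, buckets the result with the table above, and then reads a declared @security-severity back out of a .ql metadata header. Three things are assumptions: the percentile is computed with linear interpolation between ranks (the announcement does not say which method CodeQL uses), a CVE listed under two of the query's CWEs is counted once, and the CVE/CWE data and the query header are constructed.

```python
"""Worked example of the security-severity rules described above.

Added example, not GitHub's or CodeQL's own code.  Assumptions: percentiles
use linear interpolation between ranks (the method is not stated), a CVE
under two of a query's CWEs counts once, and the CVE/CWE data and the .ql
header below are constructed.
"""
import re

# Lower bound of each bucket, from the table in the announcement.
LEVELS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"))


def severity_level(score):
    """Map a 0.0-10.0 score to none/low/medium/high/critical."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    for floor, name in LEVELS:
        if score >= floor:
            return name
    return "none"


def percentile(values, pct):
    """pct-th percentile with linear interpolation between sorted neighbours (assumption)."""
    if not values:
        raise ValueError("no values to rank")
    ordered = sorted(values)
    rank = (len(ordered) - 1) * pct / 100.0
    lo = int(rank)
    hi = min(lo + 1, len(ordered) - 1)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (rank - lo)


# Constructed data: CVSS base scores of made-up CVEs, keyed by CWE.
CVSS_BY_CWE = {
    "CWE-079": {"CVE-EXAMPLE-1": 6.1, "CVE-EXAMPLE-2": 5.4, "CVE-EXAMPLE-3": 6.1,
                "CVE-EXAMPLE-4": 4.8, "CVE-EXAMPLE-5": 9.6},
    "CWE-089": {"CVE-EXAMPLE-6": 9.8, "CVE-EXAMPLE-7": 8.8, "CVE-EXAMPLE-8": 7.5,
                "CVE-EXAMPLE-9": 9.8},
}


def query_security_severity(query_cwes, cvss_by_cwe=CVSS_BY_CWE):
    """Score for a security query tagged with the given CWEs: 75th percentile of
    the pooled CVSS scores, rounded to one decimal like a CVSS score.  None if
    no CVE data exists for those CWEs."""
    pooled = {}  # CVE id -> score; a dict so a CVE under two CWEs counts once
    for cwe in query_cwes:
        pooled.update(cvss_by_cwe.get(cwe, {}))
    if not pooled:
        return None
    return round(percentile(list(pooled.values()), 75), 1)


# Constructed .ql header carrying the property the announcement describes.
SAMPLE_QL = """\
/**
 * @name Reflected cross-site scripting (constructed example)
 * @kind path-problem
 * @problem.severity error
 * @security-severity 6.1
 * @id example/reflected-xss
 * @tags security
 *       external/cwe/cwe-079
 */
"""

_SEVERITY_RE = re.compile(r"^\s*\*?\s*@security-severity\s+(\d+(?:\.\d+)?)\s*$", re.MULTILINE)


def read_security_severity(ql_source):
    """Return the @security-severity value declared in a query's metadata block, or None."""
    match = _SEVERITY_RE.search(ql_source)
    return float(match.group(1)) if match else None


if __name__ == "__main__":
    for cwes in (["CWE-079"], ["CWE-089"], ["CWE-079", "CWE-089"]):
        score = query_security_severity(cwes)
        print(cwes, score, severity_level(score))
    declared = read_security_severity(SAMPLE_QL)
    print("declared in .ql:", declared, severity_level(declared))
```

On the constructed data the CWE-079 query lands at 6.1 (medium) and the CWE-089 query at 9.8 (critical); a query tagged with both CWEs pools nine distinct CVEs and scores 9.6, which shows why the 75th percentile, rather than a mean, drives the level: a handful of critical CVEs under one CWE is enough to lift the whole query. The declared value in the sample header is read back and bucketed the same way, so a pack author can check that the score written into @security-severity yields the level they intend before the query reaches a pull request check.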

The new security-severity levels for security queries have been deployed to GitHub.com. These improvements will also be available in GitHub Enterprise Server 3.2.

Learn more about CodeQL and code scanning by reading the documentation.


GitHub Secret Scanning scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally. This protects users from fraud and data leaks.

GitHub has partnered with Linear and Ionic to scan for their developer tokens! They are just the latest GitHub secret scanning integrators – since 2018 GitHub has collaborated with 36 token issuers to help keep their customers secure. We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.


Maintainers now have additional control over when they must approve Actions runs for new contributors.


In April, we shipped an update for GitHub Actions that required maintainers to approve Actions runs for first-time contributors in their repositories. Based on your feedback we have added additional settings to give you more control over this behavior.

Learn more about approving first time contributor pull requests


We’ve improved the depth of CodeQL's analysis by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models for several languages (C++, JavaScript, Python, and Java). As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. This results in an overall improvement of the quality of the code scanning alerts.

We carefully choose and prioritize the libraries and frameworks supported by CodeQL based on their popularity and through user feedback. The libraries and frameworks added and improved are listed below.

C/C++

JavaScript and TypeScript

Python

Java

Learn more about CodeQL and code scanning.


Appending ?plain=1 to the URL for any Markdown file will now display the file without rendering. As with other code files, it will also show line numbers, and it can be used to link other users to a specific line or lines. For example, appending ?plain=1#L52 will highlight line 52 of a plain text Markdown file.
