Invoiced sponsors can now opt to pay for new sponsorships in full, the prorated amount or delay payment until your next billing cycle date.
Learn more about schedule sponsorships.
Users who are not part of the mandatory 2FA program will now be added to it within 24 hours of creating their first release. In August we expanded the 2FA requirement to include most GitHub.com users that had created a release. Those groups have now completed their 2FA enrollment, but additional developers have since created their first release. They will be added to the 2FA program in the coming days, as will more users over time as they create releases.
Enterprise or organization administrators can learn more about their users' current 2FA requirements by visiting the People page for their enterprise or organization.
To learn more about the 2FA program, see our May 2023 blog post, as well as the “About the mandatory 2FA program” documentation.
We are excited to announce the beta release of Copilot in GitHub Support, a faster way to find answers to your GitHub related questions! In August, we launched the Alpha to a limited number of randomly selected GitHub Enterprise Cloud customers. We have made lots of improvements to the experience since and are excited to welcome more customers into the new experience. Copilot in GitHub Support is now trained on the latest GitHub Enterprise Server documentation in addition to GitHub Enterprise Cloud documentation it was previously trained on.
Initially, we’re offering the Copilot experience to a limited number of randomly selected GitHub Enterprise customers. We hope to continue rolling out the experience to a wider audience over the coming months.
During the beta, GitHub will be reviewing answers provided and collecting feedback from participating customers to improve the accuracy.
Copilot in GitHub Support is part of our ongoing effort to make GitHub the best place for all developers to collaborate, innovate, and ship great software. We believe that Copilot in GitHub Support will enhance your experience and productivity.
We look forward to hearing from you and learning from your feedback.
We are excited to announce a significant update to the comment box used in GitHub issues, discussions, and pull requests, aiming to refine and enhance how you interact and collaborate. This release is a testament to our ongoing efforts to provide an exceptional user experience, making GitHub more intuitive, consistent, and accessible across the platform.
The updated comment box is designed to integrate seamlessly with the existing GitHub environment, ensuring a familiar yet improved experience for all users. Highlights and improvements include:
- Enhanced User Experience: The newly revamped comment box brings an elevated experience to a wider range of users across various devices. With this update, we've enhanced the responsiveness and streamlined the markup to better accommodate keyboard and screen reader users. This ensures a uniform and smooth user experience across issues, discussions, and pull requests, promoting seamless communication and collaboration.
- Consistency and Familiarity: Our design philosophy for the new comment box was clear: keep it familiar, make it better. We’ve developed the updated version to closely resemble the original while enhancing it with improved accessibility, consistency, and ease of use across various screen sizes. The transition for you will be smooth, with no disruptions to your workflow.
- Commitment to Accessibility: This update contributes to our continuous journey to make GitHub more accessible to everyone. The comment box now aligns more closely with our accessibility commitment, enhancing the experience in features such as issues, pull requests, and discussions. Check out our Accessibility Commitment to learn more about how we are making GitHub more inclusive.
We are excited for you to experience the new comment box and we welcome feedback to continue improving GitHub for everyone.
GitHub is introducing GPU hosted runners for GitHub Actions to provide teams working with ML models to have a single platform to build, test and deploy from.
GPU accelerated Builds
GitHub enables teams working with GPU accelerated ML models as part of their applications to fully adopt Actions as their DevOps platform to test and deploy their services. These new runners empower teams working with models such as large language models (LLMs) to run these more efficiently as part of their CI/CD process, empowering teams to do complete application testing, including the ML components, in Actions.
We know that developers and data scientists love GitHub Actions. Data scientists are moving away from ‘working in isolation’ towards a model of ML Ops and trying to understand how this feeds into the wider DevOps practices of their teams.
These runners will be entering private beta in November.
Interested?
Click here to join the waitlist for the private beta.
GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Onfido to scan for their tokens to help secure our mutual users in public repositories. Onfido tokens allow developers to interact with Onfido's API in order to integrate secure and reliable identity verification solutions into their applications and services, helping to enhance user onboarding processes and protect against fraud. GitHub will forward any exposed tokens found in public repositories to Onfido, who will then notify the customer about the leaked token. Read more information about Onfido API tokens.
GitHub Advanced Security customers can also scan for and block Onfido tokens in their private repositories.
Arm-based hosted runners are coming to GitHub Actions!
Unlock the power of Arm in Actions
By leveraging the power and efficiency of the Arm® architecture, GitHub is offering a new solution that will accelerate software development in GitHub. These new capabilities empower GitHub users to shift-left software development on the Arm architecture across the embedded edge, IoT and cloud infrastructure while providing significant power, performance and sustainability improvements to all users. Developers can now take advantage of Arm hardware hosted by GitHub to build and deploy their release assets anywhere Arm’s architecture is used.
Seamlessly integrated into GitHub Actions, these runners are powered by Arm-based Ampere® Altra® processors. Preloaded with a base image that contains a foundational set of development tools to build upon, these runners are extremely versatile and can handle any embedded software project from key markets such as automotive, IoT and industrial. The benefits do not stop at the embedded edge, as non-embedded, cloud native and everything in between will benefit by reducing their carbon footprint and getting more done within existing budgets.
These runners will be entering private beta in January 2024.
“With Arm-based GitHub-hosted runners, software developers can move faster while taking full advantage of the efficient Arm architecture, from cloud to edge,” said Bhumik Patel, director of software ecosystem development, Infrastructure Line of Business, Arm. “Our partnership with GitHub allows developers to optimize their Arm-based software development workflows and leverage GitHub’s ubiquitous deployment capability to more efficiently deliver code wherever they deploy – all while reducing costs and time to market.”
Interested?
Click here to join the waitlist for the private beta.
The GitHub Advanced Security billing REST API and CSV download now includes the email addresses for active committers. This provides information for insights into Advanced Security license usage across your business. Here is an example response from the GitHub Advanced Security billing REST API:
"advanced_security_committers_breakdown": [
{
"user_login": "octokitten",
"last_pushed_date": "2023-10-26",
"last_pushed_email": "octokitten@email.com"
}Read more about the GHAS billing API here and the GHAS billing CSV download here.
This is available now on GitHub.com and will ship to GitHub Enterprise Server 3.12
GitHub Advanced Security users can now use the REST API to retrieve the validity status of a secret scanning token and retrieve all tokens of a particular validity status. The API will return the status of the token as of the last validity check. Valid statuses are active, inactive, or unknown. Validity checks must be enabled for the enterprise, organization, or repository.
Starting today, in Actions workflows, the pull_request_target trigger is now supported for repository rulesets that require a successful workflow run. This is in addition to pull_request and merge_group, making pull_request_target the third workflow trigger supported by repository rulesets.
Read our recent general availability announcement to learn more about how organizations can set up policies with repository rules that require a successful workflow run before code can be merged into its repositories.
Learn more in our repository rulesets documentation and don’t forget to ask questions or leave feedback in the community discussion.
Auto-triage rules are a powerful tool to help you reduce alert and pull request fatigue substantially, while better managing your alerts at scale.
What's changing?
Starting today, you can define your own rules to control and enforce Dependabot behaviors across organizations and individual repositories.
- You can now define which alerts receive pull requests to resolve them, rather than targeting all alerts.
- You can enable and enforce those Dependabot security update rules across organizations, in addition to individual repositories.
- You can enable, disable, or enforce how GitHub default rulesets are applied across your organization.
- You can also now enable and enforce custom auto-dismiss (alert ignore and snooze) rules across organizations.
Auto-triage rules are defined by alert targeting criteria, the behaviors you'd like Dependabot to automatically perform for these alerts, as well as how you want the rule to be enabled or enforced across your organization.
Alerts can be targeted based on metadata related to the advisory, dependency, and how it's used. For this public beta, currently supported attributes at the organization level are: severity, scope, package-name, cwe, and ecosystem. At the repository level, you can also target specific manifest files.
For any existing or future alerts that match a custom rule, Dependabot will perform the selected behavior accordingly. You can proactively filter out false positives, snooze alerts until patch release, choose which alerts open Dependabot security updates, and – as rules apply to both future and current alerts – manage existing alerts in bulk.
This feature is free for open source (all public repositories) and available for use in private repositories through GitHub Advanced Security.
Frequently asked questions
Why is GitHub making this change?
At GitHub, we’ve been thinking deeply about how to responsibly address long-running issues around alert fatigue and false positives. Rather than over-indexing on one criterion like reachability or dependency scope, we believe that a responsibly-designed solution should be able to detect and reason on a rich set of complex, contextual alert metadata.
That’s why, moving forward, we’re releasing a series of ships powered by a flexible and powerful alert rules engine. Our first ship – Dependabot presets – leveraged our rules engine with GitHub-curated vulnerability patterns and has helped millions of repositories filter out false positive alerts. Today’s ship exposes our rules engine at the organization and repository levels, so you can create and enforce custom rules, too.
How do I create a rule?
From your organization or repository settings page, admins and security managers can navigate to Code security and analysis settings. Under Dependabot, select Dependabot rules to add or modify your own custom rules or modify GitHub presets.
How do I enforce rules for my organization?
At the organization level, rules can be set with the following states.
| State | Description |
|---|---|
Enabled |
This rule will be enabled across all eligible repositories in your organization. It will be on by default (new repositories are included). Any individual repository can choose to disable the rule. |
Enforced |
This rule will be enabled across all eligible repositories in your organization. It will be on by default (new repositories are included). Individual repositories cannot override this setting. |
Disabled |
This rule will be disabled and hidden across your organization. |
At the repository level, rules can be set to enabled or disabled if they're not enforced.
Which criteria are supported?
Rules can be created across the following attributes:
| Attribute | Description |
|---|---|
severity |
Alert severity, based on CVSS base score, across the following values: low, medium, high, and critical. |
scope |
Scope of the dependency: development (devDependency) or runtime (production). |
package-name |
Packages, listed by package name. |
cwe |
CWEs, listed by CWE ID. |
ecosystem |
Ecosystems, listed by ecosystem name. |
manifest |
Manifest files, listed by manifest path. |
Note: manifest is only available at the repository level.
How do I control how Dependabot automatically generates pull requests for alerts?
You can use the alert criteria (above) to indicate which alerts Dependabot will attempt to open pull requests to resolve. To use auto-triage rules with Dependabot updates, you must disable Dependabot's option to always open pull requests to resolve all open alerts from the repository Code security and analysis settings.
How do I control how Dependabot automatically closes or reopens alerts?
Similar to Dependabot pull request rules, you can control how Dependabot filters out false postives (with dismiss indefinitely) or snoozes alerts (with dismiss until patch).
How many custom rules can I create?
At the time of public beta, you can create 20 rules per organization and 10 rules for each repository. Want more? Let us know!
How will this activity be reported?
Auto-dismissal activity is shown in webhooks, REST, GraphQL, and the audit log for Dependabot alerts. Alerts are dismissed without a notification or new pull request and appear as a special timeline event. As these alerts are closed, you’ll still be able to review any auto-dismissed alerts with the resolution:auto-dismissed filter.
Who can create and modify rules?
Auto-triage rules are free for open source repositories. Anyone who can enable Dependabot alerts for a public repository will be able to create custom rules for it. Customers of GitHub Advanced Security can create and manage custom rules across private repositories and at the organization level.
How do I reopen an automatically dismissed alert?
Like any manually dismissed alert, you can reopen an auto-dismissed alert from the alert list view or details page. This specific alert won’t be auto-dismissed again (by any other auto-dismiss rule).
What happens if alert metadata changes or advisory information is withdrawn?
Dependabot recognizes and immediately responds to any changes to metadata which void auto-dismissal logic. For example, if you change the dependency scope and the alert no longer meets the criteria to be auto-dismissed, the alert will automatically reopen.
How do I learn more?
- About the auto-triage feature
- Dependabot alerts REST API
- Dependabot alerts GraphQL API
- Dependabot alerts webhook
How do I provide feedback?
Let us know what you think by providing feedback — we’re listening!
Secret scanning automatically detects leaked secrets across all public packages on the npm registry. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact the committer directly. Package maintainers will not receive secret scanning alerts for these detections.
There are two new metrics available under the Repository object in the GraphQL API:
- LastContributionDate – The most recent date there was any of the following activity: a commit to a repository’s default branch, opening an issue or discussion, answering a discussion, proposing a pull request, or submitting a pull request review. This is a good single-number metric to find projects that may be unmaintained or in need of archiving.
- CommitCount – A monotonically increasing count of the total number of commits pushed to the default branch of the repository. Tracking the change in this over time will give a sense of the overall activity in the repository.
These metrics are currently in public beta, so you will need to include a header to your GraphQL requests to opt-in:
GraphQL-Features: ospo_metrics_apiAdditional documentation and context around these metrics is available in the github-ospo repo. Please provide your feedback on this discussion thread: https://github.com/orgs/community/discussions/72156
You can now access CodeQL, Secret Scanning, and other features of GitHub Advanced Security as part of your GitHub Enterprise Cloud trial. Enterprise admins can enable GitHub Advanced Security under Enterprise licensing.
- Join the community discussion and leave us your feedback!
New updates to the branches and commits pages are now in feature preview. These updates are focused on improved navigation, performance, and making these experiences more accessible.
Branches
We added clarity to the list header explaining what each section of the branches page does. Stale branches are now hidden by default to speed up page load times.
Commits
You can now filter commits by a date range and collapse the list per day to find the commits that matter to you quickly.
Click here if you have feedback and let us know in our community discussion.
Visual Studio
🤖 ARM Support
Version 1.116.0.0 of the Visual Studio extension now supports ARM.
🔒 Support for Proxies That Use Basic Authentication
Version 1.116.0.0 of the Visual Studio extension now support proxies that use a Basic Authentication scheme through an environment variable.
Visual Studio Code
🧪 Improvements to /tests Chat Command
The /test slash command is now better at detecting the testing framework you are using and will generate new tests in the same style, available with the GitHub Copilot Chat extension for Visual Studio, now in beta.
💬 Multi-Turn Chat Conversations
Chat can now refer to your previous messages to help answer your questions. To learn more about Copilot Chat beta in Visual Studio Code, head to the latest blog post.
💻 Ask GitHub Copilot defaults to the Chat view
A few months ago, we introduced an Ask GitHub Copilot option in the Command Palette so that you can take your query in the Command Palette and open it in a Copilot chat if the Command Palette didn’t provide a useful answer.
We gathered feedback on the preferred experience Ask GitHub Copilot should open: the Chat view in the side bar or Quick Chat. In an effort to make the first time experience more familiar, we chose the Chat view. With that said, if you would like Ask GitHub Copilot to open in Quick Chat, you can change the behavior with the askChatLocation setting:
“workbench.commandPalette.experimental.askChatLocation”: “quickChat”
🎨 Command Palette Similar Commands
This iteration, the Visual Studio Code team shipped the similar commands feature in the Command Palette. Copilot Chat users get an even better similar commands experience because we can use Copilot AI to determine similarity. These smarts help with synonyms and intent, and in our testing, Copilot was able to handle similarity across spoken languages as well. Finding the exact command you’re looking for in the Command Palette has never been easier!
General
📜 Enhanced Multi-Line Completions
We’ve heard your feedback and are excited to announce significant improvements to our multiline suggestions feature. ver the past several weeks, we have diligently tested and rolled out an update to enhance the number and quality of multiline suggestions. The model now does a better job of understanding when to suggest multiline code snippets, and you’ll notice that Copilot suggests multiline completions much more frequently.
This update impacts the following programming languages:
* JavaScript
* TypeScript
* Python
☀ Improved Copilot Content Filtering
We’ve introduced changes to our filtering mechanisms to incorporate more context from your environment and prompt, allowing for more accurate detection of abusive prompts and fewer false positives.
Questions, suggestions, or ideas?
Join the conversation in the Copilot community discussion. We’d love to hear from you!
Code scanning default setup now automatically attempts to analyze all CodeQL supported languages in a repository. This means default setup supports all CodeQL languages at the organization level, including enabling code scanning from an organization's Security Overview coverage page or settings page.
Previously, users would have to manually include the languages C, C++, C#, Java, or Kotlin in a default setup analysis, and enabling these languages was not supported at the organization level. Now, code scanning default setup automatically attempts to analyze all languages supported by CodeQL in a repository. If any analyses fail, the failed language will be automatically deselected from the code scanning configuration. Any alerts from the successfully analyzed languages will be shown on GitHub. This means code scanning will automatically set up the best possible configuration to get started easily with CodeQL and show the most relevant alerts to developers.
A warning banner is shown in the repository settings page if any languages fail and are deseslected. The "edit configuration" page shows all languages in the configuration, and allows users to change the language selection if required. For more information about the languages and versions supported by CodeQL and code scanning, see Supported languages and frameworks. To learn more about code scanning, see About code scanning.
This change is already available on GitHub.com and will be available in GitHub Enterprise Server 3.12.
GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Authress to scan for their service client access keys and their user API tokens to help secure our mutual users in public repositories. Authress access keys allow users to secure applications and platforms through machine-to-machine authentication and they enable granular resource-based authorization. GitHub will forward any exposed access keys found in public repositories to Authress, who will automatically revoke the exposed access key, create an audit trail message that can be ingested by SIEM technologies, and send an email alert to your Authress account admin. Read more information about Authress API access keys.
All users can scan for and block Authress keys from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Authress keys in their private repositories.
To enable developers to write code as securely as possible in their language of choice and using the latest features available, we constantly update code scanning with CodeQL. As such we are happy to announce that CodeQL now supports analyzing code written in Go 1.21.
Go 1.21 support is available by default in GitHub.com code scanning, CodeQL version 2.14.6, and GHES 3.11. For more information about the languages and versions supported by CodeQL and code scanning, see Supported languages and frameworks. To learn more about code scanning, see About code scanning.
On December 21st, 2023 GitHub Codespaces plans to remove the deprecated Repository Access and Security setting.
Rather than configuring cross-repository access at the account level, we now recommend declaring cross-repository dependencies and permissions directly within your devcontainer.json. This approach enables each development container to declare its own minimum set of permissions to operate, rather than allowing unrestricted access to other repositories your account can access.
This change will impact users and organizations that have set the Repository Access and Security setting to either selected or all repositories, and have not configured any development container level permissions. You will receive an email if you or any organizations you own may be impacted by this change.
To ensure continuity of usage, you will need to declare cross-repository permissions within each devcontainer.json, enabling access to each repository that a development container needs to access. You can test that you have successfully transferred all permissions by toggling the Access and Security setting to Selected Repositories and removing all entries once you have completed the conversion.
Please reach out to GitHub Support if you have any issues or questions.