Search results for: Security

The dependency graph shows a summary of the manifest and lock files stored in a repository. The repository view has an updated user experience that includes: Search by package name…

A software bill of materials (SBOM) is a standardized inventory of a software project’s dependencies and associated metadata (versions, licenses, etc). You can now export your repository’s dependency graph as…

Developers and compliance teams get a new SBOM generation tool for cloud repositories.

Learn how GitHub’s one, integrated platform–powered by AI and secure at every step—helps developer teams be more productive, collaborative, and efficient.

The new code scanning tool status page allows users to view the status of CodeQL and other code scanning tools. The page shows all the tools that are enabled on…

The repository dependency graph GraphQL API preview now returns dependencies that have been submitted using the dependency submission API. Learn more about the dependency graph Learn more about the dependency…

In addition to Ubuntu & Windows, GitHub Actions now attaches a SBOM (Software Bill of Materials) to hosted runner image releases for macOS. In the context of GitHub Actions hosted…

At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com.

GitHub Security was notified about an issue where private issue and pull request titles would be displayed in search results. Our Security team investigated potential instances and determined that this…

Writing secure code is as much of an art as writing functional code, and it is the only way to write quality code. Learn how our Secure Code Game can provide you with hands-on training to spot and fix security issues in your code so that you can build a secure code mindset.

Code scanning have shipped an API for repositories to programmatically enable code scanning default setup with CodeQL. The API can be used to: Onboard a repository to default setup: gh…

Enabling CodeQL analysis with code scanning default setup for eligible repositories in your organization is now as easy as a single click from the organization’s settings page or a single…

We announced two weeks ago that we are changing how you receive notifications for secret scanning alerts. From today, those changes are in effect. What action should I take? If…

Code scanning is now using a new way of analysing and displaying alerts on pull requests. The change ensures code scanning only shows accurate and relevant alerts for the pull…

We’re looking forward to working with policymakers to improve cybersecurity and support developers.

The “Require SSH certificates” policy now allows GitHub apps to call Git APIs using a user-to-server token, bringing them up to parity with OAuth app support. The SSH certificate requirement…

GitHub Security was notified about an issue where users still had access to organizations after being removed. Our Security team investigated potential instances and determined there were occasional instances where…

GitHub organization owners can now opt-in to a public beta to display organization members’ IP addresseses in audit logs events. When enabled, IP addresses will be displayed for all audit…

If you use Gradle Version Catalogs to centralize managing dependencies for a Gradle project, you will now be able to use Dependabot version updates to keep these dependencies up-to-date! You…

If you use versioned reusable workflows in GitHub Actions, you can now use Dependabot version updates to keep those workflows up-to-date in your repositories! This is useful for anyone using…

We are open sourcing our own OSPO policies, tools, and guides to help other OSPOs get started.