
Hardening repositories against credential theft
Some best practices and important defenses to prevent common attacks against GitHub Actions that are enabled by stolen personal access tokens, compromised accounts, or compromised GitHub sessions.
With enterprise accounts for all, your organization can take advantage of all that GitHub Enterprise has to offer, from GitHub Actions and GitHub Advanced Security, to Copilot.
The Sigstore GA means you can protect your software supply chain today with GitHub Actions, and will power new npm security capabilities in the near future.
GitHub Actions workflows in the Security category will now appear among the workflow recommendations based on a repository’s content.
Organizations using GitHub security configurations can now choose to require CodeQL to run on repositories using either default or advanced setup. Previously, if a repository was using advanced setup, you…
We’re making several important updates to our macOS runner image offerings to ensure you have access to the latest and most efficient CI/CD capabilities. macos-latest migration begins August 4, 2025…
Today, the Git project released new versions to address seven security vulnerabilities that affect all prior versions of Git.
Automatic dependency submission now supports the pip package manager for Python. This release completes the cohort of package managers that now have auto-submission support, adding to the previously-released Maven, Gradle,…
Dependency auto-submission now supports the .NET package manager NuGet. This feature continues to expand the supported range of package manager ecosystems, adding to the existing Maven and Gradle support. Dependency…
Today, we’re extending CodeQL code scanning support to Rust. Developers working on Rust libraries and apps can now benefit from our best-in-class code security analysis. We currently identify issues such…
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.21.4, which brings support for a new…
You can now run prompt evaluations from the command line using the new gh models eval command. This evaluates prompts defined in a .prompt.yml file using the same built-in evaluators…
Projects that use Gradle need to include dependencies that are resolved at build time in order to get a full, transitive dependency tree. To make this easier, dependency auto-submission now…
In the context of GitHub Actions runners, virtual network (vNet) is an Azure Virtual Network that provides network isolation, enhanced security, and private connectivity for runners deployed in a controlled…
Actions Runner Controller (ARC) is a Kubernetes operator that automates the deployment, scaling, and lifecycle management of self-hosted actions runners within a Kubernetes cluster. It enables dynamic provisioning of runners…
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released version 2.21.1 of CodeQL. Here’s what’s new and…
See how I built a developer-focused landing page in under 30 minutes using GitHub Copilot agent mode and Claude 3.5 Sonnet—with just screenshots and prompts.
Security should be native to your workflow, not a painful separate process.
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.20.6, which brings support for a new…
CodeQL version 2.20.5 has been released and includes a host of coverage improvements, including extended support for C# 13 and new detection capabilities for Java and GitHub Actions workflow files.…
GitHub’s Digital Public Goods Open Source Community Manager Program just wrapped up a second successful year, helping Community Managers gain experience in using open source for good.