To help you track and remediate secret scanning alerts more effectively, secret scanning alert assignees and security campaigns are now generally available. What’s new? Notifications: Alert assignees receive email notifications…
Learn more about the agentic security principles that we use to build secure AI products—and how you can apply them to your own agents.
Editor’s note (November 5, 2025): We’ve updated this post to explicitly clarify that the affected tokens are npm tokens. Today marks another milestone in our ongoing effort to strengthen npm’s…
GitHub Copilot coding agent is GitHub’s asynchronous, autonomous developer agent that helps your teams move faster by allowing you to delegate a wide range of tasks to it, including implementing…
For this year’s Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to put the spotlight on a talented security researcher—André Storfjord Kristiansen!
For this year’s Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher — @xiridium!
As part of our ongoing commitment to securing the npm ecosystem, we’re implementing the first phase of security improvements outlined in our recent announcement. These changes will roll out over…
For this year’s Cybersecurity Awareness Month, GitHub’s Bug Bounty team is excited to offer some additional incentives to security researchers!
Today, we’re announcing two major enhancements that help security and developer teams remediate security debt more efficiently. Security campaigns for secret scanning alerts Security campaigns are already generally available for…
CodeQL scans on pull requests for Go, C#, C/C++ and Swift are now incremental. All CodeQL languages now support incremental analysis. This is powered by our new incremental analysis, which…
GitHub is introducing post-quantum secure key exchange methods for SSH access to better protect Git data in transit.
Enterprise admins can now designate a specific contact email for security incident notifications by navigating to Settings > Profile in their enterprise account. This optional field allows for targeted security…
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.23.0, which introduces a new Rust security…
Starting today, developers with write access to repositories in security campaigns will receive email notifications without needing to subscribe to repository activity. Previously, users needed to subscribe to All activity…
You can now choose a Not set option for GitHub Code Security features in your organization’s security configurations. Previously, you could only enable or disable features like code scanning and…
Organizations using GitHub security configurations can now choose to require CodeQL to run on repositories using either default or advanced setup. Previously, if a repository was using advanced setup, you…
Discover how to increase the coverage of your CodeQL CORS security by modeling developer headers and frameworks.
Today, the Git project released new versions to address seven security vulnerabilities that affect all prior versions of Git.
Use these insights to automate software security (where possible) to keep your projects safe.
Stricter requirements are being enforced for application authentication and cross-organization access
We’ve introduced a new Dependabot metrics section in the Security tab, available at the organization level. This update helps application security managers cut through the noise and focus on remediating…
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
Catch up on the GitHub podcast, a show dedicated to the topics, trends, stories and culture in and around the open source developer community on GitHub.
