Cybersecurity spotlight on bug bounty researcher @yvvdwf
We’re excited to highlight another top contributing researcher to GitHub’s Bug Bounty Program: @yvvdwf
GitHub Actions can automate several common security and compliance tasks, even if your CI/CD pipeline is managed by another tool.
Organizations can now grant teams permission to manage security alerts and settings on all their repositories. The “security manager” role can be applied to any team and grants the team’s…
On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken. An underlying issue with a dependency, called `keypair`, resulted in the GitKraken client generating weak SSH keys.
GitHub’s bug bounty team is excited to kick off Cybersecurity Awareness Month with a spotlight on two security researchers who participate in the GitHub Security Bug Bounty Program.
GitHub Enterprise Server 3.2 is available today as a release candidate.
We put out a call to open source developers and security researchers to talk about the security vulnerability disclosure process. Here’s what we found.
Between July 21, 2021 and August 13, 2021 we received reports through one of our private security bug bounty programs from researchers regarding vulnerabilities in tar and @npmcli/arborist.
We’re changing which keys are supported in SSH and removing unencrypted Git protocol. Only users connecting via SSH or git:// will be affected. If your Git remotes start with https://, nothing in this post will affect you. If you’re an SSH user, read on for the details and timeline.
Today, we’re happy to announce more than 15 new integrations with open source security tools that broaden our language coverage to include PHP, Swift, Kotlin, Ruby, and more.
In June, we announced that security alert notifications are opt-in on a per-repository basis, using the repository’s watch settings. Today, we have updated security alert digest emails to also respect…
In May we announced that GitHub Advisory Database now includes Go advisories. Today we’re excited to announce that all of GitHub’s supply chain security features are available for Go modules,…
GitHub’s supply chain security features are now available for Go modules, which will help the Go community discover, report, and prevent security vulnerabilities.
New severity levels for security alerts
We now show security-severity levels for CodeQL security alerts in code scanning. security-severity levels help you understand in more detail the risks posed by…
We’ve shipped a couple of changes to our APIs: The code scanning API now returns the CodeQL query version used for an analysis. This can be used to reproduce results…
GitHub’s bug bounty program is now a mature component of how we improve product security. We’re excited to highlight some achievements (and interesting vulnerabilities)!
Last month, we announced that security alert notifications were changing to an opt-in model. We have completed this change and users now receive notifications only for repositories they watch and…
You can now authenticate to SSH using a FIDO2 security key by adding a sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com SSH key to your account. SSH security keys store secret key material on…
GitHub has been at the forefront of security key adoption for many years. We were an early adopter of Universal 2nd Factor (“U2F”) and were also one of the first…
We are implementing a change to the default notification settings for security alerts. Previously, if you had permission to view security alerts in a repository, you would receive notifications for…
The new security overview for organizations and teams – which provides a high-level view of the application security risks a GitHub organization is exposed to – is now in beta…