Search results for: Security

Some best practices and important defenses to prevent common attacks against GitHub Actions that are enabled by stolen personal access tokens, compromised accounts, or compromised GitHub sessions.

We have released a new API for people who write custom CodeQL queries which make use of dataflow analysis. The new API offers additional flexibility, improvements that prevent common pitfalls…

GitHub Advanced Security customers can now perform on-demand validity checks for supported partner patterns, and the alert index view now shows if a secret is active. This builds on our…

If you are using the Dependabot grouped version updates feature (currently in public beta), you can now tell Dependabot to ignore updates in the group (similar to how you can…

If you are using the Dependabot grouped version updates feature (currently in public beta), you can now group your pull requests by dependency type in ecosystems that support this. Instead…

GitHub environments can be configured with deployment branch policies to allow-list the branches that can deploy to them. We are now security hardening these branch policies further by blocking runs…

Secret scanning’s push protection feature prevents supported secrets from being pushed into repositories, and has to date been enabled at the repository, organization, or enterprise level. Now, everyone across GitHub…

Introducing two new secret scanning push protection features that will enable individual developers to protect all their pushes and organizations to gain insights and trends across their repositories.

The administrator account (ending in _admin) of Enterprise Managed User enterprises is now required to enter sudo mode before taking sensitive actions. As with standard user accounts, the administrator must…

Researchers from Purdue and NCSU have found a large number of command injection vulnerabilities in the workflows of projects on GitHub. Follow these four tips to keep your GitHub Actions workflows secure.

The GitHub Enterprise Server 3.10 release candidate is here GitHub Enterprise Server 3.10 gives customers more control over how their instance is used and run. Here are a few highlights:…

For security reasons, source IP addresses have been removed from error messages that are returned from the GitHub API when callers try to access protected resources from non-permitted IP addresses.…

In the world of software development, collaboration can make the difference between a brittle last-minute release and a reliable, maintainable, pain-free project. Whether you’ve been coding for a day or a decade, your colleagues are there to help strengthen your work. But they can only help if you’ve given them the tools to do so.

Learn how you can structure your enterprise to get the most value out of GitHub and provide the best experience for your developers!

Learn about how we build containerized services that power microservices on the GitHub.com platform and many internal tools.

Dependabot can now open pull requests to update your Swift dependencies. In June, support for Swift advisories in the Advisory Database and Dependabot alerts was released. Dependabot will now be…

As part of the two-factor authentication requirement program on GitHub.com, the People pages of enterprises and organizations have been updated to include the 2FA requirement status of members and collaborators.…

Organization owners and security managers can now view metrics associated with push protection usage across their organization. The overview shows a summary of how many pushes containing secrets have been…

Code scanning default setup is now available for Swift analysis with CodeQL! Default setup now supports all CodeQL supported languages at the repository level. This includes JavaScript/TypeScript, Ruby, Python, Go,…

This blog post describes two security vulnerabilities in Decidim, a digital platform for citizen participation. Both vulnerabilities were addressed by the Decidim team with corresponding update releases for the supported versions in May 2023.

GitHub switched to performing merges and rebases using merge-ort. Come behind the scenes to see why and how we made this change.