Search results for: Security

As GitHub Pages, home to 16 million websites, approaches its 15th anniversary, we’re excited to announce that all sites now build and deploy with GitHub Actions.

The GitHub Advisory Database now includes curated security advisories for vulnerabilities on GitHub Actions. This brings the Advisory Database to ten supported ecosystems, including: Composer, Go, Hex, Maven, npm, NuGet,…

GitHub Actions gives teams access to powerful, native CI/CD capabilities right next to their code hosted in GitHub. Starting today, GitHub will send a Dependabot alert for vulnerable GitHub Actions, making it even easier to stay up to date and fix security vulnerabilities in your actions workflows.

From hosting private packages in a private repository to tightening your security profile with GITHUB_TOKEN, here are five simple ways you can streamline your workflow with GitHub Packages.

It’s now easier to debug CodeQL analysis problems in code scanning: click Re-run jobs from the GitHub Actions workflow run page, check the Enable debug logging box, and hit the…

The GitHub Enterprise Server 3.6 Release Candidate is available and contains exciting updates and additions across the board. Release Candidates are a way for you to try the latest features…

Dependabot alerts will now show more information on an alert’s activity. In the details page for a Dependabot alert, you will see a timeline of events (e.g. opened, fixed, reopened).…

GitHub Advanced Security customers who are watching a repository’s secret scanning alerts will now receive an email notification when a contributor bypasses a secret blocked by push protection. Previously, notifications…

In this post I’ll exploit CVE-2022-20186, a vulnerability in the Arm Mali GPU kernel driver and use it to gain arbitrary kernel memory access from an untrusted app on a Pixel 6. This then allows me to gain root and disable SELinux. This vulnerability highlights the strong primitives that an attacker may gain by exploiting errors in the memory management code of GPU drivers.

GitHub Advanced Security customers can now sort and filter their list of custom patterns at the repository, organization, and enterprise levels. This upgrade to the experience supports admins who need…

The dependency graph now shows additional metadata for Rust dependencies, and listed dependencies link back to the GitHub repositories for the package if available. Learn more about the dependency graph.

From incorporating accessibility testing to implementing blue-green deployment models, here are six practical and strategic ways to improve your CI/CD pipeline.

GitHub Advanced Security customers can now retrieve repository code scanning results at the enterprise level via the GitHub REST API. This new endpoint supplements the existing repository-level and organization-level endpoints.…

Dependabot alerts will now be easier to prioritize with a new “Most Important” sort. For the alerts repository list view, by default, alerts will be sorted in a way to…

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud. We have partnered…

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud. We have partnered…

A Little Game Called Mario is an open source, collectively developed hell project. Anyone and everyone is welcome to contribute their unique talents to make both the player and developer experience more enjoyable. Find out how the collective leverages GitHub Actions to manage this wonderful little community.

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database and will send malware alerts through Dependabot. Since shipping this change, we have received feedback that…

New Actions from Anchore, NowSecure, SBT, and Trivy are now available to create a more comprehensive GitHub Dependency Graph.

In this post I’ll exploit CVE-2022-1134, a type confusion in Chrome that I reported in March 2022, which allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site. I’ll also look at some past vulnerabilities of this type and some implementation details of inline cache in V8, the JavaScript engine of Chrome.

When using the GraphQL API, you can now filter Dependabot alerts by the scope of the dependency affected. The possible scopes are DEVELOPMENT or RUNTIME. Dependency scope information is available…