Dependency graph now supports submissions through the dependency submission API (beta). This enables you to add dependencies, such as those resolved when software is compiled or built, to the dependency…
GitHub Advanced Security customers can now view bypasses of secret scanning’s push protection in the enterprise and organization audit logs. The GitHub REST API and webhooks now also contain bypass…
GitHub Advanced Security customers can now perform dry runs of their custom patterns when editing a pattern. Dry runs allow admins to understand a pattern’s impact across an organization and…
In this post I’ll exploit CVE-2022-22057, a use-after-free in the Qualcomm gpu kernel driver, to gain root and disable SELinux from the untrusted app sandbox on a Samsung Z flip 3. I’ll look at various mitigations that are implemented on modern Android devices and how they affect the exploit.
GitHub’s Advisory Database now supports listing malware advisories. You can see them by searching “type:malware” on https://github.com/advisories. If you have enabled Dependabot alerts on your repositories, GitHub will send Dependabot…
To combat the prevalence of malware in the open source ecosystem, GitHub now publishes malware occurrences in the GitHub Advisory Database. These advisories power Dependabot alerts and remain forever free and usable by the community.
The Dependency Review GitHub Action, which checks if pull requests introduce a dependency with a known vulnerability, now supports configuration based on vulnerability severity and license type. The following configuration…
We share a recap of a recent roundtable event about what a federal open source software policy could look like in the United States.
Today, we’re shipping the ability to select multiple Dependabot alerts to reopen or dismiss from the index page UI. For example, from the Closed alerts tab, you can now select…
How can you robustly assert and identify a user’s identity?
Dependabot is generally available in GitHub Enterprise Server 3.5. Here is how to set up Dependabot on your instance.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with…
We’re excited to announce that we’re open sourcing our Identity and Access Management solution: Entitlements.
When you visit the GitHub Advisory Database, you can now search for any historical advisory recognized by the National Vulnerability Database. Previously, we only displayed advisories from our supported ecosystems.…
GitHub Advanced Security customers can now use sort and direction parameters in the GitHub REST API when retrieving secret scanning alerts. API users can sort based on the alert’s created…
We are archiving Atom and all projects under the Atom organization for an official sunset on December 15, 2022.
A personal story about building the feature you want and sharing it with the world.
Custom repository roles are now GA for GitHub.com and Enterprise Server 3.5. Organization admins can create custom repository roles available to all repositories in their organization. Roles can be configured…
In February 2022, we launched a new feature called community contributions to security advisories. We have made a handful of changes to the UX based on your feedback: Fixed the…
The dependency graph now supports detecting Rust (Cargo.{toml,lock}) files. These will be displayed within the dependency graph section in the Insights tab. Users will receive Dependabot alerts and updates for…
CI/CD and workflow automation are native capabilities on GitHub platform. Here’s how to start using them and speed up your workflows.
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
Last chance: Save $700 on your IRL pass to Universe and join us on Oct. 28-29 in San Francisco.
