Getting root on Ubuntu through wishful thinking
How to exploit a double-free vulnerability in Ubuntu’s accountsservice (CVE-2021-3939)
On Thursday, December 9, 2021, GitHub was made aware of a vulnerability in the Log4j logging framework, CVE-2021-44228.
We shipped a ton of updates in November, from the push notification for PR review activities on the go, to an easy way to create Markdown links.
Starting 12-09-2021, GitHub Actions workflows triggered by Dependabot for the create, deployment, and deployment_status events will always receive a read-only token and no secrets.
GitHub Enterprise Server is now generally available for all customers. This release improves performance for CI/CD and for customers with large repositories.
Today we’re introducing enhanced login verification to the npm registry, and we will begin a staged rollout to maintainers beginning Dec 7.
This lesser-known OWASP project aims to help developers prevent vulnerabilities from being introduced in the first place.
GitHub has partnered with the OpenSSF and Project Sigstore to add container image signing to our default “Publish Docker Container” workflow.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans may prevent data leaks and any fraud associated with…
GitHub Advanced Security customers can now use the GitHub REST API to retrieve commit details of secrets detected in private repository scans. Now available on cloud, the new endpoint will…
GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets. This change will enable you to pull from private package registries in your CI using the same…
From learning YAML to scripting with Bash, here are a few simple tips for developers who want to speed up their workflows.
DRY your Actions configuration with reusable workflows (and more!)
The OpenID Connect (OIDC) support for secure cloud deployments with GitHub Actions is now generally available. You can configure your workflows to request short-lived access tokens that are automatically rotated for…
GitHub Actions now supports OpenID Connect for secure deployment to different cloud providers via short-lived, auto-rotated tokens.
OSS-Fuzz is Google’s awesome fuzzing service for open source projects. GitHub Security Lab’s @kevinbackhouse describes enrolling a project.
The latest release of the CodeQL CLI supports including markdown-rendered query help in SARIF files so that the help text can be viewed in the code scanning UI. This functionality…
A recap of all the GitHub Education news from Universe 2021, including the new Intro to Web Dev Experience.
A public beta of the new GitHub Issues, a “security manager” role for organizations, a command palette beta, and lots more.
Check out some advanced automation and CI/CD capabilities you can use today with GitHub Actions on any GitHub account.
In this post, I’ll use three bugs that I reported to Qualcomm in the NPU (neural processing unit) driver to gain arbitrary kernel code execution as root user and disable SELinux from the untrusted app sandbox in an Android phone.
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
Catch up on the GitHub podcast, a show dedicated to the topics, trends, stories and culture in and around the open source developer community on GitHub.