Dependency review is now generally available for all public repositories and for private repositories with GitHub Advanced Security enabled. Dependency review helps you understand dependency changes and the security impact…
The npm security advisory database is now part of the GitHub Advisory Database. As a result, npm audit will now return URLs to the GitHub Advisory Database and the advisories…
Recover Accounts Elsewhere allows a user to store a recovery token with a third-party recovery partner to use as a recovery method when their account is protected by two-factor authentication.…
Manage your company in the cloud with more control and governance using enterprise managed users.
In this post, I’ll exploit a use-after-free (CVE-2021-30528) in the Chrome browser process that I reported to escape the Chrome sandbox. This is a fairly interesting bug that shows some of the subtleties involved in the interactions between C++ and Java in the Android version of Chrome.
GitHub Enterprise Cloud’s Services Continuity and Incident Management Plan is now available for self-service alongside additional resources under the Compliance tab. Enterprise owners may download and view current GitHub compliance…
GitHub Enterprise Server 3.2 is now generally available for all customers. This release contains more than 70 new features and changes that create a more delightful development experience, and provide…
This release brings over 70 new features and changes that improve developer experience and deliver new security capabilities.
As part of GitHub’s strong commitment to developer privacy, we are excited to announce updates to our privacy agreements in line with new legal requirements and our own robust data protection practices.
Filtered files on the Pull Request Files Changed tab are now completely hidden from view (not just collapsed). This helps decrease distractions and lets you focus on just the files…
This post is a technical analysis of a recently disclosed Chrome JIT vulnerability (CVE-2021-30632) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 13, 2021 in Chrome version 93.0.4577.82. I’ll cover the root cause analysis of the bug, as well as detailed exploitation.
Code scanning runs analysis tools that scan your code on the triggers defined in your .yml Actions workflow file. The default CodeQL workflow analyzes your code each time you push…
The GitHub Advisory Database now includes curated Rust advisories. This brings the Advisory Database to eight supported ecosystems, including: Composer (PHP), Go, Maven, npm, NuGet, pip, and RubyGems. Support for…
npm access tokens will now follow the established format of GitHub authentication tokens.
We’re excited to announce that the GitHub Advisory Database now includes curated security advisories on the Rust ecosystem!
npm access tokens will now follow the established format of GitHub authentication tokens as part of our work to create a more secure supply chain. Previously, the npm access tokens…
We’ve added support for Java 16 standard language features (such as records and pattern matching) to CodeQL. Code using those features can now benefit from CodeQL’s security analysis as part…
GitHub code scanning with CodeQL works seamlessly with GitHub Actions. For users of other CI/CD systems, we provided a way to run the code analysis using the CodeQL runner. The…
During an audit of Apache Dubbo v2.7.8 source code, I found multiple vulnerabilities enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers. In this blog post I detailed how I leveraged CodeQL as an audit oracle to help me find these issues.
GitHub Advanced Security customers can now edit their custom patterns defined at the repository, organization, and enterprise levels. After a user edits and saves a pattern, secret scanning searches for…
If you’re a GitHub Enterprise Cloud customer, you can now set up a stream of audit log and Git events to Splunk or an Azure Event Hub.
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
Catch up on the GitHub podcast, a show dedicated to the topics, trends, stories and culture in and around the open source developer community on GitHub.
