advanced-security

Subscribe to all “advanced-security” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

CodeQL, the static analysis engine that powers GitHub code scanning, can now analyze C# projects without needing a build. This public beta capability enables organizations to more easily roll out CodeQL at scale. Previously, CodeQL required a working build to analyze C# projects. By removing that requirement, our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of C# repos without manual intervention.
This new way of analyzing C# codebases is now enabled by default for all code scanning users on GitHub.com. CodeQL CLI users can enable this feature using the build-mode: none flag, starting with version 2.17.6.

Repositories with an existing code scanning setup, default or advanced, will not experience any changes. If code scanning is working for you today it will continue to work as-is, and there is no need to change your configuration.

  • Repositories using code scanning default setup will automatically benefit from this new analysis approach.
  • Repositories using advanced setup for code scanning via workflow files will have the option to choose a build-mode. The default value for newly configured C# repositories will be build-mode: none.
  • CodeQL CLI users will not experience any change in the default behaviour, for compatibility with existing workflows. Users that want to enable this feature can now use the --build-mode none option. Generally, you should set the --build-mode option when using the CLI to make it easier to debug and persist the configuration should default behaviour change at any point in the future.

The new mechanism for scanning C# is available on GitHub.com and will be available with CodeQL CLI 2.17.6. While in public beta, this feature will not be available on GitHub Enterprise Server for default setup or advanced setup for code scanning. As we continue to work on scanning C# projects without the need for working builds, send us your feedback.

See more

You can now use the REST API to create and manage code security configurations, as well as attach them to repositories at scale.

The API supports the following code security configuration actions for organizations:
– Create, get, update, and delete configurations
– Set and retrieve default configurations
– List all configurations
– Attach configurations to repositories

The API is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

See more

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.5 has been released and has now been rolled out to code scanning users on GitHub.com.

CodeQL code scanning now supports automatic fix suggestions for C/C++ alerts, powered by Copilot. This is automatically enabled for all private repositories for all GitHub Advanced Security customers. Autofix covers all security queries for C/C++ from our Default suite. Use our public discussion for questions and feedback.

Also included in this release:
– C/C++ now supports adding models for sources, sinks and summaries in data extension files, making it easier to expand support to new libraries.
– Python adds support for opml library and C/C++ adds partial support for Boost.Asio network library.
– All the CodeQL CLI commands that produce SARIF will output a minified version to reduce size.

For a full list of changes, please refer to the complete changelog for version 2.17.5. All new functionality will also be included in GHES 3.14. Users of GHES 3.13 or older can upgrade their CodeQL version.

See more

Secret scanning’s delegated bypass for push protection allows you to specify which teams or roles have the ability to bypass push protection, and requires everyone else to submit a request to bypass. These requests are reviewed by designated approvers.

A new webhook event, bypass_request_secret_scanning, is now created when:
* bypass requests are created or cancelled
* bypass responses are submitted or dismissed
* bypass requests are completed

Delegated bypass for push protection is available for GitHub Advanced Security customers on Enterprise Cloud, and will be available on GitHub Enterprise Server 3.14.

See more

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.17.4 has been released and has now been rolled out to code scanning users on GitHub.com.

This changelog combines significant updates from the release of CodeQL 2.17.2,2.17.3, and 2.17.4:

For a full list of changes, please refer to the complete changelog for versions 2.17.2, 2.17.3, and 2.17.4. All new functionality will also be included in GHES 3.14. Users of GHES 3.13 or older can upgrade their CodeQL version.

See more

Configurations are collections of security settings that organization administrators and security managers can define to help roll out GitHub security products at scale.

Starting today, you can enforce configurations. This new feature allows you to prevent users at the repository level from changing the security features that have been enabled and disabled in the configuration attached to their repository.

You can mark a configuration as enforced or unenforced at the bottom of the configurations edit page under the policy section:
Configuration Enforcement

Security configurations are currently available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about security configurations or send us your feedback.

See more

GitHub secret scanning lets you know if your secret is active or inactive with partner validity checks. These checks are run on an ongoing basis for supported providers for any repositories that have enabled the validity check feature.

Starting today, secret validity will now be reflected in an alert’s timeline, alongside the existing resolution and bypass events. Changes to a secret’s validity will continue to be included in an organization’s audit log.

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn how to secure your repositories with secret scanning or become a secret scanning partner.

See more

Secret scanning will now continually run validity checks on closed alerts, similarly to the behavior for open alerts today. You can still request on-demand checks for supported secret types from the alert at any time.

Validity checks indicate if the exposed credentials are active and could possibly still be exploited. GitHub Advanced Security customers on Enterprise Cloud can enable validity checks at the repository, organization, or enterprise level from your Code security settings.

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn how to secure your repositories with secret scanning or become a secret scanning partner.

See more

Gain valuable insights and effectively monitor your enterprise’s security landscape and progress with two new enterprise-level pages: the security overview dashboard and secret scanning metrics.

New overview dashboard on the security tab at the organization level

Key features

  • Customizable filters: Select specific time periods and focus areas such as security tool, team, or custom repository property.
  • Comprehensive data: Trending and snapshot data provide a robust security landscape overview.
  • Detailed metrics: Includes metrics such as the average age of security alerts, mean time to remediate, and push protection statistics.

To access these new enterprise-level views, navigate to your enterprise account. In the enterprise account sidebar, click Code Security. The new pages are accessible to organization owners and organization security managers, with data scoped to the repositories and alerts you have access to.

These two pages are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview, managing code security for your enterprise, and send us your feedback

Questions or suggestions? Join the conversation in the community discussion.

See more

The new Tool group-by option on the security overview trends graph provides a visualization of alert trends, organized by the security tools that detected each vulnerability. It’s designed to improve your ability to track and analyze the effectiveness of your scanning tools, enabling more strategic decision-making.

Example of the alert trends chart grouped by security tool

With this new functionality, you can:
* Pinpoint which tools are detecting the most critical vulnerabilities.
* Monitor the performance of your scanners over time.
* Prioritize your remediation efforts based on detailed insights.

To access this feature, navigate to the Security tab at the organization level on GitHub, and choose the Tool option in the Group by dropdown.

This functionality is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard for your organization and send us your feedback

See more

Secret scanning is expanding coverage for push protection to repository file uploads made via a browser. If push protection is enabled for a repository, secret scanning will now also block contributors from uploading files with detected secrets.

Learn more about push protection or sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

See more

When uploading a SARIF file that contains multiple SARIF runs for the same tool and category,
Code Scanning combines those runs into a single run.

Combining multiple runs within the same SARIF file is an undocumented feature that was originally intended to simplify uploading multiple analyses for the same commit. Since then, we have introduced the explicit concept of category to be able to upload multiple analysis for the same commit, thus better aligning with the SARIF Specification.

Today, we are starting the deprecation path for the combination of multiple SARIF runs with the same tool and category within the same file. Specifically, in the next few days, the github/codeql-action/upload-sarif action will start showing a deprecation warning when using 3rd party tools that rely on the combination of multiple SARIF runs with the same tool and category within the same file. While showing the deprecation warning, the upload of the SARIF file will succeed.

We expect to fully stop combining multiple SARIF runs with the same tool and category within the same file in June 2025 (for github.com) and in GHES 3.18, at which point the upload of the SARIF file will fail.

How does this affect me?

You are affected if you are using the github/codeql-action/upload-sarif action to upload results from a 3rd party Code Scanning tool and the tool generates multiple runs with the same category in a single SARIF file.
If that is the case, you will start seeing the deprecation warning, and you should work with the tool provider so that each run in the SARIF file has a distinct tool or category.

You are affected if you are using github/codeql-action/upload-sarif action to upload multiple SARIF files from a 3rd party tool. You can end up with multiple SARIF files if the tool either generates multiple SARIF files itself or if you are using a matrix build to run multiple analyses. Specifically, if you are doing a matrix build that generates multiple SARIF files and have a dedicated job to upload all the SARIF files together. For example, your workflow might look like the following if you analyze two apps using a matrix build but then have a dedicated upload job to upload all the SARIF files together:

jobs:
  analyze:
    ...
    strategy:
      matrix:
        app: ['app1', 'app2']

    steps:
    - name: SAST Scan
      ...

    - name: Temporary store SARIF file
      uses: actions/upload-artifact@v4
      with:
        name: sarif-${{ matrix.app }}
        path: "results"

  upload:
      name: Upload SARIF
      needs: analyze
      steps:
      - name: Fetch SARIF files
          uses: actions/download-artifact@v4
          with:
          path: ../results
          pattern: sarif-*
          merge-multiple: true

      - name: Upload Results
          uses: github/codeql-action/upload-sarif@v3

In this case, you need to make the call to the github/codeql-action/upload-sarif action to include a distinct category. For example, you can embed the step in the matrix job and use the matrix variables to generate a unique category. In this way, the example above becomes:

jobs:
  analyze:
    ...
    strategy:
      matrix:
        app: ['app1', 'app2']

    steps:
    - name: SAST Scan
      ...

    - name: Upload Results
      uses: github/codeql-action/upload-sarif@v3
      with:
        category: ${{ matrix.app }}

Note that changing the value of the category causes older alerts to remain open, and you might want to delete the configuration using the previous category value.

You are not affected if you are only using CodeQL via the github/codeql-action action. For the few repositories that rely on this behavior, the CodeQL CLI (starting version 2.17.0) includes backwards compatible logic.

You are not affected if you are uploading multiple SARIF files for the same commit using one of the documented approaches.

What’s next?

In June 2025, SARIF uploads to github.com that contain multiple runs with the same tool and category will be rejected.

See more

Previously, developers who used private registries to host their packages on internal networks could not use Dependabot to update the versions of those packages in their code.

With this change, users can choose to run Dependabot pull request jobs on their private networks with self-hosted GitHub Actions runners, allowing Dependabot to access on-premises private registries and update those packages.

A prerequisite for enabling self-hosted runners includes enabling GitHub Actions for the repositories of interest. It’s important to note that running Dependabot does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone.

To get started, check out our documentation on managing self-hosted runners with Dependabot Updates.

If you’re interested in learning more about what it means to run Dependabot as a GitHub Actions workflow, check out our changelog and FAQ or Dependabot on Actions documentation.

See more