advanced-security

Subscribe to all “advanced-security” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Enable secret scanning with the enterprise-level REST API

Enterprises with GitHub Advanced Security can now enable secret scanning and push protection on all their organizations using a single call to an enterprise-level REST API endpoint.

You can also use the enterprise API to set a default custom link that will appear on a push protection block.

This new endpoint supplements the existing enterprise enablement settings in the UI and the repository-level and organization-level REST API enablement endpoints.

See more

Telnyx is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Telnyx to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Telnyx tokens allow users to manage their usage and resources on the Telnyx communications and connectivity platform.

GitHub will forward access tokens found in public repositories to Telnyx, who will immediately reach out to the user and work to swiftly rotate the key. More information about Telnyx tokens can be found here.

GitHub Advanced Security customers can also block Telnyx tokens from entering their private and public repositories with push protection.

Learn more about secret scanning
Learn more about protecting pushes
Partner with GitHub on secret scanning

See more

Improvements to GitHub Advanced Security billing pages

We've shipped improvements to the billing pages for GitHub Advanced Security so it is easier for you to see how many licenses you are using.

  • You can now see how enterprises and organizations are using licenses in the summary tiles.
  • You can download a CSV report for each item in the billing table so it is easier to report on license usage.
  • For enterprises, the table is sorted by the number of unique committers in each organization, so it is easy to see where GitHub Advanced Security licenses are used.
  • If an organization chooses to disable GitHub Advanced Security on a repository, the confirmation popup now informs you how this would impact your overall licenses usage.

Enterprise and Organisation GitHub Advanced Security usage

This is available on the GitHub Advanced Security section on the enterprise's billing settings page enterprise-name/settings/billing and the organization's code security and analysis settings page organization-name/settings/security_analysis.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9. Learn more about the GitHub Advanced Security billing.

See more

Secret scanning now detects new secrets in issue content

GitHub Advanced Security customers using secret scanning can now view any new secrets exposed in an issue's title, description, or comments within the UI or the REST API. This expanded coverage will also detect and surface secrets matching any custom pattern defined at the repository, organization, or enterprise levels.

We have also expanded the secret scanning partner program. Secret scanning partners will now receive notifications for secrets found in public issues that match their token formats.

See more

Updated timeline for the deprecation of CodeQL Action v1

The deprecation date for the CodeQL Action v1 is shifting. Initially, this was December 2022, and now it is January 2023. This change follows the updated timeline on the deprecation of GitHub Enterprise Server (GHES) 3.3.

In January 2023, the CodeQL Action v1 will be officially deprecated (alongside GHES 3.3). GitHub Action workflows that refer to v1 of the CodeQL Action will continue to work, but no new analysis capabilities will be released to v1. New CodeQL analysis capabilities will only be available to users of v2. For more information about this deprecation and detailed upgrade instructions, please see the original deprecation announcement from April 2022.

All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:

Environments in which CodeQL runs in CI/CD systems other than GitHub Actions are not affected by this deprecation.

See more

Organization-level security risk and coverage pages replace overview page

The organization-level security overview page has been replaced by the risk and coverage views as previously announced and is no longer available. The risk view is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.

GitHub Enterprise customers can use the new security overview experience today by clicking on an organization's "Security" tab.

Learn more about the new risk and coverage views and send us your feedback

See more

Code scanning organization-level REST API is available for public repositories

GitHub organizations can now use the code scanning organization-level API endpoint to retrieve code scanning alerts on public repositories; this no longer requires a GitHub Advanced Security license. This new endpoint supplements the existing repository-level endpoint.

Learn more about the code scanning organization-level REST API.

See more

CodeQL code scanning launches Kotlin analysis support (beta)

Starting today, GitHub code scanning includes beta support for analyzing code written in Kotlin, powered by the CodeQL engine.

Kotlin is a key programming language used in the creation of Android mobile applications, and is an increasingly popular choice for new projects, augmenting or even replacing Java. To help organisations and open source developers find potential vulnerabilities in their code, we’ve added Kotlin support (beta) to the CodeQL engine that powers GitHub code scanning. CodeQL now natively supports Kotlin, as well as mixed Java and Kotlin projects. Set up code scanning on your repositories today to receive actionable security alerts right on your pull-requests. To enable Kotlin analysis on a repository, configure the code scanning workflow languages to include java. If you have any feedback or questions, please use this discussion thread or open an issue if you encounter any problems.

Kotlin support is an extension of our existing Java support, and benefits from all of our existing CodeQL queries for Java, for both mobile and server-side applications. We’ve also improved and added a range of mobile-specific queries, covering issues such as handling of Intents, Webview validation problems, fragment injection and more.

CodeQL support for Kotlin has already been used to identify novel real-world vulnerabilities in popular apps, from task management to productivity platforms. You can watch the GitHub Universe talk on how CodeQL was used to identify vulnerabilities like these here.

Kotlin beta support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.8 will include this beta release.

See more

Filter code scanning API results by alert severity

You can now filter results from the code scanning REST API based on alert severity. Use the parameter severity to return only code scanning alerts with a specific severity. This is available at the repository and organization level.

This feature is available on GitHub.com, and will also be included in GitHub Enterprise Server (GHES) version 3.8.

Read more about the code scanning API

See more

Feature enablement from the organization-level security coverage page

You can now enable and disable the following GitHub security features for a single repository from the organization-level security coverage view:

  • Dependency graph
  • Dependabot alerts
  • Dependabot security updates

If you are a GitHub Advanced Security customer, you can also enable and disable the following features for a single repository:

  • GitHub Advanced Security
  • Secret scanning
  • Push protection

In the future, you'll be able to enable and disable multiple repositories from the coverage view.

enablement panel on coverage view

Learn more about the new coverage view and send us your feedback

Learn more about GitHub Advanced Security

See more

Figma is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Figma to scan for their API tokens and help secure our mutual users on public repositories. Figma API tokens can be used to read and interact with Figma and FigJam files — both through Figma’s own platform and other Figma-integrated applications. GitHub will forward access tokens found in public repositories to Figma, who will will immediately notify token owners. You can read more information about Figma's tokens here.

GitHub Advanced Security customers can also scan for Figma tokens and block them from entering their private and public repositories with push protection.

See more

LocalStack is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with LocalStack to scan for their API key tokens and help secure our mutual users on public repositories. LocalStack's tokens allow for activation of the advanced LocalStack features for their Pro/Team/Enterprise products. GitHub will forward access tokens found in public repositories to LocalStack, who will immediately notify users and revoke any compromised tokens. You can read more information about LocalStack's tokens here.

GitHub Advanced Security customers can also scan for LocalStack tokens and block them from entering their private and public repositories with push protection.

See more

Risk and coverage views on the Security tab for organizations (public beta)

Security overview’s new risk and coverage views provide greater visibility into your security posture and risk analysis.

Each new view offers a refreshed design with several key improvements, including insights and dynamic filtering.

Coverage view

The coverage view gives visibility into enablement across all repositories. On the coverage view, you can:

  • See counts and percentages of repositories with GitHub security features enabled or disabled, which update when you apply filters
  • Track enablement for additional security features, including secret scanning push protection, Dependabot security updates, and code scanning pull request alerts.

security-tab-coverage-page

Risk view

The coverage view is complimented by a new risk view that gives visibility into all alerts across these repositories.
On the risk view, you can:

  • See counts and percentages of repositories with security vulnerabilities, which also update when you apply filters
  • See open alerts segmented by severity for both Dependabot and code scanning.

security-tab-risk-page

Both views are now available as a public beta. In the coming weeks, we will deprecate the overview in favor of these two new views.

Learn more about the new risk and coverage views and send us your feedback

See more

CodeQL code scanning launches Ruby analysis support in GA

Last year, we launched Ruby analysis support in beta for GitHub code scanning. Today, we're announcing the general availability of this feature — covering even more vulnerabilities in Ruby code.

Ruby is part of the top 10 most popular languages on GitHub today. In the past year alone, code scanning (powered by the CodeQL engine) helped Ruby developers resolve more than 4,000 security issues. Set up code scanning on your repositories today and receive actionable security alerts right on your pull-requests.

Since shipping in beta, our Ruby analysis has more than doubled the number of common weaknesses (CWEs) that it can detect. A total of 30 rules check your code for a range of vulnerabilities, including cross-site scripting (XSS), regular expression denial-of-service (ReDoS), SQL injection, and more. Additional library and framework coverage for Ruby-on-Rails ensures that web service developers get even more precise results. We currently support all common Ruby versions, up to and including 3.1. Check out the documentation for more details on compatibility.

Ruby support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.4 shipped with Ruby (beta) support, and GHES 3.8 will include this GA release.

See more

Secret scanning: Organization admins can now set a link via the API to help developers blocked on push

GitHub Advanced Security customers using secret scanning can now specify a custom link via the organization level REST API that will show in the message when push protection detects and blocks a potential secret. Admins can use the custom link to point their developers to company-specific guidance on secrets.

Previously, admins could only set a custom link through the UI.

See more
View more changes