Skip to content

/ Blog

Try GitHub Copilot Contact sales

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn about and how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - Scripting & automation
    How GitHub engineers use scripting and automation.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - Surveys
    What developers and industry leaders say matters most.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open source
- Open source
  Everything open source on GitHub.
  - Documentation
    Tips for creating and maintaining documentation.
  - Gaming
    Open source games on GitHub.
  - Git
    The latest Git updates.
  - Licenses
    Open source licenses, explained.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn about and how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - Scripting & automation
    How GitHub engineers use scripting and automation.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - Surveys
    What developers and industry leaders say matters most.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open source
- Open source
  Everything open source on GitHub.
  - Documentation
    Tips for creating and maintaining documentation.
  - Gaming
    Open source games on GitHub.
  - Git
    The latest Git updates.
  - Licenses
    Open source licenses, explained.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Try GitHub Copilot

advanced-security

Subscribe to all “advanced-security” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

→ ~ cd github-changelog

→ ~/github-changelog|main git log main

showing all changes successfully

Code scanning with CodeQL no longer installs Python dependencies automatically for new users

July 12, 2023

When analyzing a Python project with code scanning using CodeQL through advanced setup, we would try to automatically install dependencies for the project. Over the past months and years, we’ve made significant improvements to the Python analysis, which means CodeQL no longer needs to fetch these dependencies in order to analyze a codebase.

Therefore, starting now, we have disabled automatic dependency installation for new users of CodeQL for Python. This should improve scan times for Python projects, while having minimal impact on results. Code scanning users that have already set up CodeQL to scan at least one Python project will not see any changes to newly configured repos: the new behaviour only applies to those with no prior Python projects set up. We encourage existing users that configured code scanning with CodeQL via advanced setup to disable dependency installation by setting setup-python-dependencies: false as described in documentation.

Users of GitHub Enterprise Server (GHES) will benefit from this change starting version 3.11. We plan to deprecate all dependency installation (including for existing users) by the end of 2023.

See more See more

Workato is now a GitHub secret scanning partner

July 5, 2023

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Workato to scan for their API tokens and help secure our mutual users on public repositories. Workato Developer API tokens allow users to effectively manage their Workato workspaces programmatically and reduce administrative overhead as they onboard teams from across their organisation. GitHub will forward access tokens found in public repositories to Workato, which will then notify the user about the leaked token. You can read more information about Workato's tokens here.

All users can scan for and block Workato's tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Workato tokens in their private repositories.

See more See more

Code scanning with CodeQL supports Swift 5.8

July 5, 2023

After we released Swift in beta on the 1st June, we are now adding support for long awaited Swift 5.8.1 and Xcode 14.3.1. This release also brings better support for Swift 5.x on Linux, which now supports versions up to and including 5.8.1.

Swift 5.8.1 support is available starting with CodeQL version 2.13.5. Code scanning users on GitHub.com will automatically benefit from the latest CodeQL version, while those on GitHub Enterprise Server can update using these guidelines. Security researchers can set up the CodeQL CLI and VS Code extension by following these instructions.

While our Swift analysis support remains in public beta we welcome your input. If you have any feedback or questions about the Swift beta, consider joining our community in the #codeql-swift-beta channel in the GitHub Security Lab Slack.

See more See more

Security risk and coverage pages are now generally available and replace the enterprise-level overview page

June 29, 2023

Today we are announcing the general availability of our organization and enterprise-level security risk and coverage pages.

Additionally, the alert-centric pages for Dependabot, code scanning, and secret scanning are also now generally available at both the organization and enterprise levels.

The enterprise-level security overview page has been replaced by the risk and coverage pages as previously announced. The risk page is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.

To access the new enterprise-level risk and coverage pages, follow these steps:

Navigate to your profile photo in the top-right corner of GitHub.com.
Click Your enterprises.
From the list of enterprises, select the enterprise you wish to view.
In the enterprise account sidebar, click on Code Security.

These improvements have shipped to GitHub.com and will be available in GitHub Enterprise Server 3.10.

Learn more about the new risk and coverage pages and send us your feedback

See more See more

Code scanning default setup is now available for all CodeQL supported languages, excluding Swift

June 29, 2023

Code scanning default setup is now available for all CodeQL supported languages, excluding Swift. This includes supporting JavaScript/TypeScript, Ruby, Python, Go, Java/Kotlin, C/C++, and C# at the repository level. We will extend support to include Swift soon. We are also working to extend all CodeQL language support to the organization level.

Default setup detects the languages in the repository and automatically analyzes JavaScript/TypeScript, Ruby, Python, and Go. With this enhancement, you can customize the configuration to also analyze Java/Kotlin, C/C++, and C#. The configuration can be viewed and edited at any time, during or after set up.

You can also use the REST API to include CodeQL supported languages in the default setup configuration.

What if the analysis for a language fails in default setup?

It is possible for the CodeQL analysis for a particular language to fail, such as when the code can't be compiled. If the CodeQL analysis for a language fails in default setup, you will see an error message on the repository's settings page, in the code security and analysis section. To resolve the situation you can:

Deselect the language from the configuration and continue to use default setup for the successful languages.

Convert to advanced setup. The advanced setup uses a yml file and allows you to provide the build information required for the CodeQL analysis to succeed.

Debug and fix the cause of the language failure. The Actions log will provide the failure reason so you can resolve this for a successful analysis.

Why aren't some languages automatically included in the default setup configuration ?

Java (including Kotlin), C/C++, and C# are not automatically included in the default setup configuration because they often require more advanced configuration. Code written in these languages needs to be compiled in order for CodeQL analysis to proceed. CodeQL will attempt to build your code automatically but may fail if your code requires bespoke build steps.

Java (including Kotlin), C/C++, and C# are not included in bulk code scanning setup from the organization level. We are working to extend all CodeQL language support to the organization level soon.

For more information on code scanning default setup, see Configuring code scanning automatically.

See more See more

Code scanning default setup automatically updates when the languages in the repository change

June 26, 2023

Code scanning default setup now automatically updates when the languages in a repository change.

If a repository that uses default setup changes to include the languages JavaScript/TypeScript, Ruby, Python, or Go, the configuration will automatically update to include these languages. If the new configuration fails, we’ll resume the previous configuration automatically so that the repository does not lose coverage. The configuration will also automatically update if a repository removes a language.

You can always view the repository’s default setup configuration from the Code security and analysis settings page. Additionally, you can use the tool status page to view useful information about your setup and debug any failed languages.

Default set up makes it easy to get started with code scanning. The supported languages are currently JavaScript/TypeScript, Python, Ruby and Go and the list is constantly evolving. For more information on code scanning default setup, see Configuring code scanning automatically.

See more See more

Organization-level code scanning default setup for CodeQL is now generally available

June 23, 2023

Today we are announcing the general availability of code scanning default setup enablement at the organization level.

Code scanning enable all default setup button on the organization's 'Settings' page

You can use code scanning default setup to enable CodeQL analysis for pull requests and pushes on eligible repositories without committing any workflow files. Currently, this feature is only available for repositories that use GitHub Actions and it supports analysis of JavaScript/TypeScript, Python, Ruby and Go. We plan to add support for additional languages soon.

This feature is also available as a public beta in GitHub Enterprise Server 3.9 and will be generally available in GitHub Enterprise Server 3.10.

Learn more about configuring code scanning at scale using CodeQL and the "Enable or disable a security feature for an organization" REST API
Learn more about GitHub Advanced Security

See more See more

Use GitHub code search to support security research with multi-repository variant analysis for CodeQL (beta)

June 23, 2023

The latest release of CodeQL for VS Code includes new functionality for creating lists of target repositories for multi-repository variant analysis with GitHub code search.

Multi-repository variant analysis (MRVA) allows security researchers to run CodeQL analyses against large numbers of repos straight from the CodeQL extension for VS Code, making it possible to identify new types of security vulnerabilities in the most popular open-source codebases. Curated lists of up to 1,000 widely-used public GitHub repositories are included with MRVA to help you get started quickly – you can even trigger an MRVA run against up to 1,000 repositories in a single GitHub organization.

However, if you’d prefer to target different repositories, you can also create your own custom lists. To help make it easier to identify the most relevant repositories to include in your custom lists we have just released a new integration with the GitHub search API in the CodeQL extension. With this new feature, you can restrict the repositories appearing in your custom lists by the contents of source files, file paths, file location, or any other supported search qualifier.

For more information about how to use GitHub code search with MRVA, see Using GitHub code search to add repositories to a custom list in the CodeQL for VS Code documentation.

See more See more

Code scanning can filter alerts by language and file path

June 20, 2023

You can now easily find all alerts associated with a specific language with the new language filter on the code scanning alerts page.

To show all the code scanning alerts for a language, type 'language:javascript' in the Filter alerts text box.

Language filter

You can also use a file path filter to see all the alerts located in specific files or directories to sort and manage them efficiently by focusing on a specific part of the code related to the project.
This can be useful to manage lots of alerts on big repositories (monorepos) to review all alerts specific to the part of the code you are responsible for faster.

To apply the file path filter, type 'path:' and the path to the file or directory in the Filter alerts text box.

Path filter

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.10.

Learn more about filtering code scanning alerts.

See more See more

Risk and coverage views on the Code Security tab for enterprises (public beta)

June 15, 2023

Building upon the success of our organization-level security coverage and risk views, today we're introducing enterprise-level views to offer enhanced visibility into your enterprise's security coverage and risk analysis. The refreshed design provides you with an improved user experience with insights and dynamic filtering to maximize your productivity.

Coverage view

The coverage view allows you to gain visibility into the enablement status of security features across all repositories within your enterprise. Within the coverage view, you can:

Monitor the counts and percentages of repositories with GitHub security features enabled or disabled, which update when you apply filters.
Track enablement for additional security features, including secret scanning push protection, Dependabot security updates, and code scanning pull request alerts.

Enterprise-level security coverage

Risk view

Complementing the coverage view, the new risk view provides a comprehensive overview of all alerts across your enterprise. In the risk view, you can:

View the counts and percentages of repositories with security vulnerabilities, which also update when you apply filters.
Access open alerts categorized by severity for both Dependabot and code scanning.

Enterprise-level security risk

Both views are now available as a public beta. In the next few weeks, we will deprecate the enterprise-level overview page in favor of these two new views.

Learn more about the new risk and coverage views and send us your feedback

Learn more about GitHub Advanced Security

See more See more

Choose which languages to enable in code scanning default setup for your repository

June 15, 2023

Code scanning now has the option to enable default setup for a subset of languages in a repository. This lets you customize the configuration to suit your repository's needs, for example deselecting a language which is failing the analysis.

Default set up makes it easy to get started with code scanning. The supported languages are currently JavaScript/TypeScript, Python, Ruby and Go and the list is constantly evolving.

When you choose default setup, we automatically tailor a code scanning configuration for the repository. By default we will enable the best CodeQL configuration for all languages in your repository. However, if there is a language that you'd prefer to disable in code scanning, you can now customize the languages in your default setup configuration.

Use the 'edit configuration' page or REST API to edit the default setup configuration for a repository. You can customize the languages and query suites used in the analysis. The configuration can be viewed and edited at any time, during or after set up.

{
  "state": "configured",
  "languages": ["javascript-typescript", "ruby"],
  "query_suite": "default", 
  "updated_at": "2023-02-24T20:00:42Z"
}

For more information on code scanning default setup, see Configuring code scanning automatically.

See more See more

GitHub Advanced Security trial now available on GitHub Enterprise Cloud

June 12, 2023

All eligible GitHub Enterprise accounts can now try GitHub Advanced Security for free for 14 days. GitHub Advanced Security provides integrated security with unparalleled access to curated security intelligence. This unlocks your ability to keep your code, supply chain, and secrets secure before pushing the code to production. During the trial, you can try features such as:

Code scanning to help find and remediate security issues in your code
Secret scanning to prevent and detect secret exposures across your organization
Dependency review to catch vulnerable dependencies before introducing them to your environment

Explore our documentation to learn more about GitHub Advanced Security features and how to deploy them in your organization.
GitHub Advanced Security on Enterprise Cloud

Join the community discussion and leave us your feedback!

See more See more

CodeQL code scanning now supports Swift (beta)

June 1, 2023

Today, we're extending CodeQL code scanning support to Swift! Developers working on Swift libraries and apps on Apple platforms can now benefit from our best-in-class code security analysis. We currently identify issues such as path injection, unsafe web view fetches, numerous cryptographic misuses and other types of unsafe evaluation or processing of unsanitized user-controlled data. During this beta, we’ll gradually increase our coverage of distinct weaknesses.

Swift joins our existing supported languages (C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go), which in sum run nearly 400 checks on your code, all while keeping false positive rates low and precision high.

Set up code scanning on your Swift repositories today and receive actionable security alerts right on your pull requests. Read more about our supported Swift versions and platforms here.

Swift support is available starting with CodeQL version 2.13.3. GitHub.com users are automatically updated, while GitHub Enterprise Server users can update using these guidelines. Security researchers can set up the CodeQL CLI and VS Code extension by following these instructions.

This is just the start for Swift support in GitHub Advanced Security, keep an eye on the main GitHub blog for further announcements. If you have any feedback or questions about the Swift beta, consider joining our community in the #codeql-swift-beta channel in the GitHub Security Lab Slack. Thanks to all Swift community members who have participated in the private beta.

See more See more

Canadian Digital Service is now a GitHub secret scanning partner

May 25, 2023

GitHub secret scanning protects users by searching repositories for known types of tokens. By identifying and flagging these tokens, our scans help prevent data leaks and fraud.

We have partnered with Canadian Digital Service (CDS) to scan for their tokens and help secure our mutual users on public repositories. Canadian Digital Service tokens allow users to send email and text messages using the Government of Canada’s Notify service. GitHub will forward access tokens found in public repositories to CDS, which will then revoke the token and contact the impacted users to help them generate new tokens. You can read more information about CDS's tokens here.

All users can scan for and block CDS tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block CDS tokens in their private repositories.

See more See more

LogicMonitor is now a GitHub secret scanning partner

May 19, 2023

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with LogicMonitor to scan for their tokens and help secure our mutual users on public repositories. LogicMonitor tokens allow users to authenticate requests to LogicMonitor's REST API. GitHub will forward access tokens found in public repositories to LogicMonitor, which will then inform their portal contacts for remediation. You can read more information about LogicMonitor's tokens here.

All users can scan for and block LogicMonitor tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block LogicMonitor tokens in their private repositories.

See more See more

View more changes