security-and-compliance


You can now enable secret scanning alerts on all your personal public repositories from your account's code security and analysis settings.

As before, you can also enable secret scanning alerts on any individual public repository or on all public repositories within an organization or cloud enterprise.

Secret scanning is free on public repositories, and available as part of GitHub Advanced Security on private repositories.


What’s new?

This feature makes it easier to enable Dependabot alerts and check enablement status across all your repositories at the enterprise level, with updates to both the enablement UI and the APIs. These updates ship today for GitHub.com and will ship for GitHub Enterprise Server users in 3.9.

Changes to the REST API

Dependabot alerts have been added to existing endpoints:

‘Code security and analysis’ settings

You can also adjust your enablement settings from your enterprise settings page (under ‘code security and analysis’). Options include enable all, disable all, and enable for new repositories for your enterprise.

Enable Dependabot alerts

Learn more about Dependabot alerts


Back in November 2022 we announced the public beta of Kotlin analysis. We continue to invest in Kotlin, and CodeQL now supports analysis of Kotlin 1.8.0 in beta.

If you have any feedback or questions, please use this discussion thread, or open an issue in the open source CodeQL repository if you encounter any problems.

Kotlin beta support is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. GitHub Enterprise Server (GHES) version 3.9 will include this beta release.


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with WakaTime to scan for their tokens and help secure our mutual users on public repositories. WakaTime tokens allow users to programmatically access their WakaTime code statistics. GitHub will forward access tokens found in public repositories to WakaTime, who will immediately revoke the leaked token and email the token's owner with instructions on next steps. You can read more information about WakaTime tokens here.

GitHub Advanced Security customers can also scan for WakaTime tokens and block them from entering their private and public repositories with push protection.


Dependency graph automatically supports many ecosystems, but some additional ecosystems require configuration to submit dependencies with the dependency submission API. The community maintains several GitHub Actions that make this easier.

Users with write access to Gradle, Maven, Scala, and Mill repositories now see messaging on their dependency graph that directs them to an action that will scan and submit dependencies for their ecosystem. Users with access to Dependabot alerts will also see messaging on their repository's Dependabot alerts tab.


Prompts will display if a repository includes any of the following files: pom.xml, build.gradle, build.gradle.kts, build.sbt, or build.sc.

The dependency graph team is working to have native support for these types of ecosystems with more news to come later this year.


CodeQL is the engine that powers GitHub code scanning, used by more than 100,000 repositories to catch security vulnerabilities before they cause issues in deployments.

CodeQL is fully integrated into the Pull Request workflow, so it has to be as fast as possible to keep developers unblocked.

We're constantly working on performance improvements, from incremental optimizations to fundamental research, all with the goal of speeding up the nearly 150,000 checks we run every single day, without compromising our best-in-class precision and low false-positive rate.

With the recent release of CodeQL version 2.12, we looked back at the performance gains compared to version 2.11 (September 2022) to see how far we've come. We compared the analysis time for the same 55,000 repositories on GitHub.com and found an average improvement of 15.7% across all supported languages:

Chart: CodeQL 2.11 to 2.12 analysis-time improvement

Users on GitHub.com automatically run the latest CodeQL version. Customers on GitHub Enterprise Server can update by following the sync processes explained here.


Following feedback from code scanning users, we've moved documentation about the CodeQL CLI from codeql.github.com to docs.github.com, the main GitHub Docs site.

You can now find the articles under the “Using the CodeQL CLI” and “CodeQL CLI reference” categories, which correspond to the categories on the original site. We’ve updated each of the original articles on codeql.github.com with links to the new location of the article and to each subsection, so that if you go to the old location you can easily find the information you need.

The source files now exist in Markdown format in the public, open-source docs repository. If you would like to contribute, you can consult and follow the steps listed in the GitHub Docs contributing guide.


What's new?

Starting today, anyone with repository write or maintain roles will be able to view and act on Dependabot alerts by default. Previously, only repository admins could view and act on Dependabot alerts. This change will help ensure that alerts are visible to the same developers responsible for fixing them.

How do I opt in?

No action needed; this change is applied to all existing and new repositories starting today.

What's not changing?

This doesn’t affect custom roles, the Security Manager role, or organization permissions for Dependabot alerts. Only repository admins can enable or disable Dependabot alerts.

What about alert notifications?

This change will also not affect your alert notification or repository watching settings. So, if you aren't opted in to Dependabot alert notifications in your user settings, you won't receive any.

If you are currently receiving notifications on alerts, any new repositories will be included with existing Dependabot alerts notifications.

Learn more about this change here.


Code scanning can now be set up to never cause a pull request check failure.

By default, any code scanning alert with a security-severity of critical or high causes a pull request check failure.
You can now choose which security-severity level of code scanning results should cause the code scanning check to fail, including None, under the Code security and analysis tab in the repository settings.

Screenshot: code scanning settings

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9. Learn more about severity levels for security alerts and Code scanning results check failures on pull requests.


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Persona to scan for their API keys and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Persona API keys allow users to create, update, and interact with their identity-related data. GitHub will forward API keys found in public repositories to Persona, who will notify affected customers and work with them to rotate their API keys. You can read more information about Persona API keys here.

GitHub Advanced Security customers can also scan for Persona API keys and block them from entering their private and public repositories with push protection.

Learn more about secret scanning
Partner with GitHub on secret scanning


Organization admins and security managers can now enable private vulnerability reporting for all public repositories within an organization at once.

With this enhancement, you no longer have to enable the feature for each repository individually.

Find this option under your organization's "Settings" tab under "Code security and analysis".

Private vulnerability reporting


Starting today, when you link to a Dependabot alert in an issue or pull request, anyone with permission to view the alert will see a rich Dependabot alert mention: a prettified link showing the alert's title, with a detailed hovercard.

Card details include:

  • Alert title, repository, and description
  • Date that the alert was opened
  • Alert severity and status (fixed, dismissed, or open)

Screenshot: Dependabot alert prettified link and hovercard example

Learn more about Dependabot alerts


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Twilio Segment to scan for their tokens and help secure our mutual users on all public repositories, and private repositories with GitHub Advanced Security. Twilio Segment tokens allow users to programmatically manage their workspaces. GitHub will forward access tokens found in public repositories to Twilio Segment, who will immediately revoke the token and notify workspace owners. You can learn more about Twilio Segment tokens here.

GitHub Advanced Security customers can also block Twilio Segment tokens from entering their private and public repositories with push protection.

Learn more about secret scanning
Partner with GitHub on secret scanning


Secret scanning users can now view the validity of a detected GitHub token by opening the related alert's page. The alert page tells you whether the GitHub token is still active and usable.

Secret scanning alerts are available for free on public repositories and as part of GitHub Advanced Security on private repositories.
