security

Subscribe to all “security” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Updates to the two-factor authentication setup flow

As we prepare for next year's 2FA requirement for active contributors on GitHub, we're making improvements to our two-factor setup UI to encourage best practices and ensure new 2FA users have their authentication factors set up correctly from the start.

We now take an opinionated stance on which second factor you should set up first – you'll no longer be asked to choose between SMS or setting up an authenticator app (known as TOTP), and instead see the TOTP setup screen immediately when first setting up 2FA.

If you wish to use SMS when setting up 2FA, you can switch your authentication method via the new option at the bottom. In the future, you'll also find security keys there as an option for initial setup on supported devices and browsers.

For more information, see "Configuring two-factor authentication".

See more

OIDC for Azure AD Enterprise Managed Users is now GA

OpenID Connect (OIDC) for authenticating enterprise managed users is now generally available for enterprises using Azure AD.

OIDC allows GitHub to use your identity provider's IP allow list policies to control where PAT and SSH keys can be used to access GitHub from, with granular control down to individuals. Enterprise customers using OIDC can now select whether to use their identity provider's IP allow list policies, or GitHub's built-in allow list feature.

image

image

To learn more about OIDC and enterprise managed users, see "Enterprise Managed Users" and "Migrating from SAML to OIDC for Enterprise Managed Users". To learn more about Azure AD's IP allow list functionality, see "Location based Conditional access"

See more

New session and device management settings page

You can now review and manage your browser and GitHub Mobile sessions using the new Sessions tab in your user settings. This new tab includes all of your signed-in web sessions, as well as each GitHub Mobile app your account is signed into. You can revoke each web and mobile session individually. For mobile sessions, this signs you out of the GitHub Mobile app on that device, and disables that application for use as a second factor. The new Sessions tab replaces the web sessions view that was present under Password and authentication.

image

This new settings page is generally available for GitHub.com users now, and will be released to GitHub Enterprise Server as part of GHES 3.8.

To learn more, see "Viewing and managing your sessions".

See more

GitHub Actions: Require approval for running workflows from private forks

You can now require approval from a user with write permissions to the repository before a workflow run can be triggered from a private fork. This can be useful for some inner source scenarios, where you want to ensure that the code is reviewed before it is run.

image

Learn more about enabling workflows for forks of private repositories
For questions, visit the GitHub Actions community.
To see what's next for Actions, visit our public roadmap.

See more

Privately report vulnerabilities to repository maintainers

Open source maintainers can now opt-in to private vulnerability reporting, a dedicated communications channel where the community can disclose security issues directly to you on GitHub.

You can see reports sent to you under the new "Needs triage" status on your advisories list:
Screen Shot of Advisories tab

If the report is accepted, it becomes a draft security advisory. The reporter remains involved unless explicitly removed, so you can collaborate on phrasing the resulting draft advisory or fixing the issue in a private fork.

See more

Fixed bug that allowed OAuth tokens improper access to SAML SSO protected organization resources when used with the `/issues` API endpoint

On September 15, 2022, we fixed a bug on GitHub.com that allowed OAuth tokens (such as personal access tokens) to bypass SAML single sign-on (SSO) requirements to view organization issue data using the /issues GitHub API endpoint.

The SAML SSO bypass could only happen when the token owner was a member of a SAML SSO protected organization, had the necessary permissions to view the issue data, and was using an OAuth token that was not authorized for use with SAML SSO. Integrations using an OAuth token matching the above criteria would also bypass SAML SSO requirements when making requests to the /issues API endpoint.

The accessible data included the title, body, labels, and assignee of the issue, but did not include comments on the issue itself. The bug did not allow organization members to view repository, issue, or other organization data that they did not have permission to view.

See more

High-impact package maintainers now require 2FA

Starting today, two-factor authentication (2FA) will be enforced for maintainers of all high-impact npm packages. A package is marked as a high impact package when they have more than 1 million weekly downloads or have more than 500 dependents. Maintainers of such packages will be notified 15 days in advance to enroll for 2FA.

To learn more about configuring 2FA, see Configuring two-factor authentication.
To learn more about 2FA in general, see About two-factor authentication.
For questions and comments, open a discussion in our feedback repository.

See more

Improved account recovery flow in case of a lost 2FA device

We have streamlined our account recovery flow to help us verify your identity in the instance you lose access to your two-factor authentication (2FA) device and get locked out of your npm account.

If you lose access to your 2FA device and your recovery codes, you can now sign in to your npm account using your username and password and then request an account recovery. You will be asked to fill the form as shown below. We recommend you provide as much information as possible when requesting an account recovery.

recover_accounts

Read more about how you can recover your 2FA enabled accounts here.

For accounts with 2FA, linking your GitHub account and Twitter account in your profile settings will help verify your identity quicker.

Note: The new account recovery flow tries to gather and map information about your identity such that our support team can address your request sooner. Since there is a manual review in place, this recovery process will take few days to complete. We recommend our users generate and keep a copy of their recovery code to be used as the primary recovery option and avoid getting locked out of your account for a prolonged period of time.

See more

Introducing fine-grained personal access tokens

Today we're enabling fine-grained personal access tokens (PATs) in Public Beta for all user accounts on GitHub.com. This new type of token gives developers and resource owners more control and visibility around token access. Learn more about this new token type in today's blog post.

These new tokens offer many more permissions to choose from, must be scoped to a specific organization or account, and must expire. Organization owners will also find new tools to manage tokens that can access their organization, and can require approval of those tokens before they may be used.

PATsv2-light2

You can try out the new token creation flow, and provide feedback in our community discussion.

For more information, see "Creating a fine-grained personal access token".

See more

Reverted recent change that caused some pull requests to be incorrectly marked as merged

On September 5, 2022, we reverted a recent change to our indirect pull request merge logic that was causing some pull requests to be incorrectly marked as merged. This could happen if a pull request's head branch was force pushed and resulted in the pull request showing no new commits compared to the base branch. The original change went live on August 1, 2022 and caused confusion about why some pull requests were marked as merged by a contributor who did not have the necessary permissions. It also had the side effect of removing the "first time contributor" flag from these contributors without them having made an accepted contribution by the repository maintainers. Depending on repository settings, this could have allowed first time contributors to run GitHub Actions workflows based on their branches.

At no point were users able to push changes or merge pull requests in repositories to which they did not have appropriate authorization. After the change was reverted, GitHub conducted an investigation into any bypasses of the "first time contributor" flag and found no evidence of abuse.

See more

More incremental improvements to community contributions

In February 2022, we launched a new feature called community contributions to security advisories. We've continued to iterate on this feature, and recently released more improvements:

  • You're now prompted to add a reason for the change, so your contribution can be reviewed more quickly.
  • You can now submit a contributions without reference links getting reordered in the diff.
  • You can now click through to relevant docs from the advisories page.
  • You can overall enjoy a cleaner UX experience through a handful of other small fixes.

Further reading:

See more

False-alert flags will appear in users security log due to a bug in 2FA recovery events

Users with 2FA enabled may see false-alert flags in their security log for recovery_code_regenerated events between July 15 and August 11, 2022.
These events were improperly emitted during an upgrade to the 2FA platform. The storage format of the per-user value GitHub uses to generate your recovery codes was updated, causing the watch job to trigger the erroneous recovery_code_regenerated event.

No action is required from impacted users with regards to these events. GitHub has a policy to not delete security log events, even ones generated in error. For this reason, we are adding flags to signal that these events are false-alerts. No recovery codes were regenerated, and your existing saved recovery codes are still valid.

image

See more

Advisory Database supports GitHub Actions advisories

The GitHub Advisory Database now includes curated security advisories for vulnerabilities on GitHub Actions. This brings the Advisory Database to ten supported ecosystems, including: Composer, Go, Hex, Maven, npm, NuGet, pip, RubyGems and Rust.

If you have a dependency on any vulnerable GitHub Actions, GitHub will send Dependabot alerts over the coming days.

See more
View more changes