Secret scanning automatically detects leaked secrets across all public packages on the npm registry. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact the committer directly. Package maintainers will not receive secret scanning alerts for these detections.
There are two new metrics available under the Repository object in the GraphQL API:
- LastContributionDate – The most recent date there was any of the following activity: a commit to a repository’s default branch, opening an issue or discussion, answering a discussion, proposing a pull request, or submitting a pull request review. This is a good single-number metric to find projects that may be unmaintained or in need of archiving.
- CommitCount – A monotonically increasing count of the total number of commits pushed to the default branch of the repository. Tracking the change in this over time will give a sense of the overall activity in the repository.
These metrics are currently in public beta, so you will need to include a header to your GraphQL requests to opt-in:
GraphQL-Features: ospo_metrics_apiAdditional documentation and context around these metrics is available in the github-ospo repo. Please provide your feedback on this discussion thread: https://github.com/orgs/community/discussions/72156
You can now access CodeQL, Secret Scanning, and other features of GitHub Advanced Security as part of your GitHub Enterprise Cloud trial. Enterprise admins can enable GitHub Advanced Security under Enterprise licensing.
- Join the community discussion and leave us your feedback!
New updates to the branches and commits pages are now in feature preview. These updates are focused on improved navigation, performance, and making these experiences more accessible.
Branches
We added clarity to the list header explaining what each section of the branches page does. Stale branches are now hidden by default to speed up page load times.
Commits
You can now filter commits by a date range and collapse the list per day to find the commits that matter to you quickly.
Click here if you have feedback and let us know in our community discussion.
Visual Studio
🤖 ARM Support
Version 1.116.0.0 of the Visual Studio extension now supports ARM.
🔒 Support for Proxies That Use Basic Authentication
Version 1.116.0.0 of the Visual Studio extension now support proxies that use a Basic Authentication scheme through an environment variable.
Visual Studio Code
🧪 Improvements to /tests Chat Command
The /test slash command is now better at detecting the testing framework you are using and will generate new tests in the same style, available with the GitHub Copilot Chat extension for Visual Studio, now in beta.
💬 Multi-Turn Chat Conversations
Chat can now refer to your previous messages to help answer your questions. To learn more about Copilot Chat beta in Visual Studio Code, head to the latest blog post.
💻 Ask GitHub Copilot defaults to the Chat view
A few months ago, we introduced an Ask GitHub Copilot option in the Command Palette so that you can take your query in the Command Palette and open it in a Copilot chat if the Command Palette didn’t provide a useful answer.
We gathered feedback on the preferred experience Ask GitHub Copilot should open: the Chat view in the side bar or Quick Chat. In an effort to make the first time experience more familiar, we chose the Chat view. With that said, if you would like Ask GitHub Copilot to open in Quick Chat, you can change the behavior with the askChatLocation setting:
“workbench.commandPalette.experimental.askChatLocation”: “quickChat”
🎨 Command Palette Similar Commands
This iteration, the Visual Studio Code team shipped the similar commands feature in the Command Palette. Copilot Chat users get an even better similar commands experience because we can use Copilot AI to determine similarity. These smarts help with synonyms and intent, and in our testing, Copilot was able to handle similarity across spoken languages as well. Finding the exact command you’re looking for in the Command Palette has never been easier!
General
📜 Enhanced Multi-Line Completions
We’ve heard your feedback and are excited to announce significant improvements to our multiline suggestions feature. ver the past several weeks, we have diligently tested and rolled out an update to enhance the number and quality of multiline suggestions. The model now does a better job of understanding when to suggest multiline code snippets, and you’ll notice that Copilot suggests multiline completions much more frequently.
This update impacts the following programming languages:
* JavaScript
* TypeScript
* Python
☀ Improved Copilot Content Filtering
We’ve introduced changes to our filtering mechanisms to incorporate more context from your environment and prompt, allowing for more accurate detection of abusive prompts and fewer false positives.
Questions, suggestions, or ideas?
Join the conversation in the Copilot community discussion. We’d love to hear from you!
Code scanning default setup now automatically attempts to analyze all CodeQL supported languages in a repository. This means default setup supports all CodeQL languages at the organization level, including enabling code scanning from an organization's Security Overview coverage page or settings page.
Previously, users would have to manually include the languages C, C++, C#, Java, or Kotlin in a default setup analysis, and enabling these languages was not supported at the organization level. Now, code scanning default setup automatically attempts to analyze all languages supported by CodeQL in a repository. If any analyses fail, the failed language will be automatically deselected from the code scanning configuration. Any alerts from the successfully analyzed languages will be shown on GitHub. This means code scanning will automatically set up the best possible configuration to get started easily with CodeQL and show the most relevant alerts to developers.
A warning banner is shown in the repository settings page if any languages fail and are deseslected. The "edit configuration" page shows all languages in the configuration, and allows users to change the language selection if required. For more information about the languages and versions supported by CodeQL and code scanning, see Supported languages and frameworks. To learn more about code scanning, see About code scanning.
This change is already available on GitHub.com and will be available in GitHub Enterprise Server 3.12.
GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Authress to scan for their service client access keys and their user API tokens to help secure our mutual users in public repositories. Authress access keys allow users to secure applications and platforms through machine-to-machine authentication and they enable granular resource-based authorization. GitHub will forward any exposed access keys found in public repositories to Authress, who will automatically revoke the exposed access key, create an audit trail message that can be ingested by SIEM technologies, and send an email alert to your Authress account admin. Read more information about Authress API access keys.
All users can scan for and block Authress keys from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Authress keys in their private repositories.
To enable developers to write code as securely as possible in their language of choice and using the latest features available, we constantly update code scanning with CodeQL. As such we are happy to announce that CodeQL now supports analyzing code written in Go 1.21.
Go 1.21 support is available by default in GitHub.com code scanning, CodeQL version 2.14.6, and GHES 3.11. For more information about the languages and versions supported by CodeQL and code scanning, see Supported languages and frameworks. To learn more about code scanning, see About code scanning.
On December 21st, 2023 GitHub Codespaces plans to remove the deprecated Repository Access and Security setting.
Rather than configuring cross-repository access at the account level, we now recommend declaring cross-repository dependencies and permissions directly within your devcontainer.json. This approach enables each development container to declare its own minimum set of permissions to operate, rather than allowing unrestricted access to other repositories your account can access.
This change will impact users and organizations that have set the Repository Access and Security setting to either selected or all repositories, and have not configured any development container level permissions. You will receive an email if you or any organizations you own may be impacted by this change.
To ensure continuity of usage, you will need to declare cross-repository permissions within each devcontainer.json, enabling access to each repository that a development container needs to access. You can test that you have successfully transferred all permissions by toggling the Access and Security setting to Selected Repositories and removing all entries once you have completed the conversion.
Please reach out to GitHub Support if you have any issues or questions.
Additional References
GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Mercury to scan for their license keys and help secure our mutual users on public repositories. Mercury tokens allow users to automate your banking needs through their API. GitHub will forward tokens found in public repositories to Mercury, who will then revoke them, keeping your account safe. Read more information about Mercury tokens.
All users can scan for and block Mercury tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Mercury tokens in their private repositories.
We’ve now made migrating existing tag protection rules into repository rules easy. With a few clicks, you can take multiple tag protection rules and turn them into a single ruleset or turn each rule into corresponding rulesets for more granular control.
Tag protection rules control who can create, update, and delete tags. Moving your tag protections to repository rules allows you to require status checks, deployments to pass, and signed commits. You also get the rest of the repository rules power, with configurable enforcement status, bypass lists, and flexible targeting.
For GitHub Enterprise Cloud customers, you can pair metadata restrictions with your tag protection to manage commit messages and control the names of your tags.
Click here to learn more. If you have feedback, please share and let us know in our community discussion.
Up until recently, the /rate_limit REST API endpoint was not covered by the API's rate limit. While this allowed API consumers to fetch rate limit information whenever they wanted, it was also a potential vector for abuse.
With that in mind, the /rate_limit endpoint is now covered by rate limits. Requests to the endpoint will not consume the primary rate limit quotas for the authenticated user. However, making a very high number of requests to the endpoint in a short period of time will trigger the secondary rate limits. Please follow the guidelines on avoiding the limits and what to do if you do hit them.
These limits are not intended to cause friction for any normal usage of the API. Rather, their aim is to prevent abusive patterns. If you run into any problems with these limits for the /rate_limit endpoint, please contact GitHub Support.
By default, links within text blocks on GitHub are now underlined. This ensures links are easily distinguishable from surrounding text. If preferred, you can "hide" underlines for these links in the accessibility settings. More details can be found in the documentation – managing the appearance of links.
Should you encounter any issues with this feature during its public beta, please provide feedback.
Thanks for aiding our mission to enhance GitHub's accessibility!
Webhook delivery logs are now only retained for 3 days. For up to 3 days after a webhook delivery is posted, you can view details about that delivery and request a redelivery. For GitHub Enterprise Server instances, the retention period is still 7 days.
Learn more about viewing webhook deliveries and redelivering webhook deliveries.
The redesigned GitHub navigation is now live for everyone! After a successful beta phase, which allowed users to test and provide feedback, we’re confident in providing a more intuitive, responsive, and accessible navigation experience to all users by default.
Key Features & Improvements:
- Efficient Breadcrumbs: Navigate with a clear understanding of your location on GitHub.
- Streamlined Menus: New menus facilitate quick access to top repositories, teams, and common workflows. Just click the menu icon on the upper-left to access the global menu, or your user profile for the user menu.
- Built for Search: Optimized navigation for new code search experiences, inclusive of a quick-access button for the command palette.
- Enhanced Accessibility: Navigate seamlessly using any device and assistive technology.
- Direct Links: Immediate access to a users entire collection of ‘issues’ and ‘pull requests’ across GitHub are availabel at the upper level of the navigation.
- Mobile & Responsive Enhancements: Improved experiences on various screen sizes and devices.
- Bug and Accessibility Fixes: Resolved issues to refine user interaction and accessibility.
Your Feedback Matters:
Your insights during the beta were invaluable. Thank you for helping us enhance GitHub. Explore and enjoy the refreshed navigation experience!
Actions environments now makes it more secure to review and control deployments using manual approvals.
Previously, any user could trigger a workflow and also manually approve/reject a deployment job targeting a protected environment, if they are a required reviewer.
We are now introducing an option for environment admins to prevent required reviewers from self-reviews to secure deployments targeting their critical environments.
This would enforce that a different reviewer could approve and sign off the deployments, rather than the same user who triggered the run – making the deployments more secure.
Learn more about securing environments using deployment protection rules.
For questions, visit the GitHub Actions community.
To see what's next for Actions, visit our public roadmap.
GitHub Advanced Security customers that have validity checks enabled for secret scanning will see the validation status for the following Discord tokens:
- discord_api_token_v2
- discord_bot_token
View our supported secrets documentation to keep up to date as we expand validation support.
- Learn more about secret scanning
- Become a secret scanning partner
- Got feedback? Open a discussion in our code security community
Need to roll back a change to a ruleset? How about easily moving your ruleset around?
With today’s public beta you now have new tools to manage your ruleset.
Import and Export
Rulesets are now easier to share and reuse, with the ability to import and export rulesets as JSON files. Giving you the ability to share rules across repositories and organizations or to share your favorite rules with the community. Which is what we’re doing. The ruleset-recipes repository is home to a collection of pre-baked rulesets covering a number of popular scenarios ready for you to use.
History
If you are a repository or organization administrator of GitHub Enterprise cloud, we’re adding a history experience so you can track changes and revert rulesets. Now, it’s easy in the ruleset UI to see who changed a ruleset, when it happened, and what changed. Then, quickly get back to a known good state.
Only changes made to a ruleset after the public beta are included in ruleset history.
Click here to learn more. If you have feedback, please share and let us know in our community discussion.
Starting today, organization administrators can create custom properties to enrich repositories with valuable information. Using these properties, you can dynamically target repository rules to apply protections on just your production repositories or to a business unit or any other way you want to classify your repositories.
Only organization administrators can configure custom properties; you can be confident knowing that they are not accidentally removed by a repository administrator, ensuring your branch and tag rules are consistently applied. Property values can also be automatically applied with default values at repository creation, ensuring every new repository is classified, and its first commit is protected.
Today, organization administrators can only use custom properties for dynamically targeting rulesets. But soon, you can use properties to filter and search in an updated repository list and other experiences across GitHub.
Learn more about managing custom properties for your organization and managing rulesets for your organization.
The Source Imports REST API allows integrators to programatically import internet-accessible Git repositories into GitHub.com – for example, from code hosting platforms like Bitbucket Cloud or GitLab.com.
We're ending support for this API due to very low levels of usage and available alternatives. From 00:00 UTC on April 12, 2024, these endpoints will return an error. Integrators affected by this change will receive email alerts ahead of this deprecation.
If you're using the Source Imports API, you'll need to update your integration by that date, or it will stop working. You can learn about alternatives to this API on the new "Programatically importing repositories" page on the GitHub Docs.