Enterprise and organizations administrators can now create personal access tokens (classic) and OAuth apps with the read:audit_log scope to access the Audit Log REST API.
Why is this important? Stolen and compromised credentials are the number one cause of data breaches across the industry. To mitigate the risk of compromised credentials, GitHub recommends adhering to the principle of least privilege which promotes "giving a user account or process only those privileges which are essential to perform its intended function." The new scope will enable access to the audit log endpoints, without requiring full administrative privileges.
This feature is generally available for GitHub Enterprise Cloud customers, and will be released to GitHub Enterprise Server in version 3.8. To learn more, read our documentation on using the audit log API for your enterprise.
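As an added example (not code from GitHub's announcement or docs), the call below queries the enterprise audit log endpoint with a token that carries only read:audit_log, checks the X-OAuth-Scopes response header for any extra scopes the token should not have, and flags actions worth reviewing; the sample entries and the SENSITIVE_ACTIONS list are constructed for illustration.

```python
"""Query the enterprise audit log with a read:audit_log-scoped token (added example)."""
import json
import urllib.parse
import urllib.request

API = "https://api.github.com"
# Illustrative set of audit-log actions a reviewer would want surfaced; extend as needed.
SENSITIVE_ACTIONS = {
    "org.remove_member", "org.add_member", "repo.destroy",
    "org.disable_two_factor_requirement",
}

def build_request(enterprise: str, token: str, phrase: str = "", per_page: int = 100):
    """Build GET /enterprises/{enterprise}/audit-log; the token only needs read:audit_log."""
    query = urllib.parse.urlencode({"phrase": phrase, "per_page": per_page, "include": "all"})
    url = f"{API}/enterprises/{urllib.parse.quote(enterprise)}/audit-log?{query}"
    return urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })

def excess_scopes(oauth_scopes_header: str, required=("read:audit_log",)):
    """Scopes granted beyond what the audit log API needs (least-privilege check).
    GitHub reports a classic token's scopes in the X-OAuth-Scopes response header."""
    granted = {s.strip() for s in oauth_scopes_header.split(",") if s.strip()}
    return sorted(granted - set(required))

def flag_sensitive(entries):
    """Return (actor, action, created_at) for entries whose action is in SENSITIVE_ACTIONS."""
    return [(e.get("actor"), e["action"], e.get("created_at"))
            for e in entries if e.get("action") in SENSITIVE_ACTIONS]

def fetch_page(enterprise: str, token: str, phrase: str = ""):
    """Live call: returns (entries, X-OAuth-Scopes header) for one page of results."""
    with urllib.request.urlopen(build_request(enterprise, token, phrase)) as resp:
        return json.load(resp), resp.headers.get("X-OAuth-Scopes", "")

# Constructed sample entries shaped like the API response (timestamps are epoch ms).
SAMPLE_ENTRIES = [
    {"action": "repo.create", "actor": "alice", "created_at": 1670000000000},
    {"action": "org.remove_member", "actor": "mallory", "created_at": 1670000100000},
    {"action": "repo.destroy", "actor": "bob", "created_at": 1670000200000},
]

if __name__ == "__main__":
    print(flag_sensitive(SAMPLE_ENTRIES))
    print(excess_scopes("read:audit_log, repo"))
```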
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Tencent WeChat to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Tencent WeChat tokens allow users to verify the WeChat Official Accounts and Mini Program developers, obtain sensitive information on business applications and can be used to verify merchant identities.
GitHub will forward access tokens found in public repositories to Tencent WeChat, who will notify affected users. Tencent WeChat encourages users to delete leaked API tokens on GitHub and to create a new token on the WeChat Pay Merchant Platform or WeChat Official Accounts Platform. More information about Tencent WeChat tokens can be found here.
Secret scanning alerts for third-party API key detections now include a link to relevant documentation provided by the service provider, where available. These links are intended to help users better understand detections and take appropriate action.
The links will appear in the alert view for all repositories with secret scanning enabled. You can enable secret scanning on your public repositories and any private repository with GitHub Advanced Security. If you have feedback on any provided links, please write us a note in our code security discussion.
GitHub Actions hosted runner images are now more secure than ever, with the ability to see exactly what software is pre-installed on the image that was used by the runner during your build. GitHub now attaches a software bill of materials (SBOM) as an asset to each image release for Ubuntu and Windows. Support for Mac runners is targeted for Q1 2023.
In the context of GitHub Actions hosted runners, an SBOM details the software pre-installed on the virtual machine that is running your Actions workflows. This is useful when a vulnerability is detected: you can quickly tell whether you are affected or not. If you are building artifacts, you can include this SBOM in your bill of materials for a comprehensive list of everything that went into creating your software.
To check out the new files, head over to the runner-images repository release page now or check out our docs for more information.
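The "am I affected" check described above, as an added example rather than tooling from the runner-images project: it reads the package list from an SPDX 2.x JSON SBOM (the format the runner-images releases use) and compares each installed version against a list of advisories. Both the SBOM document and the advisories here are constructed for illustration and do not correspond to real CVEs.

```python
"""Check a runner-image SBOM (SPDX JSON) against an advisory list (added example)."""
import json
import re

def version_key(v: str):
    """Sortable key for dotted versions: numeric parts compare as ints,
    anything else as strings, so '7.81.0' < '7.85.0' and '2.38.1' > '2.38.0'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+]", v))

def load_packages(sbom_json: str):
    """Map package name -> versionInfo from an SPDX 2.x JSON document."""
    doc = json.loads(sbom_json)
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}

def affected_packages(packages, advisories):
    """advisories: (name, first affected version, first fixed version).
    A package is affected when introduced <= installed < fixed."""
    hits = []
    for name, introduced, fixed in advisories:
        installed = packages.get(name)
        if not installed:
            continue  # not pre-installed on this image
        if version_key(introduced) <= version_key(installed) < version_key(fixed):
            hits.append((name, installed, fixed))
    return hits

# Constructed SBOM fragment in the SPDX 2.3 JSON shape (not a real runner-images release).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "constructed-runner-image",
    "packages": [
        {"name": "curl", "versionInfo": "7.81.0"},
        {"name": "git", "versionInfo": "2.38.1"},
        {"name": "openssl", "versionInfo": "3.0.2"},
    ],
})
# Constructed advisories (package, first affected, first fixed); not real CVEs.
SAMPLE_ADVISORIES = [
    ("curl", "7.0.0", "7.85.0"),
    ("git", "2.0.0", "2.38.0"),
    ("nodejs", "16.0.0", "16.18.0"),
]

if __name__ == "__main__":
    print(affected_packages(load_packages(SAMPLE_SBOM), SAMPLE_ADVISORIES))
```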
Now, admins can also enable push protection for any custom pattern defined at the repository or organization level. Push protection for enterprise-level custom patterns will come in January.
Previously, only organizations with GitHub Advanced Security could enable secret scanning's user experience on their repositories. Now, any admin of a public repository on GitHub.com can detect leaked secrets in their repositories with GitHub secret scanning.
The new secret scanning user experience complements the secret scanning partner program, which alerts over 100 service providers if their tokens are exposed in public repositories. You can read more about this change and how secret scanning can protect your contributions in our blog post.
The GitHub Enterprise Cloud Dormant Users report is now generally available. This report shows enterprise members who have not been active in the last 90 days.
The actions and reusable workflows from private repositories can now be shared with other private repositories within the same organization, user account, or enterprise.
See managing the repository settings and managing the enterprise repository settings to allow access to workflows in other repositories.
Enterprises with GitHub Advanced Security can now enable secret scanning and push protection on all their organizations using a single call to an enterprise-level REST API endpoint.
You can also use the enterprise API to set a default custom link that will appear on a push protection block.
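An added example (not GitHub's own code) of driving the enterprise-level endpoints described above: it lays out the calls as a reviewable plan, then executes them with a token holding the enterprise administration scope. The endpoint paths and JSON field names are as documented for GitHub Enterprise Cloud at the time of writing and should be verified against current docs before use.

```python
"""Enable secret scanning and push protection across an enterprise (added example)."""
import json
import urllib.request

API = "https://api.github.com"

def plan_enablement(enterprise: str, custom_link: str):
    """Return the ordered (method, url, body) calls so they can be reviewed first."""
    base = f"{API}/enterprises/{enterprise}"
    return [
        # Defaults for repositories created from now on, plus the link shown on a push block.
        ("PATCH", f"{base}/code_security_and_analysis", {
            "secret_scanning_enabled_for_new_repositories": True,
            "secret_scanning_push_protection_enabled_for_new_repositories": True,
            "secret_scanning_push_protection_custom_link": custom_link,
        }),
        # One call per product enables it on every existing repository in every organization.
        ("POST", f"{base}/secret_scanning/enable_all", None),
        ("POST", f"{base}/secret_scanning_push_protection/enable_all", None),
    ]

def execute(enterprise: str, token: str, custom_link: str):
    """Live run; returns (method, url, status) per call. Any non-2xx raises HTTPError."""
    results = []
    for method, url, body in plan_enablement(enterprise, custom_link):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            results.append((method, url, resp.status))
    return results

if __name__ == "__main__":
    for step in plan_enablement("example-enterprise", "https://example.test/secrets-policy"):
        print(step)
```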
We've hardened our Dependabot support for private registries such that it will no longer make package requests to public registries if private registries are configured for the following ecosystems:
Now admins can transfer and rename a repository at the same time. Before, each action was separate.
In the transfer repository screen, choose “Select one of my organizations”. The “Repository name” field will appear below. You must be an admin on the target organization to rename the repository. Renaming isn’t available if you “Specify an organization or username”.
Optionally change the name the repository will have after transferring. Then complete the transfer!
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Telnyx to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Telnyx tokens allow users to manage their usage and resources on the Telnyx communications and connectivity platform.
GitHub will forward access tokens found in public repositories to Telnyx, who will immediately reach out to the user and work to swiftly rotate the key. More information about Telnyx tokens can be found here.
GitHub Advanced Security customers can also block Telnyx tokens from entering their private and public repositories with push protection.
GitHub Security was recently notified about a caching issue affecting npm. This bug had been present since 2016 and sporadically caused npm maintainers to be re-invited upon removal from packages or organizations. Our Security team investigated potential instances of the issue and believes this bug only occurred if a user was removed, followed shortly by the addition of a different member. This bug affected npm-cli version 6 and above, and was fixed in version 7+.
Out of an abundance of caution, we are recommending all npm users review the maintainers of their projects and organizations for any discrepancies that may be a result of this bug and remove any unexpected members. Please feel free to reach out to us with any additional questions or concerns through the following contact form: https://www.npmjs.com/support.
The GitHub Packages NuGet registry now runs on a new architecture, unlocking great new capabilities:
Publishing packages at organization level with GitHub Packages
Previously, NuGet packages published to GitHub Packages were closely coupled to their repositories. Now packages can be published at an organization level. They can still be linked to a repository at any time, if needed.
Fine grained permissions for NuGet packages published to GitHub Packages
You can now configure Actions and Codespaces repository access on the package's settings page, or invite other users to access the package. Additionally, NuGet packages published to GitHub Packages can still be configured to automatically inherit all permissions from a linked repository.
In addition to public and private, a package's visibility can now also be set to internal. It is then visible for all members of the GitHub organization.
These new features are now available to all users on github.com.
We've shipped improvements to the billing pages for GitHub Advanced Security so it is easier for you to see how many licenses you are using.
You can now see how enterprises and organizations are using licenses in the summary tiles.
You can download a CSV report for each item in the billing table so it is easier to report on license usage.
For enterprises, the table is sorted by the number of unique committers in each organization, so it is easy to see where GitHub Advanced Security licenses are used.
If an organization chooses to disable GitHub Advanced Security on a repository, the confirmation popup now informs you how this would impact your overall license usage.
This is available on the GitHub Advanced Security section on the enterprise's billing settings page enterprise-name/settings/billing and the organization's code security and analysis settings page organization-name/settings/security_analysis.
This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9. Learn more about the GitHub Advanced Security billing.
GitHub Advanced Security customers using secret scanning can now view any new secrets exposed in an issue's title, description, or comments within the UI or the REST API. This expanded coverage will also detect and surface secrets matching any custom pattern defined at the repository, organization, or enterprise levels.
We have also expanded the secret scanning partner program. Secret scanning partners will now receive notifications for secrets found in public issues that match their token formats.
We have made a bunch of improvements to our GitHub app in Slack and Microsoft Teams.
Slack
1. Introduced comment capability within Pull request notification cards
We have now added support to add comments on your pull requests directly from the notification card in Slack.
2. Introduced threading for Pull request notifications
Notifications for any pull request will be grouped under a parent card as replies. The parent card always shows the latest status of the PR along with other metadata like title, description, reviewers, labels and checks. Threading gives context, improves collaboration and reduces noise in the channel.
3. Added support to turn on/off threading for Issues and Pull requests
If you do not want to use threading or need some flexibility, we are also rolling out an option to turn on/off threading for issues and pull requests.
For more information, please visit the GitHub app guidance for Slack.
Microsoft Teams
1. Improved the create issue functionality
You can now create issues with just a click, right from the place where you interact with your team, that is, from your channels and the personal app.
The content of the chat is automatically added into the description along with the link to the MS Teams conversation.
The last used repo in the channel will be automatically filled in. However, you can change the repo if needed.
You can optionally fill in labels, assignees and milestones when you create an issue.
Once the issue is created you will receive a confirmation card in the channel where you created the issue.
2. Enhanced the PR notification cards in Channel and Personal App
We made a few UI improvements to the pull request notifications experience in MS Teams.
Introduced PR comment capability in the GitHub personal app.
Made a few updates to the look and feel of the pull request notification card.
For more information, please visit the GitHub app guidance for Microsoft Teams.
Starting today, GitHub Copilot is officially available to invoiced GitHub Enterprise customers with our new Copilot for Business offering which joins Copilot for Individuals.
This new add-on means enterprise users can now leverage GitHub Copilot’s powerful AI to write code and even entire functions with a simple editor extension.
Copilot for Business will also provide additional capabilities including license management, centralized policy controls, and industry-leading privacy. Each license will cost $19 USD/month and will be billed directly to existing Enterprise accounts.
The deprecation date for the CodeQL Action v1 is shifting. Initially, this was December 2022, and now it is January 2023. This change follows the updated timeline on the deprecation of GitHub Enterprise Server (GHES) 3.3.
In January 2023, the CodeQL Action v1 will be officially deprecated (alongside GHES 3.3). GitHub Action workflows that refer to v1 of the CodeQL Action will continue to work, but no new analysis capabilities will be released to v1. New CodeQL analysis capabilities will only be available to users of v2. For more information about this deprecation and detailed upgrade instructions, please see the original deprecation announcement from April 2022.
All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:
GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)