Now you can find answers to commonly asked questions about GitHub Enterprise Cloud in the GitHub Trust Center, a comprehensive resource for understanding how GitHub meets security, privacy, and compliance standards. Designed with transparency in mind, this resource centralizes key information, empowering you to build on GitHub with complete confidence.
Key Highlights:
– GitHub Enterprise Cloud FAQ: Addressing common questions on security, compliance, data residency, and privacy practices.
– Security Practices: Detailed explanations of GitHub’s encryption, access management, and threat detection features.
– Data Residency: Information on data storage locations and residency options.
– Compliance and Certifications: Discover compliance standards, such as SOC 2, ISO 27001, and GDPR.
– Privacy and Data Protection: Insight into GitHub’s approach to handling data in accordance with global privacy laws.
How to Access:
Visit the GitHub Trust Center and explore the GitHub Enterprise Cloud FAQ for all your security, privacy, and compliance queries.
Stay informed by regularly visiting the GitHub Trust Center, where updates are provided to ensure you have the latest insights.
Explore the new GitHub Trust Center today and build with confidence!
GitHub is now a participant in TISAX with an Assessment Level 2 (AL2) label in the ENX Portal. TISAX is a recognized assessment and exchange mechanism for the German automotive industry, ensuring that companies meet specific information security requirements. It is based on the Information Security Assessment (ISA) catalog of the German Association of the Automotive Industry, or Verband der Automobilindustrie (VDA), which aligns most closely with ISO/IEC 27001.
What does this mean for me as a customer?
For our customers, this participation provides additional assurance that GitHub is a trusted partner in managing and securing their data. It opens new opportunities for customers who require TISAX participation to consider using GitHub Enterprise Cloud products, GitHub Copilot, and GitHub Actions.
Participating in the TISAX program at Assessment Level 2 means that GitHub has demonstrated the ability to adequately protect sensitive information in accordance with industry standards. This assessment level focuses on:
– Information Security: Implementing robust security measures to prevent unauthorized data access and breaches.
– Risk Management: Continuously identifying, evaluating, and mitigating potential risks to GitHub’s information systems.
The scope of the TISAX assessment, using the newly released VDA ISA version 6, is the same as the GitHub Information Security Management System (ISMS), which has already been assessed against ISO/IEC 27001:2013. To see the scope, you can review GitHub’s ISO/IEC 27001:2013 certification.
Customers who are interested and registered as TISAX participants with ENX can find the details of GitHub’s assessment via the ENX portal by searching for GitHub, our Assessment ID (APC0RT), or our AL2 scope ID (SY52MN).
If you have any questions or need more information about GitHub’s compliance practices, please visit the GitHub Trust Center.
Actions Usage Metrics is in public preview for all GitHub Enterprise Cloud customers at the repository level.
Actions Usage Metrics enables you to view data about your Actions workflow runs in your repositories. Launched initially at the Organization level, this dashboard helps teams identify opportunities to optimize pipelines and reduce wasted runtime minutes which, when addressed, can lead to faster runs and increased developer productivity.
To learn more about Actions Usage Metrics, check out our docs or head to our community discussion to ask questions and provide feedback.
GitHub Issues has been how the world’s best software teams collaborate since it first launched in 2009. Today we are excited to unveil a major evolution of issues and projects, featuring a range of highly requested enhancements including sub-issues, issue types and advanced search for issues. Together, these additions make it easier than ever to break down work, visualize progress, categorize and find just the right issue in GitHub.
These new features are now available in public preview for you to try. To gain access for your organization, please sign up here.
🔗 Break down and nest issues with sub-issues
Sub-issues allow you to break down and organize issues within a parent-child hierarchy. You can create sub-issues from any issue and use their nested structure to track progress and understand remaining work. You can also easily track sub-issue progress within your projects.
Issue types allow you to classify and manage your issues with a shared and consistent language across all repositories in an organization. You can quickly understand the progress of your bug backlog, find all of the high-level initiatives teams are working on, and understand the breakdown of work in a project.
🔍 Find exactly what you’re looking for with advanced search
From the repository issues page, you can build advanced searches using the AND and OR keywords and parentheses for nested searches. This allows you to build more complex filters to find the exact set of issues you’re looking for.
All these new features are based upon an update to the issues front end, designed to be fast and familiar. This means there are no new UI patterns to slow you down, but we did include a few tweaks to speed you up, including:
– The issues index page has a new filter bar with autocomplete and syntax highlighting.
– Creating multiple issues is faster with a ‘create more’ option to quickly get back to the creation screen.
– Issue form and templates are now presented in alphabetical order based on file name, making it easier for you to set just the right order.
– Easily share the URL to an issue with a new ‘copy link’ button.
– On long issues, selecting ‘load more’ will now fetch 150 events instead of 50.
Earlier this year, we introduced the private beta of increased project item limits, expanding the capacity from 1,200 to 50,000 items in a project. Today, we’re expanding the audience for these increased limits.
Since the private beta, we’ve added support for slice by, swimlanes, and GraphQL API. We’ve also fixed your top bug reports and made performance improvements.
If you’re a project admin and your project is approaching the item limit without utilizing Insights (our only currently unsupported feature), a banner will appear over your project to notify you.
As this update is on a project by project basis rather than per organization, to join, just click the “Join waitlist” button on eligible projects.
With a subscription to Copilot Individual or Copilot Business, you can now access Copilot in GitHub.com, allowing you to:
– Discover codebases on GitHub effortlessly with powerful natural language code search in Copilot Chat.
– Streamline development processes by receiving suggestions to resolve build failures and summarizing changes in pull requests.
– Quickly get up to speed with the help of Copilot through summaries and key takeaways from discussions, issues, pull requests and more.
These features are also now available in GitHub Mobile for all Copilot users.
GitHub Enterprise Cloud’s open support for the System for Cross-domain Identity Management (SCIM) specification is now generally available for Enterprise Managed Users (EMUs). This allows administrators to mix and match their preferred choices of SAML and SCIM identity systems, providing the flexibility required to meet access management needs.
This release also includes significant improvements for security and auditing:
– A new reduced personal access token (PAT) scope, scim:enterprise, now lets you grant a least privilege, enterprise-level permission set just for read and write access to GitHub’s EMU SCIM API. Use of the admin:enterprise PAT scope is no longer required or recommended.
– New audit log entries exist for SCIM events to enable debugging of any provisioning failures with SCIM APIs.
Learn more about lifecycle management of Enterprise Managed Users with the SCIM API.
We are excited to introduce the CI/CD Admin role, a pre-defined organization role designed to streamline the management of settings and policies for GitHub Actions.
In March 2024, GitHub announced fine-grained permissions for Actions, which organizations could apply to custom roles. However, organizations are limited to 10 custom roles, and many customers prefer not to use these slots for an all-encompassing CI/CD role that requires ongoing updates as new permissions are added.
With the new CI/CD Admin role, organization owners and teams can now delegate comprehensive CI/CD management to individuals without the need to maintain a custom role. This pre-defined role, maintained by GitHub, includes the following permissions:
– Actions general settings
– Organization runners and runner groups
– Actions secrets
– Actions variables
– Network configuration
– Actions usage metrics
For more details about pre-defined organization roles and the fine-grained permissions included in the CI/CD Admin role, please refer to our documentation.
CodeQL version 2.19.0 has been released and has now been rolled out to code scanning users on GitHub.com. CodeQL is the static analysis engine that powers GitHub code scanning.
Important changes by version include:
CodeQL 2.18.2
– Support for scanning Java codebases without needing a build is generally available.
– The Python py/cookie-injection query, which finds instances of cookies being constructed from user input, is now part of the main query pack.
– One new query for Ruby rb/weak-sensitive-data-hashing, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
CodeQL 2.18.3
– New C# models for local sources from System.IO.Path.GetTempPath and System.Environment.GetFolderPath.
CodeQL 2.18.4
– Support for scanning C# codebases without needing a build is generally available.
– Support for Go 1.23.
CodeQL 2.19.0
– Support for TypeScript 5.6.
– One new query for JavaScript js/actions/actions-artifact-leak to detect GitHub Actions artifacts that may leak the GITHUB_TOKEN token.
– A 13.7% evaluator speed improvement over CodeQL 2.17.0 release.
For a full list of changes, please refer to the complete changelog for versions 2.18.2, 2.18.3, 2.18.4 and 2.19.0.
All new functionality from 2.18.Z releases will be included in GHES 3.15, while functionality from 2.19.0 will be included in GHES 3.16. If you use GHES 3.14 or older, you can upgrade your CodeQL version.
The Ubuntu 24.04 image for Actions is now generally available. To use Ubuntu 24 directly on your GitHub-hosted runners, update runs-on: in your workflow file to ubuntu-24.04.
The Ubuntu 24.04 runner image has different tools and tool versions than Ubuntu 22.04.
ubuntu-latest migration
The ubuntu-latest label will migrate to Ubuntu 24 over the course of the next month, beginning September 23rd and finishing on October 30th. During migration, you can determine if your job has migrated by viewing the “Runner Image” information in the “Set up job” step of your Actions logs.
macOS 15 for GitHub-hosted runners in Public Beta
The macOS 15 image for Actions is now available in public beta. To use macOS 15 directly, update runs-on: in your workflow file to macos-15, macos-15-xlarge, or macos-15-large.
jobs:
  build:
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: swift build
      - name: Run tests
        run: swift test
The macOS 15 runner image has different tools and tool versions than macOS 14.
To view the list of installed software for each image, or report issues, head to the runner-images repository.
From the 15th of October, we will no longer include Node16 in the Actions runner and customers will no longer be able to use Node16 Actions or operating systems that do not support Node20.
To prevent disruption to your Actions workflows, if you’re an Actions maintainer, update your actions to run on Node20 instead of Node16. If you’re an Actions user, update your workflows with the latest versions of the actions, which run on Node20.
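An added example, not GitHub's own tooling, that helps prepare for both the ubuntu-latest migration and the Node16 removal described above: it walks a checkout and reports action metadata files whose runs.using is node16 and workflow jobs whose runs-on uses the floating ubuntu-latest label. The function names and the sample tree are constructed for illustration, and the scan is a line-based heuristic rather than a full YAML parser, so labels supplied through a matrix or a multi-line runs-on list are not detected.

```python
import re
import tempfile
from pathlib import Path

DEPRECATED_RUNTIMES = {"node16"}      # runtime the page says is leaving the runner
FLOATING_LABELS = {"ubuntu-latest"}   # label the page says is migrating to Ubuntu 24

_USING = re.compile(r"^\s+using:\s*['\"]?([\w.-]+)['\"]?\s*(?:#.*)?$")
_RUNS_ON = re.compile(r"^\s*runs-on:\s*(.+?)\s*(?:#.*)?$")


def action_runtime(text):
    """Return the runs.using value from action metadata text, or None."""
    in_runs = False
    for line in text.splitlines():
        if re.match(r"^runs:\s*(#.*)?$", line):
            in_runs = True
        elif in_runs and line and not line[0].isspace() and not line.startswith("#"):
            in_runs = False           # another top-level key ends the runs: block
        elif in_runs:
            m = _USING.match(line)
            if m:
                return m.group(1)
    return None


def floating_runs_on(text):
    """Return (line_number, label) for single-line runs-on values using a floating label."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _RUNS_ON.match(line)
        if m:
            labels = set(re.findall(r"[\w.-]+", m.group(1)))
            hits += [(n, label) for label in sorted(labels & FLOATING_LABELS)]
    return hits


def audit(root):
    """Return sorted findings as (relative_path, line_number_or_0, message)."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in (".yml", ".yaml"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.stem == "action":
            runtime = action_runtime(text)
            if runtime in DEPRECATED_RUNTIMES:
                findings.append((rel, 0, f"action runs on {runtime}"))
        elif "/.github/workflows/" in "/" + rel:
            for n, label in floating_runs_on(text):
                findings.append((rel, n, f"floating runner label {label}"))
    return sorted(findings)


def demo():
    """Audit a small constructed repository tree (sample data, not real projects)."""
    files = {
        "old-action/action.yml": "name: old\nruns:\n  using: 'node16'\n  main: dist/index.js\n",
        "new-action/action.yaml": "name: new\nruns:\n  using: node20\n  main: dist/index.js\n",
        ".github/workflows/ci.yml": "jobs:\n  build:\n    runs-on: ubuntu-latest  # floats\n"
                                    "  pinned:\n    runs-on: ubuntu-24.04\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit(tmp)


if __name__ == "__main__":
    for rel, line, message in demo():
        print(f"{rel}:{line}: {message}")
```

Run `audit()` against the root of a repository checkout; a line number of 0 marks a finding that applies to the whole action metadata file.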
Starting today, existing GitHub Enterprise customers will begin to transition to the enhanced billing platform.
What is the enhanced billing platform?
The enhanced billing platform is a suite of new features designed to help administrators understand and manage GitHub spend for their enterprise. Benefits of the new platform include:
– Cost allocation: create cost centers to allocate spend to different Azure subscriptions
– Spend transparency: view usage for organizations, repositories, products, cost centers, and SKUs by hour, day, month, or year
– Improved control: set budgets to limit spending and configure alerts to stay informed of budget utilization
What to expect
Existing enterprises will gain access to the enhanced billing platform on a rolling basis, and all enterprises will have access by March 2025. You will be informed via email as well as through an in-app banner on the billing page in advance of the transition.
Here are some things to know about the transition:
– Once transitioned, a new Billing & Licensing section will appear in the enterprise account menu.
– Spending limits will be migrated and renamed as budgets in the new billing platform. For more details about budgets, visit “Preventing overspending.”
– While the new billing platform will not visually display historical usage, you will be able to download a usage report to get your pre-transition historical usage.
Other important changes
Git Large File Storage will transition from prepaid, quota-based data packs to a usage-based metered billing model. If you use Git Large File Storage today, you’ll receive credits for any unused data packs. For more information, visit “About enhanced billing for Git Large File Storage.”
Note: some billing-related APIs will no longer work or will work differently, and the relevant API documentation will be updated to reflect this information. In the coming weeks, there will be a separate changelog post that summarizes these changes. For more information about the billing API, visit “REST API endpoints for enterprise billing.”
Recent improvements to enterprise repository policy, rulesets, and custom properties now ensure a more consistent, intuitive experience, making it easier for you to navigate and accomplish your tasks efficiently.
– Enterprise repository policy page has been renamed to “Member privileges” to align the page title with the current URL path, API endpoints and the corresponding organization setting.
– Repository rulesets now support enterprise owners as a bypass actor, ensuring your most privileged roles across your enterprise can bypass rulesets.
– Custom repository properties now have an “additional options” section for administrators to easily manage properties.
Each column’s title is now a second level heading, and each card’s title is a third level heading. We hope this update helps make navigation via screen reader easier and more intuitive for this experience.
You can reach out to us in the GitHub Community discussions. Your feedback is invaluable as we continue on our journey to create an inclusive and accessible environment for all.
Now, you can view Prevention metrics alongside Detection and Remediation metrics in an enhanced security overview dashboard. This update is available at both the organization and enterprise levels.
New to the dashboard, the Prevention insights tab highlights CodeQL pull request alerts and will soon include secret scanning push protection insights. It’s designed to help you shift from merely responding to vulnerabilities to actively preventing them, the ultimate goal in application security. With this dashboard, you and your team can proactively keep vulnerabilities at bay, successfully blocking threats before they ever reach production.
Deep dive into the CodeQL pull request alerts
For a deeper analysis, the new CodeQL pull request alerts report is also available at both the organization and enterprise levels. This report allows you to:
– Track historical metrics for CodeQL pull request alerts
– Monitor code as it progresses from feature branches to the default branch
– Analyze metrics by CodeQL rule, autofix status, and repository
The enhanced dashboard is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.
You can now join the waitlist for early access to OpenAI o1 for use in GitHub Copilot in Visual Studio Code and GitHub Models. The waitlist is currently available to all Copilot users.
In Visual Studio Code, you can choose to use o1-preview or o1-mini to power GitHub Copilot Chat in place of the current default model, GPT-4o.
Note: to access this feature, you’ll need to be on VS Code Insiders with the latest pre-release version of the Copilot Chat extension.
In GitHub Models, you can use o1 models both in the playground and via the API. GitHub Models is currently in limited preview and you can sign up for access today.
Access to these models will roll out progressively while in preview and usage will be rate-limited.
Join the discussion and share feedback with us via Discussions.
GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the enterprise level. This enables you to manage your enterprise settings programmatically.
To help you triage and remediate secret leaks more effectively, GitHub secret scanning now indicates if a secret detected in your repository has also leaked publicly with a public leak label on the alert. The alert also indicates if the secret was exposed in other repositories across your organization or enterprise with a multi-repo label.
These labels provide additional understanding into the distribution of an exposed secret, while also making it easier to assess an alert’s risk and urgency. For example, a secret which has a known associated exposure in a public location has a higher likelihood of exploitation. Detection of public leaks is only currently supported for provider-based patterns.
The multi-repo label makes it easier to de-duplicate alerts and is supported for all secret types, including custom patterns. Both indicators apply only for newly created alerts.
In the future, GitHub will surface locations of the known public leak, as well as repository names with duplicate alerts. This metadata will also be surfaced via the REST API and webhooks.
A new version of the commit details page is now available in public beta!
This new page, which is enabled by default, lets you quickly understand and navigate the changes in a commit with improvements to filtering, commenting, and keyboard navigation.
What’s new 🎉
Here are a few of the noteworthy changes:
– Floating comments: Code comments float over the diff when selected. To select, click on the commenter’s avatar to the right of the line.
– Comment counts: To help you identify files with comments, the number of comments for a file now appears in the file tree.
– Keyboard navigation within diffs: You can now navigate around changed lines in the diff using the up and down keys on your keyboard. A new context menu also makes it easier to comment, copy, and select.
– Quick view switching: Switching between unified and split views no longer reloads the page.
– Filter by file extension: Easily filter changed files by file extension in the diff to see the content most relevant to you.
– Filtered out diffs hidden: When filtering the file tree, diffs are filtered as well, allowing you to reduce distraction and see the files you care about most.
Next steps 📣
To give feedback, ask questions, or report a bug, join us in the feedback discussion.
To opt out of the preview, go to the Feature Preview dialog on your profile, select New Commit Details Page, and click Disable.
To learn more about viewing commits, see About commits.
When reviewing code security configurations, you can now more easily filter repositories with new filter options.
The new filters allow you to sort repositories based on the status of specific features or GHAS itself:
– advanced-security:enabled
– dependabot-alerts:enabled
– dependabot-security-updates:enabled
– code-scanning-alerts:enabled
– code-scanning-default-setup:enabled
– code-scanning-pull-request-alerts:enabled
– secret-scanning-alerts:enabled
– secret-scanning-push-protection:enabled
Note that :disabled also works for each of the filters above to achieve the inverse.
Additionally, you can filter based on whether or not a repository is eligible for code scanning default setup:
– code-scanning-default-setup:eligible
– code-scanning-default-setup:not-eligible
These filters are available for organizations with GitHub Advanced Security (GHAS) enabled, and are only available in the UI at this time.