Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

advanced-security

Subscribe to all “advanced-security” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Copilot Chat in GitHub.com is now contextually aware of GitHub Advanced Security alerts

You can now use Copilot Chat in GitHub.com to search across GitHub to find and learn more about GitHub Advanced Security Alerts from code scanning, secret scanning, and Dependabot. This change helps you to better understand and seamlessly fix security alerts in your pull request. ✨

Try it yourself by asking questions like:
– How would I fix this alert?
– How many alerts do I have on this PR?
– What class is this code scanning alert referencing?
– What library is affected by this Dependabot alert?
– What security alerts do I have in this repository?

Learn more about asking questions in Copilot Chat on GitHub.com or about GitHub Advanced Security.

See more

Unkey is now a GitHub secret scanning partner

For Unkey users, GitHub secret scanning now scans for Unkey tokens to help secure your public repositories. Unkey’s Root API Key enables users to create and manage Unkey resources including APIs, API keys, global rate limiting, and access controls. GitHub will forward any exposed tokens found in public repositories to Unkey, who will then revoke the compromised tokens and notify the affected users. Read more information about Unkey tokens.

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

GitHub Advanced Security customers can also scan for and block Unkey tokens in their private repositories.

See more

Secret scanning fine-grained permissions for bypasses

You can now grant fine-grained permissions to review and manage push protection bypass requests within your organization.

Anyone with this permission will have the ability to approve and manage the list of bypass requests. You can still also grant these permissions by adding roles or teams to the “Bypass list” in your code security and analysis settings.

Next month, GitHub will be removing custom role support from the bypass list along with this change. To avoid disruption, existing custom roles that were added as bypass reviewers previously will be granted the fine grained permissions to review and manage bypass requests.

Delegated bypasses for secret scanning push protection allow organizations and repositories to control who can push commits that contain secrets. Developers can request approval from authorized users to push a blocked secret.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more

CodeQL code scanning can analyze Java and C# codebases without needing a build (GA)

CodeQL code scanning can now analyze Java and C# code without having to observe a build. This makes it easier to roll out the security analysis on large numbers of repositories, especially when enabling and managing repositories with GHAS security configurations.

CodeQL is the analysis engine that powers GitHub code scanning. When analyzing source code, it is important that the analysis engine has detailed knowledge of all aspects of the codebase. Now, the analysis engine no longer depends on observing the build process for Java and C# code, resulting in higher setup success and adoption rates for CodeQL code scanning (Java and C#).

During the testing of this feature, we validated that the analysis results were as accurate as the previous methodology. This feature was previously in public beta earlier this year (Java, C#), when it became the new default analysis mode for new users of CodeQL code scanning for these languages. Some customers experienced time significant savings as some tasks that previously took weeks now are achievable in minutes.

CodeQL’s new zero-configuration analysis mechanisms for both Java and C# are available on GitHub.com. If you are setting up CodeQL code scanning for these repositories, you will benefit from this analysis mechanism by default. If you set up CodeQL code scanning for Java or C# before their respective public beta releases of this feature, your analysis will remain unchanged (but can be migrated by disabling the current configuration and re-enabling code scanning using default setup). This new functionality will also be released to our GitHub Enterprise Server (GHES) customers starting with version 3.14 for Java and 3.15 for C#.

Repositories that use code scanning advanced setup will continue to use whichever analysis mechanism is specified in the Actions workflow file. The template for new analysis configurations now uses the new analysis mechanism by specifying `build-mode: none`. The old analysis mechanisms remain available. Users of the CodeQL CLI can find more documentation here.

Learn more about GitHub code scanning. If you have any feedback about these new analysis mechanisms for Java and C#, please join the discussion here.

See more

Secret scanning displays branch and file paths for push protection bypasses

Push protection bypass requests will now show file path and branch information for the secret. This improvement helps you more effectively triage any secrets for which you’ve requested push protection bypasses. Branch information is only available for pushes to single branches.

Delegated bypasses for secret scanning push protection allow organizations and repositories to control who can push commits that contain secrets. Developers can request approval from authorized users to push a blocked secret.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more

Secret scanning non-provider patterns inclusion in recommended security configuration

Now, secret scanning non-provider patterns are included in the GitHub-recommended security configuration. Non-provider patterns have also been automatically enabled for any repositories with the recommended configuration previously attached.

Secret scanning non-provider patterns are generic detectors which help you uncover secrets outside of patterns tied to specific token issuers, like HTTP authentication headers, connection strings, and private keys.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more

Secret scanning now deduplicates non-provider patterns

To help you triage and remediate secret leaks more effectively, GitHub secret scanning now dededuplicates non-provider patterns (generic patterns) against provider patterns.

Secret scanning non-provider patterns are generic detectors that help you uncover secrets outside of patterns tied to specific token issuers, like HTTP authentication headers, connection strings, and private keys.

Note: Custom patterns are not deduplicated, as removing a custom pattern will also delete those alerts. We recommend adjusting your custom patterns to avoid overlap with any GitHub-defined detectors.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more

Secret scanning non-provider patterns are included in security configurations

You can now enable non-provider patterns (generic patterns) through security configurations at the organization level.

Non-provider patterns will also be included in the GitHub-recommended security configuration on August 23, 2024. At that time, non-provider patterns will be automatically enabled for any repositories with the recommended configuration attached.

Learn more about how to secure your repositories with secret scanning.

Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more

Anthropic is now a GitHub secret scanning partner

For Anthropic users, GitHub secret scanning now scans for Anthropic tokens to help secure your public repositories. Anthropic tokens enable users to access Claude through the Anthropic API. GitHub will forward any exposed tokens found in public repositories to Anthropic, who will then revoke the compromised tokens and notify the affected users. Read more information about Anthropic tokens.

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

GitHub Advanced Security customers can also scan for and block Anthropic tokens in their private repositories.

See more

Prevention and autofix insights for CodeQL pull request alerts

You can now track prevention metrics for CodeQL pull request alerts with the new CodeQL pull request alerts report—available at both the organization and enterprise level. These insights empower you to proactively identify and mitigate security risks before they reach your default branch.

Enterprise-level CodeQL pull request alerts report

With this report, you can historically track metrics for CodeQL pull request alerts as code moves from feature branches to the default branch. Gain insights into:

  • Unresolved and merged alerts: Understand what security vulnerabilities made it to the default branch.
  • Fixes (autofix and manual): Track which alerts were addressed before merging.
  • Dismissed alerts: See which alerts were deemed false positive or risk accepted.

Additionally, analyze metrics by CodeQL rule, autofix status, and repository.

Historical data is available starting from May 1, 2024.

To access these reports, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and find CodeQL pull request alerts in the sidebar. For enterprises, click Code Security in the sidebar, then select CodeQL pull request alerts.

These reports are now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.

Learn more about security overview and join the discussion within the GitHub Community

See more

Secret scanning for non-code GitHub surfaces is now generally available

GitHub secret scanning now detects and alerts you on secrets found in GitHub issues, wikis, discussions, and pull requests.

Secrets, like API keys, passwords, and tokens, can hide in many places. Throughout 2024, we’ve discovered over 100k unique secrets hiding in mediums outside of code. If these leaks aren’t managed correctly, each one of them could pose a substantial risk.

To help protect you from leaked secrets – anywhere within your GitHub perimeter – GitHub provides visibility across all major surfaces. We scan these surfaces for over 200+ token formats and work with relevant partners to help protect you from publicly leaked secrets. GitHub also supports generic patterns like RSA private keys and Copilot-detected passwords.

Learn more about how to secure your repositories with secret scanning.

Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more

Retrieve the code security configuration currently applied to a repository via API

You can now retrieve the code security configuration applied to a specific repository via the repos endpoint in the REST API. Previously, you could only retrieve all the repositories associated with a configuration rather than the inverse.

Code security configurations help you manage and enforce the enablement of your security features like Dependabot, code scanning, and secret scanning.

To learn more about retrieving code security configurations with our repository REST API endpoint, check out our docs here.

See more

Code security configurations will replace feature enablement on the organization-level security coverage page on October 15

We are streamlining the deployment of GitHub’s security products at scale with code security configurations. This functionality simplifies the rollout of GitHub security products by defining collections of security settings and enabling you to apply those settings to groups of repositories. Configurations help you maintain security settings for important features like code scanning, secret scanning, and Dependabot.

As of October 15th, 2024, you will no longer be able to enable or disable GitHub security features for repositories from the organization-level security coverage view.

Learn more about code security configurations and send us your feedback.

See more

Bypass list for secret scanning push protection can include the maintainer role

Starting in April 2024, GitHub Advanced Security customers using secret scanning have been able to specify which teams or roles have the ability to bypass push protection using a delegated bypass list.

Administrators can now add the maintainer role to this list.

See more

Copilot Autofix for CodeQL code scanning alerts is now generally available

Today, we’ve announced the general availability of Copilot Autofix for CodeQL alerts in GitHub code scanning! Powered by GitHub Copilot, this feature brings automatic fixes for vulnerabilities found by CodeQL into the developer workflow.

Through a deep integration in GitHub pull requests, autofixes help developers to fix vulnerabilities quickly and early in the development process, thereby preventing new vulnerabilities from entering your codebase. Data from our beta programme shows that vulnerabilities with a fix suggestion are fixed 3x faster across all vulnerability types, and even faster for complicated vulnerability types like cross-site scripting (7x faster) and SQL injection (12x faster). For security debt that already exists in your codebases, Copilot Autofix can help you with on-demand autofixes for historical alerts. Copilot Autofix for CodeQL code scanning was previously called “code scanning autofix”, and is now generally available for all GitHub Advanced Security customers on GitHub.com.

As developers start using autofixes, security teams can see an overview of how their organisation adopts autofixes generated by Copilot on their security overview dashboard. This includes detailed information about remediation rates.

For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

Example of Copilot Autofix operating on a CodeQL alert in a pull request

See more
View more changes