PayPal users may start seeing a temporary authorization hold after accruing usage of metered products. This will appear as a pending charge in your account’s payment method and will be immediately reversed as soon as PayPal authorizes the amount. You will not be charged for the hold.
For more information, visit documentation for our metered products.
Developers can now manually run workflows set with workflow_dispatch directly from the Workflow view (Repository -> Actions -> Workflows) on GitHub Mobile. This addition provides developers with greater flexibility and control over their workflows, enabling them to trigger workflows manually while on the go using GitHub Mobile. Whether they are away from their desks, traveling, or simply need to run a workflow quickly, this feature ensures developers can manage their projects efficiently from anywhere.
Join the discussion within GitHub Community.
Copilot Chat in GitHub Mobile just got smarter! It now has improved contextual awareness within the app, allowing you to ask it about the specific file or repository you are currently viewing. For enterprise licenses, Copilot Chat can also provide information about your open issues, pull requests, and discussions. This enhancement makes it easier than ever to get the assistance you need, exactly when you need it, all on the go.
Download or update GitHub Mobile today from the Apple App Store or Google Play Store to get started.
Learn more about GitHub Mobile and share your feedback to help us improve.
Keyboard Navigation Improvements for Hovercards
We are excited to announce new keyboard behavior for navigating and dismissing hovercards without the need for a mouse! This enhancement is designed to make our platform more user-friendly for everyone, particularly those who rely on keyboard navigation.
How It Works
When you focus on a link with a hovercard, you can now press Alt + Up to make the hovercard appear and move focus inside it. This ensures that you can interact with the hovercard content without leaving your keyboard. Focus is trapped within the hovercard, similar to how it would be in a dialog box. To dismiss the hovercard and restore focus to the link, press Esc.
Customizable Settings
In response to both community and internal feedback, we have also introduced a new user setting that allows you to disable all hovercards. This option can be found under Accessibility Settings.
Send us Feedback
You can reach out to us at GitHub Community. Your feedback is invaluable as we strive to create an inclusive and accessible environment for all users.
To create a comprehensive model of the dependencies in a Maven project, it is essential to understand the transitive dependencies that are resolved at build time. This feature automatically performs build-time resolution of Maven dependencies and submits them to the dependency graph. This improves visibility into your project’s composition by including both the direct and transitive dependencies in your repository’s dependency graph and Dependabot alerts.
When you enable this feature, GitHub will monitor changes to the pom.xml file in the root of all branches of the repository, discover the dependencies referenced in this file, and automatically submit details about them to the dependency graph. This feature requires GitHub Actions, and it is compatible with both GitHub-hosted and self-hosted runners.
See the documentation to learn more about how to enable automatic dependency submission to help you secure your software supply chain.
CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.18.1 has been released and has now been rolled out to code scanning users on GitHub.com.
Important changes by version include:
- For CodeQL 2.17.6:
  - C# can now use build-mode: none, which allows scanning C# code without requiring working builds.
- For CodeQL 2.18.0:
  - Support for TypeScript 5.5.
- For CodeQL 2.18.1:
  - Kotlin & Swift support for mobile applications is now generally available.
  - Java build-mode: none analyses now only report a warning on the tool status page when significant analysis problems are detected.
  - Two new JavaScript queries have been added: js/functionality-from-untrusted-domain detects usage of scripts from untrusted domains, including the polyfill.io content delivery network, and js/insecure-helmet-configuration detects instances where important Helmet security features are disabled.
  - The precision of cpp/iterator-to-expired-container and cpp/unsafe-strncat has been increased to high. They have been moved to the default query suite.
For a full list of changes, please refer to the complete changelog for versions 2.17.6, 2.18.0, and 2.18.1. All new functionality will be included in GHES 3.15. Users of GHES 3.14 or older can upgrade their CodeQL version.
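The js/insecure-helmet-configuration query flags Helmet setups that switch off protections. The following is an added example, not GitHub's or CodeQL's code: a small audit of a Helmet options object that reports disabled or weakened protections, with a constructed weak configuration beside a hardened one. It assumes Helmet's option shape (each middleware keyed by name, set to `false` to disable or to an options object to tune) and uses a hypothetical one-year HSTS threshold.

```javascript
// Added example (not from the page or from CodeQL): audit a Helmet options
// object the way a misconfiguration check would, reporting protections that
// are disabled outright and settings that are enabled but weak.
// Assumes Helmet's documented option shape: `false` disables a middleware,
// an object tunes it, and an omitted key keeps Helmet's default.

const PROTECTIONS = {
  contentSecurityPolicy: "Content-Security-Policy",
  frameguard: "X-Frame-Options",
  hsts: "Strict-Transport-Security",
  noSniff: "X-Content-Type-Options",
  referrerPolicy: "Referrer-Policy",
  hidePoweredBy: "X-Powered-By removal",
};

// Hypothetical threshold chosen for this example, not a Helmet default.
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

function auditHelmetOptions(options = {}) {
  const findings = [];

  // 1. Protections switched off entirely (the pattern the query targets).
  for (const [key, header] of Object.entries(PROTECTIONS)) {
    if (options[key] === false) {
      findings.push(`${key} disabled: ${header} will not be applied`);
    }
  }

  // 2. CSP enabled but with directives that undo it.
  const csp = options.contentSecurityPolicy;
  if (csp && typeof csp === "object" && csp.directives) {
    for (const [directive, values] of Object.entries(csp.directives)) {
      const list = Array.isArray(values) ? values : [values];
      const weak = list.filter((v) => v === "'unsafe-inline'" || v === "*");
      if (weak.length > 0) {
        findings.push(`contentSecurityPolicy: ${directive} allows ${weak.join(", ")}`);
      }
    }
  }

  // 3. HSTS enabled but with a max-age too short to be meaningful.
  const hsts = options.hsts;
  if (hsts && typeof hsts === "object" && typeof hsts.maxAge === "number" && hsts.maxAge < ONE_YEAR_SECONDS) {
    findings.push(`hsts: maxAge ${hsts.maxAge}s is below one year`);
  }

  return findings;
}

// Constructed sample configurations (not taken from any real project).
const weakOptions = {
  contentSecurityPolicy: false,
  frameguard: false,
  hsts: { maxAge: 3600 },
};
const hardenedOptions = {
  contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"] } },
  hsts: { maxAge: ONE_YEAR_SECONDS, includeSubDomains: true },
};
// In an Express app: app.use(helmet(hardenedOptions)) once the audit is clean.
```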
Today, we’re introducing the beta for Copilot Enterprise Mixed Licensing within an enterprise. This grants GitHub Enterprise Cloud customers greater flexibility in selecting the best Copilot plans for their needs. Now, you can set a Copilot plan at the organization level instead of at the enterprise level.
Try it out now
To update an organization’s Copilot plan, an Enterprise Admin should navigate to Copilot Settings for the enterprise and select the desired plan via the dropdown menu for each organization.
Learn more about Copilot Enterprise Mixed Licensing in our documentation here and let us know what you think via Discussions.
To make it easier to submit security advisories, GitHub now validates package names.
When submitting a new GHSA (GitHub Security Advisory) in a repository, the user is prompted to enter the ecosystem (e.g. npm, maven) and package name (e.g. webpack, lodash). Now, when they enter the name, there will be a validation message at the bottom of the form to confirm whether or not the package name they entered has been found in the ecosystem they specified.
To learn more about submitting advisories to our Advisory Database, check out our documentation here.
Actions Usage Metrics is now generally available for all GitHub Enterprise Cloud customers. Actions Usage Metrics enables you to view data about your Actions workflow runs throughout your organization. You can use this data to identify opportunities to optimize your pipelines and reduce wasted runtime minutes which, when addressed, can lead to faster runs and increased developer productivity. Actions Usage Metrics breaks down the utilization of workflows, jobs, source repositories, and operating systems for GitHub-hosted runners and self-hosted runners. All of this data is available in the UI and can be exported and shared as a .csv file if you wish to integrate your usage data with internal or third-party tools.
To learn more about Actions Usage Metrics, check out our docs or head to our community discussion to ask questions and provide feedback.
The enum field indicating a ‘detached’ status will be deprecated from the ‘Get repositories associated with a code security configuration’ endpoint.
The endpoint itself will remain.
We will replace the ‘detached’ status with a ‘removed’ status. We will also add an additional status of ‘removed_by_enterprise’ to indicate situations where enterprise level settings changes have caused an organization-level code security configuration to be removed from a repository.
This change ensures that the code security configurations API is more in line with the status filters in the UI.
Today, we’re releasing a beta version of an open source GitHub App that manages private mirrors of public upstream repositories. The Private Mirrors App (PMA) enables organizations with regulatory or policy code review requirements to conduct their reviews in private, before contributing changes upstream. The app manages the lifecycle and synchronization of these private mirrors and automatically configures rulesets to manage PRs made to the mirrors.
The main benefits of working on private mirrors through PMA are:
- Branch protection rules can enforce PR reviews by people on particular teams to ensure proper signoffs
- If commits include code/keys/docs that should not be made public, there’s the opportunity to remove them and squash merge without leaking history
- Initial development can happen inside an Enterprise Managed Users (EMU) organization, whose users ordinarily can’t interact with public GitHub repos. Once the app syncs a change, the public fork and upstream PR use normal github.com identities.
If this is interesting to you, check out the Private Mirrors App repo. If you’ve got questions or feedback, feel free to file an issue in the repository or join the conversation in the GitHub Community Discussions.
Enhance your pull request workflow: Copilot pull request text completion now in beta
Copilot text completion for pull request descriptions is now available to all Copilot Enterprise customers. After typing just a few characters, Copilot will suggest completions to finish your sentences, leveraging the context of the PR and linked issues to ensure highly accurate and relevant suggestions.
This feature is currently in beta. An enterprise or organization admin must enable beta features using the “Opt in to preview features” Copilot policy to access text completion.
How to enable text completion for your Enterprise
An enterprise admin can enable beta features using the Copilot policy.
For more information about policies for Copilot Enterprise, see the documentation.
Users can control the feature
This feature is on by default if you have a Copilot Enterprise seat and your organization has the “Opt in to preview features” policy enabled. Additionally, individual users have the ability to easily disable and re-enable completions based on their personal preferences.
Learn more
To learn more, check the documentation for Copilot pull request text completion. This beta feature is subject to GitHub’s preview terms.
As always, we welcome any feedback on Copilot Enterprise in the discussion within GitHub Community.
GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the repository level.
Non-provider pattern scanning looks for token types from generic providers, like private keys, auth headers, and connection strings.
Code security configurations were made generally available on July 10th, 2024. This experience replaces our old settings experience and its API.
If you are currently using the REST API endpoint to enable or disable a security feature for an organization, this endpoint is now considered deprecated.
It will continue to work for an additional year in the current version of the REST API before being removed in July of 2025. However, users should note this will conflict with the settings assigned in code security configurations if the configuration is unenforced. This may result in a code security configuration being unintentionally removed from a repository.
The endpoint will be removed entirely in the next version of the REST API.
To change the security settings for repositories, you can use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.
Today, we’re excited to announce the general availability of our new organization and enterprise-level security overview dashboards, alongside enhanced secret scanning metrics and the enablement trends reports. These features are designed to provide comprehensive insights, improved prioritization, and advanced filtering options to streamline your security improvements.
Code security insights
Our new security overview dashboard, available at both the organization and enterprise levels, integrates security into the core of the development lifecycle. This empowers you to proactively identify and address vulnerabilities. Key features include:
- Track security improvements: Monitor trends over time by age, severity, and security tool, simplifying prioritization with top 10 lists focused on repositories and advisories.
- Autofix impact: Understand how autofix, powered by GitHub Copilot, is influencing your enterprise’s security remediation efforts.
- Advanced filtering: Customize data focus with filters by attributes such as team, repository metadata (i.e., custom repository properties), and security tool-specific filters:
- Dependabot: Filter by ecosystem, package, and dependency scope.
- CodeQL/Third-Party: Filter by specific rules.
- Secret Scanning: Filter by secret type, provider, push protection status, and validity.
Enablement trends for security tools
Monitor the enablement trends of all security tools with detailed insights into the activation status of Dependabot alerts, Dependabot security updates, code scanning, secret scanning alerts, and secret scanning push protection, giving you at-a-glance oversight of your security coverage.
Push protection insights for secret scanning
Gain insights into how push protection is functioning throughout your enterprise. Monitor the number of pushes containing secrets that have been successfully blocked, as well as instances where push protection was bypassed. Detailed insights by secret type, repository, and reasons for bypassing are also available.
To access these features, navigate to your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you wish to view. For organizations, click on the Security tab. For enterprises, click Code Security in the enterprise account sidebar.
These features are generally available on GitHub.com today and will be generally available in GitHub Enterprise Server 3.14.
Learn more about the security overview dashboard, the secret scanning metrics report, and the enablement trends report.
GitHub Enterprise Cloud customers can now see code security configurations data in audit log events.
Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings and helping you apply those settings to groups of repositories. Configurations help you change the settings for important features like code scanning, secret scanning, and Dependabot.
With the addition of configurations data in the audit log, organization and enterprise owners have easy visibility into why the settings on certain repositories may have changed.
Audit log events now include:
- Name of the configuration applied to a repository
- When the configuration application fails
- When a configuration is removed from a repository
- When configurations are created, updated, or deleted
- When configurations become enforced
- When the default configuration for new repositories changes
Code security configurations are now available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about code security configurations or send us your feedback.
The REST API now supports the following code security configuration actions for organizations:
- Detach configurations from repositories
- Enforce configurations
- Enable validity checks for secret scanning in a configuration
The API is now available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.
Secret scanning now detects generic passwords using AI. Passwords are difficult to find with custom patterns — the AI-powered detection offers greater precision for unstructured credentials that can cause security breaches if exposed.
Passwords found in git content will create a secret scanning alert in a separate tab from regular alerts. Passwords will not be detected in non-git content, like GitHub Issues or pull requests, and are not included in push protection. Password detection is backed by the Copilot API and is available for all repositories with a GitHub Advanced Security license. You do not need a Copilot license to enable generic secret detection.
To start detecting passwords, select “Use AI detection to find additional secrets” within your code security and analysis settings at the repository level, or the code security global settings at the organization level.
- Learn more about secret scanning
- Learn more about generic secret detection
- Join the discussion within the dedicated feedback repository
Organization owners and security managers can now filter the table of repositories on the code security configurations settings page by configuration attachment failure reason.
This is useful when you’ve attempted to attach a code security configuration to many repositories at the same time, and some have failed. The reason for the failure is also now listed in the row with the repository name.
Use the search bar to filter by failure-reason: and then insert one of the following options:
- actions_disabled – When you are attempting to roll out default setup for code scanning, but the repository does not have Actions enabled on it.
- code_scanning – When you are attempting to roll out default setup for code scanning, but the repository already has advanced setup for code scanning.
- enterprise_policy – When the enterprise does not permit GitHub Advanced Security to be enabled in this organization.
- not_enough_licenses – When enabling advanced security on these repositories would exceed your seat allowance.
- not_purchased – When you are attempting to roll out a configuration with GitHub Advanced Security features, but GitHub Advanced Security has not been purchased.
- unknown – When something unexpected occurred.
Learn more about code security configurations, the configurations REST API, or send us your feedback.
Secret scanning now helps you more easily define custom patterns with GitHub Copilot.
Generally available as of today, you can now leverage AI to generate custom patterns without expert knowledge of regular expressions.
What’s changing?
Defining custom patterns is now simpler and more efficient. You can leverage AI to generate patterns via text input — without expert knowledge in regular expressions.
With secret scanning, you can create your own custom detectors by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.
How do I use the regular expression generator?
When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.
The model returns up to three regular expressions for you to review. You can click on a regular expression to get an AI-generated plain-language description of it. You should still review this output and carefully validate the quality of its results by performing a dry run across your organization or repository.
Who can use the regular expression generator?
All GitHub Advanced Security customers on GitHub Enterprise Cloud can use the regular expression generator today. Anyone able to define custom patterns is able to use the regular expression generator (e.g. any admin at the repository, organization, or enterprise levels). You do not need a GitHub Copilot license to use the regular expression generator.
Learn more about the regular expression generator or how to define your own custom patterns.