With delegated alert dismissal for secret scaning alerts, you can require a review process before alerts are dismissed. This helps you better manage your security risk as well as meet audit and compliance requirements.
Managing alert dismissal requests is now available with the REST API, offering flexibility for triage and reviews by integrating with your existing workflows.
Reviewers can retrieve dismissal requests for an organization or repository with the following endpoints:
When CodeQL scans repositories with Java and/or C# code that depend on packages in private registries—but don’t include those registry addresses in their Maven, Gradle, or NuGet configuration files—the analysis now uses private registry addresses configured at the organization level. This makes it even easier to roll out CodeQL’s Java and C# analysis at scale.
Last year we enabled CodeQL build-mode: nonescans to access private dependencies stored in private registries (e.g. Artifactory) for Java and C# projects. This required the addresses of the private registry to be defined in the project configuration. With this change, projects that relied on configurations defined in the build systems or locations external to the project will be able to use private registries.
This makes your scans more comprehensive, ensuring you receive all important alerts regardless of where your dependencies are stored.
This officially marks the end of the preview phase for CodeQL Java/C# private registry support; this feature is now generally available on GitHub.com. It will also roll out with GitHub Enterprise server version 3.18.
CodeQL version 2.21.0 has been released and includes TypeScript 5.8 support, a new Java query to detect exposed Spring Boot actuators, and support for new JavaScript libraries.
TypeScript 5.8 support
CodeQL can now analyze code written in TypeScript version 5.8, helping you find and automatically remediate security issues in the latest TypeScript projects, all without additional configuration.
Improved Java analysis
The community-contributed query java/spring-boot-exposed-actuators by @ggolawski has been promoted out of experimental status and is now included in the default code scanning query pack. This query helps you identify publicly accessible Spring Boot actuators, preventing unintended information disclosure.
Expanded JavaScript framework coverage
We’ve extended our JavaScript analysis to include popular modern frameworks and libraries:
Apollo Server: Added support for analyzing data coming from GraphQL when using @apollo/server.
React Relay: Added analysis support for React applications using the react-relay library.
SAP ecosystem: Added CodeQL support for analysis of SAP packages, including @sap/hana-client, @sap/hdbext, and hdb.
TanStack: Added support for analyzing applications using the @tanstack/angular-query-experimental package.
For a full list of changes, please refer to the complete changelog for version 2.21.0. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.0 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you use an older version of GHES, you can manually upgrade your CodeQL version.
GitHub regularly updates the default pattern set for secret scanning with new patterns and upgrades of existing patterns, ensuring your repositories have comprehensive detection for different secret types.
The following new patterns were added over the last few months. Secret scanning automatically detects any secrets matching these patterns in your repositories. See the full list of supported secrets in the documentation.
Provider
Token
Partner
User
Push protection
Bitrise
bitrise_personal_access_token
✓
✓
✓
Bitrise
bitrise_workspace_api_token
✓
✓
✓
Buildkite
buildkite_user_access_token
✓
✓
LinkedIn
linkedin_client_secret
✓
Mailersend
mailersend_smtp_password
✓
Naver Cloud
navercloud_gov_access_key
✓
✓
Naver Cloud
navercloud_gov_access_key_secret
✓
✓
Naver Cloud
navercloud_gov_sts
✓
✓
Naver Cloud
navercloud_gov_sts_secret
✓
✓
Naver Cloud
navercloud_pub_access_key
✓
✓
Naver Cloud
navercloud_pub_access_key_secret
✓
✓
Naver Cloud
navercloud_pub_sts
✓
✓
Naver Cloud
navercloud_pub_sts_secret
✓
✓
Neon
neon_api_key
✓
Neon
neon_connection_uri
✓
Pangea
pangea_token
✓
Planning Center
planning_center_oauth_access_token
✓
✓
✓
Planning Center
planning_center_oauth_app_secret
✓
✓
✓
Planning Center
planning_center_personal_access_token
✓
✓
✓
Ramp
ramp_client_id
✓
✓
Ramp
ramp_client_secret
✓
✓
Ramp
ramp_oauth_token
✓
✓
RunPod
runpod_api_key
✓
✓
✓
Sourcegraph
sourcegraph_access_token
✓
✓
Sourcegraph
sourcegraph_dotcom_user_gateway
✓
✓
Sourcegraph
sourcegraph_instance_identifier_access_token
✓
✓
Sourcegraph
sourcegraph_license_key_token
✓
✓
Sourcegraph
sourcegraph_product_subscription_token
✓
✓
The following existing patterns were upgraded to be included in push protection. When push protection is enabled, secret scanning automatically blocks any pushes that contain a secret matching these patterns.
Developers can now use Dependabot to automatically keep their Helm dependencies up to date. For projects that use Helm as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.
Security campaigns with Copilot Autofix are now generally available. As part of GitHub Code Security, you can use security campaigns to prioritize and rapidly reduce your backlog of application security debt. Copilot Autofix generates contextual explanations and fixes for historical code scanning alerts in a security campaign, which help developers and security teams collaborate to fix vulnerabilities with speed and confidence.
With the help of GitHub’s CodeQL and Copilot Autofix, it has never been easier to prevent new vulnerabilities from being added to your code. However, if you don’t address vulnerabilities discovered in already-merged code, security debt can build up and pose a serious risk to deployed applications.
A security campaign on GitHub can contain a large number of code scanning alerts, prioritized by your security team to be fixed within a chosen timeframe. When a campaign is created, Copilot Autofix automatically suggests fixes, and developers who are most familiar with the code are notified. From there, they can review the fixes, open pull requests, and remediate security debt. Security teams can monitor the progress of the campaign and track the number of fixed alerts. Using security campaigns, security and developer teams work together with Copilot Autofix to remove security debt in targeted efforts aimed at maximizing impact by focusing on the alerts that matter.
Starting today, you can also access these new features to plan and manage security campaigns more effectively:
Draft security campaigns: Security managers can now iterate on the scope of campaigns and save them as draft campaigns before making them available to developers. With draft campaigns, security managers can ensure that the highest priority alerts are included before the work goes live.
Automated GitHub issues: Security managers can optionally create GitHub issues in repositories that have alerts included in the campaign. These issues are created and automatically updated as the campaign progresses and can be used by teams to track, manage, and discuss campaign-related work.
Organization-level security campaign statistics: Security managers can now view aggregated statistics showing the progress across all currently-active and past campaigns.
Security campaigns are available for users of GitHub Code Security on GitHub Enterprise Cloud. For more information about security campaigns, see About security campaigns in the GitHub documentation.
If you have any feedback on security campaigns, join the discussion in GitHub Community.
GitHub’s dependency graph now supports a wider range of package ecosystems, including transitive path information and the registered name of the ecosystem. This change increases the accuracy and usefulness of GitHub’s dependency insights, SBOMs, and API results.
The Package URL project provides a registry of software package ecosystems, with a standardized format for package type, namespace, version, and human-readable identifiers. With this release, graphs posted to the dependency submission API that include purl identifiers will now:
Correctly preserve transitive and direct relationships, if they were submitted.
Show the package ecosystem name in the Dependency Graph insights page.
Include the submitted package url in the GraphQL DependencyGraphDependency object, in the field packageUrl.
For searching and filtering, note that the top-level ecosystem type for all purl-identified packages is now other. These packages used to have the unknown type.
To begin using this feature, add a dependency submission action for a purl-supported package ecosystem you’re using in your repository. Then navigate to the repository’s Insights tab and select Dependency graph.
At GitHub, we believe that investing in the security of your codebases should be straightforward, affordable, and scalable. Today, we’re rolling out standalone GitHub Advanced Security products for GitHub Enterprise customers. This aligns with our ongoing mission to help organizations of all sizes secure their code with the flexibility they seek.
Getting started as an existing GitHub Advanced Security customer
Existing GitHub Advanced Security customers with plans subscription-based plans can choose to transition at renewal. Customers with pay-as-you-go, metered-based plans can transition at any time. Please reach out to your GitHub or Microsoft sales account team for details.
Customers on subscription billing can migrate to either a standalone subscription or a standalone metered plan. For pricing details, please contact your account representatives.
How do I right-size enablement for my enterprise?
Customers transitioning before May 2025 can work with their account teams on right-sizing enablement for their enterprise across both Secret Protection and Code Security. All repositories will have both Secret Protection and Code Security enabled at the time of transition, regardless of your contractual plan.
Customers on contractual plans limited to secret scanning features will be able to optionally choose to transition with only Secret Protection enabled (and Code Security disabled) for their enterprise starting in May 2025.
When will the standalone plans be available for Enterprise Server?
Standalone SKUs will be available for Enterprise Server customers starting with GHES 3.17. To use metered billing, GitHub Connect is required.
Getting started as an existing GitHub Advanced Security self-serve customer
For existing self-serve customers, instructions on how to transition to the new GitHub Advanced Security plans will be announced over the next 30 days. You’ll receive an email notification when the new plans are available to your enterprise. Transitioning to the standalone plans will be self-serve and optional.
Getting started for new customers
Starting today, GitHub Enterprise customers without an existing GitHub Advanced Security plan can self-serve purchase both Secret Protection and Code Security. To get started, admins can navigate to Advanced Security under their enterprise, organization, or repository settings. From this page, you can choose to enable and purchase Secret Protection or Code Security features.
You can try the new standalone SKUs before committing. Contact your account team for more details. Alternatively, you can get started with a GitHub Enterprise trial.
Talk to someone from GitHub
In addition, Enterprise customers are welcome to reach out to their existing account team or request a demo from someone at GitHub.
GitHub is committed to empowering the developer community by helping organizations recognize and address the risks of secret leaks. That’s why we’re launching a new free tool which will help provide clear insights into your organization’s exposure, along with actionable steps to strengthen your security and protect your code.
Starting today, you can scan your organization for aggregate insights on public leaks, private exposures, and token types.
What will this dashboard include?
Available in the Security tab, organization and security admins will be able to run a scan to understand how their organization is affected by secret leaks and exposures. Once a scan is initiated, GitHub will look for secret leaks and exposures across your organization, returning a collection of insights including:
The number of secrets leaked per type.
The number of publicly visible secrets in your public repositories.
The number of repositories affected for each secret type.
No specific secrets will be stored or shared.
Once enabled, GitHub will run a point-in-time scan across all public, private, internal, and archived repositories in your organization. Results are static and will not be automatically updated. You’ll also be able to download results as a CSV file.
For organizations ready to adopt a continuous monitoring tool, we recommend enabling secret scanning for detection and incident management of specific secrets. Learn more about GitHub Secret Protection.
Why are we doing this?
GitHub is committed to making a meaningful impact on the developer community by helping organizations recognize their secret leak footprint across their GitHub perimeter. Our goal is to provide clear insights into organizations’ potential secret exposure and a clear path to stronger security.
Who can use this feature?
This feature will be available for free to organizations with a GitHub Team or Enterprise plan. Organization admins and security managers will be able to run the report and review any results. This feature will be available for Enterprise Server starting with GHES 3.18.
Share feedback while the feature is in public preview
This feature is available in public preview and is subject to improvement. Have feedback? Let us know what you think by joining our discussion in GitHub Community — we’re listening.
At GitHub, we believe that investing in the security of your codebase should be accessible for organizations of all sizes.
Starting today, GitHub Team plan customers can purchase GitHub Secret Protection and GitHub Code Security without upgrading your organization to GitHub Enterprise. This makes it easier to secure your codebase with GitHub Advanced Security products.
GitHub Secret Protection
GitHub Team organizations can purchase GitHub Secret Protection, which detects and prevents secret leaks (e.g. secret scanning, AI-detected passwords, and push protection for secrets).
Secret Protection will be available for $19 per month per active committer, with features including:
Push protection, to prevent secret leaks before they happen.
AI detection with a low rate of false positives, so you can focus on what matters.
Secret scanning alerts with notifications, to help you catch exposures before they become a problem.
Custom patterns for secrets, so you can search for sensitive, organization-specific information.
Security overview, which provides insight into distribution of risk across your organization.
Push protection and alert dismissal enforcement for secrets, which supports governance at enterprise scale.
In addition, we’re launching a new scanning feature to help organizations understand their secret leak footprint across their GitHub perimeter. This feature is free for GitHub Team organizations.
GitHub Code Security
GitHub Team organizations will also be able to purchase Code Security, which detects and fixes vulnerabilities in your code before it reaches production.
Code Security will be available for $30 per month per active committer, with features including:
Copilot Autofix for vulnerabilities in existing code and pull requests to provide developer-first security management.
Security campaigns to address security debt at scale.
Dependabot features for protection against dependency-based vulnerabilities.
Security overview, which provides insight into the distribution of risk across your organization.
Security findings for third-party tools.
Get Started
To get started, admins can navigate to Advanced Security under their organization or repository settings. From this page, you can choose to enable and purchase Secret Protection or Code Security features.
For example, from your organization settings, you can navigate to Security / Advanced Security / Configurations in order to create a new configuration with Secret Protection features enabled. Learn more about enabling GitHub Advanced Security.
In addition, admins can enable Secret Protection features in one click from their organization’s Security tab. Once the secret risk assessment has been run for your organization, you’ll be able to enable Secret Protection in one click from the system banner.
Dependabot alerts now contain a direct label if they are associated with a package you’ve directly included. In addition, there’s now a relationship:direct filter in the search bar to only show those alerts caused by your direct dependencies.
The direct dependency that led to a package’s inclusion in your dependency graph is visible both in the text of any new Dependabot alerts and the dependency insights page (click the … button, then Show options to view it).
A repository’s SBOM will contain a relationships section that uses the SPDX relationshipType: DEPENDS_ON field to express the tree of package dependencies. Similarly, the GraphQL API will now return a relationship field with direct, transitive, or unknown values in the DependencyGraphDependency object.
Ability to refresh Dependabot alerts from the list view
In addition to the Maven-specific additions, the Alert Settings menu on Dependabot alert tables now provides a Refresh Dependabot alerts option which will rescan your repository’s manifest files, rebuild its dependency graph, and refresh its open Dependabot alerts.
Getting started
To get transitive dependency labeling on your repositories, make sure dependency graph is enabled, and either enable Automatic dependency submission on the same settings page or use a dependency submission action. As a beneficial side-effect of this change, other package ecosystems with actions that create transitive dependency trees – such as go – will also now receive transitive and direct labels.
GitHub’s Payment Card Industry Data Security Standard (PCI DSS) v4.0 service provider Attestation of Compliance (AoC) as well as the corresponding shared responsibility matrix has been completed. This report is the first time GitHub has provided a PCI DSS service provider report for our customers. This enables customers to meet their own PCI DSS compliance needs using GitHub as part of their development environment.
Going forward, GitHub intends to provide this attestation of compliance each year.
If you’re an Enterprise customer and need to obtain copies of GitHub’s AoC or Shared Responsibility Matrix, please reach out to your account manager.
Developers can now use Dependabot to automatically keep their uv dependencies up to date. For projects that use uv as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.
Alerts for non-provider patterns and Copilot-detected passwords are now categorized as generic instead of experimental. This change applies to alert filters and the secondary inbox in your alert list views.
Non-provider patterns and Copilot secret scanning were made generally available in October 2024, after careful iteration to reach the level of quality you’ve come to know and expect from provider-based patterns. These alerts are not considered experimental and should be remediated in accordance with your organization’s standard policies.
Detection for these secret types are available for repositories with a GitHub Advanced Security license. They can be enabled through your repository settings or organization and enterprise code security configurations.
CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.20.6, which brings support for a new version of Java and a variety of other improvements that improve the accuracy of your code scanning results:
Java
CodeQL now supports Java version 24
We’ve improved the accuracy of the (java/xss) query when javax.servlet.http.HttpServletResponse is used without an exploitable content type
JavaScript / TypeScript
We’ve added support for the response threat model, which can be enabled with advanced setup. When enabled, the response data coming back from an outgoing HTTP request is considered a tainted source.
We’ve improved the precision of data flow through arrays and call resolution logic, both resulting in improved analysis results
C/C++
We’ve improved the accuracy of the cpp/static-buffer-overflow query, resulting in improved results
C#
We’ve improved the precision of the cs/call-to-object-tostring query, resulting in improved analysis results
GitHub Actions (Public Preview)
We’ve removed the query actions/unversioned-immutable-action from the public suite of queries, which will close any alerts triggered from it
For a full list of changes, please refer to the complete changelog for version 2.20.6. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.6 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.
