Open SourceSecurityFour tips to keep your GitHub Actions workflows secureResearchers from Purdue and NCSU have found a large number of command injection vulnerabilities in the workflows of projects on GitHub. Follow these four tips to keep your GitHub Actions workflows secure. Continuous Integration and Continuous Deployment (CI/CD) software supply chains are a lucrative target for threat actors.

SecuritySecurity alert: social engineering campaign targets technology industry employeesGitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor. GitHub has

Pull request merge queue is now generally available! merge-queuepull-requestsvelocity July 12, 2023 Today we are announcing the general availability of pull request merge queue! 🎉 Merge queue helps increase velocity in software delivery by automating pull request merges into your busiest branches. Before merge queue, developers would often need to update their pull request branches prior to mergi

パスキーがパブリックベータ版にて利用が可能になりました。オプトインすることで、セキュリティキーをパスキーにアップグレードし、パスワードと2FA方式の代わりにパスキーを使用することができます。 セキュリティ侵害のほとんどは、珍しいゼロデイ攻撃によるものではなく、ソーシャルエンジニアリング攻撃、認証情報の盗用または漏洩、被害アカウントやその先のリソースへの広範なアクセス権を攻撃者に提供する手段など、低コストな攻撃によるものです。実際、私たち全員が頼りにしているパスワードは、データ漏洩の80%以上の根本原因となっています。 だからこそ、私たちGitHubは「ユーザーエクスペリエンスを損なわない」という約束を守りながら、すべての開発者が強固なアカウントセキュリティを担保できるよう支援しています。GitHub全体の取り組みとして2要素認証(2FA)の採用から始まり、本日よりパスキー認証をパブリックベ

SecurityIntroducing passwordless authentication on GitHub.comPasskeys are now available in public beta. Opting in lets you upgrade security keys to passkeys, and use those in place of both your password and your 2FA method. Most security breaches are not the product of exotic zero-day attacks but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other aven

EducationSecurityIntroduction to SELinuxSELinux is the most popular Linux Security Module used to isolate and protect system components from one another. Learn about different access control systems and Linux security as I introduce the foundations of a popular type system. At GitHub Security Lab, our main mission is helping secure the open source software we all rely on. While securing applicatio

June 27, 2023 We have received customers reporting errors with Actions’ OIDC integration with AWS. This happens for customers who are pinned to a single intermediary thumbprint from the Certificate Authority (CA) of the Actions SSL certificate. There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers to trust bo

EngineeringProductHow to use GitHub Copilot: Prompts, tips, and use casesIn this prompt guide for GitHub Copilot, two GitHub developer advocates, Rizel and Michelle, will share examples and best practices for communicating your desired results to the AI pair programmer. Leia este artigo em português As ferramentas de programação de IA generativa estão transformando a maneira como as pessoas desenv

CompanyEngineeringEnterpriseAddressing GitHub’s recent availability issuesGitHub recently experienced several availability incidents, both long running and shorter duration. We have since mitigated these incidents and all systems are now operating normally. Read on for more details about what caused these incidents and what we’re doing to mitigate in the future. Last week, GitHub experienced sever

These files make up the visual of your pop-up window. popup.html is the interface, including layout, structure, and content. style.css determines the way the HTML file should be displayed in the browser, including font, text color, background, etc. 2. Create the manifest.json 🧾 🧑🏾‍💻 Inside a folder in my IDE, I created a file called manifest.json. In manifest.json, I described my desired file:

CommunityOpen SourceProductSecurityPush protection is generally available, and free for all public repositoriesAnnouncing the general availability of push protection–a feature that proactively prevents secret leaks in your public and private repositories. At GitHub, we believe that by empowering developers with intuitive security built into their workflows, we can, together, shift security from re

May 9, 2023 Previously, all attached (drag-and-dropped) images and videos on GitHub Issues, Pull Requests, Discussions, and wikis were available to view without authentication if you knew their direct URL. Now, future attachments associated with private repositories can only be viewed after logging in. This doesn’t apply retroactively to existing attachments, which are obfuscated by having a long,

GitHub Actions: All Actions will run on Node16 instead of Node12 actions May 4, 2023 Node 12 has been out of support since April 2022, as a result we have started the deprecation process of Node 12 for GitHub Actions. We plan to migrate all actions to run on Node16 by Summer 2023. Following on from our warning in workflows using Node 12, we will start enforcing the use of Node16 rather than Node12

April 17, 2023 Today we are announcing the public beta of repository rules! 🎉 Repository rules are GitHub’s next evolution of branch protections to help make your repositories more secure and compliant at scale. Rules allow you to easily define protections for branches and tags in your repositories and, if you are a GitHub Enterprise Cloud customer, to enforce them across your organization. It is

EngineeringEnterpriseOpen SourceWhat developers need to know about generative AIGenerative AI has been dominating the news lately—but what exactly is it? Here’s what you need to know, and what it means for developers. By now, you’ve heard of generative artificial intelligence (AI) tools like ChatGPT, DALL-E, and GitHub Copilot, among others. They’re gaining widespread interest thanks to the fact t

EngineeringOpen SourceBuilding GitHub with Ruby and RailsSince the beginning, GitHub.com has been a Ruby on Rails monolith. Today, the application is nearly two million lines of code and more than 1,000 engineers collaborate on it daily.… Since the beginning, GitHub.com has been a Ruby on Rails monolith. Today, the application is nearly two million lines of code and more than 1,000 engineers colla

SecurityWe updated our RSA SSH host keyAt approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. We did this to protect our users from any chance of an adve

GitHub Copilotは、チャットや音声インターフェイスの組み込み、Pull Requestのサポート、ドキュメントに関する質問への回答、OpenAIのGPT-4の採用など、よりパーソナライズした開発者体験を提供できるよう進化を遂げています。 GitHubのミッションは常に、時代の先を行くイノベーションを起こし、ソフトウェアで強化された世界で、開発者がより幸せかつ生産的になるために必要なものを提供することです。数年前に大規模言語モデルの実験を開始し、生成系AIはソフトウェア開発の未来を象徴する存在であることがすぐに明らかになりました。GitHubはOpenAIと提携して、GPT-3の子孫であるOpenAIのCodexモデルを使用した世界初の大規模な生成系AI開発ツールとしてGitHub Copilotを開発しました。 GitHub Copilotは、コメントやコードを自動補完すること

ProductGitHub Copilot X: The AI-powered developer experienceGitHub Copilot is evolving to bring chat and voice interfaces, support pull requests, answer questions on docs, and adopt OpenAI’s GPT-4 for a more personalized developer experience. At GitHub, our mission has always been to innovate ahead of the curve and give developers everything they need to be happier and more productive in a world p

SecurityGitHub Security Lab audited DataHub: Here’s what they foundThe GitHub Security Lab audited DataHub, an open source metadata platform, and discovered several vulnerabilities in the platform's authentication and authorization modules. These vulnerabilities could have enabled an attacker to bypass authentication and gain access to sensitive data stored on the platform. At GitHub, we really ca