The GitHub Security Lab’s journey to disclosing 500 CVEs in open source projects
SecurityThe GitHub Security Lab’s journey to disclosing 500 CVEs in open source projectsThe GitHub Security Lab audits open source projects for security vulnerabilities and helps maintainers fix them. Recently, we passed the milestone of 500 CVEs disclosed. Let’s take a trip down memory lane with a review of some noteworthy CVEs! When I stepped onto the scale this morning, I remembered that there
More secure private attachments
May 9, 2023 Previously, all attached (drag-and-dropped) images and videos on GitHub Issues, Pull Requests, Discussions, and wikis were available to view without authentication if you knew their direct URL. Now, future attachments associated with private repositories can only be viewed after logging in. This doesn’t apply retroactively to existing attachments, which are obfuscated by having a long,
We updated our RSA SSH host key
SecurityWe updated our RSA SSH host keyAt approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. We did this to protect our users from any chance of an adve
Bypassing OGNL sandboxes for fun and charities
SecurityBypassing OGNL sandboxes for fun and charitiesObject Graph Notation Language (OGNL) is a popular, Java-based, expression language used in popular frameworks and applications, such as Apache Struts and Atlassian Confluence. Learn more about bypassing certain OGNL injection protection mechanisms including those used by Struts and Atlassian Confluence, as well as different approaches to analy
The technology behind GitHub’s new code search
To perform a search, we intersect the results of multiple lookups to give us the list of documents where the string appears. With a trigram index you need four lookups: lim, imi, mit, and its in order to fulfill the query for limits. Unlike a hashmap though, these indices are too big to fit in memory, so instead, we build iterators for each index we need to access. These lazily return sorted docum
A smarter, quieter Dependabot | The GitHub Blog
SecurityA smarter, quieter DependabotDependabot is getting a little smarter—and, a little quieter—by reducing bot-based noise from repositories based on your interaction with Dependabot. In 2022, Dependabot automatically generated more than 75 million pull requests, which developers used to keep their dependencies up-to-date and to address millions of specific vulnerabilities. Moving forward, Depe
Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators
SecuritySecurity alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integratorsOn April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. Read on to learn more about the im
New sponsors-only repositories, custom amounts, and more
CommunityProductNew sponsors-only repositories, custom amounts, and moreAlong with the release of sponsors-only repositories, here’s a look at what’s new and what’s next for Sponsors. Since the launch of GitHub Sponsors, we’ve dramatically expanded the scope of what’s possible. We have enabled users to support other users, added the ability for organizations to create and receive sponsorship, and
Introducing stack graphs
EngineeringOpen SourceIntroducing stack graphsPrecise code navigation is powered by stack graphs, a new open source framework that lets you define the name binding rules for a programming language. Today, we announced the general availability of precise code navigation for all public and private Python repositories on GitHub.com. Precise code navigation is powered by stack graphs, a new open sourc
Improving GitHub code search
EngineeringProductImproving GitHub code searchToday, we are rolling out a technology preview for GitHub code search, the next iteration for search, discovery, and navigation on GitHub. Today, we are rolling out a technology preview for substantial improvements to searching code on GitHub. We want to give you an early look at our efforts and get your feedback as we iterate on helping you explore an
GitHub's commitment to npm ecosystem security
Open SourceSecurityGitHub’s commitment to npm ecosystem securityWe're sharing details of recent incidents on the npm registry, our investigations, and how we’re continuing to invest in the security of npm. The npm registry is central to all JavaScript development, and, as stewards of the registry, ensuring its security is a responsibility GitHub takes seriously. Transparency is key in maintaining
Webhook Deliveries API
June 30, 2021 You can now programmatically check the status and resend repository, organization, and Apps webhooks through the REST API, to complement functionality currently provided in the Settings user interface. Using these new API endpoints, you can now list webhook delivery attempts from the last 30 days, read the status and payload of specific deliveries, and trigger a redelivery if needed.
Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug
About polkit polkit is the system service that’s running under the hood when you see a dialog box like the one below: It essentially plays the role of a judge. If you want to do something that requires higher privileges—for example, creating a new user account—then it’s polkit’s job to decide whether or not you’re allowed to do it. For some requests, polkit will make an instant decision to allow o
How we use Web Components at GitHub
EngineeringHow we use Web Components at GitHubAt GitHub, we pride ourselves on delivering a first-class developer experience. A considerable part of our work is on our front end, which we strive to keep as lightweight, fast,… At GitHub, we pride ourselves on delivering a first-class developer experience. A considerable part of our work is on our front end, which we strive to keep as lightweight, f
GitHub Actions update: Helping maintainers combat bad actors
Open SourceProductGitHub Actions update: Helping maintainers combat bad actorsGitHub Actions is a powerful, flexible CI/CD service that gives developers the ability to automate all of their software workflows. Developers have built amazing things with GitHub Actions, and the… GitHub Actions is a powerful, flexible CI/CD service that gives developers the ability to automate all of their software wo
npm is joining GitHub
CompanyProductnpm is joining GitHubWe're excited to announce that npm will be joining GitHub. I’m excited to announce that GitHub has signed an agreement to acquire npm. npm is a critical part of the JavaScript world. The work of the npm team over the last 10 years, and the contributions of hundreds of thousands of open source developers and maintainers, have made npm home to over 1.3 million pack
GitHub Advanced Security: Introducing security overview beta and general availability of secret scanning for private repositories
SecurityGitHub Advanced Security: Introducing security overview beta and general availability of secret scanning for private repositoriesGitHub Advanced Security helps you create secure applications with a community-driven, developer-first approach. Today, we are excited to announce two updates: Beta of the new security overview for organizations and… GitHub Advanced Security helps you create secu
Dependabot version updates are now generally available!
Dependabot version updates are now generally available! dependabotsecurity-and-compliance March 31, 2021 Millions of repos use Dependabot to keep their dependencies up to date, either by updating when a Dependabot alert lets them know about a vulnerable dependency (security updates), or on a fixed schedule (version updates). Dependabot security updates have been generally available for over a year
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
Multi-repository variant analysis: a powerful new way to perform security research across GitHub
CodeQL for VS Code: download CodeQL databases from GitHub.com