security-overview - GitHub Changelog
https://github.blog/changelog/label/security-overview/
Updates, ideas, and inspiration from GitHub to help developers build and design software.
Feed last updated: Mon, 09 Dec 2024 16:33:26 +0000

Enhanced CodeQL pull request alerts report
https://github.blog/changelog/2024-12-09-enhanced-codeql-pull-request-alerts-report
Mon, 09 Dec 2024 16:33:26 +0000

The post Enhanced CodeQL pull request alerts report appeared first on The GitHub Blog.

The metrics overview for CodeQL pull request alerts now includes enhanced tracking and reporting mechanisms, resulting in greater accuracy and more CodeQL pull request alerts and Copilot Autofixes displayed on the dashboard.

These changes retroactively affect the dashboard numbers, allowing you to effectively monitor your organization’s security posture.

With these insights, you can proactively identify and address security risks before they reach your default branch. The metrics overview for CodeQL pull request alerts helps you understand how effectively CodeQL prevents vulnerabilities in your organization. You can use these metrics to easily identify the repositories where action is needed to mitigate security risks.

The change is now generally available on GitHub Enterprise Cloud.

Learn more about security overview and code scanning.

Expanded flexibility and control for managing the security manager role
https://github.blog/changelog/2024-11-26-expanded-flexibility-and-control-for-managing-the-security-manager-role
Wed, 27 Nov 2024 01:40:43 +0000

For organization owners, managing the security manager role is now easier and more flexible. These updates empower you to tailor security responsibilities and streamline role assignments to fit your needs:

  1. Assign the security manager role to individual users: The security manager role can now be assigned directly to individual users, in addition to teams. This added flexibility ensures security responsibilities are allocated precisely where needed.
  2. Streamlined role management in organization settings: Security manager assignment and configuration is now part of Settings > Organization roles at the organization level. This relocation centralizes and simplifies role management, making it intuitive to oversee security managers alongside other organizational roles.

Image: Security manager assignment modal on the Organization roles - Role assignments page

Building on recent improvements

The addition of custom organization roles with repository permissions takes flexibility to the next level. With these updates, you can customize security roles to balance the right level of responsibility and access for your team. Here’s how you can leverage these features to meet your specific requirements:

  1. Craft a security manager role with fewer permissions: The addition of repository permissions to custom organization roles means you can build custom security roles with a subset of security manager permissions, such as:
    • View secret scanning
    • Dismiss secret scanning
    • View code scanning
    • Dismiss code scanning
    • Delete code scanning analyses
    • View Dependabot alerts
    • Dismiss Dependabot alerts

    This lets you assign security responsibilities without granting the full access of a security manager role.

  2. Expand the security manager role with additional permissions: Using custom organization roles, you can enhance the security manager role by adding additional organization-level or repository-specific permissions. For example, you can grant audit log access or other highly requested capabilities to create a tailored role that fits your team’s specific needs.

Image: User with security manager role and custom auditor role assigned

These updates are now generally available on GitHub Enterprise Cloud and will be included in GitHub Enterprise Server 3.16.

Learn more about the security manager role and custom organization roles, and send us your feedback.

CSV export for enterprise-level security overview
https://github.blog/changelog/2024-11-26-csv-export-for-enterprise-level-security-overview
Tue, 26 Nov 2024 20:43:47 +0000

You can now export security data for offline analysis, reporting, and archival purposes on the enterprise-level security overview pages. This includes:

  • Enterprise-level overview dashboard: Export alert-level data for all your scanning tools—including third-party scanning tools.
  • Enterprise-level risk page: Export repository-level data with aggregated counts of security alerts per repository for code scanning, Dependabot, and secret scanning.
  • Enterprise-level coverage page: Export repository-level data showing the enablement state for all Dependabot, code scanning, and secret scanning features.

Image: New Export CSV button highlighted on the overview dashboard on the Security tab at the enterprise level

Just like at the organization level, exports respect all filters you have applied to the page, making it easy for you to tailor downloads to your specific needs. Whether you are focused on enterprise-wide insights or repository-level details, the data is now at your fingertips.

You can download all data where you have an appropriate level of access.

Learn more about security overview and send us your feedback.

Accessibility improvements for security overview
https://github.blog/changelog/2024-11-20-accessibility-improvements-for-security-overview
Wed, 20 Nov 2024 16:53:50 +0000

New accessibility enhancements to the security overview data visuals make it easier and more inclusive for everyone to interact with and understand code security insights.

Image: Graph showing open alerts by severity on the security overview dashboard, with enhanced accessibility

What’s new?

  • Improved visual accessibility: Enhanced color contrast and better support for users with low vision, making it easier to interpret data visuals.
  • Keyboard navigation enhancements: Full keyboard-only navigation, including a clearly visible focus indicator, for smoother interactions without a mouse.
  • Assistive technology support: Improved compatibility with screen readers for better navigation and understanding of content.

These updates are now generally available on GitHub Enterprise Cloud and will be included in GitHub Enterprise Server 3.16.

Join the discussion in the GitHub Community and read more about GitHub’s commitment to accessibility.

SAST vulnerabilities summary now available on the security overview dashboard
https://github.blog/changelog/2024-10-31-sast-vulnerabilities-summary-now-available-on-the-security-overview-dashboard
Thu, 31 Oct 2024 17:17:02 +0000

Now you can better manage and mitigate your security vulnerabilities with a new SAST vulnerabilities summary table, available directly on the security overview dashboard. This feature highlights your top 10 CodeQL and third-party open alerts by count, grouped by vulnerability type.

Image: The SAST vulnerabilities table on the Detection tab of the overview dashboard

When prioritizing which alerts to address first, it’s crucial to consider various factors. One significant factor is the number of instances of a vulnerability across your codebase. The more areas of code affected by a vulnerability, the higher the potential risk for exploitation.

To access the new SAST vulnerabilities table, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and scroll to the bottom of the Detection view on the Overview dashboard. For enterprises, click Code Security in the sidebar, then select Overview and scroll to the bottom of the Detection view.

The SAST vulnerabilities summary is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about security overview insights and join the discussion within the GitHub Community.

New code security configurations let you set security features at the organization level
https://github.blog/changelog/2024-10-17-new-code-security-configurations-let-you-set-security-features-at-the-organization-level
Thu, 17 Oct 2024 16:57:15 +0000

Now you can simplify the rollout of GitHub security products within your organization. Code security configurations now allow you to define collections of security settings and apply those settings to groups of repositories. Configurations help you maintain security settings for important features like code scanning, secret scanning, and Dependabot.

As previously announced in August, starting today, you can no longer enable or disable GitHub security features from the organization-level security coverage view, which has been deprecated and replaced with code security configurations for managing these settings.

Learn more about code security configurations and send us your feedback.

Enhanced security overview dashboard – detection, remediation, and prevention at the forefront
https://github.blog/changelog/2024-09-19-enhanced-security-overview-dashboard-detection-remediation-and-prevention-at-the-forefront
Thu, 19 Sep 2024 23:14:05 +0000

Now you can view Prevention metrics alongside Detection and Remediation metrics in an enhanced security overview dashboard. This update is available at both the organization and enterprise levels.

Image: New prevention tab on the security overview dashboard

New to the dashboard, the Prevention insights tab highlights CodeQL pull request alerts and will soon include secret scanning push protection insights. It is designed to help you shift from merely responding to vulnerabilities to actively preventing them, the ultimate goal in application security. With this dashboard, you and your team can proactively keep vulnerabilities at bay, blocking threats before they ever reach production.

Deep dive into the CodeQL pull request alerts

For a deeper analysis, the new CodeQL pull request alerts report is also available at both the organization and enterprise levels. This report allows you to:

  • Track historical metrics for CodeQL pull request alerts
  • Monitor code as it progresses from feature branches to the default branch
  • Analyze metrics by CodeQL rule, autofix status, and repository

The enhanced dashboard is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about pull request alerts and join the discussion within the GitHub Community.

CSV exports for the CodeQL pull request alerts report
https://github.blog/changelog/2024-09-16-csv-exports-for-the-codeql-pull-request-alerts-report
Mon, 16 Sep 2024 16:39:33 +0000

Image: New Export CSV button highlighted on the CodeQL pull request alerts report

You can now export data from the CodeQL pull request alerts report in CSV format, enabling you to analyze prevention and autofix metrics offline or archive the data for future use. This functionality is available at both the organization and enterprise levels. Exports will respect all filters applied, allowing you to focus on the specific data most relevant to your needs. You can download all data where you have an appropriate level of access.

Learn more about tracking metrics on CodeQL pull request alerts and join the discussion within the GitHub Community.

Prevention and autofix insights for CodeQL pull request alerts
https://github.blog/changelog/2024-08-19-prevention-and-autofix-insights-for-codeql-pull-request-alerts
Mon, 19 Aug 2024 16:24:57 +0000

You can now track prevention metrics for CodeQL pull request alerts with the new CodeQL pull request alerts report—available at both the organization and enterprise level. These insights empower you to proactively identify and mitigate security risks before they reach your default branch.

Image: Enterprise-level CodeQL pull request alerts report

With this report, you can historically track metrics for CodeQL pull request alerts as code moves from feature branches to the default branch. Gain insights into:

  • Unresolved and merged alerts: Understand what security vulnerabilities made it to the default branch.
  • Fixes (autofix and manual): Track which alerts were addressed before merging.
  • Dismissed alerts: See which alerts were deemed false positive or risk accepted.

Additionally, analyze metrics by CodeQL rule, autofix status, and repository.

Historical data is available starting from May 1, 2024.

To access these reports, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and find CodeQL pull request alerts in the sidebar. For enterprises, click Code Security in the sidebar, then select CodeQL pull request alerts.

These reports are now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.

Learn more about security overview and join the discussion within the GitHub Community.

Code security configurations will replace feature enablement on the organization-level security coverage page on October 15
https://github.blog/changelog/2024-08-14-code-security-configurations-will-replace-feature-enablement-on-the-organization-level-security-coverage-page-on-october-15
Thu, 15 Aug 2024 00:18:15 +0000

We are streamlining the deployment of GitHub’s security products at scale with code security configurations. This functionality simplifies the rollout of GitHub security products by defining collections of security settings and enabling you to apply those settings to groups of repositories. Configurations help you maintain security settings for important features like code scanning, secret scanning, and Dependabot.

As of October 15th, 2024, you will no longer be able to enable or disable GitHub security features for repositories from the organization-level security coverage view.

Learn more about code security configurations and send us your feedback.
