Skip to content

/ Blog

Try GitHub Copilot Contact sales

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Try GitHub Copilot

dependabot

Subscribe to all “dependabot” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

→ ~ cd github-changelog

→ ~/github-changelog|main git log main

showing all changes successfully

Deprecation of API endpoint to enable or disable a security feature for an organization

July 22, 2024

Code security configurations were made generally available on July 10th, 2024. This experience replaces our old settings experience and its API.

If you are currently using the REST API endpoint to enable or disable a security feature for an organization, this endpoint is now considered deprecated.

It will continue to work for an additional year in the current version of the REST API before being removed in July of 2025. However, users should note this will conflict with the settings assigned in code security configurations if the configuration is unenforced. This may result in a code security configuration being unintentionally removed from a repository.

The endpoint will be removed entirely in the next version of the REST API.

To change the security settings for repositories, you can use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Send us your feedback!.

See more See more

Security overview dashboards, secret scanning metrics and enablement trends reports are now generally available

July 19, 2024

Today, we’re excited to announce the general availability of our new organization and enterprise-level security overview dashboards, alongside enhanced secret scanning metrics and the enablement trends reports. These features are designed to provide comprehensive insights, improved prioritization, and advanced filtering options to streamline your security improvements.

Code security insights

Organization-level overview dashboard on the security tab

Our new security overview dashboard, available at both the organization and enterprise levels, integrates security into the core of the development lifecycle. This empowers you to proactively identify and address vulnerabilities. Key features include:

Track security improvements: Monitor trends over time by age, severity, and security tool, simplifying prioritization with top 10 lists focused on repositories and advisories.
Autofix impact: Understand how autofix, powered by GitHub Copilot, is influencing your enterprise’s security remediation efforts.
Advanced filtering: Customize data focus with filters by attributes such as team, repository metadata (i.e., custom repository properties), and security tool-specific filters:
- Dependabot: Filter by ecosystem, package, and dependency scope.
- CodeQL/Third-Party: Filter by specific rules.
- Secret Scanning: Filter by secret type, provider, push protection status, and validity.

Enablement trends for security tools

Organization-level enablement trends report

Monitor the enablement trends of all security tools with detailed insights into the activation status of Dependabot alerts, Dependabot security updates, code scanning, secret scanning alerts, and secret scanning push protection, giving you at-a-glance oversight of your security coverage.

Push protection insights for secret scanning

Organization-level secret scanning metrics page

Gain insights into how push protection is functioning throughout your enterprise. Monitor the number of pushes containing secrets that have been successfully blocked, as well as instances where push protection was bypassed. Detailed insights by secret type, repository, and reasons for bypassing are also available.

To access these features, navigate to your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you wish to view. For organizations, click on the Security tab. For enterprises, click Code Security in the enterprise account sidebar.

These features are generally available on GitHub.com today and will be generally available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard, the secret scanning metrics report and the enablement trends report

See more See more

Code security configurations are supported in the audit log

July 19, 2024

GitHub Enterprise Cloud customers can now see code security configurations data in audit log events.

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings and helping you apply those settings to groups of repositories. Configurations help you change the settings for important features like code scanning, secret scanning, and Dependabot.

With the addition of configurations data in the audit log, organization and enterprise owners have easy visibility into why the settings on certain repositories may have changed.

Audit log events now include:
– Name of the configuration applied to a repository
– When the configuration application fails
– When a configuration is removed from a repository
– When configurations are created, updated, or deleted
– When configurations become enforced
– When the default configuration for new repositories changes

Code security configurations are now available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about code security configurations or send us your feedback.

See more See more

Code security configurations API now includes validity checks, enforcement, and removal

July 17, 2024

The REST API now supports the following code security configuration actions for organizations:
– Detach configurations from repositories
– Enforce configurations
– Enable validity checks for secret scanning in a configuration

The API is now available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

See more See more

Dependabot migration to GitHub Actions for Enterprise Cloud and Free, Pro, and Teams accounts with Actions enabled

July 10, 2024

Over the next few weeks, jobs generating Dependabot pull requests will start running as GitHub Actions workflows on Github.com accounts with GitHub Actions enabled. This migration will include faster Dependabot runs, increased troubleshooting visibility, self-hosted runner support, and other performance and feature benefits. No additional steps are required, and you should not experience service disruptions during the migration. By the beginning of September, repositories with GitHub Actions enabled should expect to see the jobs that generate Dependabot pull requests run as GitHub Actions workflows.

Running Dependabot does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone.

Are you so excited for the Dependabot performance benefits that you want to get started today? You can optionally enroll your repositories and/or organizations before the migration begins! Get started by opting in to run Dependabot PR jobs as GitHub Actions workflows here.

If your organization has disabled GitHub Actions by policy, Dependabot will continue to run on the legacy compute provider. If you want to use Dependabot on GitHub Actions, an organization administrator must update your configuration before opting in to run Dependabot on GitHub Actions.

Check out our docs to learn more about Dependabot on GitHub Actions. For additional information, check out our blog post or previous changelog.

See more See more

Code security configurations are now GA

July 10, 2024

Code security configurations are now generally available (GA)!

Code security configurations simplify the rollout of GitHub security products at scale. They help you define collections of security settings and apply them across groups of repositories.

Since the beta release on April 2, 2024, we’ve launched several improvements, including configuration enforcement and an API.

We have sunset the old organization-level code security settings UI experience along with the API parameters that complemented it.

All new changes to security settings must happen through the new code security configurations expereince. Organizations that were previously opted out of the experience have been opted back in. All default settings for new repositories have been migrated to a configuration called “Legacy” and automatically applied to new repos.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

See more See more

Sunsetting security settings default parameters in the organization REST APIs

July 9, 2024

Code security configurations will be made generally available (GA) on July 10th, 2024. At that point, we will sunset the organization-level code security settings UI experience along with the API parameters that complemented it.

If you are currently using the Update an organization REST API endpoint to set default security settings for new repositories, or the Get an organization REST API endpoint to retrieve current defaults for security settings on new repositories, those parameters will now be ignored. The parameters will be removed entirely in the next version of the REST API.

Your previous default settings in your organization have been saved to a code security configuration called “Legacy” and will continue to apply. To change the default security settings for new repositories, use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

See more See more

Dependabot auto-triage rules are generally available

June 26, 2024

Auto-triage rules help you reduce alert and pull request fatigue, while better managing your alerts at scale.

With Dependabot auto-triage rules, you can create your own custom rules to control how Dependabot ignores alerts with auto-dismissal, snoozes and reopens alerts, and generates pull requests to fix alerts – so you can focus on the alerts that matter, without worrying about the alerts that don’t.

Rules can be created with the following alert attributes:
– CVE ID
– CWE
– Dependency scope (devDependency or runtime)
– Ecosystem
– GHSA ID
– Manifest path (for repository-level rules only)
– Package name
– Patch availability
– Severity

For more information and how to use this feature, please refer to our documentation.

See more See more

Simplified dependabot.yml configuration with multi-directory key (directories) and wildcard / glob (*) support

June 25, 2024

Dependabot version updates requires developers to configure and check in a dependabot.yml file. In the past, it was challenging for administrators to configure a dependabot.yml that works for all repositories without per-repo customization. With this change, you can now specify multiple directories of dependency manifests using the directories key. Directories can be configured with wildcards or globbing to make targeting easier as well. This will simplify the process of creating configurations and allow greater flexibility for developers who wish to customize their behavior.

To learn more, visit our dependabot.yml configuration documentation for the directories key.

See more See more

Manage code security configurations via API

June 20, 2024

You can now use the REST API to create and manage code security configurations, as well as attach them to repositories at scale.

The API supports the following code security configuration actions for organizations:
– Create, get, update, and delete configurations
– Set and retrieve default configurations
– List all configurations
– Attach configurations to repositories

The API is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

See more See more

Code security configurations can now be enforced

June 6, 2024

Configurations are collections of security settings that organization administrators and security managers can define to help roll out GitHub security products at scale.

Starting today, you can enforce configurations. This new feature allows you to prevent users at the repository level from changing the security features that have been enabled and disabled in the configuration attached to their repository.

You can mark a configuration as enforced or unenforced at the bottom of the configurations edit page under the policy section:
Configuration Enforcement

Security configurations are currently available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about security configurations or send us your feedback.

See more See more

Dependabot now supports private Cargo registries

June 3, 2024

Dependabot can now provide updates to Rust dependencies by accessing Cargo private registries.

To learn more, check out the documentation for configuring private registries for Dependabot.

See more See more

dependabot-core is now open source with an MIT license

May 13, 2024

We’re excited to announce that the dependabot-core project is being relicensed under the MIT License, making it easier for the community to contribute to Dependabot.

Keeping dependencies updated is a crucial part of securing your software supply chain, and Dependabot has been helping GitHub users do this since 2019. It’s used by millions of developers each month to keep their dependencies up-to-date and free of known security vulnerabilities. We don’t charge anyone to use Dependabot, because we think everyone should be able to use open source without fear of vulnerabilities.

dependabot-core is the component of Dependabot that defines the logic to create pull requests for dependency updates across the 20+ languages and package managers it supports today. The update logic in dependabot-core is tightly integrated with the rest of GitHub’s Dependabot features, such as grouped updates and auto-triage rules, and contributions from collaborators have helped with its support of Swift and improvements to NuGet. By adopting the MIT license, we will simplify the process for members of the community to contribute to Dependabot and innovate together.

Dependabot-core was previously available under the Prosperity Public License 2.0, and has received contributions from more than 300 developers over the past few years. Now, the MIT license will make it easier than ever for members of the community to join our cause to improve the security of all the world’s software. If you’d like to learn more about contributing to dependabot-core, please check out the repository, and drop us an issue or pull request!

See more See more

Security alerts tool trends on the security overview dashboard

May 8, 2024

The new Tool group-by option on the security overview trends graph provides a visualization of alert trends, organized by the security tools that detected each vulnerability. It’s designed to improve your ability to track and analyze the effectiveness of your scanning tools, enabling more strategic decision-making.

Example of the alert trends chart grouped by security tool

With this new functionality, you can:
* Pinpoint which tools are detecting the most critical vulnerabilities.
* Monitor the performance of your scanners over time.
* Prioritize your remediation efforts based on detailed insights.

To access this feature, navigate to the Security tab at the organization level on GitHub, and choose the Tool option in the Group by dropdown.

This functionality is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard for your organization and send us your feedback

See more See more

Dependabot pull requests jobs are now available to run on self hosted GitHub Actions runners

May 2, 2024

Previously, developers who used private registries to host their packages on internal networks could not use Dependabot to update the versions of those packages in their code.

With this change, users can choose to run Dependabot pull request jobs on their private networks with self-hosted GitHub Actions runners, allowing Dependabot to access on-premises private registries and update those packages.

A prerequisite for enabling self-hosted runners includes enabling GitHub Actions for the repositories of interest. It’s important to note that running Dependabot does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone.

To get started, check out our documentation on managing self-hosted runners with Dependabot Updates.

If you’re interested in learning more about what it means to run Dependabot as a GitHub Actions workflow, check out our changelog and FAQ or Dependabot on Actions documentation.

See more See more

View more changes