security



Developers can now use Dependabot to automatically keep their Helm dependencies up to date. For projects that use Helm as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.


Fine-grained Personal Access Tokens (PATs) have been used by millions of users to make tens of billions of API calls over the last two years in public preview. In that time, we’ve added requested features such as management APIs and webhooks, mandatory expiration policies, and usability improvements.

However, feedback has been clear on one item in particular – while fine-grained PATs solve a significant set of challenges in their current state, many organizations cannot fully adopt them due to the lack of support statements and the risk of breaking changes while they’re in public preview. Our goal at GitHub is to ensure that everyone can secure their workflows as best they can, which is why we’re graduating fine-grained PATs to a generally available (GA) state.

Changes with this release

This update brings two major changes to PATs at GitHub. Most notably, fine-grained PATs are now enabled by default for all organizations on GitHub, unless that organization or enterprise explicitly disabled them during the preview. The PAT approval flow is also enabled by default, so developers must request organization owner approval in order to successfully use their fine-grained PAT against their organizations.

We’re also updating the release state for both fine-grained PATs and PAT expiration policies. These features are now fully supported by GitHub and adhere to the same breaking change policies as the rest of the product. While there are some scenarios where fine-grained PATs are not yet supported, your organization should be confident in suggesting, or even requiring, the use of these more secure tokens.

Administrators, auditors, and security teams can also look for improved auditability of PATs – the token_id is now included in all API calls and supported as a built-in filter in the audit logs. With this filter, you can now easily track the use of a token throughout your enterprise or organization.

A screenshot of enterprise audit logs, filtered to a specific token_id

Customers on GHES should expect these changes to arrive in version 3.17.
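As an added example (not GitHub's own code), the kind of check a security team could run over an audit-log export now that the token_id is recorded on API calls: it groups events by token and flags tokens that touch more repositories than a single-purpose fine-grained PAT should. The log lines are constructed, and the exact field names (token_id, action, actor, repo, created_at) are assumed from the export format.

```python
import json
from collections import defaultdict

# Constructed audit-log export (JSON lines), not a real capture. Field names
# action/actor/repo/created_at are assumed from GitHub's audit log export;
# token_id is the fine-grained PAT identifier the changelog says is now logged.
AUDIT_LOG = """\
{"action":"repo.download_zip","actor":"octocat","repo":"acme/api","token_id":1001,"created_at":1700000000}
{"action":"git.clone","actor":"octocat","repo":"acme/api","token_id":1001,"created_at":1700000100}
{"action":"git.clone","actor":"octocat","repo":"acme/web","token_id":1001,"created_at":1700000200}
{"action":"git.clone","actor":"octocat","repo":"acme/infra","token_id":1001,"created_at":1700000300}
{"action":"repo.create","actor":"hubot","repo":"acme/tools","token_id":2002,"created_at":1700000400}
{"action":"issues.open","actor":"hubot","repo":"acme/tools","created_at":1700000500}
"""


def parse_audit_log(text):
    """Parse a JSON-lines export, keeping only events that carry a token_id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if "token_id" in event:
            events.append(event)
    return events


def summarize_by_token(events):
    """Group events by token_id: actors seen, distinct repos, actions in order."""
    summary = defaultdict(lambda: {"actors": set(), "repos": set(), "actions": []})
    for e in events:
        s = summary[e["token_id"]]
        s["actors"].add(e["actor"])
        s["repos"].add(e.get("repo", ""))
        s["actions"].append(e["action"])
    return dict(summary)


def flag_wide_tokens(summary, max_repos=2):
    """Token ids that touched more repos than a narrowly scoped token should."""
    return sorted(tid for tid, s in summary.items() if len(s["repos"]) > max_repos)


if __name__ == "__main__":
    summary = summarize_by_token(parse_audit_log(AUDIT_LOG))
    for tid, s in sorted(summary.items()):
        print(tid, sorted(s["actors"]), sorted(s["repos"]), s["actions"])
    print("tokens to review:", flag_wide_tokens(summary))
```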

Feature gaps in fine-grained PATs

There are several scenarios where fine-grained PATs are not a suitable solution at this time. GitHub continues to invest in building more secure access patterns and will implement these capabilities over time. You can track our progress and goals on our public roadmap. The most notable scenarios are:

  • Calling APIs that manage the Enterprise object (e.g. SCIM APIs or creating organizations)
  • Accessing multiple organizations with a single token
  • Contributing to repositories where you’re an outside collaborator or an unaffiliated open source contributor
  • Accessing internal repositories in your enterprise, outside of a targeted organization
  • Calling the Packages and Checks APIs

We’re currently focused on implementing enterprise access for GitHub Apps and fine-grained PATs so that enterprise owners can reduce the over-permissioning of their current automation solutions. After that, we’ll continue to invest in this area with a goal of enabling organizations to eventually disable the use of PATs (Classic) for their resources.

To learn more about fine-grained PATs and how your organization can control them, see our documentation on managing your personal access tokens, and enforcing policies for PATs in your enterprise.


Developers can now use Dependabot to automatically keep their uv dependencies up to date. For projects that use uv as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.


CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.20.6, which brings support for a new version of Java and a variety of other improvements to the accuracy of your code scanning results:

Java

  • CodeQL now supports Java version 24
  • We’ve improved the accuracy of the java/xss query when javax.servlet.http.HttpServletResponse is used without an exploitable content type

JavaScript / TypeScript

  • We’ve added support for the response threat model, which can be enabled with advanced setup. When enabled, the response data coming back from an outgoing HTTP request is considered a tainted source.
  • We’ve improved the precision of data flow through arrays and call resolution logic, both resulting in improved analysis results

C/C++

  • We’ve improved the accuracy of the cpp/static-buffer-overflow query, resulting in more accurate results

C#

  • We’ve improved the precision of the cs/call-to-object-tostring query, resulting in improved analysis results

GitHub Actions (Public Preview)

  • We’ve removed the query actions/unversioned-immutable-action from the public suite of queries, which will close any alerts triggered from it

For a full list of changes, please refer to the complete changelog for version 2.20.6. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.6 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.


CodeQL version 2.20.5 has been released and includes a host of coverage improvements, including extended support for C# 13 and new detection capabilities for Java and GitHub Actions workflow files.

CodeQL is the static analysis engine that powers GitHub code scanning, which finds and remediates security issues in your code.

CodeQL 2.20.5 adds full support for new language features introduced in C# 13 / .NET 9, as well as improved coverage for .NET 9. This will improve the detection of alerts and reduce the chance of false negative results.

CodeQL Java analysis is improved with additional support for cross-site request forgery (CSRF). The new analysis capability detects vulnerabilities that occur when using HTTP request types that are not protected against cross-site requests by default.

Go analysis has been updated to support Go 1.24, which includes new language features and improvements. This will improve the detection of alerts and reduce the chance of false negative results.

For a full list of changes, please refer to the complete changelog for version 2.20.5. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.5 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.


We recently launched analysis capabilities for GitHub Actions workflow files in public preview.

With the release of CodeQL 2.20.5, we are expanding the analysis capabilities to detect additional types of security risks associated with Actions workflow files and we have adjusted some of the existing queries.

The analysis coverage is improved with the addition of five new queries that identify additional types of security risks associated with Actions workflow files. The new queries are:

  • actions/envpath-injection/medium detects situations where user-controlled sources (like the text of a GitHub issue) are used to populate the PATH environment variable. This could allow an attacker to alter the execution of system commands.
  • actions/envvar-injection/medium detects situations where environment variables which are not properly sanitized can lead to the injection of additional unwanted variables, using new lines or {delimiters}.
  • actions/code-injection/medium detects situations where user-controlled input can end up in contexts like run: or script:, leading to malicious code being executed and secrets being leaked.
  • actions/artifact-poisoning/medium detects situations where artifacts are not correctly extracted, stored and verified, which could result in a poisoned artifact being executed, leading to repository compromise.
  • actions/untrusted-checkout/medium detects situations where workflows triggered by events like pull_request_target or issue_comment can execute arbitrary code from untrusted sources, if followed by an explicit checkout.
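As an added example that is not CodeQL's query logic, a lightweight line-based check for two of the patterns above (code injection through run: and untrusted checkout under pull_request_target or issue_comment), run against a constructed vulnerable workflow and its hardened form. The regexes and the allowlist of untrusted event fields are assumptions of this example, a coarse stand-in for CodeQL's taint tracking.

```python
import re

# Constructed workflow, not from any real repository: it interpolates an
# untrusted event field inside run: and checks out the PR head under
# pull_request_target, the two patterns the queries above describe.
WORKFLOW = """\
name: triage
on:
  pull_request_target:
  issue_comment:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Title: ${{ github.event.pull_request.title }}"
      - run: echo "Number: ${{ github.event.pull_request.number }}"
"""

# Hardened form: the title reaches the shell only as "$TITLE" via env, and
# checkout keeps the default (base) ref instead of the PR head.
HARDENED = WORKFLOW.replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", ""
).replace(
    '      - run: echo "Title: ${{ github.event.pull_request.title }}"',
    "      - env:\n          TITLE: ${{ github.event.pull_request.title }}\n"
    '        run: echo "Title: $TITLE"',
)

# Assumed heuristics: a small allowlist of attacker-controlled event fields.
UNTRUSTED_FIELD = re.compile(
    r"\$\{\{\s*github\.event\.(issue|pull_request|comment|review|head_commit)"
    r"\.(title|body|message)\b")
PRIVILEGED_TRIGGER = re.compile(r"^\s*(pull_request_target|issue_comment):", re.M)
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def find_code_injection(workflow):
    """1-based line numbers of run: steps that interpolate untrusted text."""
    return [n for n, line in enumerate(workflow.splitlines(), 1)
            if "run:" in line and UNTRUSTED_FIELD.search(line)]


def has_untrusted_checkout(workflow):
    """Privileged trigger combined with a checkout of the PR head ref."""
    return bool(PRIVILEGED_TRIGGER.search(workflow) and PR_HEAD_REF.search(workflow))


if __name__ == "__main__":
    print("vulnerable:", find_code_injection(WORKFLOW), has_untrusted_checkout(WORKFLOW))
    print("hardened:  ", find_code_injection(HARDENED), has_untrusted_checkout(HARDENED))
```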

Because of its lower precision and the large number of alerts it generates, the query actions/unpinned-tag has been moved to the security-extended query suite from the default query suite, and all existing alerts for this query will be automatically closed if the security-extended suite is not being used.

Three queries have been removed from the default and security-extended query suites because they do not produce relevant security alerts. Alerts generated by these queries will be closed automatically.

These changes are now available with the release of CodeQL 2.20.5. For a full list of changes, please refer to the complete changelog for version 2.20.5. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.5 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.


Developers can now use Dependabot to keep their Docker Compose dependencies up to date automatically. For projects that use Docker Compose as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.


Copilot Autofix helps you fix code scanning alerts and avoid introducing new security vulnerabilities by using large language models to suggest potential fixes.

We recently expanded the range of CodeQL security alerts where Copilot can suggest an autofix, covering a group that accounts for 29% of all CodeQL alerts. This expansion led to an 8% overall increase in alerts with an available autofix and a 270% increase in autofixes for this specific group of improved alerts. With more autofix suggestions, you can resolve security issues identified by CodeQL more easily—either by applying Copilot’s suggested fix directly or using it as a starting point for your own edits.

We made these improvements by analyzing our usage data to understand the most common types of alerts where Copilot was not suggesting fixes and then made a targeted effort to improve autofix for these alerts. Read more about the testing process that GitHub uses to identify the quality of autofix suggestions.

We continuously evaluate the performance of CodeQL and Copilot Autofix, so look for more improvements in the future.


Dependabot alerts now feature the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping you better assess vulnerability risks.

EPSS scores predict the likelihood of a vulnerability being exploited, with scores ranging from 0 to 1 (0 to 100%). Higher scores mean higher risk. We also show the EPSS score percentile, indicating how a vulnerability compares to others.

For example, a 90.534% EPSS score at the 95th percentile means:

  • 90.534% chance of exploitation in the next 30 days
  • 95% of other vulnerabilities are less likely to be exploited

You can use EPSS scores to help prioritize dependency vulnerabilities based on exploit likelihood. Only ~0.5% of vulnerabilities have an EPSS score above 50%. This makes EPSS a powerful tool for prioritization based on exploitation likelihood, especially when used in conjunction with severity (CVSS). For more information on using EPSS and/or CVSS for vulnerability prioritization, check out FIRST’s EPSS user guide.
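An added example, not from the original post, of spelling out an EPSS score and percentile in the wording above and using EPSS alongside CVSS to order Dependabot alerts. The alerts are constructed; the field names and the 50% EPSS / 7.0 CVSS cut-offs are choices made for this example (50% mirrors the ~0.5% figure quoted above, 7.0 is the CVSS "High" boundary).

```python
# Constructed Dependabot-style alerts, not real data. The flat field names are
# an assumption for this example, not the Dependabot alerts API schema.
ALERTS = [
    {"number": 1, "package": "lodash",   "cvss": 9.8, "epss": 0.90534, "epss_percentile": 0.95},
    {"number": 2, "package": "minimist", "cvss": 9.8, "epss": 0.00412, "epss_percentile": 0.72},
    {"number": 3, "package": "pyyaml",   "cvss": 5.3, "epss": 0.61000, "epss_percentile": 0.99},
    {"number": 4, "package": "requests", "cvss": 6.1, "epss": 0.00051, "epss_percentile": 0.20},
]


def describe_epss(alert):
    """Render score and percentile the way the changelog explains them."""
    score = alert["epss"] * 100
    pct = alert["epss_percentile"] * 100
    return (f"{score:.3f}% chance of exploitation in the next 30 days; "
            f"{pct:.0f}% of other vulnerabilities are less likely to be exploited")


def priority_bucket(alert, epss_threshold=0.5, cvss_threshold=7.0):
    """0: likely and severe, 1: likely, 2: severe, 3: neither (fix in that order)."""
    likely = alert["epss"] >= epss_threshold
    severe = alert["cvss"] >= cvss_threshold
    if likely and severe:
        return 0
    if likely:
        return 1
    if severe:
        return 2
    return 3


def prioritize(alerts):
    """Order by bucket, then by EPSS (likelihood), then by CVSS (impact)."""
    return sorted(alerts, key=lambda a: (priority_bucket(a), -a["epss"], -a["cvss"]))


if __name__ == "__main__":
    for a in prioritize(ALERTS):
        print(f'#{a["number"]} {a["package"]:<9} bucket={priority_bucket(a)} '
              f'cvss={a["cvss"]} {describe_epss(a)}')
```

The ordering puts the CVSS 5.3 alert with a 61% EPSS ahead of the CVSS 9.8 alert with a 0.4% EPSS, which is the point of combining the two signals.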

This feature is available on GitHub.com today, and will be available in GitHub Enterprise Server starting with version 3.17.

Learn more in FIRST’s EPSS User Guide.
Join the discussion within GitHub Community.
Read more about viewing, sorting, and filtering Dependabot alerts in GitHub’s Dependabot docs.


Developers can now use Dependabot to keep their bun dependencies up to date automatically. For projects that use bun as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.

Support for bun security updates will be added in the future.


CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. The CodeQL engine has become faster, covers 28 more security queries, supports more ecosystems, and can now scan GitHub Actions (public preview)—among various other bug fixes and small improvements.

All of these improvements were automatically rolled out to code scanning users in the past few months. For users of the CodeQL CLI, here are some highlights of the past few CodeQL releases:

  • CodeQL 2.20.4, 6 February 2025
    • Analysis support for GitHub Actions workflow files is now in public preview, and therefore the use of the actions language (for analysis of GitHub Actions workflows) no longer requires the CODEQL_ENABLE_EXPERIMENTAL_FEATURES environment variable to be set.
    • All experimental queries for C#, Java, and Kotlin have been migrated to the default query suite in the CodeQL community packs that are managed by GitHub Security Lab.
  • CodeQL 2.20.3, 24 January 2025
    • Resolves a security vulnerability where CodeQL databases or logs produced by the CodeQL CLI may contain the environment variables from the time of database creation, including any secrets stored in environment variables. For more information, see the CodeQL CLI security advisory.
  • CodeQL 2.20.2, 22 January 2025
    • All data flow queries have been standardized on a single data flow library, which may result in differences for JavaScript and TypeScript analysis.
    • CodeQL databases now take 2-3x less space on disk, which makes them faster to transfer and read/manipulate. This is thanks to a new compressed database format.
  • CodeQL 2.20.1, 9 January 2025
    • CodeQL is now easier to set up and roll out: automatic build command detection with automatic dependency installation for C/C++ is now supported on Ubuntu 24.04.
    • A new Server Side Template Injection query for Python has been released, thanks to a community contribution.
    • Swift 6.0.2 is now supported.
  • CodeQL 2.19.4, 2 December 2024
  • CodeQL 2.19.3, 7 November 2024
    • Analysis for .NET 8 and JDK 17 has been improved.
    • The CodeQL Bundle is now available as an artifact that is compressed using Zstandard. This artifact is smaller and faster to decompress than the original, gzip-compressed bundle. The CodeQL bundle is a tar archive containing tools, scripts, and various CodeQL-specific files.
  • CodeQL 2.19.2, 21 October 2024
    • Analysis of Python apps now has significantly faster extraction and analysis times.
  • CodeQL 2.19.1, 4 October 2024
    • Java 23 is now supported.
    • A new command, codeql resolve packs, shows each step in the pack search process, including what packs were found in each step.

Detailed changelogs for every CodeQL release are available in the CodeQL documentation, and new CodeQL releases occur roughly every two weeks.

For GitHub Enterprise Server customers: All new functionality from CodeQL releases 2.19.0 through 2.20.3 will be included in GHES 3.16 and the latest patch versions of 3.12-3.15. Functionality from 2.20.3 and later 2.20.X versions will be included in 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.


As of February 5, 2025, Dependabot no longer supports Python 3.8, which has reached its end-of-life. If you continue to use Python 3.8, Dependabot will not be able to create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of Python. As of February 2025, Python 3.13 is the newest supported release.

View Python’s official documentation for more information about supported releases.


Starting today, Dependabot offers full support for pnpm workspace catalogs.

pnpm workspace catalogs are widely used in monorepos, and improper dependency handling can lead to:

  • Broken dependency trees due to unintended modifications.
  • Install failures in CI environments due to lockfile mismatches.
  • `NoChangeErrors` when workspaces conflict with each other.

Starting today, Dependabot fully supports pnpm workspace catalogs. This means that Dependabot now:

  • Ensures safe, scoped updates for each workspace.
  • Prevents lockfile inconsistencies that break dependency resolution.
  • Improves the reliability of updates in `pnpm` monorepos.

Learn more about Dependabot
Learn more about pnpm catalogs
Join the community discussion to share feedback and tips


GitHub Code Scanning powered by CodeQL now supports dependency caching for Java, Go, and C# projects. This feature ensures that scans can deliver meaningful results even if registries are temporarily unavailable, while also reducing overall scanning time after the cache is established.

Dependency Caching Availability:

  • Default Setup: For repositories using GitHub-hosted runners, dependency caching is automatically enabled for both public and private repositories during scans.
  • Advanced Setup: Users with custom configurations can manually enable dependency caching as needed.

This is now available on github.com.


CodeQL `build-mode: none` scans can now access private dependencies stored in private registries (e.g. Artifactory) for Java and C# projects. This makes your scans more comprehensive, ensuring you receive all important alerts regardless of where your dependencies are stored.

Previously, `build-mode: none` code scans with the default setup were unable to fetch code for dependent packages stored in private registries, which could result in incomplete analysis. Now, organization administrators can configure access credentials for private registries at the organization level. This enhancement allows CodeQL scans in child repositories to retrieve all necessary dependencies, enabling comprehensive code analysis when using the code scanning default setup.

This feature is currently in public preview for GitHub Advanced Security customers.
