Updates to security configuration settings for customers in existing grace periods

For customers in an ongoing grace period who have not opted out, GitHub will automatically update the enable for new repositories security configuration setting. This change helps you avoid unexpected billing charges without any manual effort on your part.

Team and Enterprise customers with a configuration, applied before April 1, 2025, that enables paid security features for newly created private repositories will see one of the following two changes applied:

  • Configurations with enable for new repositories set to for all public and private repositories will be adjusted to for all public repositories only.
  • Configurations with enable for new repositories set to for all private repositories will be adjusted to for no newly created repositories.

Customers who haven’t yet opted out through a GitHub representative will see these settings applied on the following dates:

  • Team customers will see this change on April 23, 2025.
  • Enterprise customers will see this change on April 28, 2025.

Have questions? Reach out to GitHub for support.

GitHub code scanning now analyzes your GitHub Actions workflow files with CodeQL, and this analysis is now generally available. It lets you identify and remediate security vulnerabilities in your Actions workflows through automated code scanning, catching issues before they reach your CI/CD pipeline. CodeQL automatically analyzes your workflows to detect common security vulnerabilities, including missing required permissions, dangerous inputs used without proper validation, and script injection vulnerabilities.

During the public preview period, we’ve helped secure over 158,000 repositories, detecting more than 800,000 potential vulnerabilities in Actions workflows, with approximately 15% of these issues being fixed by repository maintainers. This strong adoption demonstrates the value of automated security analysis for CI/CD workflows that use GitHub Actions.

For repositories using code scanning’s default setup, we will now automatically enable Actions workflow analysis when workflow files are detected in the default branch. For repositories using advanced setup, simply add the actions language to your existing configuration to enable this protection.

We’ve also added Copilot autofix functionality for the actions/missing-workflow-permissions query, one of the most frequent findings in Actions workflows. When this vulnerability is detected, you’ll receive automated fix suggestions to implement the principle of least privilege in your workflows, making remediation faster and easier.

To improve analysis quality, we’ve moved the actions/unversioned-immutable-action query to the extended query suite, allowing for more targeted and comprehensive analysis. If you’re using default setup, you can configure your scanning options to include extended queries. For repositories with advanced setup, you can specify this query suite in your CodeQL configuration. You can find more information about this change in the CodeQL release notes for 2.20.6.
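As an added illustration that is not part of the changelog, the constructed workflow below shows the three kinds of findings described above (a job with no `permissions` block, an untrusted event field expanded directly into a shell script, and an unpinned action reference), followed by a hardened version of the same workflow. The workflow name, label, and event fields are invented for the example, and the commit SHA is a placeholder.

```yaml
# Constructed example (not from the changelog): a workflow with the kinds of
# weaknesses CodeQL's Actions queries look for, then a hardened version.

# --- Before ---
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    # No `permissions:` block, so the job inherits the default GITHUB_TOKEN
    # scopes (actions/missing-workflow-permissions).
    steps:
      - uses: actions/checkout@main     # floating branch ref, not a pinned version
      # The untrusted issue title is expanded into the shell script before it
      # runs, so a crafted title can change what the script does (script injection).
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - run: gh issue edit "${{ github.event.issue.html_url }}" --add-label triage
        env:
          GH_TOKEN: ${{ github.token }}

---
# --- After ---
name: triage
on:
  issues:
    types: [opened]
permissions: {}                        # default-deny at the workflow level
jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      contents: read                   # needed by checkout
      issues: write                    # needed to add the label; nothing else
    steps:
      # Pin to a full commit SHA rather than a branch; action version pinning
      # is what the extended suite's actions/unversioned-immutable-action
      # query is concerned with.
      - uses: actions/checkout@<FULL_COMMIT_SHA>   # placeholder: substitute a real 40-character SHA
      # Untrusted values are passed through environment variables, so the
      # shell sees a variable rather than text spliced into the script.
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
          ISSUE_URL: ${{ github.event.issue.html_url }}
          GH_TOKEN: ${{ github.token }}
        run: |
          echo "New issue: $ISSUE_TITLE"
          gh issue edit "$ISSUE_URL" --add-label triage
```

With default setup, the first workflow is the shape that produces the missing-permissions finding for which Copilot autofix now proposes a least-privilege `permissions` block.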

Code scanning’s analysis of GitHub Actions workflow files will be available in GitHub Enterprise Server 3.18.

Learn more about configuring code scanning, securing your use of Actions, and vulnerabilities identified with CodeQL.


Dependabot users can now schedule custom update frequencies by using cron expressions in schedule.interval in the Dependabot configuration file. This complements the predefined intervals (daily, weekly, and monthly) with a more general and robust mechanism, letting you define custom schedules that meet your specific needs.

For help writing a cron expression, try this tool.

To learn more about using cron expressions to schedule Dependabot updates in the dependabot.yml file, check out GitHub’s Dependabot schedule.interval docs.

To engage with the Dependabot community on the topic of cron-based update scheduling, join the conversation.
