Home / Companies / GitHub / Blog / July 2020

July 2020 Summaries

27 posts from GitHub

Filter
Month: Year:
Post Summaries Back to Blog
GitHub Actions provides developers with the ability to automate their workflows, enhancing creativity and innovation by connecting with familiar tools and enabling seamless deployment across cloud platforms. Swechhya Bista, a participant in the GitHub Actions Hackathon, leveraged this tool to automate her R package, excelR, eliminating the need for external accounts and simplifying the process of running automated checks. Her journey highlights the accessibility and ease of integration offered by GitHub Actions, although testing and debugging remain challenges. Inspired by her success, Swechhya is developing additional Actions to facilitate code coverage checks, exemplifying the platform's potential to streamline software development processes. Users can explore and utilize these tools on the GitHub Marketplace and engage with the community through learning resources and developer stories.
Jul 31, 2020 561 words in the original blog post.
Keeping open source software secure is a collective effort, as exemplified by the OWASP Zed Attack Proxy (ZAP), a dynamic application security testing tool. Simon Bennetts, leader of the OWASP ZAP project and StackHawk engineer, highlights the tool's role in identifying web application vulnerabilities early in the development process, making it a cost-effective alternative to expensive commercial solutions. ZAP integrates seamlessly into CI/CD pipelines, allowing developers to address issues like cross-site scripting and SQL injection before deployment. Despite the open-source ethos of "many eyes" on the code, Bennetts notes that most contributors lack formal security training, underscoring the importance of tools like ZAP and complementary static application security testing (SAST) methodologies. He also emphasizes the necessity of regular dependency updates, facilitated by tools like Dependabot, and the value of security practices such as branch protection rules, mandatory code reviews, and the use of CodeQL for static code scanning. The ZAP project also enforces two-factor authentication and incentivizes security through a bug bounty program, rewarding discoveries of remote code execution vulnerabilities.
Jul 30, 2020 954 words in the original blog post.
Beginning November 13th, 2020, GitHub will require token-based authentication, such as personal access tokens, OAuth tokens, or GitHub App installation tokens, for all authenticated API operations on GitHub.com, moving away from password-based authentication to enhance security. This change aims to provide benefits such as unique, revocable, limited, and random tokens, reducing vulnerabilities associated with reused passwords. Although GitHub Enterprise Server users are unaffected, those using Git operations will eventually need to adopt token or SSH key authentication. The transition encourages developers and integrators to update their authentication methods to avoid disruption, with further requirements for Git operations expected by mid-2021. Two-factor authentication users will not be affected by future Git changes, and GitHub Apps remain unaffected as they do not use password authentication. GitHub emphasizes the importance of these changes for improved security and urges users to prepare by updating their systems accordingly.
Jul 30, 2020 930 words in the original blog post.
IBM has introduced a GitHub Starter Workflow designed to facilitate the deployment of containerized applications to the IBM Cloud Kubernetes Service, as shared by Senior Technical Staff Member Steve Martinelli. This new workflow is integrated with GitHub Actions, allowing developers to quickly generate and customize workflows for their specific cluster and application requirements. It includes default steps such as installing and authenticating with the IBM Cloud CLI, building and pushing Docker images to the IBM Cloud Container Registry, and deploying to a Kubernetes cluster. Developers need to configure specific fields, including IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT, while creating GitHub Secrets for the IBM Cloud API key and Container Registry namespace. Future enhancements will focus on separate actions for CLI installation and authentication to streamline workflow creation. IBM encourages developers to join discussions and address queries via Slack channels, emphasizing their commitment to community engagement and support.
Jul 29, 2020 422 words in the original blog post.
GitHub has introduced a public roadmap to enhance transparency and user engagement by offering insights into upcoming features and functionalities. This roadmap, accessible as a public repository on GitHub, includes a project board with detailed issues on future releases, enabling users to filter by labels such as "beta," "server," and "security & compliance" to identify planned features like code and secret scanning for GitHub Enterprise Server. Users can subscribe to updates and participate by providing feedback through the GitHub Community Forum or a dedicated feedback page. Historically reserved for major events or blog posts, GitHub's product announcements will continue alongside this new initiative that regularly updates the roadmap's content and format. The initiative aims to foster better planning and early feedback from users, with potential enhancements including reactions and GitHub Discussions for community interaction.
Jul 28, 2020 451 words in the original blog post.
GitHub Sponsors, a program designed to financially support open source project maintainers, has seen significant success in its initial year, with individuals like Caleb Porzio earning $100k annually through sponsorships. The program's expansion continues as it becomes available in more regions, including Malta and Cyprus, bringing the total to 34 supported regions. Recent developments include the release of features like sponsored organizations, sponsorship transaction export options, and the ability to display selected repositories on profiles. With continuous community feedback, GitHub strives to make the Sponsors program more accessible and lightweight, encouraging further participation from both sponsors and maintainers globally.
Jul 28, 2020 343 words in the original blog post.
GitHub has open-sourced an OpenAPI description of its REST API, which has undergone three major revisions since its initial release shortly after the site's launch. This move aims to enhance developer interaction by using the OpenAPI specification, a widely adopted standard that describes the interface of HTTP APIs in a language-agnostic manner. The description includes over 600 operations and is available in two formats: a bundled version for most use cases and a fully dereferenced version for tools with limited support for inline references. This initiative, currently in beta, is built from existing JSON schemas, documented examples, and contract testing, with quarterly updates for GitHub Enterprise Server and more frequent updates for GitHub.com. GitHub encourages contributions to improve the accuracy and consumption of the description, acknowledging the efforts of a dedicated team and highlighting contributions from individuals like Gregor Martynus and the Docs Engineering team.
Jul 27, 2020 485 words in the original blog post.
Git 2.28 introduces several notable updates and optimizations, including the introduction of the init.defaultBranch configuration, which allows users to set a default initial branch name for new repositories, moving away from the traditional "master" branch. This change supports broader community efforts to rename default branch names in repositories. The release also enhances performance through the use of changed-path Bloom filters, which improve the efficiency of commands like git log and git blame by reducing the number of diffs needed to determine file changes. Additionally, Git 2.28 introduces a --show-pulls flag to revision walking commands to display merge commits that brought changes into the main line of development. Other updates include warnings for ambiguous pull operations, a GitHub Actions workflow for integration tests, a streamlined bug reporting process with git bugreport, and improvements to the sparse checkout feature in git status. These changes aim to make Git more flexible, performant, and user-friendly, catering to evolving community standards and technical needs.
Jul 27, 2020 1,977 words in the original blog post.
GitHub Actions provides developers the ability to automate workflows, deploy to the cloud, and build containers, among other features, fostering innovation and creativity. The platform encourages open-source collaboration, as exemplified by Nigerian full-stack developer Samson Amaugo, who used GitHub Actions to create a tool for exporting images into different sizes for JSON files during his first hackathon experience. Despite challenges, such as limited documentation on using Node.js with GitHub Actions, Samson leveraged community resources and documentation to successfully develop his Action. His journey emphasizes the importance of community support and continuous learning in software development. Samson is now exploring DevOps and plans to build more GitHub Actions to enhance his build pipelines, showcasing the ongoing impact of GitHub Actions in supporting developer innovation and tool creation.
Jul 24, 2020 850 words in the original blog post.
The Court of Justice of the European Union recently invalidated the EU-US Privacy Shield, impacting personal data transfers from the EU to the US due to concerns about US government access to EU personal data. In response, GitHub has shifted to relying on Standard Contractual Clauses (SCCs) to ensure data protection for developers and customers, updating its data protection terms and Privacy Statement accordingly. Despite the ruling, GitHub remains committed to maintaining high privacy standards, applying the European Union's General Data Protection Regulation (GDPR) to all users globally, and providing transparency and accountability through its privacy practices and transparency reporting. The company is prepared to adapt to future regulatory changes to continue supporting international developer collaboration while safeguarding personal data.
Jul 23, 2020 463 words in the original blog post.
Shipping secure code begins with prioritizing developers and integrating security into every workflow stage, as emphasized by Maya Kaczorowski, GitHub's Supply Chain Security Product Manager. The focus is on the importance of keeping dependencies updated, not only for the latest features but also to ensure security patches can be applied swiftly. Regular updates are crucial because patches typically address urgent issues in the latest versions, and delaying them can make future updates more complex and risky. Continuous updates align with site reliability engineering principles, promoting smaller, manageable changes that reduce negative impacts and increase confidence in deploying critical fixes. Testing and continuous integration are vital for quick remediation when dealing with vulnerabilities, as security issues might not always be disclosed initially. Tools like GitHub's Dependabot assist in maintaining updated dependencies by automating pull requests for both security and version updates, thereby enhancing security by ensuring readiness to apply necessary patches and addressing potential security-related bugs.
Jul 23, 2020 1,099 words in the original blog post.
Enterprise software development is a complex and lengthy process, often taking between four to nine months, with challenges such as ambiguous requirements and legacy code. GitHub Enterprise offers a suite of secure software development best practices to address these challenges, focusing on access control and authentication features to protect code integrity. By integrating with identity providers like Azure AD, Okta, or Onelogin, organizations can leverage single sign-on (SSO) and other security features such as IP allow lists and two-factor authentication (2FA) to enhance security. GitHub also provides configurable permissions to prevent data leaks, reinforcing security through policies on repository creation, forking, visibility changes, and deletion. Recent improvements include setting default repository visibility to private for users with active SAML SSO sessions, helping prevent accidental public exposure. These measures aim to support developers in creating secure, high-quality software while ensuring seamless integration and workflow for both developers and administrators.
Jul 23, 2020 842 words in the original blog post.
GitHub Enterprise Server (GHES) offers robust security features for organizations hosting their source code, but administrators can enhance this further through several key practices. Strengthening the Management Console password, limiting site admin and administrative shell access, and using passphrase-protected SSH keys are crucial steps for securing GHES. Regular updates and hot-patch releases should be applied to maintain the latest security fixes without downtime. Enabling two-factor authentication, Transport Layer Security (TLS), subdomain isolation, private mode, and disabling anonymous Git read access enhance the overall security posture. Administrators should also configure a secure backup server, consider using an outbound proxy to control external communications, and restrict network ports to minimize exposure. GHES users are encouraged to explore additional security best practices and seek support or audits from GitHub's Professional Services for comprehensive protection.
Jul 20, 2020 1,020 words in the original blog post.
GitHub Actions is a powerful tool for developers to automate workflows, and Nikita Sobolev, a seasoned software developer, is one of its early adopters. With over a decade of experience, Nikita uses GitHub Actions to streamline processes by creating various tools like Python Style Guide, dotenv-linter, and restrict-cursing-action. These tools serve different purposes, from ensuring code quality to maintaining clear communication by restricting inappropriate language. Nikita appreciates GitHub Actions for its simplicity and the rich marketplace that offers a plethora of ready-to-use Actions. The GitHub community is celebrated for its collaborative spirit, continuously innovating and creating new tools. Nikita's favorite Action, dotenv-linter, highlights the importance of maintaining error-free configuration files, while the docker-image-size-limit Action addresses practical issues related to Docker image sizes. GitHub encourages developers to explore, contribute, and benefit from its extensive Action offerings, underscoring the platform's commitment to fostering a supportive environment for innovation and collaboration.
Jul 17, 2020 837 words in the original blog post.
Managing open source security and dependencies poses significant challenges for companies, particularly in terms of handling CVEs, ensuring compliance with OSS licenses, and tracking dependency versions. GitHub's dependency insights offer a comprehensive solution by compiling all OSS dependencies across organizational repositories, allowing users to filter by ecosystem, license type, and more. The tool provides visibility into license compliance through histograms detailing license frequency, helping organizations mitigate risks associated with non-compliant licenses. Additionally, GitHub Security Advisories enable teams to identify and address high-risk vulnerabilities by providing detailed insights into dependency versions affected by CVEs. Dependabot further aids in vulnerability remediation by automatically generating pull requests with necessary updates and compatibility scores, facilitating secure and efficient dependency management. The integration of these features in GitHub's ecosystem allows for enhanced security and streamlined DevSecOps workflows, as demonstrated in GitHub's Demo Day events.
Jul 16, 2020 696 words in the original blog post.
GitHub's Archive Program, announced at GitHub Universe 2019, aims to preserve open source software for future generations through the GitHub Arctic Code Vault, which stores data in a secure location in Svalbard, Norway. On July 8, 2020, the program successfully deposited 21TB of data from GitHub's public repositories into the vault, transported via piqlFilm, a digital photosensitive archival film. The initiative is supported by partnerships with organizations like the Internet Archive, which is archiving GitHub data, and the Software Heritage Foundation, which preserves software development history. Project Silica, another partner, is advancing storage technology using quartz glass for long-term data preservation. The Tech Tree, a component of the archive, aims to provide a comprehensive understanding of modern computing, open source software, and related technologies, and GitHub is inviting community input to enhance its content.
Jul 16, 2020 1,086 words in the original blog post.
Securing the world's code requires a collaborative effort among teams, companies, and individuals, leveraging community knowledge and partner technologies to enhance software security while enabling innovation. The widespread use of open-source software, which constitutes 99% of projects, brings inherited security risks, highlighted by a 71% increase in open-source-related breaches over five years. Organizations can enhance security by understanding their open-source inventory, automating fixes, and integrating security solutions into the developer workflow to reduce friction and improve productivity. By embedding security into the software development lifecycle and establishing organization-wide visibility and governance, businesses can manage application security without hindering operations. GitHub emphasizes that security is a shared responsibility and advocates for implementing solutions that secure the supply chain, custom code, and software lifecycle to foster a trustworthy digital future.
Jul 15, 2020 775 words in the original blog post.
GitHub's Sales and Support teams have been adapting their remote working practices to better engage with customers as remote work becomes more prevalent. Sue Morris, VP of Global Support, emphasizes the importance of supporting teammates and customers, while Matthew McCullough, VP of Field Services, notes the shift to virtual customer interactions as both efficient and effective. With the COVID-19 pandemic accelerating the need for digital collaboration, they have found virtual meetings to be beneficial and suggest they may permanently replace some in-person interactions. As remote work has become the norm, GitHub has embraced flexible scheduling and global talent acquisition, fostering a supportive team culture. Both leaders stress the importance of empathy, regular communication, and creative virtual interactions to maintain team cohesion and enhance customer service.
Jul 10, 2020 1,456 words in the original blog post.
GitHub Actions is a versatile tool embraced by developers for automating workflows, deploying to clouds, and building containers, among other functions, with the flexibility likened to playing with Lego. Highlighting the journey of Jeremy Shore, a software engineer at PlayStation, the article describes how he developed a GitHub Action for Firebase to streamline his work with multiple Firebase sites and cloud functions. Initially, challenges such as limited documentation and functionality posed difficulties for early adopters, but improvements like comprehensive documentation and the ability to build Actions with Node have since enhanced the experience. The open-source nature of GitHub Actions allows developers to download, use, and contribute to the growing repository of nearly 4,000 Actions available on the GitHub Marketplace. Despite the initial hurdles, the platform's evolution demonstrates its potential for innovation and collaboration, empowering developers to build customized solutions and contributing to a dynamic community of creators.
Jul 10, 2020 1,039 words in the original blog post.
Securing the open source supply chain has become crucial due to the increased adoption of open source components, which has heightened susceptibility to security threats. In response, GitHub launched the Open Source Security Coalition (OSSC) in November 2019, aiming to unite organizations globally to strengthen open source security. The coalition focuses on four main areas: identifying threats to open source projects, establishing best practices for developers, enhancing security tooling, and managing vulnerability disclosures. With its initial 14 partners growing to 21, the coalition serves as a collaborative forum to pool resources, build infrastructure, and reduce duplicated efforts. GitHub's bottom-up approach, emphasizing operational and communication foundations, has proven effective, fostering a partner-led, results-driven culture. The coalition has already produced a report detailing threats, risks, and mitigations in the open source ecosystem, demonstrating its commitment to the mission. As the coalition evolves, formalizing its structure while maintaining its founding values is key to its continued success.
Jul 09, 2020 599 words in the original blog post.
GitHub has introduced a monthly Availability Report to enhance transparency and accountability regarding its service availability, with the aim of sharing insights and learnings from any incidents that occur. The report includes descriptions of incidents, technical explanations, and updates on how GitHub is evolving its engineering systems to maintain high availability and fault tolerance. In May and June, GitHub experienced four incidents, including issues with database table sizes and MySQL server crashes during maintenance, which impacted service availability. These incidents have prompted GitHub to implement improvements like better monitoring, enhanced test frameworks, and internal gameday exercises to prepare for future issues. The organization views each incident as a valuable learning opportunity to improve reliability and operational excellence, with ongoing analyses and adjustments aimed at preventing similar failures in the future.
Jul 08, 2020 949 words in the original blog post.
The analysis of CVE-2018-16621 in Nexus Repository Manager 3 highlights a critical Expression Language (EL) Injection vulnerability that was mitigated initially by sanitizing user input, but not by preventing the injection or sandboxing the EL engine. This oversight allowed for potential bypasses, as the root cause was linked to user-controlled data being reflected in validation error messages, which could lead to Remote Code Execution (RCE) if certain conditions were met. The vulnerability was explored using Java Bean Validation (JSR 380) and demonstrated how interpolation issues within custom validators could expose applications to RCE threats. The analysis further delves into various mitigation strategies, such as disabling EL interpolation, using parameterized templates, and employing robust sanitization logic, while highlighting the role of CodeQL in identifying such vulnerabilities. The exploration revealed multiple vulnerable applications, including Sonatype Nexus and Netflix Conductor, and discussed the exploitation tactics and challenges faced with different EL engines and limitations, such as incomplete EL implementations and OSGi module constraints. The study underscores the importance of proper implementation of custom validators and the risks associated with untrusted bean validation and default EL expression evaluations, suggesting a potential rise in similar vulnerabilities in open-source and proprietary applications.
Jul 07, 2020 3,891 words in the original blog post.
GitHub Actions is a powerful tool that enhances developer productivity by automating workflows, enabling rapid feedback, and allowing developers to run actions locally through tools like Casey Lee's "act." Casey Lee, an experienced tech professional, created "act" to address the slow feedback loop in developing GitHub Actions by providing rapid feedback and replacing Makefiles with a local task runner. With thousands of actions available on the GitHub marketplace, developers can compose complex workflows or create custom actions, though learning the platform's extensive capabilities can be challenging. The GitHub community is encouraged to explore and create new actions, with resources like GitHub's Learning Lab course and the GitHub Actions Hackathon providing opportunities for innovation and skill development.
Jul 03, 2020 760 words in the original blog post.
GitHub recently overhauled its documentation websites, unifying content from help.github.com and developer.github.com into a single platform at docs.github.com to enhance user experience and streamline the documentation process. This transformation involved developing a custom dynamic backend to replace the static site setup, allowing for improved versioning, internationalization, and auto-generation of API documentation. The project maintained existing Markdown and YAML conventions while transitioning to a Node.js site with Express, enabling dynamic content rendering and faster deployment times. The new system supports multiple products with a more organized content structure, facilitates better search functionality, and reduces manual tasks through automation, such as using GitHub Actions for GraphQL documentation updates. Redirects were carefully implemented to prevent 404 errors, ensuring users can find content seamlessly despite the structural changes. This comprehensive effort sets the stage for continued enhancements in GitHub's documentation experience.
Jul 02, 2020 1,952 words in the original blog post.
GitHub, alongside over 500 other organizations, has recently signed a letter urging the U.S. Congress to continue supporting the Open Technology Fund (OTF), which plays a crucial role in funding open-source tools aimed at enhancing internet freedom. OTF has effectively utilized modest government grants to develop and sustain numerous tools that bolster digital security and counteract censorship and surveillance, benefiting approximately 2 billion users globally. By backing projects such as Signal, Qubes OS, Tor, and WireGuard, OTF significantly contributes to protecting the privacy and security of individuals worldwide, especially those in vulnerable groups. However, a leadership change at the United States Agency for Global Media (USAGM), the agency supporting OTF, threatens the continuation of its mission, prompting this petition to Congress to secure OTF's future in supporting open-source security initiatives.
Jul 02, 2020 190 words in the original blog post.
Authentication is a fundamental aspect of software development, especially when dealing with open-source and proprietary software, as it ensures secure access to code repositories. Git supports two main authentication methods: HTTP(S), which uses usernames and passwords or personal access tokens (PATs), and SSH, which uses public keys. While SSH is more secure, it can be challenging to set up, whereas PATs are easier but less secure. To streamline the authentication process, Git relies on credential managers that securely store authentication information. The Git Credential Manager (GCM) Core, a new open-source tool available for Windows and macOS, aims to unify the Git authentication experience across platforms by supporting GitHub, Bitbucket, and Azure Repos, with plans to extend to Linux and other hosting services. GCM Core simplifies the authentication flow with interactive sessions and supports various two-factor authentication mechanisms while securely storing credentials. It was developed in response to the fragmented landscape of previous credential managers and the need for a cross-platform solution, leveraging .NET Core and .NET Standard to enhance compatibility across different environments. The tool remains in beta, and developers are encouraged to contribute to its evolution as it seeks to provide a seamless authentication experience for all users.
Jul 02, 2020 1,547 words in the original blog post.
GitHub has consolidated its product documentation into a single site, docs.github.com, which merges the content previously spread across help.github.com for users and developer.github.com for integrators. This new unified platform aims to provide a comprehensive resource for both new and experienced developers to access all necessary information about GitHub products in one location. The site supports searches across all GitHub product content, and currently offers language support in Japanese, Simplified Chinese, Brazilian Portuguese, and Spanish, with plans to expand language support further in the future. This launch marks the beginning of GitHub's efforts to enhance user experience by offering a centralized hub for discovering tools and information, with additional improvements anticipated.
Jul 01, 2020 863 words in the original blog post.