Search

github.blog › security › supply-chain-security

A year of open source vulnerability trends: CVEs, advisories, and malware

… Unlike reviewed global advisories, which are always mapped to packages in ecosystems we support, any maintainer on GitHub can request a CVE , even if they don’t publish that package to a supported ecosystem. …

Mar 26, 2026 · Jonathan Evans

github.blog › security

Securing the git push pipeline: Responding to a critical remote code execution vulnerability

… For GitHub Enterprise Server, we prepared patches across all supported releases 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later and published CVE-2026-3854 . These are available today and we strongly recommend that all GHES customers upgrade immediately. …

Apr 28, 2026 · Alexis Wales

github.blog › security

Investigating unauthorized access to GitHub-owned repositories

… Some of GitHub’s internal repositories contain information from customers, for example, excerpts of support interactions. …

May 20, 2026 · Alexis Wales

github.blog › security › supply-chain-security

Securing the open source supply chain across GitHub

… What to expect in the coming months In late 2025 the Shai-Hulud attacks motivated a revamped security roadmap for npm, which we talked about in Our plan for a more secure npm supply chain and Strengthening supply chain security: Preparing for the next malware campaign . …

Apr 1, 2026 · Zachary Steindler

github.blog › security › application-security

GitHub expands application security coverage with AI‑powered detections

… Expanding application security coverage with static analysis and AI Static analysis remains an effective way to identify vulnerabilities in supported languages, which is why GitHub Code Security continues to rely on CodeQL for deep semantic analysis. …

Mar 23, 2026 · Marcelo Oliveira

github.blog › latest

The latest blogs from GitHub

… AI & ML Build a personal organization command center with GitHub Copilot CLI Learn about the productivity tool one GitHub engineer built, and how AI supported the development process. …

May 7, 2026 · Landon Cox

2 sources covering this — show 1 more

• The latest on AI & ML github.blog

github.blog › security

Security-related product updates - GitHub Blog

… Strengthening supply chain security: Preparing for the next malware campaign Security advice for users and maintainers to help reduce the impact of the next supply chain malware attack. …

Apr 28, 2026 · Alexis Wales

github.blog › security

Raising the bar: Quality, shared responsibility, and the future of GitHub's bug bounty program

… A strong report has three things: a short summary of the issue, clear steps to reproduce with supporting evidence screenshots, HTTP requests, terminal output , and an impact statement explaining what an attacker can actually achieve. …

May 15, 2026 · Jarom Brown

github.blog › security › supply-chain-security

Investing in the people shaping open source and securing the future together

… Because open source thrives when maintainers are supported, respected, and empowered to do their best work. We are grateful to every maintainer building the future with us. Activate the tools available, and consider applying for GitHub Secure OSS Fund . …

Mar 17, 2026 · Kevin Crosby

github.blog › security › application-security

Application security Archives

… Out of this research we produced new support for workflows in CodeQL, empowering you to secure yours. AppSec is harder than you think. Here’s how AI can help. In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. …

Apr 14, 2026 · Dorothy Pearce