GitHub Enterprise Server 3.5 is now available, including access to the container registry, the addition of Dependabot, enhanced admin capabilities, and GitHub Advanced Security capabilities.
Version 3.5 includes 60 new features. Many focus on protecting the code used by developers and must ensure that it does not contain any vulnerabilities. Focusing on prior “cleaning” the code should prevent serious problems in applications due to vulnerabilities in open source software.
What’s included in GitHub Enterprise Server 3.5
GitHub Container Registry now available in public beta
Since releasing the Container registry to GitHub Packages last year, developers are using the registry to publish and manage thousands of containers and consume these containers millions of times on a daily basis.
Starting with GitHub Enterprise Server 3.5, customers will have access to the GitHub Container registry, which admins can enable from the management console. With this release, customers can now:
- Achieve tighter integrations with their Actions workflow and securely access containers from workflows via the GITHUB_TOKEN.
- Anonymously access public containers, thereby allowing customers to be able to access public containers without providing any credentials.
- Store and manage Open Container Initiative (OCI) images.
- Configure fine-grained permissions control for containers in their organization.
- Configure “Internal” visibility settings for containers within organisations in addition to “Private” and “Public.”
- Share data at the organisation level, thereby decreasing bandwidth and storage requirements.
GitHub Advanced Security
Prevent secret leaks with secret scanning push protection now in public beta
GitHub Advanced Security customers can now block pushes that include secrets. Push protection scans for highly identifiable secrets with a false positive rate of less than 1%. Developers can review the identified secrets and remove them or, if needed, bypass the block. For more information, see “Protecting pushes with secret scanning.”
Additionally, CodeQl makes it easier for developers to develop secure applications. The tool scans code for known vulnerabilities. In version 3.5, the tool is faster and can recognize other types of security vulnerabilities.
Other features include securing sensitive data. The platform can now, inter alia, automatically block code containing sensitive data such as encryption keys. In addition, developers can now use the platform to track whether their applications are compliant with cybersecurity best practices, based on data from Dependabot, CodeOL, and 41 other metrics.
Quantify your security risk with security overview org-level view (Generally Available) and enterprise-level view (Public Beta)
GitHub Advanced Security customers now have access to a security overview at both the organization and enterprise level. The security overview aggregates security results, with both repo-centric and alert-centric views for secret scanning, Dependabot, and code scanning.
Secret scanning supports organization-level and repository-level dry runs now in public beta
A poorly authored custom pattern can create thousands of results across an organization or repository. To solve this, GitHub Advanced Security customers can now dry-run scans before publishing them. Dry runs can be used at the organization-level and repository-level, and are in public beta.
CodeQL detects more security issues, supports new language versions
GitHub Advanced Security customers can now benefit from a range of improvements to CodeQL, including support for new languages, improved detection for a large number of CWEs, and performance improvements. More details.
Dependabot now generally available
Now, all customers hosting their own GitHub Enterprise Server instance will be able to take advantage of all that Dependabot has to offer. This has been a long time in the making and fulfills one of our most common feature requests from GitHub Enterprise Server customers. For those unfamiliar, Dependabot consists of three services:
- Dependabot alerts: alert you the moment vulnerabilities in your dependencies are detected
- Dependabot security updates: upgrades a dependency to patched version when a vulnerability is detected by opening a pull request to your repo
- Dependabot version updates: opens pull requests to keep all your dependencies up to date, decreasing your exposure to vulnerabilities and chance of getting stuck on an outdated version
to set up Dependabot on your GitHub Enterprise Server instance, see enabling Dependabot for your enterprise and enabling the dependency graph for your enterprise.
To set up Dependabot on your GitHub Enterprise Server instance, see Enable Dependabot for your enterprise and enable dependency graph for your enterprise.
GitHub Actions
Reusable Workflows now generally available
Reusable workflows, formally known as “templates,” is the key component of centrally managed workflows. This feature enables you to reuse an entire workflow as if it were an action. Instead of copying and pasting workflow definitions across repositories, you can reference an existing workflow with a single line of configuration.
Cache Support now generally available
GitHub Actions enables customers to cache intermediate outputs and dependencies for their workflows, which is an effective way to make jobs faster.
Restrict self-hosted runner groups to specific workflows
In addition to restricting which repositories can access specific enterprise and organization runner groups, administrators can further control access by selecting specific workflow files and versions. Combining this feature with reusable workflow can help you create more secure standard workflows in your organization.
Self-hosted runners can now disable automatic updates
You now have more control over when your self-hosted runners perform software updates. If you specify the --disableupdate flag to the runner then it will not try to perform an automatic software update if a newer version of the runner is available. This allows you to update the self-hosted runner on your own schedule, and is especially convenient if your self-hosted runner is in a container.
For Enterprise Administrators
IP allow list for maintenance
We are introducing a new option for maintenance settings to keep GitHub Enterprise Server in a healthy state to serve production traffic after any operational changes while in maintenance mode. This modification enables administrators to only allow a set of certain IP addresses access to the appliance.
GitHub Enterprise Server Statistics
Customers can now gather 41 GitHub Enterprise Server metrics to understand how they are using the platform. These metrics will give insights into how the users are utilising the product, clarity on how teams operate, and gain maximum value from all aspects of GitHub Enterprise Server.
Security
Audit Log now includes git events
Three new events, git.clone, git.fetch, and git.push,will be incorporated alongside existing audit log events and available for search via the UI, export via JSON/CSV, and search via the API and streaming. Customers will be able to more fully observe UI and CLI activity on their account through the audit log. This will help customers to better meet administration, compliance, and security response needs.
To learn more about all the new features in GitHub Enterprise Server 3.5, read the release notes or you download it directly from Github
If you’re currently using GitHub Enterprise Server version you can use the Upgrade Assistant to find the upgrade path from your current version of GitHub Enterprise Server to your desired version.
