News

New 'Security Manager' Role Leads GitHub Enterprise Server 3.3 Security Push

The new GitHub Enterprise Server 3.3 release focuses on security, with a new "security manager" role leading several changes made in the same of safety.

GitHub Enterprise Server is an organization's private, cloud-hosted or on-premises copy of the GitHub software development platform/code repository contained within a virtual appliance.

The security focus for v3.3 is nothing new, as GitHub Advanced Security was enhanced in this year's earlier release of v3.0, which was described by the Microsoft-owned company as "the biggest ever change to Enterprise Server."

For example, that February v3.0 release introduced code scanning. "It's a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production," GitHub said. "Powered by the world's most powerful code analysis engine, CodeQL, it automates security as an integral part of the developer workflow."

The v3.3 release improves other CodeQL functionality (part of Advanced Security) and also adds the security manager role in a beta program, which according to documentation "can give your security team the least access they need to your organization."

Concerning that "least access" functionality, the associated GitHub issue for the new role states: "This new role is intended to be used by members of a security team. It will remove the need for security team members to be organization owners, which is a common workaround but provides these team members with more permissions than they would like (such as the ability to delete any repository)."

animated gif showing picking and assigning a security role
[Click on image for larger view, animated GIF view.] Choosing a Security Role in Animated Action (source: GitHub).

In addition to being a beta offering, this feature is not available for organizations using legacy per-repository billing plans.

"Security manager is an organization-level role that organization owners can assign to any team in an organization," GitHub said. "When applied, it gives every member of the team permissions to manage security alerts and settings across your organization, as well as read permissions for all repositories in the organization."

Specifically, those permissions ("only the permissions required to effectively manage security") include:

  • Read access on all repositories in the organization, in addition to any existing repository access
  • Write access on all security alerts in the organization
  • Access to the organization's security overview
  • The ability to configure security settings at the organization level, including the ability to enable or disable GitHub Advanced Security
  • The ability to configure security settings at the repository level, including the ability to enable or disable GitHub Advanced Security

Along with the security role being introduced in beta, another such early-look program is also related to security: Dependabot Security Updates, which maintain project security by opening pull requests that update all dependencies to non-vulnerable versions.

As far as the aforementioned CodeQL changes, GitHub explained more in a recap of November changes.

"CodeQL had a big month," it said. "To start, we've added support for more Python libraries and frameworks and more Java and JavaScript libraries and frameworks, which means that CodeQL code scanning can now detect more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. In fact, Java now covers more than three times the endpoints of previous CodeQL versions, and JavaScript analysis now supports most common templating languages.

"If you use CodeQL, you're likely familiar with the help text that displays in the code scanning UI when a default query generates an alert, which provides details about the problem. With the latest CodeQL CLI release, you can add P. These will be uploaded to GitHub and displayed in code scanning."

GitHub also touted many other security-related changes.

"The security conscious will also welcome the addition of the option to set an expiration date for personal access tokens, new and existing," GitHub said of last month's RC release."User renewals will be requested by email and can easily be regenerated with the same properties as the original. When using a personal access token with the GitHub API, a new GitHub-Authentication-Token-Expiration header is included in the response, which indicates the token's expiration date. For more information, see "Creating a personal access token" or check out the release notes for other security related changes."

The company also highlighted five other changes that don't pertain to security:

  • Get extra visual clarity with dark mode high contrast theme and other color enhancements to GitHub themes (#202).
    animated gif showing picking another theme
    [Click on image for larger view, animated GIF view.] Managing GitHub Themes in Animated Action (source: GitHub).
  • Easier self-hosted runner auto-scaling with job lifecycle events and ephemeral (single job) runners (#165, #243).
  • Set expiration dates for Personal Access Tokens (PATs) to better scope token lifetimes and reduce risk (#219).
  • Scan for user-defined patterns with GitHub Advanced Security to identify secrets, credentials and other sensitive information in your repositories (#270).
  • We have upgraded the GitHub Enterprise Server operating system to Debian 10 (codenamed Buster) (#324).
  • About the Author

    David Ramel is an editor and writer at Converge 360.

    comments powered by Disqus

    Featured

    • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

      The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

    • Diving Deep into .NET MAUI

      Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

    • Copilot AI Boosts Abound in New VS Code v1.96

      Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

    • AdaBoost Regression Using C#

      Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

    • Versioning and Documenting ASP.NET Core Services

      Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

    Subscribe on YouTube