News
New 'Security Manager' Role Leads GitHub Enterprise Server 3.3 Security Push
The new GitHub Enterprise Server 3.3 release focuses on security, with a new "security manager" role leading several changes made in the same of safety.
GitHub Enterprise Server is an organization's private, cloud-hosted or on-premises copy of the GitHub software development platform/code repository contained within a virtual appliance.
The security focus for v3.3 is nothing new, as GitHub Advanced Security was enhanced in this year's earlier release of v3.0, which was described by the Microsoft-owned company as "the biggest ever change to Enterprise Server."
For example, that February v3.0 release introduced code scanning. "It's a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production," GitHub said. "Powered by the world's most powerful code analysis engine, CodeQL, it automates security as an integral part of the developer workflow."
The v3.3 release improves other CodeQL functionality (part of Advanced Security) and also adds the security manager role in a beta program, which according to documentation "can give your security team the least access they need to your organization."
Concerning that "least access" functionality, the associated GitHub issue for the new role states: "This new role is intended to be used by members of a security team. It will remove the need for security team members to be organization owners, which is a common workaround but provides these team members with more permissions than they would like (such as the ability to delete any repository)."
In addition to being a beta offering, this feature is not available for organizations using legacy per-repository billing plans.
"Security manager is an organization-level role that organization owners can assign to any team in an organization," GitHub said. "When applied, it gives every member of the team permissions to manage security alerts and settings across your organization, as well as read permissions for all repositories in the organization."
Specifically, those permissions ("only the permissions required to effectively manage security") include:
- Read access on all repositories in the organization, in addition to any existing repository access
- Write access on all security alerts in the organization
- Access to the organization's security overview
- The ability to configure security settings at the organization level, including the ability to enable or disable GitHub Advanced Security
- The ability to configure security settings at the repository level, including the ability to enable or disable GitHub Advanced Security
Along with the security role being introduced in beta, another such early-look program is also related to security: Dependabot Security Updates, which maintain project security by opening pull requests that update all dependencies to non-vulnerable versions.
As far as the aforementioned CodeQL changes, GitHub explained more in a recap of November changes.
"CodeQL had a big month," it said. "To start, we've added support for more Python libraries and frameworks and more Java and JavaScript libraries and frameworks, which means that CodeQL code scanning can now detect more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. In fact, Java now covers more than three times the endpoints of previous CodeQL versions, and JavaScript analysis now supports most common templating languages.
"If you use CodeQL, you're likely familiar with the help text that displays in the code scanning UI when a default query generates an alert, which provides details about the problem. With the latest CodeQL CLI release, you can add P. These will be uploaded to GitHub and displayed in code scanning."
GitHub also touted many other security-related changes.
"The security conscious will also welcome the addition of the option to set an expiration date for personal access tokens, new and existing," GitHub said of last month's RC release."User renewals will be requested by email and can easily be regenerated with the same properties as the original. When using a personal access token with the GitHub API, a new GitHub-Authentication-Token-Expiration header is included in the response, which indicates the token's expiration date. For more information, see "Creating a personal access token" or check out the release notes for other security related changes."
The company also highlighted five other changes that don't pertain to security:
Get extra visual clarity with dark mode high contrast theme and other color enhancements to GitHub themes (#202).
Easier self-hosted runner auto-scaling with job lifecycle events and ephemeral (single job) runners (#165, #243).
Set expiration dates for Personal Access Tokens (PATs) to better scope token lifetimes and reduce risk (#219).
Scan for user-defined patterns with GitHub Advanced Security to identify secrets, credentials and other sensitive information in your repositories (#270).
We have upgraded the GitHub Enterprise Server operating system to Debian 10 (codenamed Buster) (#324).
About the Author
David Ramel is an editor and writer at Converge 360.