New 'Security Manager' Role Leads GitHub Enterprise Server 3.3 Security Push

The new GitHub Enterprise Server 3.3 release focuses on security, with a new "security manager" role leading several changes made in the name of safety.

GitHub Enterprise Server is an organization's private, cloud-hosted or on-premises copy of the GitHub software development platform/code repository contained within a virtual appliance.

The security focus for v3.3 is nothing new, as GitHub Advanced Security was enhanced in this year's earlier release of v3.0, which was described by the Microsoft-owned company as "the biggest ever change to Enterprise Server."

For example, that February v3.0 release introduced code scanning. "It's a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production," GitHub said. "Powered by the world's most powerful code analysis engine, CodeQL, it automates security as an integral part of the developer workflow."

The v3.3 release improves other CodeQL functionality (part of Advanced Security) and also adds the security manager role in a beta program, which according to documentation "can give your security team the least access they need to your organization."

Concerning that "least access" functionality, the associated GitHub issue for the new role states: "This new role is intended to be used by members of a security team. It will remove the need for security team members to be organization owners, which is a common workaround but provides these team members with more permissions than they would like (such as the ability to delete any repository)."

[Animated GIF] Choosing a Security Role in Animated Action (source: GitHub).

In addition to being a beta offering, this feature is not available for organizations using legacy per-repository billing plans.

"Security manager is an organization-level role that organization owners can assign to any team in an organization," GitHub said. "When applied, it gives every member of the team permissions to manage security alerts and settings across your organization, as well as read permissions for all repositories in the organization."

Specifically, those permissions ("only the permissions required to effectively manage security") include:

  • Read access on all repositories in the organization, in addition to any existing repository access
  • Write access on all security alerts in the organization
  • Access to the organization's security overview
  • The ability to configure security settings at the organization level, including the ability to enable or disable GitHub Advanced Security
  • The ability to configure security settings at the repository level, including the ability to enable or disable GitHub Advanced Security

Along with the security role being introduced in beta, another such early-look program is also related to security: Dependabot Security Updates, which maintain project security by opening pull requests that update all dependencies to non-vulnerable versions.

As far as the aforementioned CodeQL changes, GitHub explained more in a recap of November changes.

"CodeQL had a big month," it said. "To start, we've added support for more Python libraries and frameworks and more Java and JavaScript libraries and frameworks, which means that CodeQL code scanning can now detect more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks in which this data could end up. In fact, Java now covers more than three times the endpoints of previous CodeQL versions, and JavaScript analysis now supports most common templating languages.

"If you use CodeQL, you're likely familiar with the help text that displays in the code scanning UI when a default query generates an alert, which provides details about the problem. With the latest CodeQL CLI release, you can add P. These will be uploaded to GitHub and displayed in code scanning."

GitHub also touted many other security-related changes.

"The security conscious will also welcome the addition of the option to set an expiration date for personal access tokens, new and existing," GitHub said of last month's RC release. "User renewals will be requested by email and can easily be regenerated with the same properties as the original. When using a personal access token with the GitHub API, a new GitHub-Authentication-Token-Expiration header is included in the response, which indicates the token's expiration date. For more information, see "Creating a personal access token" or check out the release notes for other security related changes."
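As an added example (not from the article or from GitHub's own tooling), the script below reads the GitHub-Authentication-Token-Expiration header from an API response and flags tokens that are close to expiry, so a team can rotate a PAT before it silently stops working. The header's value format ("YYYY-MM-DD HH:MM:SS UTC"), the /user endpoint used for the probe and the GITHUB_TOKEN environment variable are assumptions.

```python
"""Report how long a GitHub personal access token (PAT) has left before it expires."""
import os
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

HEADER = "GitHub-Authentication-Token-Expiration"
WARN_WITHIN = timedelta(days=7)  # warn when the PAT expires within a week


def parse_expiration(headers):
    """Return the PAT expiry as an aware UTC datetime, or None if the header is absent."""
    raw = headers.get(HEADER)
    if not raw:
        return None  # non-expiring PAT, or a response without the header
    # Assumed value format, e.g. "2021-09-05 22:29:35 UTC"
    naive = datetime.strptime(raw.strip(), "%Y-%m-%d %H:%M:%S UTC")
    return naive.replace(tzinfo=timezone.utc)


def assess(expires_at, now=None):
    """Classify the token as 'no-expiry', 'expired', 'expiring-soon' or 'ok'."""
    if expires_at is None:
        return "no-expiry"
    now = now or datetime.now(timezone.utc)
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= WARN_WITHIN:
        return "expiring-soon"
    return "ok"


def check_token(token, api_base="https://api.github.com"):
    """Probe the API with the PAT and classify its expiry (needs network access).

    For GitHub Enterprise Server use api_base="https://HOSTNAME/api/v3".
    """
    req = urllib.request.Request(f"{api_base}/user", headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req) as resp:
        return assess(parse_expiration(resp.headers))  # header lookup is case-insensitive


if __name__ == "__main__":
    pat = os.environ.get("GITHUB_TOKEN")  # keep the PAT out of the script itself
    if not pat:
        sys.exit("set GITHUB_TOKEN to a personal access token first")
    print(check_token(pat))
```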

The company also highlighted five other changes that don't pertain to security:

  • Get extra visual clarity with dark mode high contrast theme and other color enhancements to GitHub themes (#202).
    [Animated GIF] Managing GitHub Themes in Animated Action (source: GitHub).
  • Easier self-hosted runner auto-scaling with job lifecycle events and ephemeral (single job) runners (#165, #243).
  • Set expiration dates for Personal Access Tokens (PATs) to better scope token lifetimes and reduce risk (#219).
  • Scan for user-defined patterns with GitHub Advanced Security to identify secrets, credentials and other sensitive information in your repositories (#270).
  • We have upgraded the GitHub Enterprise Server operating system to Debian 10 (codenamed Buster) (#324).
About the Author

    David Ramel is an editor and writer for Converge360.
