![[Valid RSS]](images/valid-rss-rogers.png "Valid RSS")
This is a valid RSS feed.
This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
line 33, column 0: (11 occurrences) [help]
<site xmlns="com-wordpress:feed-additions:1">153214340</site> <item>
line 47, column 0: (5 occurrences) [help]
<html><body><p>Imagine arriving at a conference and immediately feeling insp ...
line 47, column 0: (5 occurrences) [help]
<html><body><p>Imagine arriving at a conference and immediately feeling insp ...
line 52, column 0: (58 occurrences) [help]
<h2 id="universe-2024-where-innovation-meets-fun-food-and-connection-%f0%9f% ...
line 63, column 0: (3 occurrences) [help]
<div class="mod-vh position-relative" style="height: 0; padding-bottom: calc ...
line 64, column 0: (2 occurrences) [help]
<iframe loading="lazy" class="position-absolute top-0 left-0 width-full h ...
line 94, column 3: (58 occurrences) [help]
]]></content:encoded>
^
<td><em>Header image credit: <a href->Kingsley Mkpandiok</a></em></td>
<p><img fetchpriority="high" decoding="async" src="https://github.blog/wp-co ...
line 257, column 0: (40 occurrences) [help]
<p><img fetchpriority="high" decoding="async" src="https://github.blog/wp-co ...
line 257, column 0: (40 occurrences) [help]
<p><img fetchpriority="high" decoding="async" src="https://github.blog/wp-co ...
line 257, column 0: (40 occurrences) [help]
<p><img fetchpriority="high" decoding="async" src="https://github.blog/wp-co ...
line 265, column 0: (2 occurrences) [help]
<video class="wp-video-shortcode" id="video-77334-1" width="640" height="360 ...
line 265, column 0: (2 occurrences) [help]
<video class="wp-video-shortcode" id="video-77334-1" width="640" height="360 ...
line 305, column 0: (37 occurrences) [help]
<p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/ ...
line 409, column 0: (3 occurrences) [help]
<p><div class="content-button-wrap text-center"><a href="https://docs.github ...
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" > <channel> <title>The GitHub Blog</title> <atom:link href="https://github.blog/feed/" rel="self" type="application/rss+xml" /> <link>https://github.blog/</link> <description>Updates, ideas, and inspiration from GitHub to help developers build and design software.</description> <lastBuildDate>Tue, 16 Apr 2024 16:31:29 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod> hourly </sy:updatePeriod> <sy:updateFrequency> 1 </sy:updateFrequency> <generator>https://wordpress.org/?v=6.5.2</generator> <image> <url>https://github.blog/wp-content/uploads/2019/01/cropped-github-favicon-512.png?fit=32%2C32</url> <title>The GitHub Blog</title> <link>https://github.blog/</link> <width>32</width> <height>32</height></image> <site xmlns="com-wordpress:feed-additions:1">153214340</site> <item> <title>The world’s fair of software: Join us at GitHub Universe 2024</title> <link>https://github.blog/2024-04-16-the-worlds-fair-of-software-join-us-at-github-universe-2024/</link> <dc:creator><![CDATA[Jeimy Ruiz]]></dc:creator> <pubDate>Tue, 16 Apr 2024 16:00:39 +0000</pubDate> <category><![CDATA[Community]]></category> <category><![CDATA[GitHub Universe]]></category> <guid isPermaLink="false">https://github.blog/?p=77511</guid> <description><![CDATA[<p>It’s the 10th anniversary of our global developer event! Celebrate with us by picking up in-person tickets today. It’s bound to be our best one yet.</p><p>The post <a href="https://github.blog/2024-04-16-the-worlds-fair-of-software-join-us-at-github-universe-2024/">The world’s fair of software: Join us at GitHub Universe 2024</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"><html><body><p>Imagine arriving at a conference and immediately feeling inspired: your agenda is packed with must-see GitHub Copilot sessions, booths are filled with experts from top tech companies, and you’re surrounded by thousands of fellow developers and leaders who are eager to connect.</p><p>That is the experience we’re curating for the 10th anniversary of our global developer event. This year, we’re going bigger and better with a stunning new venue as the foundation. We hope you’ll join us at the Fort Mason Center for Arts & Culture on the San Francisco Bay, from October 29-30, or virtually from anywhere in the world.</p><p>As the world’s fair of software, GitHub Universe 2024 will be an unparalleled gathering of the brightest minds, companies, and innovators in the industry. With sessions diving into AI, the developer experience (DevEx), and security, attendees will have an opportunity to explore the latest products, best practices, and insights shaping the future of software development.</p><p>Ready to be a part of this milestone event with us? In-person tickets are currently 35% off with our Super Early Bird discount, only from now until July 8.</p><div class="content-button-wrap text-center"><a href="https://githubuniverse.com/?utm_source=Blog&utm_medium=GitHub&utm_campaign=universe-blog" target="_self" class="btn-mktg">Get tickets</a></div><h2 id="universe-2024-where-innovation-meets-fun-food-and-connection-%f0%9f%8e%a8" id="universe-2024-where-innovation-meets-fun-food-and-connection-%f0%9f%8e%a8" >Universe 2024: Where innovation meets fun, food, and connection 🎨<a href="#universe-2024-where-innovation-meets-fun-food-and-connection-%f0%9f%8e%a8" class="heading-link pl-2 text-italic text-bold" aria-label="Universe 2024: Where innovation meets fun, food, and connection 🎨"></a></h2><p>We take your experience as a Universe attendee very seriously. From the moment you step through the colorful gates right down to the beverages we serve, our 10th anniversary event will blow your expectations out of the water.</p><p>Spread across a sprawling 13-acre waterfront compound, Universe will unfold across seven buildings and various outdoor areas.</p><p class="purple-text text-gradient-purple-coral mt-6 mb-6">With five stages hosting more than 100 sessions and 150 speakers, alongside a record-breaking 3,500 attendees (that’s over 50% more in-person attendees than last year!), this will be our biggest Universe yet.</p><p>During breakfast and lunch, you’ll indulge in food trucks, snacks, and beverages—all included in the price of your in-person ticket. And don’t forget to explore the GitHub Shop for the latest Universe swag and join us for lively happy hours sponsored by our partners.</p><a href="https://github.blog/2024-04-16-the-worlds-fair-of-software-join-us-at-github-universe-2024/#gallery-77511-1-slideshow">Click to view slideshow.</a><h2 id="everything-youll-learn-at-our-global-developer-event-%f0%9f%a7%a0" id="everything-youll-learn-at-our-global-developer-event-%f0%9f%a7%a0" >Everything you’ll learn at our global developer event 🧠<a href="#everything-youll-learn-at-our-global-developer-event-%f0%9f%a7%a0" class="heading-link pl-2 text-italic text-bold" aria-label="Everything you’ll learn at our global developer event 🧠"></a></h2><p>Attending Universe is an investment in your business and your career. It’s easier than ever to be in charge of your growth with our beginner, intermediate, and advanced session topics curated to what developers and enterprises care about most.</p><p>As an in-person attendee, you’ll also be able to take advantage of two ticket add-ons: <a href="https://examregistration.github.com/faq">GitHub Certification testing</a> and workshops, available onsite! Take what you learn during your sessions and practice them IRL alongside your industry peers.</p><p>You can secure your spot for workshops and certifications when you purchase your in-person ticket. Don’t miss out—these opportunities will go fast!</p><p>If you’re interested in attending Universe as a speaker instead, now is your chance! The call for sessions (CFS) is now open. Learn about the super cool perks Universe speakers get and <a href="https://reg.githubuniverse.com/flow/github/universe24/cfs/page/cfslandingpage">submit a session proposal</a> by May 10 to be considered. (And yes, you’ll get a speaker honorarium to cover travel costs if selected!)</p><div class="mod-vh position-relative" style="height: 0; padding-bottom: calc((9 / 16)*100%);"> <iframe loading="lazy" class="position-absolute top-0 left-0 width-full height-full" src="https://www.youtube.com/embed/95_RpiysEXo?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent" title="YouTube video player" allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0"></iframe> </div><p>Here’s a sneak peek of the themes we have in store.</p><h3 id="ai-content-track-%f0%9f%a4%96" id="ai-content-track-%f0%9f%a4%96" >AI content track 🤖<a href="#ai-content-track-%f0%9f%a4%96" class="heading-link pl-2 text-italic text-bold" aria-label="AI content track 🤖"></a></h3><p><strong>This track will delve into:</strong></p><ul><li>The impact of AI on software development life cycles. </li><li>Practical uses like automating pull requests and using AI code generation tools like GitHub Copilot for onboarding and productivity gains. </li><li>Optimizing AI outputs, crafting AI policies, and fostering responsible AI deployment while evolving skill sets for success in the AI era.</li></ul><h3 id="devex-content-track-%e2%9a%99%ef%b8%8f" id="devex-content-track-%e2%9a%99%ef%b8%8f" >DevEx content track ⚙️<a href="#devex-content-track-%e2%9a%99%ef%b8%8f" class="heading-link pl-2 text-italic text-bold" aria-label="DevEx content track ⚙️"></a></h3><p><strong>Learn about the following within this track:</strong></p><ul><li>How the GitHub platform enhances platform engineering teams’ autonomy and efficiency.</li><li>The significance of investing in developer experience for fostering innovation and efficiency within organizations.</li><li>Strategies for effectively engaging with open source communities.</li></ul><h3 id="security-content-track-%f0%9f%94%90" id="security-content-track-%f0%9f%94%90" >Security content track 🔐<a href="#security-content-track-%f0%9f%94%90" class="heading-link pl-2 text-italic text-bold" aria-label="Security content track 🔐"></a></h3><p><strong>Come away from this track with a better understanding of:</strong></p><ul><li>Transforming application security with AI-powered vulnerability fixes.</li><li>How to delegate the task of prioritizing and fixing security debt to AI.</li><li>Leveraging open source to enhance code security while mitigating potential vulnerabilities. </li></ul><h2 id="will-you-celebrate-10-years-of-github-universe-with-us-%f0%9f%a4%97" id="will-you-celebrate-10-years-of-github-universe-with-us-%f0%9f%a4%97" >Will you celebrate 10 years of GitHub Universe with us? 🤗<a href="#will-you-celebrate-10-years-of-github-universe-with-us-%f0%9f%a4%97" class="heading-link pl-2 text-italic text-bold" aria-label="Will you celebrate 10 years of GitHub Universe with us? 🤗"></a></h2><p>Whether you’re a leader interested in connecting with and learning from other industry executives, a manager hoping to propel your team’s productivity to new heights, or a developer looking to acquire new skills and further your career, Universe has something for you.</p><div class="post-content-cta"><p>Are you in? <a href="https://githubuniverse.com/?utm_source=Blog&utm_medium=GitHub&utm_campaign=universe-blog">Get your in-person tickets</a> 35% off while supplies last, or join us virtually for free!</p></div></body></html><p>The post <a href="https://github.blog/2024-04-16-the-worlds-fair-of-software-join-us-at-github-universe-2024/">The world’s fair of software: Join us at GitHub Universe 2024</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77511</post-id> </item> <item> <title>All In Africa: New cohort now open!</title> <link>https://github.blog/2024-04-11-all-in-africa-new-cohort-now-open/</link> <dc:creator><![CDATA[Sarah Oyetubo]]></dc:creator> <pubDate>Thu, 11 Apr 2024 16:13:41 +0000</pubDate> <category><![CDATA[Community]]></category> <category><![CDATA[All In]]></category> <category><![CDATA[open source]]></category> <category><![CDATA[skilling]]></category> <category><![CDATA[social impact]]></category> <guid isPermaLink="false">https://github.blog/?p=77473</guid> <description><![CDATA[<p>As we’re opening up the doors to our final class of this programmatic year, we’re also looking back at our recent graduates and the partners that helped make them a success.</p><p>The post <a href="https://github.blog/2024-04-11-all-in-africa-new-cohort-now-open/">All In Africa: New cohort now open!</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"><html><body><div class="content-table-wrap"><table style="border: 1px black"><tbody><tr><td><em>Header image credit: <a href->Kingsley Mkpandiok</a></em></td></tr></tbody></table></div><p>Having equal opportunity to use and create technology is key to unlocking the potential of open source. At the heart of this is skilling—and that’s where GitHub’s All In program comes in. All In is a community dedicated to advancing diversity, equity, and inclusion within open source, which it achieves through close collaboration with corporate partners, industry leaders, researchers and foundations. This is broken down into two programs: <a href="https://github.blog/2023-10-12-ensuring-the-next-generation-of-open-source-leaders-are-truly-all-in/">All in for Students</a> and <a href="https://github.blog/2023-10-09-skilling-african-developers-through-all-in-africa/">All In Africa</a>. These programs meet open source contributors where they are, reaching people in various stages of their developer journey.</p><h2 id="congratulations-to-our-graduates" id="congratulations-to-our-graduates" >Congratulations to our graduates<a href="#congratulations-to-our-graduates" class="heading-link pl-2 text-italic text-bold" aria-label="Congratulations to our graduates"></a></h2><p>As we’re closing out our third year of programming, we are proud to present our latest graduates from the All In community. These graduates have shown a commitment to learning, a willingness to collaborate, and a passion for innovation that is truly inspiring. In the world of open source, we are constantly pushing boundaries, exploring new possibilities, and challenging the status quo. And our All In graduates have embraced this spirit wholeheartedly. As they move forward from this program, they have the skills, knowledge, and determination to make a difference, create change, and shape the future of technology. As our graduates reflect on this experience, here are a few things they had to say:</p><figure class="gh-full-blockquote mx-0 pl-6 mt-6 mt-md-7 mb-7 mb-md-8"><blockquote><p>This feels surreal—graduating from the first cohort of All in Africa last week, then my initial application for Outreachy program being approved this week. The All in Africa program has laid a good foundation for my journey in open source. Thanks to everyone who made this possible.</p></blockquote><figcaption class="text-mono color-fg-muted f5-mktg mt-3"> - Hamza Haji, All in Africa 2024 Graduate</figcaption></figure><figure class="gh-full-blockquote mx-0 pl-6 mt-6 mt-md-7 mb-7 mb-md-8"><blockquote><p>I have learnt to take opportunities more seriously. Many gems and resources have been dropped in all the video sessions we’ve had. I am no longer afraid of trying out new tech tools, whether it’s in my field or not. This program has been AWESOME.</p></blockquote><figcaption class="text-mono color-fg-muted f5-mktg mt-3"> - Ayomide Ogunlade, All in Africa 2024 Graduate</figcaption></figure><figure class="gh-full-blockquote mx-0 pl-6 mt-6 mt-md-7 mb-7 mb-md-8"><blockquote><p>All In Open Source definitely has helped me in unexpected ways. It helped me stay accountable with consistency, especially with the hackathons and modules spread across several months. And I remember going to an interactive workshop about interviews, and just being in that space helped me warm up for interviews I had the next day and the following day too. The peace of mind I got from that particular workshop helped me gain that bit of confidence for my interview at Fidelity Investments and ultimately, I did receive an offer from them!</p></blockquote><figcaption class="text-mono color-fg-muted f5-mktg mt-3"> - Ashley Hendrata, All In for Students 2024 Graduate</figcaption></figure><p>Congratulations to our graduates. The future is bright, and it is in your hands.</p><a href="https://github.blog/2024-04-11-all-in-africa-new-cohort-now-open/#gallery-77473-2-slideshow">Click to view slideshow.</a><h2 id="partnering-together-for-impact" id="partnering-together-for-impact" >Partnering together for impact<a href="#partnering-together-for-impact" class="heading-link pl-2 text-italic text-bold" aria-label="Partnering together for impact"></a></h2><p>Our partners provide support to participants every step of the way, helping ensure they go from successful students to accomplished graduates. This year was no exception. A special thanks to:</p><ul><li><strong><a href="https://www.cisco.com/">Cisco</a></strong> provided funding to ensure students had the resources and opportunities necessary to be successful. They’re helping us expand our offerings and improve our programming year after year. </li><li><strong><a href="https://www.develhope.co/en/">DevelHope</a></strong> ran a resume-building workshop, where they shared tips and suggestions on crafting a tech CV, looking for remote jobs, and acing technical interviews.</li><li><strong><a href="https://www.fidelity.com/">Fidelity Investments</a></strong> was a constant in the All In community this year due to their unwavering support in our programming. They hosted our second hackathon of the school year, served on our Careers In Tech panel, and provided students with internship opportunities. </li><li><strong><a href="https://mlh.io/">Major League Hacking (MLH)</a></strong> was critical to programming, providing the infrastructure and resources to ensure that our students had hands-on experiences with coding. They also helped students prepare for the next phase in their careers through Career Readiness Workshops. </li><li><strong><a href="https://www.onerefugee.org/">One Refugee</a></strong> was a new partner this year, and a natural fit as they support around 380 college students with refugee backgrounds in Utah and Idaho. We were able to connect our program offerings with their students, creating an even bigger impact.</li></ul><p>This year, we also had a new type of partnership launch: <a href="https://github.blog/2024-02-29-meet-kayla-a-college-student-and-open-source-ambassador/">All In for Students Ambassador Pilot program</a>. Four students from the inaugural class of the All In for Students cohort were paired with students whom they could work with on a smaller cohort level. Students were able to connect with their mentors weekly to answer questions about course material and open source in general. Having been through the program themselves, ambassadors could provide firsthand advice and guidance. A special thanks to this year’s ambassadors: <a href="https://github.com/Jerry0s">Jerry Ortega</a>, <a href="https://github.com/kaylapartee1">Kayla Partee</a>, <a href="https://github.com/Kwarner0126">Khalil Warner</a>, and <a href="https://github.com/zandondab">Bernard Zandonda</a>.</p><p>All In Africa is also supported by a network of regional ambassadors who bring a unique perspective and commitment to open source education. These community leaders have helped drive tailored networking opportunities such as mini meetups and virtual touchpoints, and have been points of contact for their respective areas. A big thank you to this year’s regional ambassadors: <a href="https://github.com/CatherineKiiru">Catherine Kiru</a>, <a href="https://github.com/antonio-pedro99">Antonio Pedro</a>, <a href="https://github.com/Kudzmat">Kudzayi Bamhare</a>, <a href="https://github.com/peculiaruc">Peculiar Umeh</a>, and <a href="https://github.com/romeoplat">Lomora Ronald</a>.</p><h2 id="whats-ahead" id="whats-ahead" >What’s ahead<a href="#whats-ahead" class="heading-link pl-2 text-italic text-bold" aria-label="What’s ahead"></a></h2><p>Do you see yourself helping shape the future of open source? Do you want to become part of a close-knit community of contributors with guidance from open source leaders and corporate partners? We have good news: enrollment for All in Africa is now open!</p><p><a href="https://forms.gle/u1HUXBEPWA6JAp3R7">Enroll here</a> or share this opportunity with eligible participants (must be based in Africa). Students will be accepted on a rolling basis, with a cap of 250 participants. If you’re interested in the <a href="https://allinopensource.org/access/students/">All In for Students program</a>, the next cohort will be launching in the coming months.</p><p>If you’re a company or organization interested in offering open source opportunities to All In participants, <a href="https://allinopensource.org/become-a-partner/">sign up</a> to become a partner or email <a href="mailto:info@allinopensource.org">info@allinopensource.org</a>.</p><p>Together, we can advance open source into a more diverse, equitable, and inclusive community. We can’t wait to see what this next generation of open source leaders will do!</p></body></html><p>The post <a href="https://github.blog/2024-04-11-all-in-africa-new-cohort-now-open/">All In Africa: New cohort now open!</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77473</post-id> </item> <item> <title>Helping policymakers weigh the benefits of open source AI</title> <link>https://github.blog/2024-04-10-helping-policymakers-weigh-the-benefits-of-open-source-ai/</link> <dc:creator><![CDATA[Peter Cihon]]></dc:creator> <pubDate>Wed, 10 Apr 2024 22:53:33 +0000</pubDate> <category><![CDATA[Policy]]></category> <category><![CDATA[open source]]></category> <guid isPermaLink="false">https://github.blog/?p=77448</guid> <description><![CDATA[<p>GitHub enables developer collaboration on innovative software projects, and we’re committed to ensuring policymakers understand developer needs when crafting AI regulation.</p><p>The post <a href="https://github.blog/2024-04-10-helping-policymakers-weigh-the-benefits-of-open-source-ai/">Helping policymakers weigh the benefits of open source AI</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<p>Policymakers are increasingly focusing on software components of AI systems, and how developers are making AI model weights available for downstream use. GitHub enables developer collaboration on innovative software projects, and we’re committed to ensuring policymakers understand developer needs when crafting AI regulation. We support AI governance that empowers developers to build more responsibly, securely, and effectively, to accelerate human progress.</p><p>GitHub submitted a filing in response to the U.S. NTIA’s <a href="https://www.commerce.gov/news/press-releases/2024/02/ntia-solicits-comments-open-weight-ai-models">request for comment</a> on the potential risks, benefits, and policy implications of widely available model weights<strong>–</strong>and of open source AI, which makes not only weights available to developers, but also code and other components under terms allowing developers to inspect, modify, (re)distribute, and use AI components for any purpose. <a href="https://github.blog/wp-content/uploads/2024/04/NTIA-Submission-2024.pdf">Our submission can be found here</a>, but there are a few important ideas we want to highlight.</p><p><strong>Open source AI presents clear benefits</strong></p><p>It is important to consider the myriad benefits of open source AI. Open source is a public good, designed for all to use: hobbyists, professional developers, companies, governments, and anyone looking to make an impact with code. The broadly available nature of open source has already generated tremendous value to society accelerating innovation, competition, and the wide use of software and AI across the global economy. Open source AI advances the responsible development of AI systems, use of AI in research across disciplines, developer education, and government capacity.</p><p><strong>Evaluation and regulation should prioritize AI systems–not models</strong></p><p>Evaluation and regulation are better focused on the full AI system and policies governing use, rather than subcomponents, including AI models. Policies that focus on restricting the model are likely to inhibit beneficial use more than prevent criminal abuse. It also risks missing the forest for the tree: orchestration and safety software included in AI systems can expand or constrain AI capabilities. Current evidence does not support government restrictions on sharing AI models. Policymakers should instead, irrespective of model type, <a href="https://github.blog/2023-07-26-how-to-get-ai-regulation-right-for-open-source/">prioritize AI regulation for high-risk AI systems</a> and prepare plans to address abuse by bad actors. Security through obscurity is not a winning strategy.</p><p><strong>The path to societal resilience is not open or closed</strong></p><p>Governments have an important role to play in steering the technological frontier and building societal resilience that allows us to seize the benefits enabled by AI while reducing its risks. From accelerating needed AI measurement science and safety research, to supporting public education and protective measures, civic institutions are well-positioned to usher in a new era of AI governed by our values. The open availability, diversity, and diffusion of AI models can support this societal resilience and flourishing. With this in mind, GitHub looks forward to continuing policy collaboration to accelerate human progress.</p><hr /><p><iframe style="width: 718px; height: 700px;" src="https://github.blog/wp-content/uploads/2024/04/NTIA-Submission-2024.pdf" frameborder="0"></iframe></p><p>The post <a href="https://github.blog/2024-04-10-helping-policymakers-weigh-the-benefits-of-open-source-ai/">Helping policymakers weigh the benefits of open source AI</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77448</post-id> </item> <item> <title>GitHub Availability Report: March 2024</title> <link>https://github.blog/2024-04-10-github-availability-report-march-2024/</link> <dc:creator><![CDATA[Jakub Oleksy]]></dc:creator> <pubDate>Wed, 10 Apr 2024 20:15:17 +0000</pubDate> <category><![CDATA[Engineering]]></category> <category><![CDATA[Enterprise]]></category> <category><![CDATA[GitHub Availability Report]]></category> <guid isPermaLink="false">https://github.blog/?p=77425</guid> <description><![CDATA[<p>In March, we experienced two incidents that resulted in degraded performance across GitHub services. </p><p>The post <a href="https://github.blog/2024-04-10-github-availability-report-march-2024/">GitHub Availability Report: March 2024</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<p>In March, we experienced two incidents that resulted in degraded performance across GitHub services.</p><p><strong>March 15 19:42 UTC (lasting 42 minutes)</strong></p><p>On March 15, GitHub experienced service degradation from 19:42 to 20:24 UTC due to a regression in the permissions system. This regression caused failures in GitHub Codespaces, GitHub Actions, and GitHub Pages. The problem stemmed from a framework upgrade that introduced MySQL query syntax that is incompatible with the database proxy service used in some production clusters. GitHub responded by rolling back the deployment and fixing a misconfiguration in development and CI environments to prevent similar issues in the future.</p><p><strong>March 11 22:45 UTC (lasting 2 hours and 3 minutes)</strong></p><p>On March 11, GitHub experienced service degradation from 22:45 to 00:48 UTC due to an inadvertent deployment of network configuration to the wrong environment. This led to intermittent errors in various services, including API requests, GitHub Copilot, GitHub secret scanning, and 2FA using GitHub Mobile. The issue was detected within 4 minutes, and a rollback was initiated immediately. The majority of impact was mitigated by 22:54 UTC. However, the rollback failed in one data center due to system-created configuration records missing a required field, causing 0.4% of requests to continue failing. Full rollback was successful after manual intervention to correct the configuration data, enabling full service restoration by 00:48 UTC. GitHub has implemented measures for safer configuration changes, such as prevention and automatic cleanup of obsolete configuration and faster issue detection, to prevent similar issues in the future.</p><hr /><p>Please follow our <a href="https://www.githubstatus.com/">status page</a> for real-time updates on status changes and post-incident recaps. To learn more about what we’re working on, check out the <a href="https://github.blog/category/engineering/">GitHub Engineering Blog</a>.</p><p>The post <a href="https://github.blog/2024-04-10-github-availability-report-march-2024/">GitHub Availability Report: March 2024</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77425</post-id> </item> <item> <title>4 ways GitHub engineers use GitHub Copilot</title> <link>https://github.blog/2024-04-09-4-ways-github-engineers-use-github-copilot/</link> <dc:creator><![CDATA[Holger Staudacher]]></dc:creator> <pubDate>Tue, 09 Apr 2024 19:00:02 +0000</pubDate> <category><![CDATA[Engineering]]></category> <category><![CDATA[AI Insights]]></category> <category><![CDATA[GitHub Copilot]]></category> <guid isPermaLink="false">https://github.blog/?p=77334</guid> <description><![CDATA[<p>GitHub Copilot increases efficiency for our engineers by allowing us to automate repetitive tasks, stay focused, and more.</p><p>The post <a href="https://github.blog/2024-04-09-4-ways-github-engineers-use-github-copilot/">4 ways GitHub engineers use GitHub Copilot</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<p>Just recently, I was coding a new feature for <a href="https://github.blog/2023-12-29-github-copilot-chat-now-generally-available-for-organizations-and-individuals/">GitHub Copilot Chat</a>. My task was to enable the chat to recognize a user’s project dependencies, allowing it to provide magical answers when the user poses a question. While I could have easily listed the project dependencies and considered the task complete, I knew that <a href="https://github.blog/2023-07-17-prompt-engineering-guide-generative-ai-llms/">to extract top-notch responses from these large language models</a>, I needed to be careful to not overload the prompt to avoid confusing the model by providing too much context. This meant pre-processing the dependency list and selecting the most relevant ones to include in the chat prompt.</p><p>Creating machine-processable formats for the most prominent frameworks across various programming languages would have consumed days. It was during this time that I experienced one of those “Copilot moments.”</p><p>I simply queried the chat in my IDE:</p><p><code>Look at the data structure I have selected and create at least 10 examples that conform to the data structure. The data should cover the most prominent frameworks for the Go programming language.</code></p><p><em>Voilà</em>, there it was my initial batch of machine-processable dependencies. Just 30 minutes later, I had amassed a comprehensive collection of significant dependencies for nearly all supported languages, complete with parameterized unit tests. Completing a task that would likely have taken days without GitHub Copilot, in just 30 minutes, was truly remarkable.</p><p>This led me to ponder: what other “Copilot moments” might my colleagues here at GitHub have experienced? Thus, here are a few ways we use GitHub Copilot at GitHub.</p><h2 id="1-semi-automating-repetitive-tasks">1. Semi-automating repetitive tasks<a href="#1-semi-automating-repetitive-tasks" class="heading-link pl-2 text-italic text-bold" aria-label="1. Semi-automating repetitive tasks"></a></h2><p>Semi-automating repetitive tasks is a topic that resonates with a colleague of mine from another team. He mentions that they are tasked with developing and maintaining several live services, many of which utilize protocol buffers for data communication. During maintenance, they often encounter a situation where they need to increment ID numbers in the protobuf definitions, as illustrated in the code snippet below:</p><pre><code>protobuf google.protobuf.StringValue fetcher = 130 [(opts.cts_opt)={src:"Properties" key:"fetcher"}]; google.protobuf.StringValue proxy_enabled = 131 [(opts.cts_opt)={src:"Properties" key:"proxy_enabled"}]; google.protobuf.StringValue proxy_auth = 132 [(opts.cts_opt)={src:"Properties" key:"proxy_auth"}];</code></pre><p>He particularly appreciates having GitHub Copilot completions in the editor for these tasks. It serves as a significant time saver, eliminating the need to manually generate ID numbers. Instead, one can simply tab through the completion suggestions until the task is complete.</p><h2 id="2-avoid-getting-side-tracked">2. Avoid getting side tracked<a href="#2-avoid-getting-side-tracked" class="heading-link pl-2 text-italic text-bold" aria-label="2. Avoid getting side tracked"></a></h2><p>Here’s another intriguing use case I heard about from a colleague. He needed to devise a regular expression to capture a Markdown code block and extract the language identifier. Fully immersed in his work, he preferred not to interrupt his flow by switching to chat, even though it could have provided a solution. Instead, he employed a creative approach by formalizing his task in a code comment:</p><pre><code>// The string above contains a code block with a language identifier.// Create a regexp that matches the code block and captures the language identifier.// Use tagged capture groups for the language and the code. </code></pre><p>This prompted GitHub Copilot to generate the regular expression as the subsequent statement in his editor:</p><p><code>const re = /```(?<lang>\w+)(?<code>[\s\S]+?)```/;</code></p><p>With the comment deleted, the task was swiftly accomplished!</p><p><img fetchpriority="high" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/GitHub-engineers-use-GitHub-Copilot-Use-2.png?resize=1024%2C206" alt="Screenshot of GitHub engineer prompting GitHub Copilot, and GItHub Copilot returning a useful response " width="1024" height="206" class="alignnone size-full wp-image-77348 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/GitHub-engineers-use-GitHub-Copilot-Use-2.png?resize=1024%2C206?w=1152 1152w, https://github.blog/wp-content/uploads/2024/04/GitHub-engineers-use-GitHub-Copilot-Use-2.png?resize=1024%2C206?w=300 300w, https://github.blog/wp-content/uploads/2024/04/GitHub-engineers-use-GitHub-Copilot-Use-2.png?resize=1024%2C206?w=768 768w, https://github.blog/wp-content/uploads/2024/04/GitHub-engineers-use-GitHub-Copilot-Use-2.png?resize=1024%2C206?w=1024 1024w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><h2 id="3-structuring-data-related-notes">3. Structuring data-related notes<a href="#3-structuring-data-related-notes" class="heading-link pl-2 text-italic text-bold" aria-label="3. Structuring data-related notes"></a></h2><p>During a pleasant coffee chat, one of our support engineers shared an incident she experienced with a colleague last week. It was a Friday afternoon, and they were attempting to troubleshoot an issue for a specific customer. Eventually, they pinpointed the solution by creating various notes in VSCode. At GitHub, we prioritize remote collaboration. Thus, merely resolving the task wasn’t sufficient; it was also essential to inform our colleagues about the process to ensure the best possible experience for future customer requests. Consequently, even after completing this exhaustive task, they needed to document how they arrived at the solution.</p><p>She initiated GitHub Copilot Chat and simply typed something along the lines of, “Organize my notes, structure them, and compile the data in the editor into Markdown tables.” Within seconds, the task was completed, allowing them to commence their well-deserved weekend.</p><h2 id="4-exploring-and-learning">4. Exploring and learning<a href="#4-exploring-and-learning" class="heading-link pl-2 text-italic text-bold" aria-label="4. Exploring and learning"></a></h2><p>Enhancing and acquiring new skills are integral aspects of every engineer’s journey. <a href="https://github.com/jnbrymn">John Berryman</a>, a colleague of mine, undertook the challenge of leveraging GitHub Copilot to tackle a non-trivial coding task in a completely unfamiliar programming language. His goal was to delve into Rust, so on a Sunday, he embarked on this endeavor with the assistance of GitHub Copilot Chat. The task he set out to accomplish was to develop a program capable of converting any numerical input into its written English equivalent. While initially seeming straightforward, this task presented various complexities such as handling <code>teen</code> numbers, naming conventions for tens, placement of “and” in the output, and more.</p><p>Twenty-three minutes and nine seconds later, he successfully produced a functional version written in Rust, despite having no prior experience with the language. Notably, he documented his entire process, recording himself throughout the endeavor.</p><div style="width: 640px;" class="wp-video"><!--[if lt IE 9]><script>document.createElement('video');</script><![endif]--><video class="wp-video-shortcode" id="video-77334-1" width="640" height="360" preload="metadata" controls="controls"><source type="video/mp4" src="https://github.blog/wp-content/uploads/2024/04/rust_from_scratch_720-1.mp4?_=1" /><a href="https://github.blog/wp-content/uploads/2024/04/rust_from_scratch_720-1.mp4">https://github.blog/wp-content/uploads/2024/04/rust_from_scratch_720-1.mp4</a></video></div><div class="chapter" style="max-width: 700px;margin: auto"><div class="wp-caption aligncenter"><div class="wp-caption-text"><em>Berryman uses an older, experimental version of GitHub Copilot to write a program in Rust.</em></div></div></div><h2 id="your-very-own-github-copilot-moment">Your very own GitHub Copilot moment<a href="#your-very-own-github-copilot-moment" class="heading-link pl-2 text-italic text-bold" aria-label="Your very own GitHub Copilot moment"></a></h2><p>I found it incredibly enlightening to discover how my fellow Hubbers utilize GitHub Copilot, and their innovative approaches inspired me to incorporate some of their ideas into my daily workflows. If you’re eager to explore GitHub Copilot firsthand, <a href="https://github.com/features/copilot">getting started</a> is a breeze. Simply install it into your preferred editor and ask away.</p><p>The post <a href="https://github.blog/2024-04-09-4-ways-github-engineers-use-github-copilot/">4 ways GitHub engineers use GitHub Copilot</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77334</post-id> </item> <item> <title>Explore the seasons of software development with four full years of data</title> <link>https://github.blog/2024-04-09-explore-the-seasons-of-software-development-with-four-full-years-of-data/</link> <dc:creator><![CDATA[Kevin Xu]]></dc:creator> <pubDate>Tue, 09 Apr 2024 15:00:38 +0000</pubDate> <category><![CDATA[Policy]]></category> <category><![CDATA[Innovation Graph]]></category> <category><![CDATA[open source]]></category> <guid isPermaLink="false">https://github.blog/?p=77332</guid> <description><![CDATA[<p>Discover the latest trends and insights on public software development activity on GitHub with the release of Q4 2023 data for the Innovation Graph.</p><p>The post <a href="https://github.blog/2024-04-09-explore-the-seasons-of-software-development-with-four-full-years-of-data/">Explore the seasons of software development with four full years of data</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<p>With today’s Q4 2023 data release, the GitHub Innovation Graph now offers four full years of data on eight metrics–Git pushes, repositories, developers, organizations, programming languages, licenses, topics, and economy collaborators. We’ve also made some clarifying updates in response to community feedback we’ve heard since we launched. But first, let’s briefly bask in the glory of having four full years of quarterly data to explore by taking a quick look at some of the seasonal patterns that show up in the data.</p><p>Long-time visitors of the GitHub Innovation Graph will, of course, remember that the “hacktoberfest” topic prominently exhibits seasonal variation:</p><p><strong>Rank of topics globally</strong><br /><img decoding="async" src="https://github.blog/wp-content/uploads/2024/04/hacktoberfest.png?resize=1024%2C307" alt="A line chart of the ranking of the "hacktoberfest" topic over time, showing that the topic spikes upward in popularity in Q4 of each year, but declines in other quarters." width="1024" height="307" class="alignnone size-full wp-image-77333 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/hacktoberfest.png?resize=1024%2C307?w=2844 2844w, https://github.blog/wp-content/uploads/2024/04/hacktoberfest.png?resize=1024%2C307?w=300 300w, https://github.blog/wp-content/uploads/2024/04/hacktoberfest.png?resize=1024%2C307?w=768 768w, https://github.blog/wp-content/uploads/2024/04/hacktoberfest.png?resize=1024%2C307?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/hacktoberfest.png?resize=1024%2C307?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/hacktoberfest.png?resize=1024%2C307?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>With the benefit of another full year of data, we’d like to highlight another popular cyclical developer pastime that might have flown under the radar for those who haven’t explored the underlying dataset files, as its lower ranking prevents it from appearing in our site’s summary charts: <a href="https://adventofcode.com/">Advent of Code</a>.</p><p><strong>Pushers and rank for the “advent-of-code” topic</strong></p><p><img decoding="async" src="https://github.blog/wp-content/uploads/2024/04/advent_of_code.png?w=1024&resize=1024%2C765" alt="Two line charts of the ranking and number of pushers for the "advent-of-code" topic over time, showing that the topic spikes upward in popularity in Q4 of each year, but declines in other quarters, with some quarters missing values because there was insufficient activity volume to satisfy the minimum reporting threshold." width="1024" height="765" class="alignnone size-large wp-image-77335 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/advent_of_code.png?w=1900 1900w, https://github.blog/wp-content/uploads/2024/04/advent_of_code.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/advent_of_code.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/advent_of_code.png?w=1024&resize=1024%2C765 1024w, https://github.blog/wp-content/uploads/2024/04/advent_of_code.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><em>Dotted lines indicate where there are gaps between quarterly data points due to the activity not meeting our <a href="https://github.com/github/innovationgraph/blob/main/docs/datasheet.md#10-considerations-taken-for-responsible-and-ethical-data-collection">minimum threshold for reporting</a>.</em></p><p><a href="https://en.wikipedia.org/wiki/Advent_of_Code">Advent of Code</a> is an annual event founded and run by <a href="https://github.com/topaz">Eric Wastl</a>, where participants solve daily coding challenges from December 1 to December 25. Often, developers participate in Advent of Code as a reason to try learning a language they’re less familiar with, sometimes with the encouragement of <a href="https://community.sap.com/t5/welcome-corner-blog-posts/24-days-of-sap-community-door-09-advent-of-code/ba-p/13568271">developer advocate programs</a>. We can see this trend emerge in the following plots based on the Innovation Graph’s <a href="https://github.com/github/innovationgraph/blob/main/data/languages.csv">programming languages dataset</a>:</p><p><strong>Pushers and rank for the <a href="https://en.wikipedia.org/wiki/COBOL">COBOL programming language</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/cobol.png?resize=1024%2C762" alt="Two line charts of the ranking and number of pushers for the COBOL programming language over time, showing that the language spikes upward in popularity in Q4 of each year." width="1024" height="762" class="alignnone size-full wp-image-77338 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/cobol.png?resize=1024%2C762?w=2344 2344w, https://github.blog/wp-content/uploads/2024/04/cobol.png?resize=1024%2C762?w=300 300w, https://github.blog/wp-content/uploads/2024/04/cobol.png?resize=1024%2C762?w=768 768w, https://github.blog/wp-content/uploads/2024/04/cobol.png?resize=1024%2C762?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/cobol.png?resize=1024%2C762?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/cobol.png?resize=1024%2C762?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>In case you missed it, these are the developers who, with the help of AI, will save us from the <a href="https://fortune.com/2023/09/26/github-ceo-wall-street-relies-software-developed-ai-next-financial-crisis-thomas-dohmke/">next financial crisis</a>.</p><p><strong>Pushers and rank for the <a href="https://en.wikipedia.org/wiki/Julia_(programming_language)">Julia programming language</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/julia.png?w=1024&resize=1024%2C763" alt="Two line charts of the ranking and number of pushers for the Julia programming language over time, showing that the language spikes upward in popularity in Q4 of each year." width="1024" height="763" class="alignnone size-large wp-image-77339 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/julia.png?w=2348 2348w, https://github.blog/wp-content/uploads/2024/04/julia.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/julia.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/julia.png?w=1024&resize=1024%2C763 1024w, https://github.blog/wp-content/uploads/2024/04/julia.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/julia.png?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><strong>Pushers and rank for the <a href="https://en.wikipedia.org/wiki/ABAP">ABAP programming language</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/abap.png?resize=1024%2C768" alt="Two line charts of the ranking and number of pushers for the ABAP programming language over time, showing that the language spikes upward in popularity in Q4 of each year." width="1024" height="768" class="alignnone size-full wp-image-77341 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/abap.png?resize=1024%2C768?w=2330 2330w, https://github.blog/wp-content/uploads/2024/04/abap.png?resize=1024%2C768?w=300 300w, https://github.blog/wp-content/uploads/2024/04/abap.png?resize=1024%2C768?w=768 768w, https://github.blog/wp-content/uploads/2024/04/abap.png?resize=1024%2C768?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/abap.png?resize=1024%2C768?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/abap.png?resize=1024%2C768?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><strong>Pushers and rank for the <a href="https://en.wikipedia.org/wiki/Elm_(programming_language)">Elm programming language</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/elm.png?w=1024&resize=1024%2C763" alt="Two line charts of the ranking and number of pushers for the Elm programming language over time, showing that the language spikes upward in popularity in Q4 of each year." width="1024" height="763" class="alignnone size-large wp-image-77342 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/elm.png?w=2342 2342w, https://github.blog/wp-content/uploads/2024/04/elm.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/elm.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/elm.png?w=1024&resize=1024%2C763 1024w, https://github.blog/wp-content/uploads/2024/04/elm.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/elm.png?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><strong>Pushers and rank for the <a href="https://en.wikipedia.org/wiki/Erlang_(programming_language)">Erlang programming language</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/erlang.png?resize=1024%2C761" alt="Two line charts of the ranking and number of pushers for the Erlang programming language over time, showing that the language spikes upward in popularity in Q4 of each year." width="1024" height="761" class="alignnone size-full wp-image-77344 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/erlang.png?resize=1024%2C761?w=2344 2344w, https://github.blog/wp-content/uploads/2024/04/erlang.png?resize=1024%2C761?w=300 300w, https://github.blog/wp-content/uploads/2024/04/erlang.png?resize=1024%2C761?w=768 768w, https://github.blog/wp-content/uploads/2024/04/erlang.png?resize=1024%2C761?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/erlang.png?resize=1024%2C761?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/erlang.png?resize=1024%2C761?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><strong>Pushers and rank for the <a href="https://en.wikipedia.org/wiki/Processing">Processing programming language</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/processing.png?resize=1024%2C764" alt="Two line charts of the ranking and number of pushers for the Processing programming language over time, showing that the language spikes upward in popularity in Q4 of each year." width="1024" height="764" class="alignnone size-full wp-image-77346 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/processing.png?resize=1024%2C764?w=2340 2340w, https://github.blog/wp-content/uploads/2024/04/processing.png?resize=1024%2C764?w=300 300w, https://github.blog/wp-content/uploads/2024/04/processing.png?resize=1024%2C764?w=768 768w, https://github.blog/wp-content/uploads/2024/04/processing.png?resize=1024%2C764?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/processing.png?resize=1024%2C764?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/processing.png?resize=1024%2C764?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><strong>Pushers and rank for the <a href="https://en.wikipedia.org/wiki/Brainfuck">Brainf*ck programming language</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/brainfck.png?resize=1024%2C766" alt="Two line charts of the ranking and number of pushers for the Brainf*ck programming language over time, showing that the language spikes upward in popularity in Q4 of each year." width="1024" height="766" class="alignnone size-full wp-image-77347 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/brainfck.png?resize=1024%2C766?w=2334 2334w, https://github.blog/wp-content/uploads/2024/04/brainfck.png?resize=1024%2C766?w=300 300w, https://github.blog/wp-content/uploads/2024/04/brainfck.png?resize=1024%2C766?w=768 768w, https://github.blog/wp-content/uploads/2024/04/brainfck.png?resize=1024%2C766?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/brainfck.png?resize=1024%2C766?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/brainfck.png?resize=1024%2C766?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><strong>Pushers and rank for <a href="https://en.wikipedia.org/wiki/LOLCODE">LOLCODE programming language</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/lolcode.png?resize=1024%2C757" alt="Two line charts of the ranking and number of pushers for the LOLCODE programming language over time, showing that the language spikes upward in popularity in Q4 of each year." width="1024" height="757" class="alignnone size-full wp-image-77349 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/lolcode.png?resize=1024%2C757?w=2348 2348w, https://github.blog/wp-content/uploads/2024/04/lolcode.png?resize=1024%2C757?w=300 300w, https://github.blog/wp-content/uploads/2024/04/lolcode.png?resize=1024%2C757?w=768 768w, https://github.blog/wp-content/uploads/2024/04/lolcode.png?resize=1024%2C757?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/lolcode.png?resize=1024%2C757?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/lolcode.png?resize=1024%2C757?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><em>Dotted lines indicate where there are gaps between quarterly data points due to the activity not meeting our <a href="https://github.com/github/innovationgraph/blob/main/docs/datasheet.md#10-considerations-taken-for-responsible-and-ethical-data-collection">minimum threshold for reporting</a>.</em></p><p>Sometimes, it’s also interesting to see when cycles are broken, which we’re seeing with the steady rise of documentation:</p><p><strong><a href="https://innovationgraph.github.com/global-metrics/topics">Global ranking of the “documentation” topic</a></strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/documentation.png?resize=1024%2C515" alt="A line chart of the ranking of the "documentation" topic over time, showing that the topic periodically oscillates in popularity from Q1 2020 until Q1 2023, at which point it appears to just continually rise in rank." width="1024" height="515" class="alignnone size-full wp-image-77351 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/documentation.png?resize=1024%2C515?w=2802 2802w, https://github.blog/wp-content/uploads/2024/04/documentation.png?resize=1024%2C515?w=300 300w, https://github.blog/wp-content/uploads/2024/04/documentation.png?resize=1024%2C515?w=768 768w, https://github.blog/wp-content/uploads/2024/04/documentation.png?resize=1024%2C515?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/documentation.png?resize=1024%2C515?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/documentation.png?resize=1024%2C515?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>The seasonal variation in the “documentation” topic from Q1 2020 through Q4 2022 might be related to <a href="https://developers.google.com/season-of-docs">Google Season of Docs</a>, a program to help open source projects with documentation, which has been operating since at least <a href="https://developers.google.com/season-of-docs/docs/2019/timeline">2019</a>. However, we didn’t see the usual cyclical dip of the “documentation” topic during 2023, which might be explained by the release of chat-based generative AI interfaces like <a href="https://openai.com/blog/chatgpt">ChatGPT in November 2022</a> and several similar products shortly afterwards, including <a href="https://github.blog/2023-03-22-github-copilot-x-the-ai-powered-developer-experience/">GitHub Copilot Chat in March 2023</a>. While we recognize that it’s not a panacea, perhaps generative AI technologies are helping to reduce the friction around writing documentation to enable maintainers and contributors to update project documentation more widely and frequently.</p><h3 id="programming-languages-and-github-profile-readme-configuration-topics-are-now-excluded-from-the-topics-bump-charts">Programming languages and GitHub profile README configuration topics are now excluded from the Topics bump charts<a href="#programming-languages-and-github-profile-readme-configuration-topics-are-now-excluded-from-the-topics-bump-charts" class="heading-link pl-2 text-italic text-bold" aria-label="Programming languages and GitHub profile README configuration topics are now excluded from the Topics bump charts"></a></h3><p>In terms of changes to the graph’s functionality, the Topics bump charts on the <a href="https://innovationgraph.github.com/global-metrics/topics">global metric page</a> and individual economy pages no longer display programming languages or topics related to <a href="https://docs.github.com/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/managing-your-profile-readme">GitHub profile README configuration</a> (“config” and “github-config”). As you can tell from the preceding sentence and heading, we have no qualms against repeating largely the same information multiple times. However, our repetition in including programming language-related topics in the Topics bump charts (despite the Innovation Graph also having dedicated <a href="https://innovationgraph.github.com/global-metrics/programming-languages">Programming Languages bump charts</a>) had the unfortunate effect of taking up so much space in the chart that it prevented users from noticing interesting movements of other topics (including those of <strong><a href="https://en.wikipedia.org/wiki/Advent_of_Code">advent-of-code</a></strong>!). Additionally, we figured that few readers outside of the GitHub teams responsible for the feature would be interested in the adoption of GitHub profile README configuration files, so we’ve excluded those from rendering, too.</p><p><strong>Before:</strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/topics_before.png?resize=1024%2C408" alt="A line plot of the rankings of topics over time, where the majority of the topics shown are programming languages, such as "python," "javascript," and "java."" width="1024" height="408" class="alignnone size-full wp-image-77352 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/topics_before.png?resize=1024%2C408?w=2754 2754w, https://github.blog/wp-content/uploads/2024/04/topics_before.png?resize=1024%2C408?w=300 300w, https://github.blog/wp-content/uploads/2024/04/topics_before.png?resize=1024%2C408?w=768 768w, https://github.blog/wp-content/uploads/2024/04/topics_before.png?resize=1024%2C408?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/topics_before.png?resize=1024%2C408?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/topics_before.png?resize=1024%2C408?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><strong>After:</strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/topics_after.png?resize=1024%2C405" alt="A line plot of the rankings of topics over time, where the topics shown are not programming languages, because they have been excluded from the chart. Instead, the topics are relate to non-language subject matter, such as "machine-learning," "tailwindcss," and "linux."" width="1024" height="405" class="alignnone size-full wp-image-77353 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/topics_after.png?resize=1024%2C405?w=2740 2740w, https://github.blog/wp-content/uploads/2024/04/topics_after.png?resize=1024%2C405?w=300 300w, https://github.blog/wp-content/uploads/2024/04/topics_after.png?resize=1024%2C405?w=768 768w, https://github.blog/wp-content/uploads/2024/04/topics_after.png?resize=1024%2C405?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/topics_after.png?resize=1024%2C405?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/topics_after.png?resize=1024%2C405?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><h3 id="noassertion-changed-to-other-in-the-licenses-bump-charts">NOASSERTION changed to “Other” in the Licenses bump charts<a href="#noassertion-changed-to-other-in-the-licenses-bump-charts" class="heading-link pl-2 text-italic text-bold" aria-label="NOASSERTION changed to “Other” in the Licenses bump charts"></a></h3><p>As noted in <a href="https://github.com/github/innovationgraph/issues/2">feedback</a> we received shortly after the launch of the Innovation Graph, the <a href="https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field">NOASSERTION</a> classification is likely confusing to most Innovation Graph visitors, so we’ve updated the rendering on the bump charts to display “Other” instead.</p><p><strong>Before:</strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/licenses_before.png?resize=1024%2C502" alt="A line chart showing the rankings of licenses over time, focusing on the cryptic "NOASSERTION" license." width="1024" height="502" class="alignnone size-full wp-image-77354 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/licenses_before.png?resize=1024%2C502?w=1408 1408w, https://github.blog/wp-content/uploads/2024/04/licenses_before.png?resize=1024%2C502?w=300 300w, https://github.blog/wp-content/uploads/2024/04/licenses_before.png?resize=1024%2C502?w=768 768w, https://github.blog/wp-content/uploads/2024/04/licenses_before.png?resize=1024%2C502?w=1024 1024w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p><strong>After:</strong></p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/licenses_after.png?resize=1024%2C532" alt="A line chart showing the rankings of licenses over time, where the cryptic "NOASSERTION" license is instead rendered as "Other" -- a more meaningful term for most visitors of the Innovation Graph." width="1024" height="532" class="alignnone size-full wp-image-77355 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/licenses_after.png?resize=1024%2C532?w=1412 1412w, https://github.blog/wp-content/uploads/2024/04/licenses_after.png?resize=1024%2C532?w=300 300w, https://github.blog/wp-content/uploads/2024/04/licenses_after.png?resize=1024%2C532?w=768 768w, https://github.blog/wp-content/uploads/2024/04/licenses_after.png?resize=1024%2C532?w=1024 1024w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><h3 id="clarification-the-repositories-developers-and-organizations-metrics-include-inactive-entities">Clarification: the repositories, developers, and organizations metrics include “inactive” entities<a href="#clarification-the-repositories-developers-and-organizations-metrics-include-inactive-entities" class="heading-link pl-2 text-italic text-bold" aria-label="Clarification: the repositories, developers, and organizations metrics include “inactive” entities"></a></h3><p>We’ve also added an explanatory note for the repositories, developers, and organizations metrics to highlight that these counts include inactive entities (for example, not just users who were active during a given quarter).</p><p>So, there you have it. We’ve now got four full years of data to explore. Countless more stories no doubt abound within the <a href="https://github.com/github/innovationgraph">data</a>, so don’t wait–<a href="https://docs.github.com/codespaces/developing-in-a-codespace/getting-started-with-github-codespaces-for-machine-learning">spin up a Jupyter Notebook via GitHub Codespaces</a>, ask <a href="https://support.microsoft.com/en-us/office/get-started-with-copilot-in-excel-d7110502-0334-4b4f-a175-a73abdfc118a">Microsoft 365 Copilot in Excel</a>, or use any of the <a href="https://github.com/topics/data-analysis">vast array of open source data analysis tools</a> out there to explore the files, and we can’t wait to see what you discover.</p><p>The post <a href="https://github.blog/2024-04-09-explore-the-seasons-of-software-development-with-four-full-years-of-data/">Explore the seasons of software development with four full years of data</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77332</post-id> </item> <item> <title>What is retrieval-augmented generation, and what does it do for generative AI?</title> <link>https://github.blog/2024-04-04-what-is-retrieval-augmented-generation-and-what-does-it-do-for-generative-ai/</link> <dc:creator><![CDATA[Nicole Choi]]></dc:creator> <pubDate>Thu, 04 Apr 2024 16:00:07 +0000</pubDate> <category><![CDATA[Engineering]]></category> <category><![CDATA[AI Insights]]></category> <category><![CDATA[generative AI]]></category> <category><![CDATA[GitHub Copilot Enterprise]]></category> <guid isPermaLink="false">https://github.blog/?p=77268</guid> <description><![CDATA[<p>Here’s how retrieval-augmented generation, or RAG, uses a variety of data sources to keep AI models fresh with up-to-date information and organizational knowledge.</p><p>The post <a href="https://github.blog/2024-04-04-what-is-retrieval-augmented-generation-and-what-does-it-do-for-generative-ai/">What is retrieval-augmented generation, and what does it do for generative AI?</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<p>One of the hottest topics in AI right now is <strong>RAG, or retrieval-augmented generation</strong>, which is a retrieval method used by some AI tools to improve the quality and relevance of their outputs.</p><p><strong>Organizations want AI tools that use RAG</strong> because it makes those tools aware of proprietary data without the effort and expense of custom model training. RAG also keeps models up to date. When generating an answer without RAG, models can only draw upon data that existed when they were trained. With RAG, on the other hand, models can leverage a private database of newer information for more informed responses.</p><p>We talked to <a href="https://githubnext.com/">GitHub Next</a>’s Senior Director of Research, <a href="https://github.com/idan">Idan Gazit</a>, and Software Engineer, <a href="https://github.com/colin353">Colin Merkel</a>, to learn more about RAG and how it’s used in generative AI tools.</p><h2 id="why-everyones-talking-about-rag">Why everyone’s talking about RAG<a href="#why-everyones-talking-about-rag" class="heading-link pl-2 text-italic text-bold" aria-label="Why everyone’s talking about RAG"></a></h2><p>One of the reasons you should always verify outputs from a generative AI tool is because its training data <strong>has a knowledge cut-off date</strong>. While models are able to produce outputs that are tailored to a request, they can only reference information that existed at the time of their training. But with RAG, an AI tool can use data sources beyond its model’s training data to generate an output.</p><h3 id="the-difference-between-rag-and-fine-tuning">The difference between RAG and fine-tuning<a href="#the-difference-between-rag-and-fine-tuning" class="heading-link pl-2 text-italic text-bold" aria-label="The difference between RAG and fine-tuning"></a></h3><p>Most organizations currently don’t train their own AI models. Instead, they customize pre-trained models to their specific needs, often using RAG or <a href="https://github.blog/2024-02-28-customizing-and-fine-tuning-llms-what-you-need-to-know/#fine-tuning">fine-tuning</a>. Here’s a quick breakdown of how these two strategies differ.</p><p><strong>Fine-tuning</strong> requires adjusting a model’s weights, which results in a highly customized model that excels at a specific task. It’s a good option for organizations that rely on codebases written in a specialized language, especially if the language isn’t well-represented in the model’s original training data.</p><p><strong>RAG</strong>, on the other hand, doesn’t require weight adjustment. Instead, it retrieves and gathers information from a variety of data sources to augment a prompt, which results in an AI model generating a more contextually relevant response for the end user.</p><p>Some organizations start with RAG and then fine-tune their models to accomplish a more specific task. Other organizations find that RAG is a sufficient method for AI customization alone.</p><h2 id="how-ai-models-use-context">How AI models use context<a href="#how-ai-models-use-context" class="heading-link pl-2 text-italic text-bold" aria-label="How AI models use context"></a></h2><p>In order for an AI tool to generate helpful responses, it <a href="https://github.blog/2023-04-14-how-generative-ai-is-changing-the-way-developers-work/">needs the right context</a>. This is the same dilemma we face as humans when making a decision or solving a problem. It’s hard to do when you don’t have the right information to act on.</p><p>So, let’s talk more about context in the context (<img src="https://s.w.org/images/core/emoji/15.0.3/72x72/1f609.png" alt="😉" class="wp-smiley" style="height: 1em; max-height: 1em;" />) of generative AI:</p><ul><li>Today’s generative AI applications are powered by large language models (LLMs) that are structured as <strong>transformers</strong>, and all transformer LLMs have a <strong>context window</strong>— the amount of data that they can accept in a single prompt. Though context windows are limited in size, they can and will continue to grow larger as more powerful models are released.</p></li><li><p><strong>Input data</strong> will vary depending on the AI tool’s capabilities. For instance, when it comes to <strong>GitHub Copilot in the IDE</strong>, input data comprises all of the code in the file that you’re currently working on. This is made possible because of our <strong><a href="https://github.blog/2023-05-17-how-github-copilot-is-getting-better-at-understanding-your-code/">Fill-in-the-Middle</a> (FIM)</strong> paradigm, which makes GitHub Copilot aware of both the code before your cursor (the prefix) and after your cursor (the suffix).</p><p>GitHub Copilot also processes code from your other open tabs (a process we call <a href="https://github.blog/2023-05-17-how-github-copilot-is-getting-better-at-understanding-your-code/#improving-semantic-understanding">neighboring tabs</a>) to potentially find and add relevant information to the prompt. When there are a lot of open tabs, GitHub Copilot will scan the most recently reviewed ones.</p></li><li><p>Because of the context window’s limited size, the challenge of ML engineers is to figure out what input data to add to the prompt and in what order to generate the most relevant suggestion from the AI model. This task is known as <strong><a href="https://github.blog/2023-06-20-how-to-write-better-prompts-for-github-copilot/#whats-a-prompt-and-what-is-prompt-engineering:~:text=Prompts-,Prompt%20engineering,-Context">prompt engineering</a></strong>.</p></li></ul><h2 id="how-rag-enhances-an-ai-models-contextual-understanding">How RAG enhances an AI model’s contextual understanding<a href="#how-rag-enhances-an-ai-models-contextual-understanding" class="heading-link pl-2 text-italic text-bold" aria-label="How RAG enhances an AI model’s contextual understanding"></a></h2><p>With RAG, an LLM can go beyond training data and retrieve information from <strong>a variety of data sources, including customized ones</strong>.</p><p>When it comes to <strong>GitHub Copilot Chat within GitHub.com and in the IDE</strong>, input data can include your conversation with the chat assistant, whether it’s code or natural language, through a process called <a href="https://github.blog/2023-10-30-the-architecture-of-todays-llm-applications/#:~:text=or%20fine%2Dtuning.-,In%2Dcontext%20learning,-%2C%20sometimes%20referred">in-context learning</a>. It can also include data from <strong>indexed repositories</strong> (public or private), <strong>a collection of Markdown documentation</strong> across repositories (that we refer to as <a href="https://docs.github.com/enterprise-cloud@latest/copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases">knowledge bases</a>), and results from integrated <strong>search engines</strong>. From these other sources, RAG will retrieve additional data to augment the initial prompt. As a result, it can generate a more relevant response.</p><p>The type of input data used by GitHub Copilot will depend on which GitHub Copilot plan you’re using.</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/copilot-plans.png?w=1024&resize=1024%2C538" alt="Chart comparing what is included in three different GitHub Copilot plans: Individual, Business, and Enterprise. " width="1024" height="538" class="aligncenter size-large wp-image-77269 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/copilot-plans.png?w=4088 4088w, https://github.blog/wp-content/uploads/2024/04/copilot-plans.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/copilot-plans.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/copilot-plans.png?w=1024&resize=1024%2C538 1024w, https://github.blog/wp-content/uploads/2024/04/copilot-plans.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/copilot-plans.png?w=2048 2048w, https://github.blog/wp-content/uploads/2024/04/copilot-plans.png?w=3000 3000w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><h2 id="rag-and-semantic-search">RAG and semantic search<a href="#rag-and-semantic-search" class="heading-link pl-2 text-italic text-bold" aria-label="RAG and semantic search"></a></h2><p><strong>Unlike keyword search or <a href="https://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax#using-boolean-operations">Boolean search operators</a></strong>, an ML-powered semantic search system uses its training data to understand the relationship between your keywords. So, rather than view, for example, “cats” and “kittens” as independent terms as you would in a keyword search, a semantic search system can understand, from its training, that those words are often associated with cute videos of the animal. Because of this, a search for just “cats and kittens” might rank a cute animal video as a top search result.</p><p><strong>How does semantic search improve the quality of RAG retrievals?</strong> When using a customized database or search engine as a RAG data source, semantic search can improve the context added to the prompt and overall relevance of the AI-generated output.</p><p>The semantic search process is at the heart of retrieval. “It surfaces great examples that often elicit great results,” Gazit says.</p><div style="width: 1920px;" class="wp-video"><video class="wp-video-shortcode" id="video-77268-2" width="1920" height="1080" preload="metadata" controls="controls"><source type="video/mp4" src="https://github.blog/wp-content/uploads/2024/02/BLOG2_chat-knowledge-base_002.mp4?_=2" /><a href="https://github.blog/wp-content/uploads/2024/02/BLOG2_chat-knowledge-base_002.mp4">https://github.blog/wp-content/uploads/2024/02/BLOG2_chat-knowledge-base_002.mp4</a></video></div><p style="text-align:center"><em>Developers can use Copilot Chat on GitHub.com to ask questions and receive answers about a codebase in natural language, or surface relevant documentation and existing solutions.</em></p><h2 id="rag-data-sources-where-rag-uses-semantic-search">RAG data sources: Where RAG uses semantic search<a href="#rag-data-sources-where-rag-uses-semantic-search" class="heading-link pl-2 text-italic text-bold" aria-label="RAG data sources: Where RAG uses semantic search"></a></h2><p>You’ve probably read dozens of articles (including some of our own) that talk about RAG, vector databases, and embeddings. And even if you haven’t, here’s something you should know: <strong>RAG doesn’t require embeddings or vector databases</strong>.</p><p>A RAG system can use semantic search to retrieve relevant documents, whether from an embedding-based retrieval system, traditional database, or search engine. The snippets from those documents are then formatted into the model’s prompt. We’ll provide a quick recap of vector databases and then, using GitHub Copilot Enterprise as an example, cover how <strong>RAG retrieves data from a variety of sources</strong>.</p><h3 id="vector-databases">Vector databases<a href="#vector-databases" class="heading-link pl-2 text-italic text-bold" aria-label="Vector databases"></a></h3><p><strong>Vector databases</strong> are optimized for storing embeddings of your repository code and documentation. They allow us to use novel search parameters to find matches between similar vectors.</p><p>To retrieve data from a vector database, code and documentation are converted into <strong>embeddings</strong>, a type of high-dimensional vector, to make them searchable by a RAG system.</p><p><strong>Here’s how RAG retrieves data from vector databases</strong>: while you code in your IDE, algorithms create embeddings for your code snippets, which are stored in a vector database. Then, an AI coding tool can search that database by <strong>embedding similarity</strong> to find snippets from across your codebase that are related to the code you’re currently writing and generate a coding suggestion. Those snippets are often highly relevant context, enabling an AI coding assistant to generate a more contextually relevant coding suggestion. GitHub Copilot Chat uses embedding similarity in the IDE and on GitHub.com, so it finds code and documentation snippets related to your query.</p><p>Embedding similarity is incredibly powerful because it identifies code that has subtle relationships to the code you’re editing.</p><p>“Embedding similarity might surface code that uses the same APIs, or code that performs a similar task to yours but that lives in another part of the codebase,” Gazit explains. “When those examples are added to a prompt, the model’s primed to produce responses that mimic the idioms and techniques that are native to your codebase—even though the model was not trained on your code.”</p><h3 id="general-text-search-and-search-engines">General text search and search engines<a href="#general-text-search-and-search-engines" class="heading-link pl-2 text-italic text-bold" aria-label="General text search and search engines"></a></h3><p>With a <strong>general text search</strong>, any documents that you want to be accessible to the AI model are indexed ahead of time and stored for later retrieval. For instance, RAG in GitHub Copilot Enterprise can retrieve data from files in an indexed repository and <a href="https://docs.github.com/enterprise-cloud@latest/copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases">Markdown files across repositories</a>.</p><p><div class="content-button-wrap text-center"><a href="https://docs.github.com/copilot/github-copilot-enterprise/overview/github-copilot-enterprise-feature-set" target="_self" class="btn-mktg arrow-target-mktg">Learn more about GitHub Copilot Enterprise features<svg xmlns="http://www.w3.org/2000/svg" class="octicon arrow-symbol-mktg" width="24" height="24" viewBox="0 0 16 16" fill="none"><path fill="currentColor" d="M7.28033 3.21967C6.98744 2.92678 6.51256 2.92678 6.21967 3.21967C5.92678 3.51256 5.92678 3.98744 6.21967 4.28033L7.28033 3.21967ZM11 8L11.5303 8.53033C11.8232 8.23744 11.8232 7.76256 11.5303 7.46967L11 8ZM6.21967 11.7197C5.92678 12.0126 5.92678 12.4874 6.21967 12.7803C6.51256 13.0732 6.98744 13.0732 7.28033 12.7803L6.21967 11.7197ZM6.21967 4.28033L10.4697 8.53033L11.5303 7.46967L7.28033 3.21967L6.21967 4.28033ZM10.4697 7.46967L6.21967 11.7197L7.28033 12.7803L11.5303 8.53033L10.4697 7.46967Z"></path><path class="octicon-chevrow-stem" stroke="currentColor" d="M1.75 8H11" stroke-width="1.5" stroke-linecap="round"></path></svg></a></div><br /></p><p>RAG can also retrieve information from <strong>external and internal search engines</strong>. When integrated with an external search engine, RAG can search and retrieve information from the entire internet. When integrated with an internal search engine, it can also access information from within your organization, like an internal website or platform. Integrating both kinds of search engines supercharges RAG’s ability to provide relevant responses.</p><p>For instance, GitHub Copilot Enterprise integrates both Bing, an external search engine, and an <a href="https://github.blog/2023-05-08-github-code-search-is-generally-available/">internal search engine</a> built by GitHub into Copilot Chat on GitHub.com. Bing integration allows GitHub Copilot Chat to conduct a web search and retrieve up-to-date information, like about the latest Java release. But without a search engine searching internally, ”Copilot Chat on GitHub.com cannot answer questions about your private codebase unless you provide a specific code reference yourself,” explains Merkel, who helped to build GitHub’s internal search engine from scratch.</p><p><strong>Here’s how this works in practice.</strong> When a developer asks a question about a repository to GitHub Copilot Chat in GitHub.com, RAG in Copilot Enterprise uses the internal search engine to find relevant code or text from indexed files to answer that question. To do this, the internal search engine conducts a semantic search by analyzing the content of documents from the indexed repository, and then ranking those documents based on relevance. GitHub Copilot Chat then uses RAG, which also conducts a semantic search, to find and retrieve the most relevant snippets from the top-ranked documents. Those snippets are added to the prompt so GitHub Copilot Chat can generate a relevant response for the developer.</p><h2 id="key-takeaways-about-rag">Key takeaways about RAG<a href="#key-takeaways-about-rag" class="heading-link pl-2 text-italic text-bold" aria-label="Key takeaways about RAG"></a></h2><p>RAG offers an effective way to customize AI models, helping to ensure outputs are up to date with organizational knowledge and best practices, and the latest information on the internet.</p><p>GitHub Copilot uses a variety of methods to improve the quality of input data and contextualize an initial prompt, and that ability is enhanced with RAG. What’s more, the RAG retrieval method in GitHub Copilot Enterprise goes beyond vector databases and includes data sources like general text search and search engine integrations, which provides even more cost-efficient retrievals.</p><p>Context is everything when it comes to getting the most out of an AI tool. To improve the relevance and quality of a generative AI output, you need to improve the relevance and quality of the input.</p><p>As Gazit says, “Quality in, quality out.”</p><div class="post-content-cta"><p>Looking to bring the power of GitHub Copilot Enterprise to your organization? <a href="https://github.com/features/copilot/">Learn more</a> about GitHub Copilot Enterprise or <a href="https://github.com/features/copilot/plans">get started now</a>.</p></div><p>The post <a href="https://github.blog/2024-04-04-what-is-retrieval-augmented-generation-and-what-does-it-do-for-generative-ai/">What is retrieval-augmented generation, and what does it do for generative AI?</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77268</post-id> </item> <item> <title>Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting</title> <link>https://github.blog/2024-04-03-security-research-without-ever-leaving-github-from-code-scanning-to-cve-via-codespaces-and-private-vulnerability-reporting/</link> <dc:creator><![CDATA[Jorge Rosillo]]></dc:creator> <pubDate>Wed, 03 Apr 2024 14:26:50 +0000</pubDate> <category><![CDATA[Security]]></category> <category><![CDATA[GitHub Security Lab]]></category> <category><![CDATA[security research]]></category> <guid isPermaLink="false">https://github.blog/?p=77239</guid> <description><![CDATA[<p>This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.</p><p>The post <a href="https://github.blog/2024-04-03-security-research-without-ever-leaving-github-from-code-scanning-to-cve-via-codespaces-and-private-vulnerability-reporting/">Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"><html><body><p>Hello fellow readers! Have you ever wondered how the <a href="https://securitylab.github.com/">GitHub Security Lab</a> performs security research? In this post, you’ll learn how we leverage GitHub products and features such as code scanning, CodeQL, Codespaces, and private vulnerability reporting. By the time we conclude, you’ll have mastered the art of swiftly configuring a clean, temporary environment for the discovery, verification, and disclosure of vulnerabilities in open source software (OSS).</p><p>As you explore the contents of this post, you’ll notice we cover a wide array of GitHub tooling. If you have any feedback or questions, we encourage you to engage with our <a href="https://github.com/orgs/community/discussions">community discussions</a>. Rest assured, this post is designed to be accessible to readers regardless of their prior familiarity with the tools we’ve mentioned. So, let’s embark on this journey together!</p><h2 id="finding-an-interesting-target" id="finding-an-interesting-target" >Finding an interesting target<a href="#finding-an-interesting-target" class="heading-link pl-2 text-italic text-bold" aria-label="Finding an interesting target"></a></h2><p>The concept of an “interesting” target might have different meanings for each one of you based on the objective of your research. In order to find an “interesting” target, and also for this to be fun, you have to write down some filters first—unless you really want to dive into anything! From the language the project is written in, through the surface it unveils (is it an app? a framework?), every aspect is important to have a clear objective.</p><aside class="p-4 p-md-6 post-aside--large"><p class="h5-mktg gh-aside-title">Using GitHub Code Search</p><p>Many times, we need to search widely for the use of a specific method or library. Either to get inspiration to use it, or pwn it 😉, GitHub <a href="https://github.com/features/code-search">code search</a> is there for us. We can use this feature to search across all public GitHub repositories with language, path, and regular expression filters! For instance, see <a href="https://github.com/search?q=language%3AJava++NOT+is%3Aarchived+%22.readObject%28%29%3B%22&type=code">this search query</a> to find uses of <code>readObject</code> in Java files.</p></aside><p>For example, usually one of these aspects is the amount of people using the project (that is, the ones affected if a vulnerability occurred), which is provided by GitHub’s <a href="https://docs.github.com/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph">dependency network</a> (for example, <a href="https://github.com/pytorch/pytorch/network/dependents">pytorch/pytorch</a>), but it does not end there: we are also interested in how often the project is updated, the amount of <em>stars</em>, recent contributors, etc. Fortunately for us, some very smart people over at the Open Source Security Foundation (OpenSSF) already did some heavy work on this topic.</p><h3 id="openssf-criticality-score" id="openssf-criticality-score" >OpenSSF Criticality Score<a href="#openssf-criticality-score" class="heading-link pl-2 text-italic text-bold" aria-label="OpenSSF Criticality Score"></a></h3><p>The OpenSSF created the <a href="https://opensource.googleblog.com/2020/12/finding-critical-open-source-projects.html">Open Source Project Criticality Score</a>, which “defines the influence and importance of a project. It is a number between 0 (least-critical) and 1 (most-critical).” For further information on the specifics of the scoring algorithm, they can be found on the <a href="https://github.com/ossf/criticality_score">ossf/criticality_score</a> repository or <a href="https://openssf.org/blog/2023/07/28/understanding-and-applying-the-openssf-criticality-score-in-open-source-projects/">this post</a>. A few months after the launch, Google <a href="https://groups.google.com/g/wg-securing-critical-projects/c/QzvvmgtncOU">collected information for the top 100k GitHub repositories</a> and shared it in <a href="https://docs.google.com/spreadsheets/d/1uahUIUa82J6WetAqtxCM_qgH-YJOagH84AFniIhlAbg/edit#gid=650393321">this spreadsheet</a>.</p><p>Within the GitHub Security Lab, we are continuously analyzing OSS projects with the goal of keeping the software ecosystem safe, focusing on high-profile projects we all depend on and rely on. In order to find the former, we base our target lists on the OpenSSF criticality score.</p><h3 id="the-beginning-of-the-process" id="the-beginning-of-the-process" >The beginning of the process<a href="#the-beginning-of-the-process" class="heading-link pl-2 text-italic text-bold" aria-label="The beginning of the process"></a></h3><p>We published our <a href="https://github.blog/2023-12-13-securing-our-home-labs-frigate-code-review/">Code Review of Frigate</a> in which we exploited a deserialization of user-controlled data using PyYaml’s default <code>Loader</code>. It’s a great project to use as the running example in this blog post, given its >1.6 million downloads of <em>F<a href="https://github.com/blakeblackshear/frigate/pkgs/container/frigate">rigate container</a></em> at the time of writing and the ease of the setup process.</p><div class="content-table-wrap"><table style="border: 1px black"><tbody><tr><td><strong>The original issue</strong><br>We won’t be finding new vulnerabilities in this blog post. Instead, we will use the <em>deserialization of user-controlled data</em> <a href="https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428">issue</a> we reported to illustrate this post.</td></tr></tbody></table></div><p>Looking at the spreadsheet above, Frigate is listed at ~16k with a 0.45024 score, which is not yet deemed critical (>0.8), but not bad for almost two years ago! If you are curious and want to learn a bit more about calculating criticality scores, go ahead and calculate <a href="https://github.com/blakeblackshear/frigate">Frigate</a>’s current score with <a href="https://github.com/ossf/criticality_score">ossf/criticality_score</a>.</p><h2 id="forking-the-project" id="forking-the-project" >Forking the project<a href="#forking-the-project" class="heading-link pl-2 text-italic text-bold" aria-label="Forking the project"></a></h2><p>Once we have identified our target, let’s fork the repository either via <a href="https://github.com/blakeblackshear/frigate/fork">GitHub’s UI</a> or <a href="https://cli.github.com/manual/gh_repo_fork">CLI</a>.</p><pre><code>gh repo fork blakeblackshear/frigate --default-branch-only</code></pre><p>Once forked, let’s go back to the state in which we performed the audit: (<code>sha=9185753322cc594b99509e9234c60647e70fae6f</code>)</p><p>Using GitHub’s API <em><a href="https://docs.github.com/rest/git/refs?apiVersion=2022-11-28#update-a-reference">update a reference</a></em>:</p><pre><code>gh api -X PATCH /repos/username/frigate/git/refs/heads/dev -F sha=9185753322cc594b99509e9234c60647e70fae6f -F force=true</code></pre><p>Or using <code>git</code>:</p><pre><code>git clone https://github.com/username/frigatecd frigategit checkout 9185753322cc594b99509e9234c60647e70fae6fgit push origin HEAD:dev --force</code></pre><p>Now we are ready to continue!</p><h2 id="code-scanning-and-codeql" id="code-scanning-and-codeql" >Code scanning and CodeQL<a href="#code-scanning-and-codeql" class="heading-link pl-2 text-italic text-bold" aria-label="Code scanning and CodeQL"></a></h2><p><a href="https://docs.github.com/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning">Code scanning</a> is GitHub’s solution to find, triage, and prioritize fixes for existing problems in your code.</p><figure id="attachment_77242" class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="1600" height="1179" src="https://github.blog/wp-content/uploads/2024/04/frigate-code-scanning.png?w=1024&resize=1600%2C1179" alt="Code scanning alerts in the Security tab, provided by CodeQL" class="width-fit size-large wp-image-77242 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/frigate-code-scanning.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/frigate-code-scanning.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/frigate-code-scanning.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/frigate-code-scanning.png?w=1024&resize=1600%2C1179 1024w, https://github.blog/wp-content/uploads/2024/04/frigate-code-scanning.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">Code scanning alerts in the Security tab, provided by CodeQL</figcaption></figure><figure id="attachment_77243" class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="1600" height="1162" src="https://github.blog/wp-content/uploads/2024/04/pull-request-alerts.png?w=1024&resize=1600%2C1162" alt="Pull request alerts" class="width-fit size-large wp-image-77243 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/pull-request-alerts.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/pull-request-alerts.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/pull-request-alerts.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/pull-request-alerts.png?w=1024&resize=1600%2C1162 1024w, https://github.blog/wp-content/uploads/2024/04/pull-request-alerts.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">Pull request alerts</figcaption></figure><p>When code scanning is “connected” with a static analysis tool like GitHub’s CodeQL, that’s when the magic happens, but we will get there in a moment.</p><p><a href="https://codeql.github.com/">CodeQL</a> is the static code analysis engine developed by GitHub to automate security checks. CodeQL performs semantic and dataflow analysis, “letting you query code as though it were data.” CodeQL’s learning curve at the start can be a little bit steep, but absolutely worth the effort, as its dataflow libraries allow for a solution to any kind of situation.</p><div class="content-table-wrap"><table style="border: 1px black"><tbody><tr><td><strong>Learning CodeQL</strong><br>If you are interested in learning more about the world of static analysis, with exercises and more, go ahead and follow <a href="https://github.com/sylwia-budzynska">@sylwia-budzynska</a>’s <em><a href="https://github.blog/2023-03-31-codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/">CodeQL zero to hero</a></em> series. You may also want to join GitHub Security Lab’s <a href="http://gh.io/securitylabslack">Slack instance</a> to hang out with CodeQL engineers and the community.</td></tr></tbody></table></div><h3 id="creating-the-codeql-workflow-file" id="creating-the-codeql-workflow-file" >Creating the CodeQL workflow file<a href="#creating-the-codeql-workflow-file" class="heading-link pl-2 text-italic text-bold" aria-label="Creating the CodeQL workflow file"></a></h3><p>GitHub engineers are doing a fantastic job on making CodeQL analysis available in a <a href="https://docs.github.com/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup">one-click fashion</a>. However, to learn what’s going on behind the scenes (because we are researchers 😎), we are going to do the manual setup.</p><div class="content-table-wrap"><table style="border: 1px black"><tbody><tr><td><strong>Running CodeQL at scale</strong><br>In this case, we are using CodeQL on a per-repository basis. If you are interested in running CodeQL at scale to hunt zero day vulnerabilities and their variants across repositories, feel free to learn more about <a href="https://codeql.github.com/docs/codeql-for-visual-studio-code/running-codeql-queries-at-scale-with-mrva/">Multi-repository Variant Analysis</a>. In fact, the Security Lab has done <a href="https://github.com/GitHubSecurityLab/gh-mrva">some work</a> to run CodeQL on more than 1k repositories at once!</td></tr></tbody></table></div><p>In order to create the workflow file, follow these steps:</p><ol><li>Visit your fork<p>For security and simplicity reasons, we are going to remove the existing GitHub Actions workflows so we do not run unwanted workflows. To do so, we are going to use <a href="https://github.com/github/dev">github.dev</a> (GitHub’s <em>web-based editor</em>). For such code changes, that don’t require reviews, rebuild, or testing, simply browse to <code>/.github/workflows</code>, press the <code>.</code> (dot) key once and a VS Code editor will pop-up in your browser.</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/actions-workflows.png?w=1024&resize=1024%2C727" alt="Removing GitHub Actions workflows from a project in GitHub.dev" width="1024" height="727" class="aligncenter size-large wp-image-77244 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/actions-workflows.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/actions-workflows.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/actions-workflows.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/actions-workflows.png?w=1024&resize=1024%2C727 1024w, https://github.blog/wp-content/uploads/2024/04/actions-workflows.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/actions-workflows.png?w=515 515w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>And push the changes:</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/push-changes.png?w=1024&resize=1024%2C727" alt='Push changes via the "Commit & Push" button on Github.dev.' width="1024" height="727" class="aligncenter size-large wp-image-77245 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/push-changes.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/push-changes.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/push-changes.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/push-changes.png?w=1024&resize=1024%2C727 1024w, https://github.blog/wp-content/uploads/2024/04/push-changes.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/push-changes.png?w=515 515w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p></li><li><p>Enable GitHub Actions (optional)</p><p>Head to the GitHub Actions tab and click on “I understand my workflows, go ahead and enable them.”Note that this might <strong>not</strong> appear if you deleted all workflows previously.</p></li><li><p>Head to the Security tab</p></li><li>Click on “Code Scanning”</li><li>Click “Configure scanning tool”</li><li><p>In CodeQL analysis, click “Set up” and then click “Advanced”</p><p>Now, you are guided to GitHub’s UI file editor with a custom workflow file (whose source is located at <a href="https://github.com/actions/starter-workflows/blob/main/code-scanning/codeql.yml">actions/starter-workflows</a>) for the <a href="https://github.com/github/codeql-action">CodeQL Action</a>. You can notice it is fully customized for this repository by looking at the <code>on.push.branches</code> and <code>strategy.matrix.language</code> values.</p></li></ol><div class="content-table-wrap"><table style="border: 1px black"><tbody><tr><td><p><strong>Actions documentation</strong><br>If you are not familiar with GitHub Actions, refer to the <a href="https://docs.github.com/actions/learn-github-actions">documentation</a> to understand the basics of a workflow.</p></td></tr></tbody></table></div><p>At first glance, we can see that there’s an <code>analyze</code> job that will run for each language defined in the workflow. The <code>analyze</code> job will:</p><ol><li>Clone the repository</li><li>Initialize CodeQL<p>In this step, <code>github/codeql-action/init</code> will download the latest release of CodeQL, or CodeQL packs, that are not available locally.</p></li><li><p>Autobuild</p><p>The autobuild step will try to automatically build the code present in the workspace (step 1) in order to populate a database for later analysis. If it’s not a compiled language, it will just succeed and continue.</p></li><li><p>Analyze</p><p>The CodeQL binary will be called to finalize the CodeQL database and run queries on it, which may take a few minutes.</p></li></ol><h3 id="advanced-configuration-using-security-labs-community-ql-packs" id="advanced-configuration-using-security-labs-community-ql-packs" >Advanced configuration using Security Lab’s Community QL Packs<a href="#advanced-configuration-using-security-labs-community-ql-packs" class="heading-link pl-2 text-italic text-bold" aria-label="Advanced configuration using Security Lab’s Community QL Packs"></a></h3><p>With CodeQL’s default configuration (default workflow), you will already find impactful issues. Our CodeQL team makes sure that these <a href="https://github.com/github/codeql">default queries</a> are designed to have a very low false positive rate so that developers can confidently add them to their CI/CD pipeline. However, if you are a security team like the GitHub Security Lab, you may prefer using a different set of audit models and queries that have a low false negative rate, or community-powered models customized for your specific target or methodology. With that in mind, we recently published our <a href="https://github.com/GitHubSecurityLab/CodeQL-Community-Packs">CodeQL Community Packs</a>, and using it is as easy as a one-liner in your workflow file.</p><p>As the README outlines, we just need to add a <code>packs</code> variable in the <em>Initialize CodeQL</em> step:</p><pre><code>- name: Initialize CodeQL uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} packs: githubsecuritylab/codeql-${{ matrix.language }}-queries</code></pre><p>Once done, we are ready to save the file and browse the results! For more information on customizing the scan configuration, refer to the <a href="https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning">documentation</a>. The bit I find most interesting is <a href="https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-a-custom-configuration-file">Using a custom configuration file</a>.</p><h3 id="browsing-alerts" id="browsing-alerts" >Browsing alerts<a href="#browsing-alerts" class="heading-link pl-2 text-italic text-bold" aria-label="Browsing alerts"></a></h3><p>A few minutes in, the results are shown in the Security tab; let’s dig in!</p><figure id="attachment_77246" class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="1021" height="182" src="https://github.blog/wp-content/uploads/2024/04/available-filters.png?w=1021&resize=1021%2C182" alt="Available filters for the repository alerts" class="width-fit size-large wp-image-77246 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/available-filters.png?w=1021&resize=1021%2C182 1021w, https://github.blog/wp-content/uploads/2024/04/available-filters.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/available-filters.png?w=768 768w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">Available filters for the repository alerts</figcaption></figure><h4 id="anatomy-of-a-code-scanning-alert" id="anatomy-of-a-code-scanning-alert" >Anatomy of a code scanning alert<a href="#anatomy-of-a-code-scanning-alert" class="heading-link pl-2 text-italic text-bold" aria-label="Anatomy of a code scanning alert"></a></h4><p>While you may think that running CodeQL locally would be easier, code scanning provides additional built-in mechanisms to avoid duplicated alerts, prioritize, or dismiss them. Also, the amount of information given by a single alert page can save you a lot of time!</p><figure id="attachment_77247" class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="1600" height="1234" src="https://github.blog/wp-content/uploads/2024/04/deserialization-alert.png?w=1024&resize=1600%2C1234" alt="Code scanning alert for deserialization of user-controlled data found by CodeQL" class="width-fit size-large wp-image-77247 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/deserialization-alert.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/deserialization-alert.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/deserialization-alert.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/deserialization-alert.png?w=1024&resize=1600%2C1234 1024w, https://github.blog/wp-content/uploads/2024/04/deserialization-alert.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">Code scanning alert for deserialization of user-controlled data found by CodeQL</figcaption></figure><p>In a few seconds, this view answers a few questions: what, where, when, and how. Even though we can see a few lines surrounding the sink, we need to see the whole flow to determine whether we want to pursue the exploitation further. For that, click <code>Show paths</code>.</p><figure id="attachment_77248" class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="1600" height="1306" src="https://github.blog/wp-content/uploads/2024/04/flow-steps.png?w=1024&resize=1600%2C1306" alt="Flow steps for the deserialization of user-controlled data alert" class="width-fit size-large wp-image-77248 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/flow-steps.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/flow-steps.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/flow-steps.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/flow-steps.png?w=1024&resize=1600%2C1306 1024w, https://github.blog/wp-content/uploads/2024/04/flow-steps.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">Code scanning alert for deserialization of user-controlled data found by CodeQL</figcaption></figure><p>In this view, we can see that the flow of the vulnerability begins from a user-controllable node (in CodeQL-fu, RemoteFlowSource), which flows without sanitizers to a known PyYaml’s sink.</p><h4 id="digging-into-the-alert" id="digging-into-the-alert" >Digging into the alert<a href="#digging-into-the-alert" class="heading-link pl-2 text-italic text-bold" aria-label="Digging into the alert"></a></h4><p>Looking at the alert page and the flow paths alone isn’t enough information to guess whether this will be exploitable. While <code>new_config</code> is clearly something we could control, we don’t know the specifics of the <code>Loader</code> that <code>yaml.load</code> is using. A custom <code>Loader</code> can inherit quite a few <a href="https://github.com/yaml/pyyaml/blob/155ec463f6a854ac14ccd5e2dda8017ce42a508a/lib/yaml/loader.py">kinds of Loaders</a>, so we need to make sure that the inherited <code>Loader</code> allows for custom constructors.</p><pre><code class="language-python">def load_config_with_no_duplicates(raw_config) -> dict: """Get config ensuring duplicate keys are not allowed.""" class PreserveDuplicatesLoader(yaml.loader.Loader): pass ... return yaml.load(raw_config, PreserveDuplicatesLoader)</code></pre><p>However, we know CodeQL uses dataflow for its queries, so it should already have checked the <code>Loader</code> type, right?</p><h4 id="the-community-helps-codeql-get-better" id="the-community-helps-codeql-get-better" >The community helps CodeQL get better<a href="#the-community-helps-codeql-get-better" class="heading-link pl-2 text-italic text-bold" aria-label="The community helps CodeQL get better"></a></h4><p>When we were writing the post about <a href="https://github.blog/2023-12-13-securing-our-home-labs-frigate-code-review/">Frigate’s audit</a>, we came across a new alert for the vulnerability we had just helped fix!</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/bernie-fix-me.png?w=500&resize=500%2C500" alt='Meme of the politician Bernie Sanders with the caption, "I am once again asking you to fix me."' width="500" height="500" class="aligncenter size-large wp-image-77265 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/bernie-fix-me.png?w=500&resize=500%2C500 500w, https://github.blog/wp-content/uploads/2024/04/bernie-fix-me.png?w=150 150w, https://github.blog/wp-content/uploads/2024/04/bernie-fix-me.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/bernie-fix-me.png?w=400 400w, https://github.blog/wp-content/uploads/2024/04/bernie-fix-me.png?w=200 200w, https://github.blog/wp-content/uploads/2024/04/bernie-fix-me.png?w=90 90w, https://github.blog/wp-content/uploads/2024/04/bernie-fix-me.png?w=116 116w" sizes="(max-width: 500px) 100vw, 500px" data-recalc-dims="1" /></p><p>Our fix suggestion was to change the <code>Loader</code> from <code>yaml.loader.Loader</code> to <code>yaml.loader.SafeLoader</code>, but it turns out that although CodeQL was accounting for a few <a href="https://github.com/github/codeql/blob/679d64f0e8e7daaa1339f4fddf8919c22998165c/python/ql/lib/semmle/python/frameworks/Yaml.qll#L66">known safe loaders</a>, it was not accounting for classes inheriting these. Due to this, code scanning didn’t close the alert we reported.</p><p>The world of security is huge and evolving everyday. That is, supporting every source, sanitizer, and sink that exists for each one of the queries is impossible. Security requires collaboration between developers and security experts, and we encourage everyone who uses CodeQL to collaborate in any of the following forms to bring back to the community:</p><ul><li>Report the False Positives in <a href="https://github.com/github/codeql">github/codeql</a>: CodeQL engineers and members of the community are actively monitoring these. When we came across the false positive explained before, we opened <a href="https://github.com/github/codeql/issues/14685">github/codeql#14685</a>.</li><li>Suggest new models for the Security Lab’s <a href="https://github.com/GitHubSecurityLab/CodeQL-Community-Packs">CodeQL Community Packs</a>: Whether you’re inclined to contribute by crafting a pull request introducing novel models or queries or by opening an Issue to share your model or query concepts, you are already having a huge impact on the research community. Furthermore, the repository is also monitored by CodeQL engineers, so your suggestion might make it to the main repository impacting a huge amount of users and enterprises. Your engagement is more impactful than you might think.</li></ul><div class="content-table-wrap"><table style="border: 1px black"><tbody><tr><td><strong>CodeQL model editor</strong><br>If you are interested in learning about supporting new dependencies with CodeQL, please see the <a href="https://codeql.github.com/docs/codeql-for-visual-studio-code/using-the-codeql-model-editor/">CodeQL model editor</a>. The model editor is designed to help you model external dependencies of your codebase that are not supported by the standard CodeQL Libraries.</td></tr></tbody></table></div><p>Now that we are sure about the exploitability of the issue, we can move on to the exploitation phase.</p><h2 id="github-codespaces" id="github-codespaces" >GitHub Codespaces<a href="#github-codespaces" class="heading-link pl-2 text-italic text-bold" aria-label="GitHub Codespaces"></a></h2><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2022/06/Codespaces-header.png?w=996&resize=996%2C526" alt="Codespaces banner" width="996" height="526" class="aligncenter size-large wp-image-65697 width-fit" srcset="https://github.blog/wp-content/uploads/2022/06/Codespaces-header.png?w=996&resize=996%2C526 996w, https://github.blog/wp-content/uploads/2022/06/Codespaces-header.png?w=300 300w, https://github.blog/wp-content/uploads/2022/06/Codespaces-header.png?w=768 768w, https://github.blog/wp-content/uploads/2022/06/Codespaces-header.png?w=400 400w, https://github.blog/wp-content/uploads/2022/06/Codespaces-header.png?w=516 516w" sizes="(max-width: 996px) 100vw, 996px" data-recalc-dims="1" /></p><p><a href="https://github.com/features/codespaces">Codespaces</a> is GitHub’s solution for cloud, instant and customizable development environments based on <a href="https://code.visualstudio.com/">Visual Studio Code</a>. In this post, we will be using Codespaces as our exploitation environment due to its safe (isolated) and ephemeral nature, as we are one click away from creating and deleting a codespace. Although this feature has its own <a href="https://docs.github.com/en/billing/managing-billing-for-github-codespaces/about-billing-for-github-codespaces">billing</a>, we will be using the free 120 core hours per month.</p><h3 id="creating-a-codespace" id="creating-a-codespace" >Creating a codespace<a href="#creating-a-codespace" class="heading-link pl-2 text-italic text-bold" aria-label="Creating a codespace"></a></h3><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/new-codespace.png?w=1024&resize=1024%2C655" alt="Creating a new codespace on GitHub.dev with the click of a single button" width="1024" height="655" class="aligncenter size-large wp-image-77249 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/new-codespace.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/new-codespace.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/new-codespace.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/new-codespace.png?w=1024&resize=1024%2C655 1024w, https://github.blog/wp-content/uploads/2024/04/new-codespace.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>I wasn’t kidding when I said “we are one click away from creating and deleting a codespace”—simply go to “Code” and click “Create codespace on dev.” Fortunately for us, Frigate maintainers have helpfully developed a custom devcontainer configuration for seamless integration with VSCode (and so, Codespaces).</p><div class="content-table-wrap"><table style="border: 1px black"><tbody><tr><td><strong>Customizing devcontainer configuration</strong><br>For more information about <code>.devcontainer</code> customization, refer to the <a href="https://docs.github.com/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers">documentation</a>.</td></tr></tbody></table></div><p>Once loaded, I suggest you close the current browser tab and instead connect to the Codespaces using VSCode along with the <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.remote-explorer">Remote Explorer</a> extension. With that set up, we have a fully integrated environment with built-in port forwarding.</p><h3 id="set-up-for-debugging-and-exploitation" id="set-up-for-debugging-and-exploitation" >Set up for debugging and exploitation<a href="#set-up-for-debugging-and-exploitation" class="heading-link pl-2 text-italic text-bold" aria-label="Set up for debugging and exploitation"></a></h3><p>When performing security research, having a full setup ready for debugging can be a game changer. In most cases, exploiting the vulnerability requires analyzing how the application processes and reacts to your interactions, which can be <strong>impossible without debugging</strong>.</p><h4 id="debugging" id="debugging" >Debugging<a href="#debugging" class="heading-link pl-2 text-italic text-bold" aria-label="Debugging"></a></h4><p>Right after creating the codespace we can see that it failed:</p><figure id="attachment_77250" class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="1032" height="388" src="https://github.blog/wp-content/uploads/2024/04/build-error.png?w=1024&resize=1032%2C388" alt="build error" class="width-fit size-large wp-image-77250 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/build-error.png?w=1032 1032w, https://github.blog/wp-content/uploads/2024/04/build-error.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/build-error.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/build-error.png?w=1024&resize=1032%2C388 1024w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">Build error</figcaption></figure><p>Given that there is an extensive <em>devcontainer</em> configuration, we can guess that it was not made for Codespaces, but for a <strong>local</strong> VSCode installation not meant to be used in the cloud. Clicking “View Creation Log” helps us find out that Docker is trying to find a non-existing device:</p><pre><code>ERROR: for frigate-devcontainer - Cannot start service devcontainer: error gathering device information while adding custom device "/dev/bus/usb": no such file or directory</code></pre><p>We need to head to the <code>docker-compose.yml</code> file (<code>/workspaces/frigate/docker-compose.yml</code>) and comment the following out:</p><ul><li>The <code>devices</code> property</li><li>The <code>deploy</code> property </li><li>The <code>/dev/bus/usb</code> volume</li></ul><p>Afterwards, we go to <code>/workspaces/frigate/.devcontainer/post_create.sh</code> and remove lines 5-9.</p><p>After the change, we can successfully rebuild the container:</p><figure id="attachment_77251" class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="1600" height="1036" src="https://github.blog/wp-content/uploads/2024/04/rebuilding.png?w=1024&resize=1600%2C1036" alt="Rebuilding the container" class="width-fit size-large wp-image-77251 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/rebuilding.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/rebuilding.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/rebuilding.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/rebuilding.png?w=1024&resize=1600%2C1036 1024w, https://github.blog/wp-content/uploads/2024/04/rebuilding.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">Rebuilding the container</figcaption></figure><p>Once rebuilt, we can see 6 ports in the port forwarding section. However, Frigate API, the one we are targeting through nginx, is not active. To solve that, we can start debugging by heading to the “Run and Debug” (left) panel and click the green (play-like) button to start debugging Frigate.</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/run-and-debug.png?w=1024&resize=1024%2C663" alt="Run and debug" width="1024" height="663" class="aligncenter size-large wp-image-77252 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/run-and-debug.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/run-and-debug.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/run-and-debug.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/run-and-debug.png?w=1024&resize=1024%2C663 1024w, https://github.blog/wp-content/uploads/2024/04/run-and-debug.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><h4 id="exploitation" id="exploitation" >Exploitation<a href="#exploitation" class="heading-link pl-2 text-italic text-bold" aria-label="Exploitation"></a></h4><p>The built-in port forwarding feature allows us to use network-related software like <a href="https://portswigger.net/burp">Burp Suite</a> or <a href="https://caido.io/">Caido</a> right from our <strong>native</strong> host, so we can send the following request:</p><pre><code>POST /api/config/save HTTP/1.1Host: 127.0.0.1:53128Content-Length: 50 !!python/object/apply:os.popen- touch /tmp/pwned</code></pre><p>Using the debugging setup, we can analyze how <code>new_config</code> flows to <code>yaml.load</code> and creates the <code>/tmp/pwned</code> file.</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/tmp-pwned.png?w=1024&resize=1024%2C663" alt="analyze how `new_config` flows to `yaml.load` and creates the `/tmp/pwned` file." width="1024" height="663" class="aligncenter size-large wp-image-77253 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/tmp-pwned.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/tmp-pwned.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/tmp-pwned.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/tmp-pwned.png?w=1024&resize=1024%2C663 1024w, https://github.blog/wp-content/uploads/2024/04/tmp-pwned.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>Now that we have a valid exploit to prove the vulnerability, we are ready to report it to the project.</p><h2 id="private-vulnerability-reporting" id="private-vulnerability-reporting" >Private vulnerability reporting<a href="#private-vulnerability-reporting" class="heading-link pl-2 text-italic text-bold" aria-label="Private vulnerability reporting"></a></h2><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/looking.png?w=640&resize=640%2C480" alt="Meme featuring an older woman lifting up her glasses and squinting at a laptop screen." width="640" height="480" class="aligncenter size-large wp-image-77254 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/looking.png?w=640&resize=640%2C480 640w, https://github.blog/wp-content/uploads/2024/04/looking.png?w=300 300w" sizes="(max-width: 640px) 100vw, 640px" data-recalc-dims="1" /></p><p>Reporting vulnerabilities in open source projects has never been an easy subject for many reasons: finding a private way of communicating with maintainers, getting their reply, and agreeing on so-many topics that a vulnerability covers is quite challenging on a text-based channel. That is what <a href="https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability">private vulnerability reporting</a> (PVR) solves: a single, private, interactive place in which security researchers and maintainers work together to make their software more secure, and their dependent consumers more aware.</p><div class="content-table-wrap"><table style="border: 1px black"><tbody><tr><td><strong>Closing the loop</strong><br>Published advisories resulting from private vulnerability reports can be included in the <a href="https://github.com/advisories">GitHub Advisory Database</a> to automatically disclose your report to end users using <a href="https://docs.github.com/code-security/dependabot">Dependabot</a>!</td></tr></tbody></table></div><p>Note that GitHub has chosen to introduce this feature in an opt-in manner, aligning with our developer-first philosophy. This approach grants project maintainers the autonomy to decide whether they wish to participate in this reporting experience. That said, tell your favorite maintainers to enable PVR! You can find inspiration in the <a href="https://github.com/mkdocs/mkdocs/issues/3418">issues we open</a> when we can’t find a secure and private way of reporting a vulnerability.</p><h3 id="sending-the-report" id="sending-the-report" >Sending the report<a href="#sending-the-report" class="heading-link pl-2 text-italic text-bold" aria-label="Sending the report"></a></h3><p>Once we validated the vulnerability and built a proof of concept (PoC), we can use <a href="https://github.blog/2023-04-19-private-vulnerability-reporting-now-generally-available/">private vulnerability reporting</a> to privately communicate with Frigate maintainers.</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/report-a-vuln.png?w=1024&resize=1024%2C448" alt='Screenshot of the security advisories page in the frigate repository with the "Report a vulnerability" button highlighted.' width="1024" height="448" class="aligncenter size-large wp-image-77255 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/report-a-vuln.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/report-a-vuln.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/report-a-vuln.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/report-a-vuln.png?w=1024&resize=1024%2C448 1024w, https://github.blog/wp-content/uploads/2024/04/report-a-vuln.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>This feature allows for special values like affected products, custom CVSS severity, linking a CWE and assigning credits with defined roles, ensuring precise documentation and proper recognition, crucial for a collaborative and effective security community.</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/reporting-form.png?w=1024&resize=1024%2C803" alt="Screenshot of the form for reporting a vulnerability. The fields include title, description, affected products, severity, and weaknesses." width="1024" height="803" class="aligncenter size-large wp-image-77256 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/reporting-form.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/reporting-form.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/reporting-form.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/reporting-form.png?w=1024&resize=1024%2C803 1024w, https://github.blog/wp-content/uploads/2024/04/reporting-form.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>Once reported, it allows for both ends (reporter and maintainer) to collaborate on a chat, and code together in a temporary private fork. On the maintainer side, they are one click away from <a href="https://docs.github.com/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory#requesting-a-cve-identification-number-optional">requesting a CVE</a>, which generally takes just two days to get created.</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/cve-issued.png?w=1024&resize=1024%2C298" alt="Screenshot of a comment on a GitHub Issue stating that a CVE has been issued for the reported vulnerability. The comment includes the CVE's number a link to the CVE list." width="1024" height="298" class="aligncenter size-large wp-image-77257 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/cve-issued.png?w=1430 1430w, https://github.blog/wp-content/uploads/2024/04/cve-issued.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/cve-issued.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/cve-issued.png?w=1024&resize=1024%2C298 1024w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><p>For more information on PVR, refer to the <a href="https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability">documentation</a>.</p><figure id="attachment_77258" class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="1600" height="1596" src="https://github.blog/wp-content/uploads/2024/04/published-report.png?w=1024&resize=1600%2C1596" alt="Example of a published report" class="width-fit size-large wp-image-77258 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/published-report.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=150 150w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=1024&resize=1600%2C1596 1024w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=600 600w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=400 400w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=200 200w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=90 90w, https://github.blog/wp-content/uploads/2024/04/published-report.png?w=116 116w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">Example of a published report</figcaption></figure><h2 id="github-and-security-research" id="github-and-security-research" >GitHub and security research<a href="#github-and-security-research" class="heading-link pl-2 text-italic text-bold" aria-label="GitHub and security research"></a></h2><p>In today’s tech-driven environment, GitHub serves as a valuable resource for security researchers. With tools such as code scanning, Codespaces, and private vulnerability reporting seamlessly integrated into the platform, researchers can effectively identify and address vulnerabilities end to end.</p><p>This comprehensive strategy not only makes research easier but also enhances the global cybersecurity community. By offering a secure, collaborative, and efficient platform to spot and tackle potential threats, GitHub empowers both seasoned security professionals and aspiring researchers. It’s the go-to destination for boosting security and keeping up with the constantly changing threat landscape.</p><p>Happy coding and research!</p><div class="post-content-cta"><p>GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on. <a href="https://securitylab.github.com/">Learn more about their work</a>.</p></div></body></html><p>The post <a href="https://github.blog/2024-04-03-security-research-without-ever-leaving-github-from-code-scanning-to-cve-via-codespaces-and-private-vulnerability-reporting/">Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77239</post-id> </item> <item> <title>Bringing enterprise-level security and even more power to GitHub-hosted runners</title> <link>https://github.blog/2024-04-02-bringing-enterprise-level-security-and-even-more-power-to-github-hosted-runners/</link> <dc:creator><![CDATA[Tanmayee Kamath]]></dc:creator> <pubDate>Tue, 02 Apr 2024 16:35:24 +0000</pubDate> <category><![CDATA[Product]]></category> <category><![CDATA[GitHub Actions]]></category> <category><![CDATA[GitHub-hosted runners]]></category> <guid isPermaLink="false">https://github.blog/?p=77210</guid> <description><![CDATA[<p>GitHub-hosted runners now support Azure private networking. Plus, we've added 2 vCPU Linux, 4 vCPU Windows, macOS L, macOS XL, and GPU hosted runners to our runner fleet.</p><p>The post <a href="https://github.blog/2024-04-02-bringing-enterprise-level-security-and-even-more-power-to-github-hosted-runners/">Bringing enterprise-level security and even more power to GitHub-hosted runners</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"><html><body><p>GitHub’s journey towards enhancing enterprise readiness for GitHub Actions takes a significant leap forward with the introduction of Azure private networking for GitHub-hosted runners on GitHub Actions. This development builds upon our initial offering of <a href="https://github.blog/changelog/2023-06-21-github-hosted-larger-runners-for-actions-are-generally-available/">more powerful GitHub-hosted runners</a> equipped with Static IPs, marking a strategic move to cater to the complex networking and security needs of enterprise customers.</p><p>The value of utilizing hosted runners is two-fold. For individual developers, it maximizes their coding time by eliminating the overhead associated with infrastructure management. Simultaneously, for DevOps administrators, it significantly reduces the time and cost required to manage and maintain compute infrastructure for software life cycle automation, thereby streamlining operations and allowing teams to focus on innovation. The rollout of larger runners was not just an upgrade; it was the beginning of a comprehensive plan aimed at enterprise-grade readiness, providing robust virtual machines and features tailored for business needs. A great testament to this is <a href="https://github.blog/2023-09-26-how-github-uses-github-actions-and-actions-larger-runners-to-build-and-test-github-com/">how we, at GitHub, have transformed our CI system</a> to meet the scaling demands of our engineering teams and enabled them to confidently and quickly ship software with GitHub Actions and GitHub-hosted runners.</p><p>Today, we unveil the next chapter by generalizing Azure private networking, ensuring all runner tiers, starting from our 2-vCPU runners, now support auto-scaling, static IPs and private networking capabilities. Additionally, we’re generalizing larger macOS runners and introducing a brand new GPU runner in public beta. These enhancements are a testament to our commitment to simplifying the adoption of GitHub Actions across all project sizes and complexities; and empowering you to standardize on GitHub seamlessly and securely as your automation and CI/CD platform. Let’s explore these improvements together!</p><h2 id="azure-private-networking-for-github-hosted-runners-is-generally-available-%f0%9f%8e%89" id="azure-private-networking-for-github-hosted-runners-is-generally-available-%f0%9f%8e%89" >Azure private networking for GitHub-hosted runners is generally available 🎉<a href="#azure-private-networking-for-github-hosted-runners-is-generally-available-%f0%9f%8e%89" class="heading-link pl-2 text-italic text-bold" aria-label="Azure private networking for GitHub-hosted runners is generally available 🎉"></a></h2><p>We are excited to announce that Azure private networking for GitHub-hosted runners is now generally available. This feature allows you to run your actions workflows on GitHub-hosted runners that are connected to your Azure virtual network, without compromising on security or performance.</p><p>GitHub-hosted runners provide powerful compute in the cloud for running your CI/CD and automation workflows that are fully managed, eliminating the overhead of managing and maintaining your own infrastructure. However, we heard from enterprises having strict networking and security requirements that prevented them from using GitHub-hosted runners to their full potential, specifically:</p><ul><li>Secure access to private resources within their on-prem or cloud based locations, such as databases, artifactory, storage accounts, or APIs.</li><li>Enforce network security policies and outbound access rules on the runners to reduce data exfiltration risks.</li><li>Isolate their build traffic from the public internet and route it through their existing private network connections (for example, VPN or ExpressRoute).</li><li>Monitor network traffic for any malicious or unusual behavior as workflows run.</li></ul><p>With Azure private networking, you can easily create GitHub-hosted runners that are provisioned within your Azure virtual network and subnet of choice. Thereafter, your actions workflows can securely access Azure services like storage accounts, databases, and on-premises data sources, such as an artifactory through existing, pre-configured connections like <a href="https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways">VPN gateways</a> and <a href="https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction">ExpressRoutes</a>. Additionally, security is front and center with this update. Any existing or new networking policies, such as <a href="https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview">Network Security Group (NSG)</a> or firewall rules, will automatically apply to GitHub-hosted runners giving platform administrators comprehensive control over network security, all managed within a single place.</p><p><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-77216 width-fit" src="https://github.blog/wp-content/uploads/2024/04/new-network-configuration.png?w=1024&resize=1024%2C582" alt='Screenshot of the page for creating a new network configuration. The fields of the form are "configuration name," "Azure Virtual Network," and "services allowed." GitHub Actions is selected under "Services allowed."' width="1024" height="582" srcset="https://github.blog/wp-content/uploads/2024/04/new-network-configuration.png?w=1327 1327w, https://github.blog/wp-content/uploads/2024/04/new-network-configuration.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/new-network-configuration.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/new-network-configuration.png?w=1024&resize=1024%2C582 1024w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p><figure class="gh-full-blockquote mx-0 pl-6 mt-6 mt-md-7 mb-7 mb-md-8"><blockquote><p>At Deutsche Vermögensberatung (DVAG), we always focus on delivering great products to our customers. By executing our CI/CD workflows on GitHub-hosted runners, the burden of managing our own infrastructure has been lifted. This shift has provided our developers and DevOps administrators with precious time to dedicate to innovation, thus ultimately accelerating our products' time to market. One of the standout features of GitHub Actions is the ability to securely and privately integrate with Azure networking, which empowers us to establish secure and private connections from GitHub-hosted runners to our internal resources. With minimal administrative overhead we can effectively manage many resources including Kubernetes clusters, databases, and virtual machines.</p></blockquote><figcaption class="text-mono color-fg-muted f5-mktg mt-3"> - Florian Koch, Lead Developer IT Platform // Deutsche Vermögensberatung</figcaption></figure><h3 id="support-for-github-team-plan" id="support-for-github-team-plan" >Support for GitHub Team plan<a href="#support-for-github-team-plan" class="heading-link pl-2 text-italic text-bold" aria-label="Support for GitHub Team plan"></a></h3><p>Azure private networking is now supported with the GitHub Team plan, in addition to the GitHub Enterprise Cloud plan. With that, GitHub Team plan organization administrators have the ability to create and manage network configurations for their organization’s Github-hosted runners.</p><h3 id="new-azure-regions" id="new-azure-regions" >New Azure regions<a href="#new-azure-regions" class="heading-link pl-2 text-italic text-bold" aria-label="New Azure regions"></a></h3><p>At public beta, Azure private networking was supported across three primary regions: East US, East US2, and West US2. With general availability, we are adding support for 10 additional Azure regions based on your feedback. Newly added regions include Central US, West US, Norway East, France Central, Switzerland North, UK South, North Europe, Australia East, Southeast Asia, and South India.</p><h2 id="introducing-additional-runners-skus-%f0%9f%8e%89" id="introducing-additional-runners-skus-%f0%9f%8e%89" >Introducing additional runners SKUs 🎉<a href="#introducing-additional-runners-skus-%f0%9f%8e%89" class="heading-link pl-2 text-italic text-bold" aria-label="Introducing additional runners SKUs 🎉"></a></h2><p>We are excited to introduce the latest additions to the GitHub-hosted runner fleet, 2 vCPU Linux and 4 vCPU Windows runners, supporting auto-scaling and private networking features. Previously, our supported SKUs ranged from 4 vCPU (Linux only) to 64 vCPU, prompting substantial feedback requesting smaller SKUs with the same auto-scaling and private networking capabilities. These newly introduced smaller machines are geared to specifically support scenarios where smaller machine sizes suffice yet the demand for heightened security and performance persists. Additionally, we are thrilled to announce that Apple silicon (M1) hosted runners, specifically macOS L (12-core Intel) and macOS XL (M1 w/GPU hardware acceleration), which were <a href="https://github.blog/changelog/2023-10-02-github-actions-apple-silicon-m1-macos-runners-are-now-available-in-public-beta/">previously in public beta</a>, are now generally available.</p><h2 id="gpu-hosted-runners-available-in-public-beta-%f0%9f%8e%89" id="gpu-hosted-runners-available-in-public-beta-%f0%9f%8e%89" >GPU hosted runners available in public beta 🎉<a href="#gpu-hosted-runners-available-in-public-beta-%f0%9f%8e%89" class="heading-link pl-2 text-italic text-bold" aria-label="GPU hosted runners available in public beta 🎉"></a></h2><p>We’re delighted to unveil GPU hosted runners in public beta! This new runner empowers teams working with machine learning models, such as large language models (LLMs) or those requiring GPU graphic cards for game development, to run these more efficiently as part of their automation or CI/CD process. This allows teams to do complete application testing, including the ML components, with GitHub Actions.</p><p><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-77218 width-fit" src="https://github.blog/wp-content/uploads/2024/04/runner-specifications.png?w=876&resize=876%2C551" alt="Screenshot of the page displaying different runner specifications." width="876" height="551" srcset="https://github.blog/wp-content/uploads/2024/04/runner-specifications.png?w=876&resize=876%2C551 876w, https://github.blog/wp-content/uploads/2024/04/runner-specifications.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/runner-specifications.png?w=768 768w" sizes="(max-width: 876px) 100vw, 876px" data-recalc-dims="1" /></p><p>Moreover, the GPU SKU comes equipped with auto-scaling and private networking features. We’re initially rolling out support for a 4-core SKU on Linux and Windows machines with 1 T4 GPU, and have more SKUs planned for later this year.</p><h2 id="whats-next" id="whats-next" >What’s next?<a href="#whats-next" class="heading-link pl-2 text-italic text-bold" aria-label="What’s next?"></a></h2><p>At GitHub, we are dedicated to continuous improvement, driven by your feedback, to ensure that our platform delivers an unparalleled user experience. Here’s a glimpse into some exciting enhancements on the horizon for GitHub-hosted Actions runners.</p><p>Reliability continues to be our top priority as we introduce new functionalities. We understand the profound impact any service disruption has on our users and are actively engaged in significant efforts to enhance the overall scalability and reliability of the GitHub Actions platform.</p><p>We’re focused on elevating the Azure private networking feature set, enabling the creation of network configurations encompassing multiple virtual networks. Additionally, we’re streamlining setup processes through scripting and implementing best practices for VNET peering to accommodate unsupported Azure regions. For customers not utilizing Azure, we’re developing private networking solutions tailored to address similar challenges surrounding private resource accessibility, outbound control, and network monitoring. These solutions will seamlessly integrate with other leading cloud providers, such as AWS and GCP.</p><p>In response to your valuable feedback, we’re refining our image capabilities. Soon, you will have the ability to craft custom VM images natively in GitHub Actions, bundling all necessary software and tools to expedite build and test procedures for even the most intricate or expansive projects. Furthermore, we’re committed to enhancing our runner SKUs to meet the evolving demands of our user base. This includes the introduction of additional GPU SKUs, ARM SKUs, and any other variants driven by customer demand.</p><h2 id="get-started" id="get-started" >Get started<a href="#get-started" class="heading-link pl-2 text-italic text-bold" aria-label="Get started"></a></h2><p>Azure private networking for GitHub-hosted runners is generally available starting today across GitHub Team and Enterprise Cloud plans. To get started, navigate to the ‘Hosted Compute Networking’ section within your Enterprise or Organization settings. For more details, consult our <a href="https://github.co/actions-azure-vnet">documentation</a>. To request support for additional Azure regions, please fill out this <a href="https://resources.github.com/private-networking-for-github-hosted-runners-with-azure-virtual-networks/">form</a>. Please note: Azure private networking for GitHub Codespaces continues to remain in beta.</p><p>The newly added 2 vCPU Linux and 4 vCPU Windows SKUs are generally available starting today across GitHub Team and Enterprise plans. To use these runners, create a GitHub-hosted runner by selecting the ‘2-core’ or ‘4-core’ size options in the runner creation flow. macOS L and macOS XL runners are also generally available across GitHub Team and Enterprise plans, and can be used by updating the runs-on key to use one of the <a href="https://docs.github.com/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners#about-macos-larger-runners">GitHub-defined macOS runner labels</a>. To learn more about pricing for these SKUs, refer to our <a href="https://docs.github.com/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates">documentation</a>.</p><p><strong>GPU hosted runners are available starting today in public beta across GitHub Team and Enterprise plans.</strong> To learn more about pricing for these runners, refer to our <a href="https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions">documentation</a>. To share your feedback and help us find the right additional GPU SKUs to support, please fill out this <a href="https://forms.gle/9JQ3rtm1pX6RcEjt8">form</a>.</p><p>We’re eager to hear your feedback on any and all of these functionalities. Share your thoughts on our <a href="https://github.com/orgs/community/discussions/58739">GitHub Community Discussion</a>.</p></body></html><p>The post <a href="https://github.blog/2024-04-02-bringing-enterprise-level-security-and-even-more-power-to-github-hosted-runners/">Bringing enterprise-level security and even more power to GitHub-hosted runners</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77210</post-id> </item> <item> <title>Empowering women through open source</title> <link>https://github.blog/2024-03-28-empowering-women-through-open-source/</link> <dc:creator><![CDATA[Jiyon Yun]]></dc:creator> <pubDate>Thu, 28 Mar 2024 18:42:21 +0000</pubDate> <category><![CDATA[Open Source]]></category> <category><![CDATA[gender equality]]></category> <category><![CDATA[social impact]]></category> <category><![CDATA[women's empowerment]]></category> <guid isPermaLink="false">https://github.blog/?p=77177</guid> <description><![CDATA[<p>A discussion about how tech is aiding organizations fighting for gender equality, what it means to be a woman in tech and the world today, and advice on how we all move forward.</p><p>The post <a href="https://github.blog/2024-03-28-empowering-women-through-open-source/">Empowering women through open source</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></description> <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"><html><body><p>It’s not often we step outside of our careers and busy everyday lives and pause to say, “Hey, what is this all about? Am I fulfilled? Am I finding meaning in what I’m doing day to day?”</p><p>As the Head of Commercial Legal at GitHub, I have quite a unique role. Most of my career was spent in a law firm until I transitioned into tech. I came from a male-dominated workplace and saw tech as a new environment (though still male-dominated) where ideas flourished and folks were allowed to be themselves in a safe space.</p><p>But this month—March is Gender Equality Month and celebrates Women’s Day—gave a reason to pause and reflect on my own journey, as well as ask what people and organizations are doing every day to empower women. So, I sat down with <strong>Felicitas Heyne, co-founder of <a href="https://www.audiopedia.foundation/">Audiopedia Foundation</a></strong>, as well as <strong>Nadine Krish Spencer, Head of Product and Experience at <a href="https://www.chayn.co/">Chayn</a></strong>. We discussed how tech is aiding organizations fighting for gender equality, what it means to be a woman in tech and the world today, and what advice and learnings they’d like to share with others. I hope you find as much inspiration from their mission, work, and stories as I did.</p><p><strong>Jiyon Yun</strong><br><em>Head of Commercial Legal // GitHub</em></p><hr><h2 id="getting-to-know-audiopedia-foundation" id="getting-to-know-audiopedia-foundation" >Getting to know Audiopedia Foundation<a href="#getting-to-know-audiopedia-foundation" class="heading-link pl-2 text-italic text-bold" aria-label="Getting to know Audiopedia Foundation"></a></h2><p><strong>Jiyon (GitHub):</strong> The work Audiopedia Foundation is doing is truly remarkable, and I would love to hear in your own words why these efforts are so essential and how you came to help found this organization.</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/03/Felicitas-Heyne.jpg?w=300&resize=300%2C200" alt="Photograph of Felicitas Heyne, a smiling Caucasian woman with blond hear, wearing dark-framed glasses and a bright red blazer." width="300" height="200" class="alignleft size-medium wp-image-77178 width-fit" srcset="https://github.blog/wp-content/uploads/2024/03/Felicitas-Heyne.jpg?w=5184 5184w, https://github.blog/wp-content/uploads/2024/03/Felicitas-Heyne.jpg?w=300&resize=300%2C200 300w, https://github.blog/wp-content/uploads/2024/03/Felicitas-Heyne.jpg?w=768 768w, https://github.blog/wp-content/uploads/2024/03/Felicitas-Heyne.jpg?w=1024 1024w, https://github.blog/wp-content/uploads/2024/03/Felicitas-Heyne.jpg?w=1536 1536w, https://github.blog/wp-content/uploads/2024/03/Felicitas-Heyne.jpg?w=2048 2048w, https://github.blog/wp-content/uploads/2024/03/Felicitas-Heyne.jpg?w=300&resize=300%2C2000 3000w" sizes="(max-width: 300px) 100vw, 300px" data-recalc-dims="1" /></p><p><strong>Felicitas (Audiopedia):</strong> Audiopedia Foundation works to empower women in the global south through access to information in an audio format. We work with NGOs around the world to bring different forms of tech—from solar-powered audio players to WhatsApp to loudspeakers—to local communities based on their unique needs.</p><p>I had never dreamt of leading an organization doing social impact work all over the globe. <strong>But I have a hard time realizing there is an injustice and not doing anything about it.</strong></p><p>I’ve always been passionate about empowering women and when we started to dive into the topic, we realized that 500 million women in the world are illiterate—and these are just the official numbers. There are also more than 7,000 languages in the world, half of which don’t even have a written language. We tried to come up with an idea to bring information to these women—including topics like health, economics, human rights—which sparked the idea of Audiopedia nine years ago.</p><h2 id="getting-to-know-chayn" id="getting-to-know-chayn" >Getting to know Chayn<a href="#getting-to-know-chayn" class="heading-link pl-2 text-italic text-bold" aria-label="Getting to know Chayn"></a></h2><p><strong>Jiyon (GitHub):</strong> I think we could all take away some learnings from Chayn—from your values to the way you operate. Could you tell me about Chayn’s mission?</p><p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/03/Nadine-Krish-Spencer-headshot.jpeg?w=279&resize=279%2C300" alt="A photograph of Nadine Krish Spencer, a woman with short, dark curly hair who is smiling and sitting in a yellow wingback armchair." width="279" height="300" class="alignleft size-medium wp-image-77181 width-fit" srcset="https://github.blog/wp-content/uploads/2024/03/Nadine-Krish-Spencer-headshot.jpeg?w=1276 1276w, https://github.blog/wp-content/uploads/2024/03/Nadine-Krish-Spencer-headshot.jpeg?w=279&resize=279%2C300 279w, https://github.blog/wp-content/uploads/2024/03/Nadine-Krish-Spencer-headshot.jpeg?w=768 768w, https://github.blog/wp-content/uploads/2024/03/Nadine-Krish-Spencer-headshot.jpeg?w=952 952w" sizes="(max-width: 279px) 100vw, 279px" data-recalc-dims="1" /></p><p><strong>Nadine (Chayn):</strong> Chayn is a tech-forward nonprofit that aims to support survivors of sexual abuse, assault, and domestic violence with healing. We use technology to further accelerate that mission.</p><p><strong>Jiyon:</strong> What really stood out for me about Chayn is how survivors are supporting other survivors. Can you speak a little bit more about that? How are women empowering other women to heal, find peace, and move forward?</p><p><strong>Nadine:</strong> It’s definitely a powerful part of our organization. <strong>We are all women in the organization at the moment and that’s different, especially if you come from the tech world.</strong></p><p>It was something that really drew me to Chayn and I thought, “Wow, I really want to see whether this survivor focus—we call it a trauma-informed way of working—is actually possible.” And to be totally transparent, we’re still figuring out the answer to that because we do have a lot of survivors on the team. It’s not something that people have to disclose, but it’s a constant awareness for us. And even if people aren’t survivors, quite often people close to them have experienced abuse. That adds an extra layer of understanding to the people we’re trying to reach and helps further our mission.</p><h2 id="the-role-of-tech-in-social-impact-work" id="the-role-of-tech-in-social-impact-work" >The role of tech in social impact work<a href="#the-role-of-tech-in-social-impact-work" class="heading-link pl-2 text-italic text-bold" aria-label="The role of tech in social impact work"></a></h2><p><strong>Jiyon:</strong> What is the role of tech and open source in helping social impact organizations tackle global issues?</p><p><strong>Felicitas</strong>: Tech is really a big opportunity to make a change. We’ve been doing development work for decades now and still, every third woman can’t read or write. These numbers haven’t changed despite all of the work from NGOs and that’s because the scalability and impact aren’t sufficient. But we can leapfrog this problem now with tech. <strong>That’s why tech is such a big opportunity. We can solve problems that we haven’t been able to solve for decades. And we can solve them quickly, so we don’t have to take another 300 years to reach gender equality.</strong></p><p><strong>Nadine:</strong> As somebody coming from the tech world, there was an assumption that moving into the charity or nonprofit sector might mean that it’s less progressive or less advanced in tech. But last year we were part of the <a href="https://socialimpact.github.com/tech-for-social-good/dpg-open-source-community-manager-program">DPG Open Source Community Manager Program</a> and worked with a community manager who we’ve now gone on to employ. It has been instrumental having somebody who really got it from the tech side; we had tried to set up our own tech volunteer program before, but we saw it as quite a heavy lift to manage a tech community. And I think what she has really helped us to see is that there are people out there who just want to come in and help, without having met you or even getting credit. They do it because they’ve got an itch they want to scratch or they see this as a way to contribute to social good, and that is really unique. <strong>I don’t know if another industry operates like that where strangers come in and essentially perform random acts of kindness.</strong></p><h2 id="sources-of-inspiration" id="sources-of-inspiration" >Sources of inspiration<a href="#sources-of-inspiration" class="heading-link pl-2 text-italic text-bold" aria-label="Sources of inspiration"></a></h2><p><strong>Jiyon:</strong> As a woman leader, what inspires you? Who inspires you?</p><p><strong>Felicitas</strong>: Any woman who’s willing and able to overcome obstacles. Becoming a victim is easy for a woman, but it’s very inspiring to see how women overcome and even grow from these challenges. Women are the largest untapped potential in the world in my point of view. We’ve had 2,000 years of patriarchy behind us, and I’d really love to see what would happen with 2,000 years of matriarchy ahead of us.</p><p>When we were in Morocco, we went to a women’s shelter and I listened to many women’s stories. As I listened to them, I had no idea how they could overcome and survive what they went through, but they were there, many with their children, moving forward. It was so impressive and I realized that anything I could do to make it easier for them and women like them is an obligation. <strong>I didn’t earn my privilege; it was mere luck. So, I have a strong need to help those who aren’t as privileged. It’s a question of justice in my eyes; inequality drives me crazy.</strong></p><h2 id="advice-for-women-in-tech" id="advice-for-women-in-tech" >Advice for women in tech<a href="#advice-for-women-in-tech" class="heading-link pl-2 text-italic text-bold" aria-label="Advice for women in tech"></a></h2><p><strong>Jiyon:</strong> If you looked back 5 years ago, 10 years ago, or when you were starting your career, what advice would you give women who aren’t in tech right now but who want to follow that path?</p><p><strong>Nadine:</strong> Tech holds the power to try and do things differently. And we’re at a point where it would be easy for women to retreat. In the same way that sometimes we retreat from other male-dominated spaces; the wider world of tech could become one of those places.</p><p>When I was in the commercial world, I tried my best as one of two women on a floor with maybe 100 men. I joined the company when it was only 35 people as a product manager and saw them scale to around 450 people by the time I left. Because I was able to climb so quickly as the company scaled, I struggled a lot with imposter syndrome.</p><p>People would tell me to “break down the imposter syndrome,” especially because I was a woman. But the idea of just “breaking it down” is really tough, and it made me think even more that I wasn’t cut out to do this, which was really hard to shake. But as the company grew and I was surrounded by more women, I actually realized <strong>the better advice is: find your allies</strong>. Having allies—of any gender—helps you start to shake the imposter syndrome naturally and you become a lot more confident when you’re not in a place of isolation.</p><h2 id="where-we-go-from-here" id="where-we-go-from-here" >Where we go from here<a href="#where-we-go-from-here" class="heading-link pl-2 text-italic text-bold" aria-label="Where we go from here"></a></h2><p><strong>Jiyon:</strong> What can women and other leaders do to contribute to and inspire change?</p><p><strong>Felicitas</strong>: The key is empathy. If you start to look to the global south, you very quickly realize that most of the things we take for granted in our lives aren’t granted for billions of people, especially women. <strong>It’s important to question your position in the world, recognize your privileges, and use your empathy to drive action.</strong></p><p><strong>Nadine:</strong> It’s really important to get some “balcony time” where you step out and look over what’s going on in your life and all around you. It’s really difficult to juggle everything in your day-to-day life and to just stop and reflect. And the second part is then to act on those realizations and start doing things for other people. It’s taking the time to acknowledge the people in your life and to say, <strong>“I see you there and I see how you’re showing up for other people.” Recognition and support are things we’ve got to do for each other.</strong></p><hr><p>Speaking with both Felicitas and Nadine moved me in a way I wasn’t expecting. It was a good reminder to take that “balcony time” and step outside of my every day, reflect on what I can do to impact others, and take steps to do that. I hope you found some inspiration from their stories as well.</p><div class="post-content-cta"><p>If you want to learn more or support these causes, visit Audiopedia Foundation’s <a href="https://www.audiopedia.foundation/">website</a> and <a href="https://github.com/OSEQorg">repository</a> and Chayn’s <a href="https://www.chayn.co/">website</a> and <a href="https://github.com/chaynhq">repository</a>. You can also contribute to Chayn’s <a href="https://github.com/chaynHQ/bloom-frontend">frontend</a>, <a href="https://github.com/chaynHQ/bloom-backend">backend</a>, and <a href="https://github.com/chaynHQ/soulmedicine">soulmedicine</a> work.</p></div></body></html><p>The post <a href="https://github.blog/2024-03-28-empowering-women-through-open-source/">Empowering women through open source</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">77177</post-id> </item> </channel></rss> If you would like to create a banner that links to this page (i.e. this validation result), do the following:
Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):
If you would like to create a text link instead, here is the URL you can use:
http://www.feedvalidator.org/check.cgi?url=https%3A//github.blog/feed/
