Congratulations!

[Valid RSS] This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: https://github.blog/feed/

  1. <?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
  2. xmlns:content="http://purl.org/rss/1.0/modules/content/"
  3. xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  4. xmlns:dc="http://purl.org/dc/elements/1.1/"
  5. xmlns:atom="http://www.w3.org/2005/Atom"
  6. xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  7. xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
  9. xmlns:georss="http://www.georss.org/georss"
  10. xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
  11. >
  12.  
  13. <channel>
  14. <title>The GitHub Blog</title>
  15. <atom:link href="https://github.blog/feed/" rel="self" type="application/rss+xml" />
  16. <link>https://github.blog/</link>
  17. <description>Updates, ideas, and inspiration from GitHub to help developers build and design software.</description>
  18. <lastBuildDate>Tue, 30 Apr 2024 16:35:21 +0000</lastBuildDate>
  19. <language>en-US</language>
  20. <sy:updatePeriod>
  21. hourly </sy:updatePeriod>
  22. <sy:updateFrequency>
  23. 1 </sy:updateFrequency>
  24. <generator>https://wordpress.org/?v=6.5.2</generator>
  25.  
  26. <image>
  27. <url>https://github.blog/wp-content/uploads/2019/01/cropped-github-favicon-512.png?fit=32%2C32</url>
  28. <title>The GitHub Blog</title>
  29. <link>https://github.blog/</link>
  30. <width>32</width>
  31. <height>32</height>
  32. </image>
  33. <site xmlns="com-wordpress:feed-additions:1">153214340</site> <item>
  34. <title>Where does your software (really) come from?</title>
  35. <link>https://github.blog/2024-04-30-where-does-your-software-really-come-from/</link>
  37. <dc:creator><![CDATA[Trevor Rosen]]></dc:creator>
  38. <pubDate>Tue, 30 Apr 2024 16:35:21 +0000</pubDate>
  39. <category><![CDATA[Security]]></category>
  40. <category><![CDATA[GitHub Actions]]></category>
  41. <category><![CDATA[GitHub CLI]]></category>
  42. <category><![CDATA[supply chain security]]></category>
  43. <guid isPermaLink="false">https://github.blog/?p=77757</guid>
  44.  
  45. <description><![CDATA[<p>GitHub is working with the OSS community to bring new supply chain security capabilities to the platform.</p>
  46. <p>The post <a href="https://github.blog/2024-04-30-where-does-your-software-really-come-from/">Where does your software (really) come from?</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  47. ]]></description>
  48. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  49. <html><body><p>Software is a funny, profound thing: each piece of it is an invisible machine, seemingly made of magic words, designed to run on the ultimate, <em>universal</em> machine. It&rsquo;s not alive, but it has a <em>lifecycle</em>. It starts out as source code&mdash;just text files, sitting in a repository somewhere&mdash;and then later (through some unique process) that source gets <em>built</em> into something else. A chunk of minified Javascript delivered to a web server, a container image full of framework code and business logic, a raw binary compiled for a specific processor architecture. That final stage of metamorphosis, that <em>something else</em> that source code becomes, is what we usually refer to as a &ldquo;software artifact,&rdquo;and after their creation artifacts tend to spend a good chunk of time at rest, waiting to be used. They do it in package registries (like npm, RubyGems, PyPI, MavenCentral, etc.) or in container registries (like GitHub Packages, Azure Container Registry, AWS ECR, etc.), as binaries attached to GitHub Releases, or just a ZIP file sitting in blob storage somewhere.</p>
  50. <p>Eventually, someone decides to pick up that artifact and <em>use it</em>. They unzip the package, execute the code, launch the container, install the driver, update the firmware&mdash;no matter the modality, suddenly the built thing is <em>running.</em> This is the culmination of a production lifecycle that can take many human-hours, cost lots of money, and (given that the modern world runs on software) can be as high-stakes as it gets.</p>
  51. <p><img fetchpriority="high" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/image-31.png?w=1024&#038;resize=1024%2C191" alt="Process diagram demonstrating the flow from producer to source to build package to consumer." width="1024" height="191" class="aligncenter size-large wp-image-77760 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/image-31.png?w=2576 2576w, https://github.blog/wp-content/uploads/2024/04/image-31.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/image-31.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/image-31.png?w=1024&#038;resize=1024%2C191 1024w, https://github.blog/wp-content/uploads/2024/04/image-31.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/image-31.png?w=2048 2048w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  52. <p>And yet, in so many cases, we don&rsquo;t have a strong guarantee that the artifact that we <em>run</em> is most definitely the thing that we <em>built</em>. The details of that artifact&rsquo;s journey are lost, or at best are hazy; it&rsquo;s hard to connect the artifact back to the source code and build instructions from whence it came. This lack of visibility into the artifact&rsquo;s lifecycle is the source of many of today&rsquo;s most compelling security challenges. Throughout the SDLC there are opportunities to secure the flow of code transforming into artifacts&mdash;doing so helps remove the risk that threat actors will poison finalized software and create havoc.</p>
  53. <p>Some challenges in cybersecurity can feel almost impossible to successfully address, but this isn&rsquo;t one of them. Let&rsquo;s dig in with some background.</p>
  54. <h2 id="digests-and-signatures" id="digests-and-signatures" >Digests and signatures<a href="#digests-and-signatures" class="heading-link pl-2 text-italic text-bold" aria-label="Digests and signatures"></a></h2>
  55. <p>Say you have a file in your home directory, and you want to make sure that it&rsquo;s exactly the same tomorrow as it is today. What do you do? A good way to start is to generate a <em>digest</em> of the file by running it through a secure hashing algorithm. Here&rsquo;s how we can do that with OpenSSL, using the SHA-256 algorithm:</p>
  56. <pre><code>openssl dgst -sha256 ~/important-file.txt
  57. </code></pre>
  58. <p>Now, you&rsquo;ve got a <em>digest</em> (also called a <em>hash</em>), a 64-character string of letters and numbers representing a unique fingerprint for that file. Change literally anything in that file, and run the hash function again, and you&rsquo;ll get a different string. You can write down the digest somewhere and come back tomorrow and try the same process again. If you don&rsquo;t get the same digest string both times, something in the file has changed.</p>
  59. <p>Ok, so far, so good&mdash;we can determine whether something has been tampered with. What if we want to make a statement about the artifact? What if we want to say &ldquo;I saw this artifact today, and I (a system or a person) am guaranteeing that this particular thing is definitely the thing I saw.&rdquo; At that point, what you want is a software artifact <em>signature</em>; you want to take your digest string and run it through a cryptographic algorithm to produce <em>another</em> string representing the act of &ldquo;signing&rdquo; that fingerprint with a unique key. If you subsequently want someone else to be able to confirm your signature, you&rsquo;ll want to use <em>asymmetric</em> encryption: sign the digest with your private key and give out the corresponding public key so that anyone out there in the world who gets your file can verify it.</p>
  60. <p>You probably already know that asymmetric encryption is the basis for almost all trust on the internet. It&rsquo;s how you can securely interact with your bank, and how GitHub can securely deliver your repository contents. We use asymmetric encryption to power technologies, like TLS and SSH, to create trusted channels for communication, but we also use it to create a basis for trusting software via signatures.</p>
  61. <p>Operating systems like Windows, macOS, iOS, Android, etc. all have mechanisms for ensuring a trusted origin for executable software artifacts by enforcing the presence of a signature. These systems are incredibly important components of the modern software world, and building them is fiendishly difficult.</p>
  62. <h2 id="dont-just-sign-attest" id="dont-just-sign-attest" >Don&rsquo;t just sign&mdash;<em>attest</em><a href="#dont-just-sign-attest" class="heading-link pl-2 text-italic text-bold" aria-label="Don&rsquo;t just sign&mdash;&lt;em&gt;attest&lt;/em&gt;"></a></h2>
  63. <p>When thinking about how to expose more trustable information about a software artifact, a signature is a good start. It says &ldquo;some trusted system definitely saw this thing.&rdquo; But if you want to truly offer an evolutionary leap in the security of the SDLC as a whole, you need to go beyond mere signatures think in terms of <em>attestations</em>.</p>
  64. <p>An attestation is an assertion of fact, a statement made <em>about</em> an artifact or artifacts and <em>created by</em> some entity that can be authenticated. It can be authenticated because the statement is signed and the key that did the signing can be trusted.</p>
  65. <p>The most important and foundational kind of attestation is one that asserts facts about the origin and creation of the artifact&mdash;the source code it came from and build instructions that transmuted that source into an artifact. We call this a <em>provenance attestation</em>.</p>
  66. <p>The provenance attestation spec that we&rsquo;ve chosen comes from the <a href="https://slsa.dev">SLSA project</a>. SLSA is a great way to think about software supply chain security because it gives producers and consumers of software a common framework for reasoning about security guarantees and boundaries in a way that is agnostic of specific systems and tech stacks. SLSA offers a standardized schema for producing provenance attestations for software artifacts, based on the work done by the <a href="https://in-toto.io/">in-toto project</a>. in-toto is a CNCF-graduated project that exists to (among other things) provide a collection of standardized metadata schemas for relevant information about your supply chain and build process.</p>
  67. <h2 id="what-does-it-take-to-build-something-like-this" id="what-does-it-take-to-build-something-like-this" >What does it take to build something like this?<a href="#what-does-it-take-to-build-something-like-this" class="heading-link pl-2 text-italic text-bold" aria-label="What does it take to build something like this?"></a></h2>
  68. <p>As the largest global software development platform that hosts a lot of code and build pipelines, we&rsquo;ve been thinking about this a lot. There are a number of moving parts that it would take to build an attestation service.</p>
  69. <p>Doing so would mean having a way to:</p>
  70. <ul>
  71. <li>Issue certificates (essentially public keys bound to some authenticated identity).</li>
  72. <li>Make sure that those certificates can&rsquo;t be misused.</li>
  73. <li>Enable the secure signing of artifacts in a well-known context.</li>
  74. <li>Verify those signatures in a way the end-user can trust.</li>
  75. </ul>
  76. <p>This means setting up a <a href="https://en.wikipedia.org/wiki/Certificate_authority">Certificate Authority</a> (CA) and having some kind of client app you can use to authenticate the signatures associated with certs issued by that authority. In order to keep the certificates from being misused, you need to either 1) maintain <a href="https://en.wikipedia.org/wiki/Certificate_revocation_list">Certificate Revocation Lists</a> or 2) ensure that the signing certificate is short-lived, which means having a counter signature from some kind of timestamping authority (which can give an authoritative stamp that a cert was only used to produce a signature during the timeframe it was valid).</p>
  77. <p>This is where <a href="https://sigstore.dev">Sigstore</a> comes in. It&rsquo;s an open source project that offers both an X.<a href="https://github.com/sigstore/fulcio">509 CA</a> and a <a href="https://github.com/sigstore/timestamp-authority">timestamp authority</a> based on <a href="https://www.rfc-editor.org/rfc/rfc3161">RFC 3161</a>. And it also lets you do identity with <a href="https://www.microsoft.com/en-us/security/business/security-101/what-is-openid-connect-oidc">OIDC tokens</a>, which many CI systems <a href="https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#getting-started-with-oidc">already produce</a> and associate with their workloads.</p>
  78. <p>Sigstore does for software signatures what <a href="https://letsencrypt.org/">Let&rsquo;s Encrypt</a> has done for TLS certificates: make them simple, transparent, and easy to adopt. <a href="https://github.blog/2022-10-25-why-were-excited-about-the-sigstore-general-availability/">GitHub</a> helps oversee the governance of the Sigstore project via our seat on the Technical Steering Committee, are maintainers of the server applications and multiple client libraries, and (along with folks from Google, RedHat, and Stacklok) form the operations team for the <a href="https://www.google.com/url?q=https://docs.sigstore.dev/system_config/public_deployment/&amp;sa=D&amp;source=docs&amp;ust=1714152554138847&amp;usg=AOvVaw3ffGaZvXDyXL1sXm81nqRV">Sigstore Public Good Instance</a>, which exists to support public attestations for OSS projects.</p>
  79. <p>Sigstore requires a secure root of trust that complies with the standard laid out by <a href="https://theupdateframework.org/">The Update Framework</a> (TUF). This allows clients to keep up with rotations in the CA&rsquo;s underlying keys without needing to update their code. TUF exists to mitigate a large number of <a href="https://theupdateframework.github.io/specification/latest/#goals-to-protect-against-specific-attacks">attack vectors</a> that can come into play when working to update code in situ. It&rsquo;s used by lots of projects for updating things like long-running telemetry agents in place, delivering secure firmware updates, etc.</p>
  80. <p>With Sigstore in place, it&rsquo;s possible to create a tamper-proof paper trail linking artifacts back to CI. This is really important because signing software and capturing details of provenance in a way that can&rsquo;t be forged means that software consumers have the means to enforce their own rules regarding the origin of the code they&rsquo;re executing, and we&rsquo;re excited to share more with you on this in the coming days. Stay tuned!</p>
  81. <div class="post-content-cta"><p>Harness the power of GitHub Advanced Security. <a href="https://docs.github.com/en/code-security/getting-started/github-security-features">Learn more</a> or <a href="https://github.com/features/security">get started now</a>.</p>
  82. </div>
  83. </body></html>
  84. <p>The post <a href="https://github.blog/2024-04-30-where-does-your-software-really-come-from/">Where does your software (really) come from?</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  85. ]]></content:encoded>
  89. <post-id xmlns="com-wordpress:feed-additions:1">77757</post-id> </item>
  90. <item>
  91. <title>Highlights from Git 2.45</title>
  92. <link>https://github.blog/2024-04-29-highlights-from-git-2-45/</link>
  94. <dc:creator><![CDATA[Taylor Blau]]></dc:creator>
  95. <pubDate>Mon, 29 Apr 2024 17:14:27 +0000</pubDate>
  96. <category><![CDATA[Open Source]]></category>
  97. <category><![CDATA[Git]]></category>
  98. <guid isPermaLink="false">https://github.blog/?p=77738</guid>
  99.  
  100. <description><![CDATA[<p>Git 2.45 is here with experimental support for reftables, and SHA-256 interoperability. Get our take on the latest here.</p>
  101. <p>The post <a href="https://github.blog/2024-04-29-highlights-from-git-2-45/">Highlights from Git 2.45</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  102. ]]></description>
  103. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  104. <html><body><p>The open source Git project just <a href="https://lore.kernel.org/git/xmqq8r0ww0sj.fsf@gitster.g/T/#u">released Git 2.45</a> with features and bug fixes from over 96 contributors, 38 of them new. We last caught up with you on the latest in Git back when <a href="https://github.blog/2024-02-23-highlights-from-git-2-44/">2.44 was released</a>.</p>
  105. <p>To celebrate this most recent release, here is GitHub&rsquo;s look at some of the most interesting features and changes introduced since last time.</p>
  106. <h2 id="preliminary-reftable-support" id="preliminary-reftable-support" >Preliminary reftable support<a href="#preliminary-reftable-support" class="heading-link pl-2 text-italic text-bold" aria-label="Preliminary reftable support"></a></h2>
  107. <p>Git 2.45 introduces preliminary support for a new reference storage backend called &ldquo;reftable,&rdquo; promising faster lookups, reads, and writes for repositories with any number of references.</p>
  108. <p>If you&rsquo;re unfamiliar with our previous coverage of the new reftable format, don&rsquo;t worry, this post will catch you up to speed (and then some!). But if you just want to play around with the new reference backend, you can initialize a new repository with <code>--ref-format=reftable</code> like so:</p>
  109. <pre><code>$ git init --ref-format=reftable /path/to/repo
  110. Initialized empty Git repository in /path/to/repo/.git
  111. $ cd /path/to/repo
  112. $ git commit --allow-empty -m 'hello reftable!'
  113. [main (root-commit) 2eb0810] hello reftable!
  114. $ ls -1 .git/reftable/
  115. 0x000000000001-0x000000000002-565c6bf0.ref
  116. tables.list
  117. $ cat .git/reftable/tables.list
  118. 0x000000000001-0x000000000002-565c6bf0.ref
  119. </code></pre>
  120. <p>With that out of the way, let&rsquo;s jump into the details. If you&rsquo;re new to this series, or didn&rsquo;t catch our initial coverage of the reftable feature, don&rsquo;t worry, here&rsquo;s a refresher. When we talk about <a href="https://git-scm.com/book/en/v2/Git-Internals-Git-References">references</a> in Git, we&rsquo;re referring to the branches and tags that make up your repository. In essence, a reference is nothing more than a name (like <code>refs/heads/my-feature</code>, or <code>refs/tags/v1.0.0</code>) and the object ID of the thing that reference points at.</p>
  121. <p>Git has historically stored references in your repository in one of two ways: either &ldquo;loose&rdquo; as a file inside of <code>$GIT_DIR/refs</code> (like <code>$GIT_DIR/refs/heads/my-feature</code>) or &ldquo;packed&rdquo; as an entry inside of the file at <code>$GIT_DIR/packed_refs</code>.</p>
  122. <p>For most repositories today, the existing reference backend works fine. For repositories with a truly gigantic number of references, however, the existing backend has some growing pains. For instance, storing a large number of references as &ldquo;loose&rdquo; can lead to directories with a large number of entries (slowing down lookups within that directory) and/or <a href="https://en.wikipedia.org/wiki/Inode#Potential_for_inode_exhaustion_and_solutions">inode exhaustion</a>. Likewise, storing all references in a single <code>packed_refs</code> file can become expensive to maintain, as even small reference updates require a significant I/O-cost to rewrite the entire <code>packed_refs</code> file on each update.</p>
  123. <p>That&rsquo;s where the reftable format comes in. Reftable is an entirely new format for storing Git references. Instead of storing loose references, or constantly updating a large <code>packed_refs</code> file, reftable implements a binary format for storing references that promises to achieve:</p>
  124. <ul>
  125. <li>Near constant-time lookup for individual references, and near constant-time verification that a given object ID is referred to by at least one reference.</li>
  126. <li>Efficient lookup of entire reference namespaces through prefix compression.</li>
  127. <li>Atomic reference updates that scale with the size of the reference update, not the number of overall references.</li>
  128. </ul>
  129. <p>The reftable format is incredibly detailed (curious readers can learn more about it in more detail by reading <a href="https://github.com/git/git/blob/v2.45.0/Documentation/technical/reftable.txt">the original specification</a>), but here&rsquo;s a high-level overview. A repository can have any number of reftables (stored as <code>*.ref</code> files), each of which is organized into variable-sized blocks. Blocks can store information about a collection of references, refer to the contents of other blocks when storing references across a collection of blocks, and more.</p>
  130. <p>The format is designed to both (a) take up a minimal amount of space (by storing reference names with prefix compression) and (b) support fast lookups, even when reading the <code>.ref</code> file(s) from a cold cache.</p>
  131. <p>Most importantly, the reftable format supports multiple <code>*.ref</code> files, meaning that each reference update transaction can be processed individually without having to modify existing <code>*.ref</code> files. A separate compaction process describes how to &ldquo;merge&rdquo; a range of adjacent <code>*.ref</code> files together into a single <code>*.ref</code> file to maintain read performance.</p>
  132. <p>The reftable format was originally designed by <a href="https://git.github.io/rev_news/2017/08/16/edition-30/#developer-spotlight-shawn-pearce">Shawn Pearce</a> for use in <a href="https://www.eclipse.org/jgit/">JGit</a> to better support the large number of references stored by <a href="https://www.gerritcodereview.com/">Gerrit</a>. Back in our <em><a href="https://github.blog/2022-01-24-highlights-from-git-2-35/">Highlights from Git 2.35</a></em> post, we covered that an implementation of the reftable format had landed in Git. In that version, Git did not yet know how to use the new reftable code in conjunction with its existing reference backend system, meaning that you couldn&rsquo;t yet create repositories that store references using reftable.</p>
  133. <p>In Git 2.45, support for a reftable-powered storage backend has been integrated into Git&rsquo;s generic reference backend system, meaning that you can play with reftable on your own repository by running:</p>
  134. <pre><code>$ git init --ref-format=reftable /path/to/repo
  135. </code></pre>
  136. <p>[<a href="https://github.com/git/git/compare/3c2a3fdc388747b9eaf4a4a4f2035c1c9ddb26d0...8a0bebdeaec60623c8a791b197d574bdd031a452">source</a>, <a href="https://github.com/git/git/compare/274400998b0a2da64d20e9fa95b288bf1403459c...c68ca7abd30b22404ce59d5133566729c07ffe8f">source</a>, <a href="https://github.com/git/git/compare/ce65a188b15bef0ef68e81d5b083e7dda34ab2c9...e0795e2c7912bc407e311b8cd3ae908bc354d8c9">source</a>, <a href="https://github.com/git/git/compare/066124da88a6d43d125b30a1bc8a66c2d8ef6423...43f70eaea0e3fa9d98c895e9341674a67262b657">source</a>, <a href="https://github.com/git/git/compare/7a01b444638a2704befcd4c24e1d441b818ae67b...60c4c425155c61a081cc035240ee649aa2cb2e37">source</a>, <a href="https://github.com/git/git/compare/330ed38a2df0d67e247edc7ea69175520ead469d...fffd981ec2d7965733a4a15f9071e3734f7654a6">source</a>, <a href="https://github.com/git/git/compare/dc97afdcb93ca683bf73b4ae2ff028c161206617...fcacc2b161b095c99dfd4e0b05dcc1ed8ca80a62">source</a>, <a href="https://github.com/git/git/compare/50b52cafae4250319944d49d65f1fa8d83aedd58...0068aa794696188d3c9bea62804780d44bee824f">source</a>, <a href="https://github.com/git/git/compare/847af43a3afb39394d5fe58192f94b993ca18f9f...d51d8cc36831bdabbbcec8553a7e83d9f5a3be4d">source</a>, <a href="https://github.com/git/git/compare/2b49e41155d826d40ede07dfd4d34a7a36f9f64b...a949ebd342440049a1ac77ca675f66884eae4187">source</a>]</p>
  137. <h2 id="preliminary-support-for-sha-1-and-sha-256-interoperability" id="preliminary-support-for-sha-1-and-sha-256-interoperability" >Preliminary support for SHA-1 and SHA-256 interoperability<a href="#preliminary-support-for-sha-1-and-sha-256-interoperability" class="heading-link pl-2 text-italic text-bold" aria-label="Preliminary support for SHA-1 and SHA-256 interoperability"></a></h2>
  138. <p>Returning readers of this series will be familiar with our ongoing coverage of the Git project&rsquo;s <a href="https://git-scm.com/docs/hash-function-transition">hash function transition</a>. If you&rsquo;re new around here, or need a refresher, don&rsquo;t worry!</p>
  139. <p>Git identifies objects (the blobs, trees, commits, and tags that make up your repository) by a <a href="https://en.wikipedia.org/wiki/Hash_function">hash</a> of their contents. Since its inception, Git has used the <a href="https://en.wikipedia.org/wiki/SHA-1">SHA-1 hash function</a> to hash and identify objects in a repository.</p>
  140. <p>However, the SHA-1 function has known collision attacks (e.g., <a href="https://shattered.io/">Shattered</a>, and <a href="https://sha-mbles.github.io/">Shambles</a>), meaning that a sufficiently motivated attacker can generate a colliding pair of SHA-1 inputs, which have the same SHA-1 hash despite containing different contents. (Many providers, like GitHub, use a SHA-1 implementation that detects and rejects inputs that contain the telltale signs of being part of a colliding pair attack. For more details, see our post, <em><a href="https://github.blog/2017-03-20-sha-1-collision-detection-on-github-com/">SHA-1 collision detection on GitHub.com</a></em>).</p>
  141. <p>Around this time, the Git project <a href="https://lore.kernel.org/git/20170304011251.GA26789@aiede.mtv.corp.google.com/">began discussing</a> a plan to transition from SHA-1 to a more secure hash function that was not susceptible to the same chosen-prefix attacks. The project decided on SHA-256 as the successor to Git&rsquo;s use of SHA-1 and work on supporting the new hash function began in earnest. In Git 2.29 (released in October 2020), Git gained experimental support for using SHA-256 instead of SHA-1 in specially-configured repositories. That feature was declared no longer experimental in Git 2.42 (released in August 2023).</p>
  142. <p>One of the goals of the hash function transition was to introduce support for repositories to interoperate between SHA-1 and SHA-256, meaning that repositories could in theory use one hash function locally, while pushing to another repository that uses a different hash function.</p>
  143. <p>Git 2.45 introduces experimental preliminary support for limited interoperability between SHA-1 and SHA-256. To do this, Git 2.45 introduces a new concept called the &ldquo;compatibility&rdquo; object format, and allows you to refer to objects by either their given hash, or their &ldquo;compatibility&rdquo; hash. An object&rsquo;s compatibility hash is the hash of an object as it would have been written under the compatibility hash function.</p>
  144. <p>To give you a better sense of how this new feature works, here&rsquo;s a short demo. To start, we&rsquo;ll initialize a repository in SHA-256 mode, and declare that SHA-1 is our compatibility hash function:</p>
  145. <pre><code>$ git init --object-format=sha256 /path/to/repo
  146. Initialized empty Git repository in /path/to/repo/.git
  147. $ cd /path/to/repo
  148. $ git config extensions.compatObjectFormat sha1
  149. </code></pre>
  150. <p>Then, we can create a simple commit with a single file (<code>README</code>) whose contents are &ldquo;Hello, world!&rdquo;:</p>
  151. <pre><code>$ echo 'Hello, world!' &gt;README
  152. $ git add README
  153. $ git commit -m "initial commit"
  154. [main (root-commit) 74dcba4] initial commit
  155. Author: A U Thor &lt;author@example.com&gt;
  156. 1 file changed, 1 insertion(+)
  157. create mode 100644 README
  158. </code></pre>
  159. <p>Now, we can ask Git to show us the contents of the commit object we just created with <code>cat-file</code>. As we&rsquo;d expect, the hash of the commit object, as well as its root tree are computed using SHA-256:</p>
  160. <pre><code>$ git rev-parse HEAD | git cat-file --batch
  161. 74dcba4f8f941a65a44fdd92f0bd6a093ad78960710ac32dbd4c032df66fe5c6 commit 202
  162. tree ace45d916e870ce0fadbb8fc579218d01361da4159d1e2b5949f176b1f743280
  163. author A U Thor &lt;author@example.com&gt; 1713990043 -0400
  164. committer C O Mitter &lt;committer@example.com&gt; 1713990043 -0400
  165.  
  166. initial commit
  167. </code></pre>
  168. <p>But we can also tell <code>git rev-parse</code> to output any object IDs using the compatibility hash function, allowing us to ask for the SHA-1 object ID of that same commit object. When we print its contents out using <code>cat-file</code>, its root tree OID is a different value (starting with <code>7dd4941980</code> instead of <code>ace45d916e</code>), this time computed using SHA-1 instead of SHA-256:</p>
  169. <pre><code>$ git rev-parse --output-object-format=sha1 HEAD
  170. 2a4f4a2182686157a2dc887c46693c988c912533
  171.  
  172. $ git rev-parse --output-object-format=sha1 HEAD | git cat-file --batch
  173. 2a4f4a2182686157a2dc887c46693c988c912533 commit 178
  174. tree 7dd49419807b37a3afd2f040891a64d69abb8df1
  175. author A U Thor &lt;author@example.com&gt; 1713990043 -0400
  176. committer C O Mitter &lt;committer@example.com&gt; 1713990043 -0400
  177.  
  178. initial commit
  179. </code></pre>
  180. <p>Support for this new feature is still considered experimental, and many features may not work quite as you expect them to. There is still much work ahead for full interoperability between SHA-1 and SHA-256 repositories, but this release delivers an important first step towards full interoperability support.</p>
  181. <p>[<a href="https://github.com/git/git/compare/c75fd8d8150afdf836b63a8e0534d9b9e3e111ba...7673ecd2dcdcf0aae01cccdb5c25f9b96160a8c0">source</a>]</p>
  182. <hr>
  183. <ul>
  184. <li>If you&rsquo;ve ever scripted around your repository, then you have no doubt used <code>git rev-list</code> to list commits or objects reachable from some set of inputs. <code>rev-list</code> can also come in handy when trying to diagnose repository corruption, including investigating missing objects.
  185. <p>In the past, you might have used something like <code>git rev-list --missing=print</code> to gather a list of objects which are reachable from your inputs, but are missing from the local repository. But what if there are missing objects at the tips of your reachability query itself? For instance, if the tip of some branch or tag is corrupt, then you&rsquo;re stuck:</p>
  186. <pre><code>$ git rev-parse HEAD | tr 'a-f1-9' '1-9a-f' &gt;.git/refs/heads/missing
  187. $ git rev-list --missing=print --all | grep '^?'
  188. fatal: bad object refs/heads/missing
  189. </code></pre>
  190. <p>Here, Git won&rsquo;t let you continue, since one of the inputs to the reachability query itself (<code>refs/heads/missing</code>, via <code>--all</code>) is missing. This can make debugging missing objects in the reachable parts of your history more difficult than necessary.</p>
  191. <p>But with Git 2.45, you can debug missing objects even when the tips of your reachability query are themselves missing, like so:</p>
  192. <pre><code>$ git rev-list --missing=print --all | grep '^?'
  193. ?70678e7afeacdcba1242793c3d3d28916a2fd152
  194. </code></pre>
  195. <p>[<a href="https://github.com/git/git/compare/2c206fc82abb3ae3d8a5fb5b3c07c1a933007f31...a4324babe679352a801310f8e30f3cbcd9c1f16b">source</a>]</p>
  196. </li>
  197. <li>
  198. <p>One of Git&rsquo;s lesser-known features are &ldquo;reference logs,&rdquo; or &ldquo;<a href="https://git-scm.com/docs/git-reflog">reflogs</a>&rdquo; for short. These reference logs are extremely useful when asking questions about the history of some reference, such as: &ldquo;what was main pointing at two weeks ago?&rdquo; or &ldquo;where was I before I started this rebase?&rdquo;.</p>
  199. <p>Each reference has its own corresponding reflog, and you can use the <code>git reflog</code> command to see the reflog for the currently checked-out reference, or for an arbitrary reference by running <code>git reflog refs/heads/some/branch</code>.</p>
  200. <p>If you want to see what branches have corresponding reflogs, you could look at the contents of .git/logs like so:</p>
  201. <pre><code>$ find .git/logs/refs/heads -type f | cut -d '/' -f 3-
  202. </code></pre>
  203. <p>But what if you&rsquo;re using reftable? In that case, the reflogs are stored in a binary format, leaving tools like <code>find</code> out of your reach.</p>
  204. <p>Git 2.45 introduced a new sub-command <code>git reflog list</code> to show which references have corresponding reflogs available to them, regardless of whether or not you are using reftable.</p>
  205. <p>[<a href="https://github.com/git/git/compare/221c3daef41bdd7eebd5f45d711e847d0a85aa86...d699d15c328b03fd822d3950f7ed76debef02c26">source</a>]</p>
  206. </li>
  207. <li>
  208. <p>If you&rsquo;ve ever looked closely at Git&rsquo;s diff output, you might have noticed the prefixes <code>a/</code> and <code>b/</code> used before file paths to indicate the before and after versions of each file, like so:</p>
  209. <pre><code>$ git diff HEAD^ -- GIT-VERSION-GEN
  210. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN
  211. index dabd2b5b89..c92f98b3db 100755
  212. --- a/GIT-VERSION-GEN
  213. +++ b/GIT-VERSION-GEN
  214. @@ -1,7 +1,7 @@
  215. #!/bin/sh
  216.  
  217. GVF=GIT-VERSION-FILE
  218. -DEF_VER=v2.45.0-rc0
  219. +DEF_VER=v2.45.0-rc1
  220.  
  221. LF='
  222. '
  223. </code></pre>
  224. <p>In Git 2.45, you can now configure alternative prefixes by setting the <code>diff.srcPrefix</code> and <code>diff.dstPrefix</code> configuration options. This can come in handy if you want to make clear which side is which (by setting them to something like &ldquo;before&rdquo; and &ldquo;after,&rdquo; respectively). Or if you&rsquo;re viewing the output in your terminal, and your terminal supports hyperlinking to paths, you could change the prefix to <code>./</code> to allow you to click on filepaths within a diff output.</p>
  225. <p>[<a href="https://github.com/git/git/compare/1002f28a527d33893f7dab068dbac7011f84af65...178401dc25cf8c3f1a716b852b14dafa79367646">source</a>]</p>
  226. </li>
  227. <li>
  228. <p>When writing a commit message, Git will open your editor with a mostly blank file containing some instructions, like so:</p>
  229. <pre><code># Please enter the commit message for your changes. Lines starting
  230. # with '#' will be ignored, and an empty message aborts the commit.
  231. #
  232. # On branch main
  233. # Your branch is up to date with 'origin/main.
  234. </code></pre>
  235. <p><a href="https://github.com/git/git/compare/bcd45b4085f9269a536c8fb1963ac8380bfac0e8...eff80a9fd990de3605063050dae32f969ef18ba8">Since 2013</a>, Git has supported customizing the comment character to be something other than the default #. This can come in handy, for instance, if you&rsquo;re trying to refer to a GitHub issue by its numeric shorthand (e.g. <code>#12345</code>). If you write <code>#12345</code> at the beginning of a line in your commit message, Git will treat the entire line as a comment and ignore it.</p>
  236. <p>In Git 2.45, Git allows not just any single ASCII character, but any arbitrary multi-byte character or even an arbitrary string. Now, you can customize your commit message template by setting <code>core.commentString</code> (or <code>core.commentChar</code>, the two are synonyms for one another) to your heart&rsquo;s content.</p>
  237. <p>[<a href="https://github.com/git/git/compare/3256584c36f649abb2af58e7b190d3cf674ba56e...9ccf3e9b22b6843892319b189fd7aed37c451420">source</a>]</p>
  238. </li>
  239. <li>
  240. <p>Speaking of comments, <code>git config</code> learned a new option to help document your <code>.gitconfig</code> file. The <code>.gitconfig</code> file format allows for comments beginning with a <code>#</code> character, meaning that everything following that <code>#</code> until the next newline will be ignored.</p>
  241. <p>The <code>git config</code> command gained a new <code>--comment</code> option, which allows specifying an optional comment to leave at the end of the newly configured line, like so:</p>
  242. <pre><code>$ git config --comment 'to show the merge base' merge.conflictStyle diff3
  243. $ tail -n 2 .git/config
  244. [merge]
  245. conflictStyle = diff3 # to show the merge base
  246. </code></pre>
  247. <p>This can be helpful when tweaking some of Git&rsquo;s more esoteric settings to try and remember why you picked a particular value.</p>
  248. <p>[<a href="https://github.com/git/git/compare/7774cfed6261ce2900c84e55906da708c711d601...31399a6b6166cf76cc533bc9915878211607ed80">source</a>]</p>
  249. </li>
  250. <li>
  251. <p>Sometimes when you are rebasing or cherry-picking a series of commits, one or more of those commits become &ldquo;empty&rdquo; (i.e., because they contain a subset of changes that have already landed on your branch).</p>
  252. <p>When rebasing, you can use the <code>--empty</code> option to specify how to handle these commits. <code>--empty</code> supports a few options: &ldquo;drop&rdquo; (to ignore those commits), &ldquo;keep&rdquo; (to keep empty commits), or &ldquo;stop&rdquo; which will halt the rebase and ask for your input on how to proceed.</p>
  253. <p>Despite its similarity to <code>git rebase</code>, <code>git cherry-pick</code> never had an equivalent option to <code>--empty</code>. That meant that if you were cherry-picking a long sequence of commits, some of which became empty, you&rsquo;d have to type either <code>git cherry-pick --skip</code> (to drop the empty commit), or <code>git commit --allow-empty</code> (to keep the empty commit).</p>
  254. <p>In Git 2.45, <code>git cherry-pick</code> learned the same <code>--empty</code> option from <code>git rebase</code>, meaning that you can specify the behavior once at the beginning of your <code>cherry-pick</code> operation, instead of having to specify the same thing each time you encounter an empty commit.</p>
  255. <p>[<a href="https://github.com/git/git/compare/d988e80bd3a24387c74810b187a47813f8460699...ec79d763de617905bd9275de0b5941a160d6159b">source</a>]</p>
  256. </li>
  257. </ul>
  258. <h2 id="the-rest-of-the-iceberg" id="the-rest-of-the-iceberg" >The rest of the iceberg<a href="#the-rest-of-the-iceberg" class="heading-link pl-2 text-italic text-bold" aria-label="The rest of the iceberg"></a></h2>
  259. <p>That&rsquo;s just a sample of changes from the latest release. For more, check out the release notes for <a href="https://github.com/git/git/blob/v2.45.0/Documentation/RelNotes/2.45.0.txt">2.45</a>, or <a href="https://github.com/git/git/tree/v2.45.0/Documentation/RelNotes">any previous version</a> in <a href="https://github.com/git/git">the Git repository</a>.</p>
  260. </body></html>
  261. <p>The post <a href="https://github.blog/2024-04-29-highlights-from-git-2-45/">Highlights from Git 2.45</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  262. ]]></content:encoded>
  266. <post-id xmlns="com-wordpress:feed-additions:1">77738</post-id> </item>
  267. <item>
  268. <title>GitHub Copilot Workspace: Welcome to the Copilot-native developer environment</title>
  269. <link>https://github.blog/2024-04-29-github-copilot-workspace/</link>
  271. <dc:creator><![CDATA[Thomas Dohmke]]></dc:creator>
  272. <pubDate>Mon, 29 Apr 2024 16:00:02 +0000</pubDate>
  273. <category><![CDATA[Product]]></category>
  274. <category><![CDATA[generative AI]]></category>
  275. <category><![CDATA[GitHub Copilot]]></category>
  276. <category><![CDATA[GitHub Enterprise]]></category>
  277. <guid isPermaLink="false">https://github.blog/?p=77597</guid>
  278.  
  279. <description><![CDATA[<p>We’re redefining the developer environment with GitHub Copilot Workspace - where any developer can go from idea, to code, to software all in natural language. </p>
  280. <p>The post <a href="https://github.blog/2024-04-29-github-copilot-workspace/">GitHub Copilot Workspace: Welcome to the Copilot-native developer environment</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  281. ]]></description>
  282. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  283. <html><body><div class="content-table-wrap"><table style="border: 1px black">
  284. <tbody>
  285. <tr>
  286. <td>We&rsquo;re redefining the developer environment with GitHub Copilot Workspace&ndash;where any developer can go from idea, to code, to software in natural language. <a href="https://githubnext.com/projects/copilot-workspace">Sign up here</a>. </td>
  287. </tr>
  288. </tbody>
  289. </table></div>
  290. <p>In the past two years, generative AI has foundationally changed the developer landscape largely as a tool embedded inside the developer environment. In 2022, we launched GitHub Copilot as an autocomplete pair programmer in the editor, <a href="https://github.blog/2022-09-07-research-quantifying-github-copilots-impact-on-developer-productivity-and-happiness/">boosting developer productivity by up to 55%</a>. Copilot is now the most widely adopted AI developer tool. In 2023, we released GitHub Copilot Chat&mdash;unlocking the power of natural language in coding, debugging, and testing&mdash;allowing developers to converse with their code in real time.</p>
  291. <p>After sharing <a href="https://github.blog/2023-11-08-universe-2023-copilot-transforms-github-into-the-ai-powered-developer-platform/">an early glimpse</a> at GitHub Universe last year, today, we are reimagining the nature of the developer experience itself with the technical preview of GitHub Copilot Workspace: the Copilot-native developer environment. Within Copilot Workspace, developers can now brainstorm, plan, build, test, and run code in natural language. This new task-centric experience leverages different Copilot-powered agents from start to finish, while giving developers full control over every step of the process.</p>
  292. <div class="mod-vh position-relative" style="height: 0; padding-bottom: calc((9 / 16)*100%);">
  293. <iframe loading="lazy" class="position-absolute top-0 left-0 width-full height-full" src="https://www.youtube.com/embed/pkotufZchjE?version=3&amp;rel=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;fs=1&amp;hl=en-US&amp;autohide=2&amp;wmode=transparent" title="YouTube video player" allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0"></iframe>
  294. </div>
  295. <p>Copilot Workspace represents a radically new way of building software with natural language, and is expressly <a href="https://github.blog/2024-01-17-a-developers-second-brain-reducing-complexity-through-partnership-with-ai/">designed</a> to deliver&ndash;not replace&ndash;developer creativity, faster and easier than ever before. With Copilot Workspace we will empower more experienced developers to operate as systems thinkers, and materially lower the barrier of entry for who can build software.</p>
  296. <p>Welcome to the first day of a new developer environment. Here&rsquo;s how it works:</p>
  297. <h3 id="it-all-starts-with-the-task" id="it-all-starts-with-the-task" >It all starts with the task&hellip;<a href="#it-all-starts-with-the-task" class="heading-link pl-2 text-italic text-bold" aria-label="It all starts with the task&hellip;"></a></h3>
  298. <p><img decoding="async" src="https://github.blog/wp-content/uploads/2024/04/octoacademy-projects.png?w=1024&#038;resize=1024%2C593" alt="It starts with a task. Open GitHub Copilot Workspace from a GitHub Issue, Pull Request, or Repository. (Screenshot of an issue in the octoacademy repository.)" width="1024" height="593" class="aligncenter size-large wp-image-77599 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/octoacademy-projects.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/octoacademy-projects.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/octoacademy-projects.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/octoacademy-projects.png?w=1024&#038;resize=1024%2C593 1024w, https://github.blog/wp-content/uploads/2024/04/octoacademy-projects.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  299. <p>For developers, the greatest barrier to entry is almost always at the <a href="https://github.blog/2023-11-08-universe-2023-copilot-transforms-github-into-the-ai-powered-developer-platform/">beginning</a>. Think of how often you hit a wall in the first steps of a big project, feature request, or even bug report, simply because you don&rsquo;t know how to get started. GitHub Copilot Workspace meets developers right at the origin: a GitHub Repository or a GitHub Issue. By leveraging Copilot agents as a second brain, developers will have AI assistance from the very beginning of an idea.</p>
  300. <h3 id="workspace-builds-the-full-plan" id="workspace-builds-the-full-plan" >&hellip;Workspace builds the full plan<a href="#workspace-builds-the-full-plan" class="heading-link pl-2 text-italic text-bold" aria-label="&hellip;Workspace builds the full plan"></a></h3>
  301. <p><img decoding="async" src="https://github.blog/wp-content/uploads/2024/04/3-Plan-of-Action-Zoom-with-BG.png?w=1024&#038;resize=1024%2C607" alt="Progress from your task to a specification, outlining what you want to achieve with Copilot Workspace. The steps are editable, enabling you to iterate on ideas." width="1024" height="607" class="aligncenter size-large wp-image-77744 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/3-Plan-of-Action-Zoom-with-BG.png?w=3642 3642w, https://github.blog/wp-content/uploads/2024/04/3-Plan-of-Action-Zoom-with-BG.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/3-Plan-of-Action-Zoom-with-BG.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/3-Plan-of-Action-Zoom-with-BG.png?w=1024&#038;resize=1024%2C607 1024w, https://github.blog/wp-content/uploads/2024/04/3-Plan-of-Action-Zoom-with-BG.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/3-Plan-of-Action-Zoom-with-BG.png?w=2048 2048w, https://github.blog/wp-content/uploads/2024/04/3-Plan-of-Action-Zoom-with-BG.png?w=3000 3000w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  302. <p>From there, Copilot Workspace offers a step-by-step plan to solve the issue based on its deep understanding of the codebase, issue replies, and more. It gives you everything you need to validate the plan, and test the code, in one streamlined list in natural language.</p>
  303. <h3 id="and-its-entirely-editable" id="and-its-entirely-editable" >And it&rsquo;s entirely editable&hellip;<a href="#and-its-entirely-editable" class="heading-link pl-2 text-italic text-bold" aria-label="And it&rsquo;s entirely editable&hellip;"></a></h3>
  304. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/copilot-workspace.png?w=1024&#038;resize=1024%2C593" alt="Then adjust your plan of action, adding steps, and general notes. Once the plan is implemented, you can view changes with a PR diff view and make edits as needed." width="1024" height="593" class="aligncenter size-large wp-image-77602 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/copilot-workspace.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/copilot-workspace.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/copilot-workspace.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/copilot-workspace.png?w=1024&#038;resize=1024%2C593 1024w, https://github.blog/wp-content/uploads/2024/04/copilot-workspace.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  305. <p>Everything that GitHub Copilot Workspace proposes&mdash;from the plan to the code&mdash;is fully editable, allowing you to iterate until you&rsquo;re confident in the path ahead. You retain all of the autonomy, while Copilot Workspace lifts your cognitive strain.</p>
  306. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/4.1-Run-code-in-Copilot-Workspace-v3.png?w=1024&#038;resize=1024%2C604" alt="Once you're happy with the code, you can use the integrated terminal to run unit tests, builds and appropriate checks." width="1024" height="604" class="aligncenter size-large wp-image-77745 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/4.1-Run-code-in-Copilot-Workspace-v3.png?w=3660 3660w, https://github.blog/wp-content/uploads/2024/04/4.1-Run-code-in-Copilot-Workspace-v3.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/4.1-Run-code-in-Copilot-Workspace-v3.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/4.1-Run-code-in-Copilot-Workspace-v3.png?w=1024&#038;resize=1024%2C604 1024w, https://github.blog/wp-content/uploads/2024/04/4.1-Run-code-in-Copilot-Workspace-v3.png?w=1536 1536w, https://github.blog/wp-content/uploads/2024/04/4.1-Run-code-in-Copilot-Workspace-v3.png?w=2048 2048w, https://github.blog/wp-content/uploads/2024/04/4.1-Run-code-in-Copilot-Workspace-v3.png?w=3000 3000w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  307. <p>And once you&rsquo;re satisfied with the plan, you can run your code directly in Copilot Workspace, jump into the underlying GitHub Codespace, and tweak all code changes until you are happy with the final result. You can also instantly share a workspace with your team via a link, so they can view your work and even try out their own iterations.</p>
  308. <p>All that&rsquo;s left then is to file your pull request, run your GitHub Actions, security code scanning, and ask your team members for human code review. And best of all, they can leverage your Copilot Workspace to see how you got from idea to code.</p>
  309. <div class="mod-vh position-relative" style="height: 0; padding-bottom: calc((9 / 16)*100%);">
  310. <iframe loading="lazy" class="position-absolute top-0 left-0 width-full height-full" src="https://www.youtube.com/embed/L5Xny6yehUg?version=3&amp;rel=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;fs=1&amp;hl=en-US&amp;autohide=2&amp;wmode=transparent" title="YouTube video player" allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0"></iframe>
  311. </div>
  312. <h3 id="also-github-copilot-workspace-is-mobile-compatible" id="also-github-copilot-workspace-is-mobile-compatible" >Also: GitHub Copilot Workspace is mobile compatible<a href="#also-github-copilot-workspace-is-mobile-compatible" class="heading-link pl-2 text-italic text-bold" aria-label="Also: GitHub Copilot Workspace is mobile compatible"></a></h3>
  313. <p>And because ideas can happen anywhere, GitHub Copilot Workspace was designed to be used from any device&mdash;empowering a real-world development environment that can work on a desktop, laptop, or on the go.</p>
  314. <div class="mod-vh position-relative" style="height: 0; padding-bottom: calc((9 / 16)*100%);">
  315. <iframe loading="lazy" class="position-absolute top-0 left-0 width-full height-full" src="https://www.youtube.com/embed/Zv6TuVzcRdY?version=3&amp;rel=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;fs=1&amp;hl=en-US&amp;autohide=2&amp;wmode=transparent" title="YouTube video player" allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0"></iframe>
  316. </div>
  317. <p>This is our mark on the future of the development environment: an intuitive, Copilot-powered infrastructure that makes it easier to get started, to learn, and ultimately to execute.</p>
  318. <h2 id="enabling-a-world-with-1b-developers" id="enabling-a-world-with-1b-developers" >Enabling a world with 1B developers<a href="#enabling-a-world-with-1b-developers" class="heading-link pl-2 text-italic text-bold" aria-label="Enabling a world with 1B developers"></a></h2>
  319. <p>Early last year, GitHub celebrated over <a href="https://github.blog/2023-01-25-100-million-developers-and-counting/">100 million developers</a> on our platform&mdash;and counting. As programming in natural language lowers the barrier of entry to who can build software, we are accelerating to a near future where <a href="https://www.sequoiacap.com/article/the-next-billion-developers-perspective/">one billion people</a> on GitHub will control a machine just as easily as they ride a bicycle. We&rsquo;ve constructed GitHub Copilot Workspace in pursuit of this horizon, as a conduit to help extend the economic opportunity and joy of building software to every human on the planet.</p>
  320. <p>At the same time, we live in a world dependent on&mdash;and in short supply of&mdash;professional developers. Around the world, developers add millions of lines of code every single day to evermore complex systems and are increasingly behind on maintaining the old ones. Just like any infrastructure in this world, we need real experts to maintain and renew the world&rsquo;s code. By quantifiably reducing boilerplate work, we will empower professional developers to increasingly operate as systems thinkers. We believe the step change in productivity gains that professional developers will experience by virtue of Copilot and now Copilot Workspace will only continue to <a href="https://github.blog/2023-06-27-the-economic-impact-of-the-ai-powered-developer-lifecycle-and-lessons-from-github-copilot/">increase labor demand</a>.</p>
  321. <p>That&rsquo;s the dual potential of GitHub Copilot: for the professional and hobbyist developer alike, channeling creativity into code just got a whole lot easier.</p>
  322. <div class="post-content-cta"><p><strong>Today, we begin the technical preview for GitHub Copilot Workspace.</strong><br /> <a href="https://githubnext.com/projects/copilot-workspace">Sign up now</a>. <br /> We can&rsquo;t wait to see what you will build from here.</p>
  323. </div>
  324. </body></html>
  325. <p>The post <a href="https://github.blog/2024-04-29-github-copilot-workspace/">GitHub Copilot Workspace: Welcome to the Copilot-native developer environment</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  326. ]]></content:encoded>
  330. <post-id xmlns="com-wordpress:feed-additions:1">77597</post-id> </item>
  331. <item>
  332. <title>CodeQL zero to hero part 3: Security research with CodeQL</title>
  333. <link>https://github.blog/2024-04-29-codeql-zero-to-hero-part-3-security-research-with-codeql/</link>
  335. <dc:creator><![CDATA[Sylwia Budzynska]]></dc:creator>
  336. <pubDate>Mon, 29 Apr 2024 08:00:57 +0000</pubDate>
  337. <category><![CDATA[Security]]></category>
  338. <category><![CDATA[CodeQL]]></category>
  339. <category><![CDATA[GitHub Security Lab]]></category>
  340. <guid isPermaLink="false">https://github.blog/?p=77703</guid>
  341.  
  342. <description><![CDATA[<p>Learn how to use CodeQL for security research and improve your security research workflow.</p>
  343. <p>The post <a href="https://github.blog/2024-04-29-codeql-zero-to-hero-part-3-security-research-with-codeql/">CodeQL zero to hero part 3: Security research with CodeQL</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  344. ]]></description>
  345. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  346. <html><body><p>I&rsquo;ve written a bit in the past about static analysis (<a href="https://github.blog/2023-03-31-codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/">CodeQL zero to hero part 1: Fundamentals of static analysis</a>) and basics of writing CodeQL queries (<a href="https://github.blog/2023-06-15-codeql-zero-to-hero-part-2-getting-started-with-codeql/">CodeQL zero to hero part 2: Getting started with CodeQL</a>). Today, I want to dig deeper about CodeQL and talk about variant analysis, writing a taint tracking query and various techniques for doing security research with CodeQL. As is with most IT skills, having practical, tangible experience with a tool will make it easier to remember and understand the concepts you learn, so this blog also contains challenges for each section. You will also find them in <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero">GitHubSecurityLab/codeql-zero-to-hero</a>. Give them a try!</p>
  347. <p>I use CodeQL quite extensively in my security research workflow to find vulnerabilities. Most of my (as well as my fellow team members&rsquo;) <a href="https://securitylab.github.com/advisories/">disclosed vulnerabilities</a> will give you an idea what kind of vulnerabilities you can find using CodeQL. Let&rsquo;s jump in!</p>
  348. <h2 id="querying-for-specific-library-methods" id="querying-for-specific-library-methods" >Querying for specific library methods<a href="#querying-for-specific-library-methods" class="heading-link pl-2 text-italic text-bold" aria-label="Querying for specific library methods"></a></h2>
  349. <p>In the previous blog post we were matching function calls, functions, and method calls based on a name, for example, in this <a href="https://github.blog/2023-06-15-codeql-zero-to-hero-part-2-getting-started-with-codeql/#:~:text=Challenge%209%E2%80%94Find%20all%20functions%20with%20%E2%80%9Ccommand%E2%80%9D%20as%20part%20of%20its%20name">challenge</a>. It could happen though, that a certain method call is defined in several libraries, and we wanted to refine our results to only the method call from one specific library.</p>
  350. <p>For example, when auditing a new codebase, we might want to find calls to a specific library function or method, because we know it might be a new source or a sink (see <a href="https://github.blog/2023-03-31-codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/#vulnerability-detection-sources-and-sinks">part one of this series</a>). We can do just that with static analysis and CodeQL. So, how do we write and query for specific library methods? Let&rsquo;s take our earlier example and say we are auditing a Django application for SQL injection and we are interested in <code>execute()</code> calls that come from, and only from, <code>django.db.connection.cursor()</code>.</p>
  351. <p>To execute custom SQL directly in django we need to grab the cursor object by calling <code>connection.cursor()</code> from the <code>django.db.connection</code>, on which we call <code>execute()</code>. Generally, it would look like this:</p>
  352. <pre><code>from django.conf.urls import url
  353. from django.db import connection
  354.  
  355.  
  356. def show_user(request, username):
  357.    with connection.cursor() as cursor:
  358.        cursor.execute("SELECT * FROM users WHERE username = %s" % username)
  359. </code></pre>
  360. <p>In CodeQL for Python, we use the <a href="https://codeql.github.com/codeql-standard-libraries/python/semmle/python/ApiGraphs.qll/module.ApiGraphs.html">API graphs</a> library to refer to external library functions and classes. For dynamic languages, we cannot uniquely determine the type of a given variable due to their dynamic nature, and, therefore, the API graph layer offers the mechanism to track types from their import to potential uses.</p>
  361. <p>We can find all  <code>execute</code> method calls from the <code>django.db</code> library with the following query.</p>
  362. <pre><code>/**
  363. * @id codeql-zero-to-hero/3-1
  364. * @severity error
  365. * @kind problem
  366. */
  367.  
  368. import python
  369. import semmle.python.ApiGraphs
  370.  
  371. from API::CallNode node
  372. where node =
  373.    API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
  374.    and
  375.    node.getLocation().getFile().getRelativePath().regexpMatch("2/challenge-1/.*")
  376.  
  377. select node, "Call to django.db execute"
  378. </code></pre>
  379. <p>Let&rsquo;s walk through what is happening in the query.</p>
  380. <p>First, we set query <a href="https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/">metadata</a>. The most interesting part of it is <code>@kind problem</code>. It means that the results for each node will contain the filename the sink was found in, and the string that we specify in the <code>select</code> clause. All in all, it makes the results display prettier.</p>
  381. <p>Then, we define that we are looking for <a href="https://codeql.github.com/codeql-standard-libraries/python/semmle/python/ApiGraphs.qll/type.ApiGraphs%24API%24CallNode.html"><code>API::CallNode</code></a>s, so nodes that are connected to the API graph (see docs for the <a href="https://codeql.github.com/codeql-standard-libraries/python/semmle/python/ApiGraphs.qll/module.ApiGraphs%24API.html">API</a> module) in the <code>from</code> clause.</p>
  382. <p>In the <code>where</code> clause, we filter for <code>nodes</code> coming from the <code>django</code> library with <code>API::moduleImport("django")</code>. Then, we find references to the <code>cursor</code> with <code>.getMember("db").getMember("connection").getMember("cursor")</code>. That would match <code>django.db.connection.cursor</code>. Since we call <code>execute</code> on the <code>cursor</code> object, we first need to use <code>getReturn()</code> predicate to get the node which represents the result of creating the cursor object&mdash;this returns us <code>django.db.connection.cursor()</code> (note the parentheses at the end). At last, we get the node representing the <code>execute</code> method with <code>getMember("execute")</code> and with <code>getACall()</code> we get the actual method call to the method represented by the <code>execute</code> node.</p>
  383. <p>It might look complicated at first, but it isn&rsquo;t really. After using it a few times it becomes quite intuitive.</p>
  384. <details>
  385. <summary><strong>Challenge 1&mdash;Find all method calls that are called &lsquo;execute&rsquo; and come from the <code>django.db</code> library</strong></summary>
  386. <p>Set up CodeQL using one of the methods presented in <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md">challenge 2</a> from CodeQL zero to hero part 2 to run the queries. Remember also to download and <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#select-codeql-database">select a CodeQL database</a>&mdash;it can be the GitHubSecurityLab/codeql-zero-to-hero database, but you may also choose another project.</p>
  387. <p>Run the above query to find all method calls that are called <code>execute</code> and come from the <code>django.db</code> library.</p>
  388. <p>If the path is not displaying properly, you may need to change the view to <code>alerts</code>.</p>
  389. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/codeql-query-results.png?w=168&#038;resize=168%2C127" alt='Change the view on your CodeQL query results to "alert."' width="168" height="127" class="aligncenter size-large wp-image-77713 width-fit" data-recalc-dims="1"></p>
  390. </details>
  391. <details>
  392. <summary><strong>Challenge 2&mdash;Write a query to find all <code>os.system</code> method calls</strong></summary>
  393. <p>Now you know how to query for calls to functions from specific libraries. If <code>os.system</code> executes input coming from a user, it could lead to a command injection. Write a query to find calls to <code>os.system</code> and run it on the database you selected in the previous challenge.</p>
  394. <p>See solution in <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero">GitHubSecurityLab/codeql-zero-to-hero</a>.</p>
  395. </details>
  396. <details>
  397. <summary><strong>Challenge 3&mdash;Write a query to find all Flask requests</strong></summary>
  398. <p>Flask is a popular Python web framework. Web frameworks very often introduce potential sources for untrusted data, <a href="https://flask.palletsprojects.com/en/3.0.x/api/#incoming-request-data">Flask request</a> being one of them. For example, a source of untrusted data could be:</p>
  399. <pre><code>
  400. username = request.args.get("username")
  401. </code></pre>
  402.  
  403. <p>Write a query to find <code>request.args</code></p>
  404. <p>See solution in <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero">GitHubSecurityLab/codeql-zero-to-hero</a>.</p>
  405. </details>
  406. <aside class="p-4 p-md-6 post-aside--large"><p class="h5-mktg gh-aside-title">Get all QL types matching a given result</p><p>There are different types in CodeQL to represent different aspects of a codebase. For example, functions in CodeQL for Python have a Function type or string literals, which in CodeQL for Python have a Str type. If you are not certain with what QL types some results might have, you can use the <code>getAQlClass</code> predicate. As an example, we could add the <code>getAQlClass</code> predicate to the results of our previous query&mdash;all <code>django.db</code>&rsquo;s calls to execute.</p>
  407. <pre><code>
  408. /**
  409. * @id codeql-zero-to-hero/3-4
  410. * @severity error
  411. * @kind problem
  412. */
  413. import python
  414. import semmle.python.ApiGraphs
  415.  
  416. from API::CallNode node
  417. where node = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
  418. select node, "The node has type " + node.getAQlClass()
  419. </code></pre>
  420. <p>A single node will often have many QL classes, so if you run this query, you will see a lot of results, such as <code>MethodCallNode</code>, <code>ExecuteMethodCall</code> and <code>SqlExecution</code>. If you are having issues with querying what you might need, <code>getAQlClass</code> predicate can be a very helpful debugging tool to use, but remember not to use it in the final query, because using <code>getAQlClass</code> can affect query performance. In some languages, for example, Java, you may want to use the getAPrimaryQlClass predicate, which returns the primary CodeQL class to which a given element belongs. See also other ideas for debugging.</p>
  421. </aside>
  422. <details>
  423. <summary><strong>Challenge 4&mdash; Run the query with <code>getAQlClass</code> predicate</strong></summary>
  424. <p>Run the above query and observe the results&mdash;for example, <code>MethodCallNode</code>, <code>ExecuteMethodCall</code> and <code>SqlExecution</code>.<br>
  425. </p></details>
  426. </p><h2 id="taint-analysis-in-codeql-taint-tracking" id="taint-analysis-in-codeql-taint-tracking" >Taint analysis in CodeQL&mdash;taint tracking<a href="#taint-analysis-in-codeql-taint-tracking" class="heading-link pl-2 text-italic text-bold" aria-label="Taint analysis in CodeQL&mdash;taint tracking"></a></h2>
  427. <p>I <a href="https://github.blog/2023-06-15-codeql-zero-to-hero-part-2-getting-started-with-codeql/">briefly mentioned</a> how CodeQL implements taint analysis in part two of CodeQL zero to hero. There was also a challenge presenting how to run the built-in CodeQL queries using taint analysis, which you should definitely try out!</p>
  428. <p>Now that we went through the basics of CodeQL, we can write our own query that will find the flow from the source to the sink.</p>
  429. <p>But first, let&rsquo;s start with the differences between data flow analysis and taint flow analysis. Taint flow analysis allows us to track non-value preserving steps. Data flow analysis does not. For example, if a tainted string is concatenated with another string or if it is assigned to an attribute of an object, taint flow analysis will allow us to continue tracking it through the flow, while data flow analysis will not. See <a href="https://github.blog/2023-03-31-codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/#data-flow-analysis-and-taint-tracking">CodeQL zero to hero part 1</a> for more information about data flow analysis and taint analysis.</p>
  430. <h3 id="local-data-flow" id="local-data-flow" >Local data flow<a href="#local-data-flow" class="heading-link pl-2 text-italic text-bold" aria-label="Local data flow"></a></h3>
  431. <p>Before we dig into taint analysis, we need to introduce two (sub)types of data flow analysis: local data flow and global data flow, as well as local taint flow and global taint flow.</p>
  432. <p>In CodeQL, local data flow refers to tracking the data flow locally, for example, within a single function. It is cheaper to compute than global data flow. Local taint flow (in CodeQL called local taint tracking) allows us to track non-value-preserving flow steps.</p>
  433. <p>For example, with local data flow, we could make our analysis more accurate by querying for all <code>django.db</code>&rsquo;s <code>execute</code> calls that do not take a string literal. If an <code>execute</code> call takes a string literal, for example:</p>
  434. <pre><code>cursor.execute("SELECT * FROM users WHERE username = 'johndoe'")
  435. </code></pre>
  436. <p>Or:</p>
  437. <pre><code>query = "SELECT * FROM users WHERE username = 'johndoe'"
  438. cursor.execute(query)
  439. </code></pre>
  440. <p>Then, it does not take any user input, and we already know it is not vulnerable to SQL injection and we might want to exclude these from our analysis.</p>
  441. <p>We could query for all <code>django.db</code>&rsquo;s <code>execute</code> calls that do not take a string literal, with the below query:</p>
  442. <pre><code>/**
  443. * @id codeql-zero-to-hero/3-5
  444. * @severity error
  445. * @kind problem
  446. */
  447. import python
  448. import semmle.python.ApiGraphs
  449.  
  450. class ExecuteCall extends DataFlow::CallCfgNode {
  451.        ExecuteCall() {
  452.        this = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
  453.        }
  454. }
  455.  
  456. predicate executeNotLiteral(DataFlow::CallCfgNode call) {
  457.        exists(DataFlow::ExprNode expr |
  458.                call instanceof ExecuteCall
  459.                and DataFlow::localFlow(expr, call.getArg(0))
  460.                and expr instanceof DataFlow::LocalSourceNode
  461.                and not expr.getNode().isLiteral()
  462.        )
  463. }
  464.  
  465. from DataFlow::CallCfgNode call
  466. where executeNotLiteral(call)
  467. select call, "Call to django.db execute with an argument that is not a literal"
  468. </code></pre>
  469. <p>To spice things up, this time I used a class and a predicate. A <a href="https://codeql.github.com/docs/ql-language-reference/types/#classes-1">class</a> allows you to define your own types in CodeQL. Types represent sets of values. A <a href="https://codeql.github.com/docs/ql-language-reference/predicates/">predicate</a> is like a function. It encapsulates a portion of logic in a program and makes it easier to test certain code. Classes and predicates were <a href="https://github.blog/2023-06-15-codeql-zero-to-hero-part-2-getting-started-with-codeql/#predicates">introduced</a> in the previous blog.</p>
  470. <p>Let&rsquo;s do our usual dance with explaining the query &#128131;:</p>
  471. <ul>
  472. <li>The class <code>ExecuteCall</code> represents <code>django.db</code>&rsquo;s <code>execute</code> method call that we modeled earlier.</li>
  473. <li>The predicate <code>executeNotLiteral</code> takes an input&mdash;a call control flow graph node <code>call</code>.</li>
  474. <li>In the predicate, we use the  <code>exists()</code> construct, which allows us to define local variables. Here we define an <code>ExprNode</code>, which is an expression.</li>
  475. <li>We specify that the <code>call</code> has to be any call node of type <code>ExecuteCall</code>.</li>
  476. <li>Then, we look for local flow between any expression <code>expr</code> and the first argument of <code>call.</code></li>
  477. <li>Next, we limit the expression <code>expr</code> to any local sources, for example, within a function.</li>
  478. <li>At last, with <code>not expr.getNode().isLiteral()</code> we limit the local sources to not be a literal of any kind: integer, string, etc.</li>
  479. <li>In the <code>from-where-select</code> query, we specify that we are looking for any call (<code>from DataFlow::CallCfgNode call</code>), then limit it to the conditions defined in the predicate (<code>where executeNotLiteral(call)</code>), and then select that call (<code>select call</code>).</li>
  480. </ul>
  481. <p>Note again that CodeQL is a declarative language&mdash;the order of specifying conditions does not matter. In the predicate, we first looked for a local flow from any expression to any first argument to <code>execute</code> and only afterwards we limited <code>expr</code> to be a <code>LocalSourceNode</code> and not a literal. That's not a problem; we can switch the order of conditions as we like.</p>
  482. <details>
  483. <summary><strong>Challenge 5&mdash;Run the local data flow query to find <code>execute</code> calls that do not take a string literal</strong></summary>
  484. <p>If we used, for example,  <code>grep</code> to find anything called <code>execute</code>, we might have found calls from other libraries that are also called <code>execute</code> and we wouldn&rsquo;t have been able to filter out the ones with a string literal.</p>
  485. </details>
  486. <h3 id="global-data-flow-and-global-taint-flow" id="global-data-flow-and-global-taint-flow" >Global data flow (and global taint flow)<a href="#global-data-flow-and-global-taint-flow" class="heading-link pl-2 text-italic text-bold" aria-label="Global data flow (and global taint flow)"></a></h3>
  487. <p>In CodeQL, global data flow refers to tracking the data flow throughout the whole codebase. We do this by using a taint tracking configuration, where we specify a source and a sink to find the flows between the two.</p>
  488. <p>Global taint flow is exactly what we use in most of our queries to find variants of vulnerabilities in codebases. You can see all the queries that we use in the <a href="https://github.com/github/codeql">github/codeql</a> repository. For example, CodeQL for Python stores all its security related queries in the <code>python/ql/src/Security/</code> folder and experimental queries in the <a href="https://github.com/github/codeql/tree/main/python/ql/src/experimental/Security">python/ql/src/experimental/Security</a> folder.</p>
  489. <p>In August 2023, a new, improved version of <a href="https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries/">taint tracking API was announced</a>, which means that we have two ways of writing the configuration. The older version will be deprecated within two or so years, so it&rsquo;s preferred that you use the new API. I&rsquo;m going to mention both versions in this blog post for clarity, because there are many older blog posts about CodeQL, which use the old configuration.</p>
  490. <h2 id="new-taint-tracking-api" id="new-taint-tracking-api" >New taint tracking API<a href="#new-taint-tracking-api" class="heading-link pl-2 text-italic text-bold" aria-label="New taint tracking API"></a></h2>
  491. <p>Let&rsquo;s start by looking at the way we write the new taint tracking configuration:</p>
  492. <pre><code>/**
  493. * @kind path-problem
  494. */
  495.  
  496. import python
  497. import semmle.python.dataflow.new.DataFlow
  498. import semmle.python.dataflow.new.TaintTracking
  499. import semmle.python.ApiGraphs
  500. import MyFlow::PathGraph
  501.  
  502. private module MyConfig implements DataFlow::ConfigSig {
  503.  predicate isSource(DataFlow::Node source) {
  504.    // Define your source nodes here.
  505.  }
  506.  
  507.  predicate isSink(DataFlow::Node sink) {
  508.    // Define your sink nodes here.
  509.  }
  510. }
  511.  
  512. module MyFlow = TaintTracking::Global&lt;MyConfig&gt;; // or DataFlow::Global&lt;..&gt;
  513.  
  514. from MyFlow::PathNode source, MyFlow::PathNode sink
  515. where MyFlow::flowPath(source, sink)
  516. select sink.getNode(), source, sink, "Sample TaintTracking query"
  517. </code></pre>
  518. <p>A few things to note:</p>
  519. <ul>
  520. <li>To be able to see the path between source and a sink, we add <code>@kind path-problem</code> in the <a href="https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/">metadata</a>. This makes it a so-called &ldquo;path query.&rdquo;</li>
  521. <li>For results to be displayed properly, the <code>select</code> needs 3 nodes and a comment string, here implemented with <code>select sink.getNode(), source, sink, "Sample TaintTracking query"</code>.</li>
  522. <li>Note we also need to import the module that we create with <code>import MyFlow::PathGraph</code>.</li>
  523. </ul>
  524. <p>What is happening in the query:</p>
  525. <ol>
  526. <li>We create a new module <code>MyConfig</code> which implements <code>DataFlow::ConfigSig</code>. This means that it can be used as an input configuration for data flow and that we must define some predicates with certain names and numbers of arguments in the module. </li>
  527. <li>The required predicates are <code>isSource</code> and <code>isSink</code>. We define the sources in the <code>isSource</code> predicate and sinks in the <code>isSink</code> predicate. There are optional predicates, like <code>isBarrier</code> and <code>isAdditionalFlowStep</code>, which can be used to adjust what flow is considered (see more in the <a href="https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-python/#using-global-data-flow">documentation</a>), but they are beyond the scope of this blog post.</li>
  528. <li>Next, we create a global TaintTracking computation, <code>MyFlow</code>, by parameterizing <code>TaintTracking::Global</code> using the sources and sinks we've defined in <code>MyConfig</code> in the line <code>module MyFlow = TaintTracking::Global&lt;MyConfig&gt;</code>.</li>
  529. <li>At last, we check that there is a flow path between the source and the sink with <code>where MyFlow::flowPath(source, sink).</code></li>
  530. </ol>
  531. <p>Now that we know the building blocks, let&rsquo;s try to use it. Let's say we want to find a SQL injection from any user input to <code>django.db</code> &rsquo;s <code>execute</code> sink.</p>
  532. <p>We could use a Flask request as a source. It is fairly easy to model. Then, we can reuse the <code>execute</code> sink we already modeled in the previous sections.</p>
  533. <p>The final query will look like this:</p>
  534. <pre><code>/**
  535. * @kind path-problem
  536. * @problem.severity error
  537. * @id githubsecuritylab/3-6
  538. */
  539.  
  540. import python
  541. import semmle.python.dataflow.new.DataFlow
  542. import semmle.python.dataflow.new.TaintTracking
  543. import semmle.python.ApiGraphs
  544. import semmle.python.dataflow.new.RemoteFlowSources
  545. import MyFlow::PathGraph
  546.  
  547. class ExecuteCall extends DataFlow::CallCfgNode {
  548.    ExecuteCall() {
  549.    this = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
  550.    }
  551. }
  552.  
  553. private module MyConfig implements DataFlow::ConfigSig {
  554.   predicate isSource(DataFlow::Node source) {
  555.     source = API::moduleImport("flask").getMember("request").asSource()
  556.   }
  557.  
  558.   predicate isSink(DataFlow::Node sink) {
  559.     exists(ExecuteCall ec |
  560.         sink = ec.getArg(0)
  561.        )
  562.   }
  563. }
  564.  
  565. module MyFlow = TaintTracking::Global&lt;MyConfig&gt;;
  566.  
  567. from MyFlow::PathNode source, MyFlow::PathNode sink
  568. where MyFlow::flowPath(source, sink)
  569. select sink.getNode(), source, sink, "execute sink called with untrusted data"
  570. </code></pre>
  571. <ul>
  572. <li>In the <code>isSource</code> predicate, we define our source to be an import of a Flask request. In a similar way as with the sink, we get the <code>flask</code> library and the references to the <code>request</code>. Then, with <code>asSource()</code>, we get the data flow node, where <code>flask.request</code> enters the database. Note that with <code>asSource()</code> we moved from the API graph to the data flow graph. </li>
  573. <li>In the <code>isSink</code> predicate, we define our sink to be the first argument to any <code>ExecuteCall</code> node with <code>exists(ExecuteCall ec | sink = ec.getArg(0))</code></li>
  574. </ul>
  575. <details>
  576. <summary><strong>Challenge 6&mdash;Run the taint tracking query to find flows from a Flask request to a django.db&rsquo;s <code>execute</code> sink</strong></summary>
  577. <p>Run the above query. If the path is not displaying properly, you may need to change the view to <code>alerts</code>.<br>
  578. <img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/codeql-query-alerts.png?w=452&#038;resize=452%2C332" alt='Change the view on your CodeQL query results to "alerts."' width="452" height="332" class="aligncenter size-large wp-image-77716 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/codeql-query-alerts.png?w=452&#038;resize=452%2C332 452w, https://github.blog/wp-content/uploads/2024/04/codeql-query-alerts.png?w=300 300w" sizes="(max-width: 452px) 100vw, 452px" data-recalc-dims="1" /><br>
  579. </p></details>
  580. <h3 id="old-taint-tracking-configuration" id="old-taint-tracking-configuration" >Old taint tracking configuration<a href="#old-taint-tracking-configuration" class="heading-link pl-2 text-italic text-bold" aria-label="Old taint tracking configuration"></a></h3>
  581. <p>We encourage you to use the new configuration, but for historical purposes we are including the old configuration here&mdash;there are many articles, conference talks, research papers about CodeQL, and some older CodeQL queries, which use the old configuration, and describing it shortly here should make it easier to understand how the older queries worked. The old configuration looks like this:</p>
  582. <pre><code>/*
  583. * @kind path-problem
  584. */
  585.  
  586. import python
  587. import semmle.python.dataflow.new.TaintTracking
  588.  
  589. class MyConfig extends TaintTracking::Configuration {
  590.  MyConfig() { this = "MyConfig" }
  591.  
  592.  override predicate isSource(DataFlow::Node source) {
  593.    ...
  594.  }
  595.  
  596.  override predicate isSink(DataFlow::Node sink) {
  597.    ...
  598.  }
  599. }
  600.  
  601. from MyConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
  602. where
  603.    config.hasFlowPath(source, sink)
  604. select sink.getNode(), source, sink, "Sample Taint Tracking query"
  605. </code></pre>
  606. <p>In the old taint tracking configuration, we have to import the taint tracking module and then create a new myConfig class by extending it.</p>
  607. <p>If you&rsquo;d like to reuse a query you see in an article that uses the old taint tracking configuration, it should be possible in most cases. For others, I suggest translating the query from the old taint tracking configuration into the new one. See the changes and how to translate them <a href="https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries/">here</a>.</p>
  608. <p>There were also a few changes in how the partial path graph is used. If this is something you expect to use in your query or during audit, please consult the <a href="https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/#partial-flow">documentation</a> for how to use these. Other questions? Please ask in the <a href="https://gh.io/securitylabslack">GitHub Security Lab server on Slack</a>.</p>
  609. <h2 id="variant-analysis" id="variant-analysis" >Variant analysis<a href="#variant-analysis" class="heading-link pl-2 text-italic text-bold" aria-label="Variant analysis"></a></h2>
  610. <p>Probably one of the most interesting aspects of CodeQL is variant analysis.</p>
  611. <p>Variant analysis is a process, in which a known issue, for example, a specific vulnerability, is taken as a base for finding other variants&mdash;occurrences&mdash;of that vulnerability in source code.</p>
  612. <p>On a few occasions when I was auditing a specific codebase and found one vulnerability, variant analysis helped me find other variants of that vulnerability that I might otherwise have missed (or it would take me much longer to find them). Once, I happened to audit a codebase that had over twenty variants of the same vulnerability. Having CodeQL report on all the variants and their flow paths was invaluable, even just to keep track of the vulnerabilities I already triaged.</p>
  613. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/variant-analysis.png?w=500&#038;resize=500%2C500" alt='Cartoon-style drawing of several different types of bugs, including a ladybug, a spider, and ant, and two other ill-defined bugs labeled "also a bug?" The entire drawing is entitled "Variant analysis"' width="500" height="500" class="aligncenter size-large wp-image-77717 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/variant-analysis.png?w=500&#038;resize=500%2C500 500w, https://github.blog/wp-content/uploads/2024/04/variant-analysis.png?w=150 150w, https://github.blog/wp-content/uploads/2024/04/variant-analysis.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/variant-analysis.png?w=400 400w, https://github.blog/wp-content/uploads/2024/04/variant-analysis.png?w=200 200w, https://github.blog/wp-content/uploads/2024/04/variant-analysis.png?w=90 90w, https://github.blog/wp-content/uploads/2024/04/variant-analysis.png?w=116 116w" sizes="(max-width: 500px) 100vw, 500px" data-recalc-dims="1" /></p>
  614. <p>As an example,let&rsquo;s say we have an application with a SQL injection. The source of the vulnerability comes from a function displaying information about a user, called <code>show_user()</code>, which takes unsafe, user-supplied input from a Flask (popular Python web framework) GET request parameter and uses it in <code>cursor.execute()</code> from the <code>MySQLdb</code> library without sanitization.</p>
  615. <pre><code>def show_user():
  616.    username = request.args.get("username")
  617.    with connection.cursor() as cursor:
  618.        cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
  619. </code></pre>
  620. <p>Variant analysis could be used to detect that specific vulnerability, <strong>and</strong> if there are other <em>variants</em> of SQL injection in the codebase. It makes auditing applications much quicker.</p>
  621. <p>A variant of this vulnerability could be another Flask GET request parameter in our example application&mdash;for example, a function displaying a specific product, called <code>show_product()</code> whose input ends up in another <code>cursor.execute()</code> from <code>MySQLdb</code> library sink somewhere else in the application. In this case, our &ldquo;base&rdquo; vulnerability is SQL injection originating from any Flask GET request parameter to any <code>execute</code> <code>MySQLdb</code> library sink within the same codebase. Using QL, we can &ldquo;model&rdquo; in CodeQL the Flask GET request parameter as source, and <code>cursor.execute()</code> from <code>MySQLdb</code> as a sink and check for connection (flow) between the two.</p>
  622. <p>So, what we are looking for are vulnerable patterns. Once this base vulnerability is modeled, we can use it to query not only this example application, but we can use that &ldquo;vulnerable pattern&rdquo; to also query any other Python application. We will be doing it later in the blog post.</p>
  623. <p>All in all, running variant analysis allows us to quickly identify issues in huge modern code bases with little effort. On top of that, we can run variant analysis at scale by scanning hundreds of repositories for such vulnerable patterns at the same time. GitHub developed a tool for it, called multi-repository variant analysis (<a href="https://github.blog/2023-03-09-multi-repository-variant-analysis-a-powerful-new-way-to-perform-security-research-across-github/">MRVA</a>), which can run a query for a specific vulnerability in a thousand projects at once. We will expand on MRVA later in the blog because it will likely become an essential tool in your toolbox for finding vulnerabilities at scale.</p>
  624. <p>To sum up: CodeQL is able to discern the code that is a source in a given codebase, the code that is a sink, and check if there is a connection between the two. To do that, it uses models of such sources and sinks, and is able to detect the flow between them using data flow analysis and taint analysis.</p>
  625. <h2 id="source-and-sink-models-in-codeql" id="source-and-sink-models-in-codeql" >Source and sink models in CodeQL<a href="#source-and-sink-models-in-codeql" class="heading-link pl-2 text-italic text-bold" aria-label="Source and sink models in CodeQL"></a></h2>
  626. <p>CodeQL, as well as many other static analysis tools, mark certain code in certain libraries as a source or as a sink. In CodeQL, we call that process &ldquo;modeling&rdquo; sources and sinks. It&rsquo;s a common approach used by many static analysis tools and generally, the more models of frameworks and libraries the tool supports, the better.</p>
  627. <p>CodeQL has a very rich library and framework support&mdash;many libraries and frameworks are already modeled in CodeQL, with their sources and sinks. There are hundreds of sources and sinks, categorized for each vulnerability type. By using specialized queries for each vulnerability type, CodeQL checks for a data flow path between these predefined sources and sinks. In this way, CodeQL is able to detect the majority of existing vulnerabilities in a codebase, as long as said vulnerabilities can be detected using static analysis.</p>
  628. <h3 id="sources" id="sources" >Sources<a href="#sources" class="heading-link pl-2 text-italic text-bold" aria-label="Sources"></a></h3>
  629. <p>How can CodeQL tell what is a source and what is not? For CodeQL to be able to detect that a Flask HTTP request is a source, the Flask framework has to be modeled in CodeQL and certain function calls have to be defined in CodeQL as sources. This is done in <code>qll</code> files (as opposed to <code>ql</code> files, which are used for queries). For example, you can see the models for flask in the <a href="https://github.com/github/codeql/blob/main/python/ql/lib/semmle/python/frameworks/Flask.qll">CodeQL repository</a>. Specifically, <a href="https://github.com/github/codeql/blob/e8423f858f7bca6f9ac0b1eec8a3a2d5780e99d9/python/ql/lib/semmle/python/frameworks/Flask.qll#L89">the flask request is defined here</a>.</p>
  630. <pre><code>API::Node request() { result =
  631. API::moduleImport("flask").getMember("request") }
  632. </code></pre>
  633. <p>Since many vulnerabilities have common sources, but different sinks, there was introduced a type called <code>RemoteFlowSource</code> in CodeQL for Python, which contains all predefined sources.</p>
  634. <p>The Flask request that we introduced earlier is modeled as <a href="https://github.com/github/codeql/blob/e8423f858f7bca6f9ac0b1eec8a3a2d5780e99d9/python/ql/lib/semmle/python/frameworks/Flask.qll#L356-L360">a remote flow source here</a>.</p>
  635. <pre><code>private class FlaskRequestSource extends RemoteFlowSource::Range {
  636.  FlaskRequestSource() { this = request().asSource() }
  637.  
  638.  override string getSourceType() { result = "flask.request" }
  639. }
  640. </code></pre>
  641. <p>This is very interesting for us security researchers &#128161;, because we can query for all RemoteFlowSources in an application to get a quick overview of all places that user input enters an application. This can help us map the attack surface. We will use it later in the blog and in the challenges.</p>
  642. <h3 id="sinks" id="sinks" >Sinks<a href="#sinks" class="heading-link pl-2 text-italic text-bold" aria-label="Sinks"></a></h3>
  643. <p>When frameworks and libraries are modeled, certain code is categorized as certain types of sinks. In CodeQL for Python, we have a type for sinks for each vulnerability&mdash;there&rsquo;s a type for SQL injection sinks, for path injection, for deserialization, and others. The sinks, for example, <a href="https://github.com/github/codeql/blob/9e9be4fc5e7f4b4778594a4443c8528af0ea080d/python/ql/lib/semmle/python/Concepts.qll#L359-L362">SqlExecution</a>, are defined in the <a href="https://github.com/github/codeql/blob/main/python/ql/lib/semmle/python/Concepts.qll">Concepts</a> module.</p>
  644. <pre><code>class SqlExecution extends DataFlow::Node instanceof SqlExecution::Range {
  645.  /** Gets the argument that specifies the SQL statements to be executed. */
  646.  DataFlow::Node getSql() { result = super.getSql() }
  647. }
  648. </code></pre>
  649. <p>Most database libraries in Python follow the <a href="https://peps.python.org/pep-0249/">PEP249 Specification</a> (Python Database API Specification), so instead of modeling each database library separately, the CodeQL for Python team implemented a model for PEP249 which all database libraries implement in their models. For example, <a href="https://github.com/github/codeql/blob/9e9be4fc5e7f4b4778594a4443c8528af0ea080d/python/ql/lib/semmle/python/frameworks/MySQLdb.qll"><code>MySQLdb</code> library is modeled here</a>, by extending the PEP249 module.</p>
  650. <p>The <code>cursor.execute</code> method is modeled in <a href="https://github.com/github/codeql/blob/9e9be4fc5e7f4b4778594a4443c8528af0ea080d/python/ql/lib/semmle/python/frameworks/PEP249.qll#L70-L82">the PEP249 module here</a>. However, the case with having a PEP specification for several libraries is not that usual.</p>
  651. <pre><code>private class ExecuteMethodCall extends SqlExecution::Range, API::CallNode {
  652.  ExecuteMethodCall() {
  653.    exists(API::Node start |
  654.      start instanceof DatabaseCursor or start instanceof DatabaseConnection
  655.    |
  656.      this = start.getMember(getExecuteMethodName()).getACall()
  657.    )
  658.  }
  659.  
  660.  override DataFlow::Node getSql() {
  661.    result in [this.getArg(0), this.getArgByName(getSqlKwargName()),]
  662.  }
  663. }
  664. </code></pre>
  665. <p>As we can see, it extends  <code>SqlExecution</code>. Again, this can be interesting for us researchers. &#128161;</p>
  666. <h2 id="security-research-methodology-with-codeql-approaching-a-new-target" id="security-research-methodology-with-codeql-approaching-a-new-target" >Security research methodology with CodeQL&mdash;approaching a new target<a href="#security-research-methodology-with-codeql-approaching-a-new-target" class="heading-link pl-2 text-italic text-bold" aria-label="Security research methodology with CodeQL&mdash;approaching a new target"></a></h2>
  667. <p>Now that we learned about the building blocks of CodeQL, we can move on to doing our own research with CodeQL.</p>
  668. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/security-research-with-codeql.png?w=1024&#038;resize=1024%2C576" alt="Diagram outlining the different components of doing security research with CodeQL." width="1024" height="576" class="aligncenter size-large wp-image-77718 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/security-research-with-codeql.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/security-research-with-codeql.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/security-research-with-codeql.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/security-research-with-codeql.png?w=1024&#038;resize=1024%2C576 1024w, https://github.blog/wp-content/uploads/2024/04/security-research-with-codeql.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  669. <p>There&rsquo;s no &ldquo;one size fits all&rdquo; approach to code review methodology, but there are common actions that we usually do when approaching a new target during an audit. In this section, I want to look at general methodology used during security research and how to use CodeQL in each of its phases. Check out also the <a href="https://github.blog/2024-04-03-security-research-without-ever-leaving-github-from-code-scanning-to-cve-via-codespaces-and-private-vulnerability-reporting/">blog post</a> about doing research with GitHub tools written by my colleague, Jorge Rosillo. It&rsquo;s a case study which names tools and techniques that you can use for security research.</p>
  670. <p>In CodeQL zero to hero part 2, we mentioned that CodeQL can help us with manual audits by answering questions:</p>
  671. <ul>
  672. <li>What is my attack surface? Where should I start my audit?</li>
  673. <li>What are the sources (unsafe user-supplied input) in my code base?</li>
  674. <li>What are the sinks (dangerous functions)?</li>
  675. <li>Do the sources end up in any dangerous or untrusted functionality?</li>
  676. <li>Which parts of code are high in bug density and could be vulnerable?</li>
  677. </ul>
  678. <p>Let&rsquo;s have a look at how CodeQL can help us answer these questions.</p>
  679. <h3 id="quick-look-with-code-scanning" id="quick-look-with-code-scanning" >Quick look with code scanning<a href="#quick-look-with-code-scanning" class="heading-link pl-2 text-italic text-bold" aria-label="Quick look with code scanning"></a></h3>
  680. <p>The easiest way to get started with approaching a new target with CodeQL is to enable code scanning on it.</p>
  681. <p>Code scanning will run the security queries that are in the <a href="https://docs.github.com/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites#about-codeql-query-suites"><code>default</code></a> suite (in the default automated setup, that we used in challenge 1), that is most of the queries that are in the <code>&lt;language&gt;/ql/src/Security/</code> folder.</p>
  682. <p>If you prefer, you can enable the <a href="https://docs.github.com/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites#security-extended-query-suite"><code>security-extended</code></a> suite, which includes queries with lower precision and severity. This will give you an idea of what could be exploitable and any interesting points in the code that you could investigate further. If something has caught your attention, you could write queries to find other similar sources, sinks or patterns.</p>
  683. <p>If you&rsquo;d like even more inspiration, GitHub Security Lab has you covered&mdash; we decided to share some of our audit queries in <a href="https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/">GitHubSecurityLab/CodeQL-Community-Packs</a>. Follow the instructions to enable them in your code scanning setup.</p>
  684. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/open-issues.png?w=1024&#038;resize=1024%2C611" alt="Screenshot of open issues resulting from the CodeQL query suite." width="1024" height="611" class="aligncenter size-large wp-image-77719 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/open-issues.png?w=1600 1600w, https://github.blog/wp-content/uploads/2024/04/open-issues.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/open-issues.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/open-issues.png?w=1024&#038;resize=1024%2C611 1024w, https://github.blog/wp-content/uploads/2024/04/open-issues.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  685. <h3 id="run-specific-queries-or-parts-of-queries" id="run-specific-queries-or-parts-of-queries" >Run specific queries or parts of queries<a href="#run-specific-queries-or-parts-of-queries" class="heading-link pl-2 text-italic text-bold" aria-label="Run specific queries or parts of queries"></a></h3>
  686. <p>After having an initial look at the target with code scanning, we can move on to reviewing the target for specific types of vulnerabilities with CodeQL in your <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md">local preferred CodeQL setup</a>.</p>
  687. <p>A good start is to run the queries in the <code>&lt;language&gt;/ql/src/Security/</code> folder separately as we did in the previous blog post. You could also edit the queries, if you are looking for something specific.</p>
  688. <p>You can also run several queries at once (or all of them) locally, by right clicking a folder with queries, for example, the Security folder, and then selecting &ldquo;Run queries in selected files.&rdquo;</p>
  689. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/run-queries_e4391c.png?w=751&#038;resize=751%2C1024" alt="" width="751" height="1024" class="aligncenter size-large wp-image-77734 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/run-queries_e4391c.png?w=902 902w, https://github.blog/wp-content/uploads/2024/04/run-queries_e4391c.png?w=220 220w, https://github.blog/wp-content/uploads/2024/04/run-queries_e4391c.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/run-queries_e4391c.png?w=751&#038;resize=751%2C1024 751w" sizes="(max-width: 751px) 100vw, 751px" data-recalc-dims="1" /></p>
  690. <details>
  691. <summary><strong>Challenge 7&mdash;Run all queries from the Security and experimental folders</strong></summary>
  692. <p>You will need to use the VS Code CodeQL Starter Workspace for this challenge. See <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#option-b-local-installation">setup</a>. </p>
  693. <p>CodeQL for Python stores all its security related queries in <code>python/ql/src/Security/</code> folder and experimental queries in <code>python/ql/src/experimental/Security</code>. The folder structure might differ a bit for other languages, for example Ruby in <code>ruby/ql/src/queries/security</code> or  C# in <code>csharp/ql/src/Security Features</code>. </p>
  694. </details>
  695. <h3 id="find-all-sources-with-the-remoteflowsource-type" id="find-all-sources-with-the-remoteflowsource-type" >Find all sources with the RemoteFlowSource type<a href="#find-all-sources-with-the-remoteflowsource-type" class="heading-link pl-2 text-italic text-bold" aria-label="Find all sources with the RemoteFlowSource type"></a></h3>
  696. <p>In the previous section, we mentioned that all sources of untrusted data are modeled as <code>RemoteFlowSource</code> type. The source models can give us an overview of a codebase&rsquo;s attack surface and give starting points to research.</p>
  697. <p>We can use that type to query for all sources of untrusted data in a codebase and all entry points to an application. Using CodeQL for Python, we can query a CodeQL database like so:</p>
  698. <pre><code>/**
  699. * @kind problem
  700. * @problem.severity error
  701. * @id githubsecuritylab/3-8
  702. */
  703. import python
  704. import semmle.python.dataflow.new.RemoteFlowSources
  705.  
  706. from RemoteFlowSource rfs
  707. select rfs, "A remote flow source"
  708. </code></pre>
  709. <p>Getting all the possible sources is an easy way to start an audit of an application. Remember that if you want to limit what files are scanned for sources, you can use the built-in predicates such as <code>getLocation</code>, as we did in the previous blog.</p>
  710. <details>
  711. <summary><strong>Challenge 8&mdash;Query for remote flow sources</strong></summary>
  712. <p>Find all the sources in the provided database using the <code>RemoteFlowSource</code> type.</p>
  713. <p>Feel free to choose a different project to query on; maybe you&rsquo;ll find something interesting? To download a CodeQL database for any open source project on GitHub, check <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#select-codeql-database"> setup instructions</a>.</p>
  714. </details>
  715. <h3 id="find-all-sinks-for-a-specific-vulnerability-type" id="find-all-sinks-for-a-specific-vulnerability-type" >Find all sinks for a specific vulnerability type<a href="#find-all-sinks-for-a-specific-vulnerability-type" class="heading-link pl-2 text-italic text-bold" aria-label="Find all sinks for a specific vulnerability type"></a></h3>
  716. <p>In a similar way as with sources, we could query for all SQL injection sinks within a codebase. It&rsquo;s especially useful if it happens that an application uses more than one database library. We could do it by using the <code>Quick evaluation</code> functionality introduced earlier. Go to the <code>SqlInjection.ql</code> query located in <code>python/ql/src/Security/CWE-089/SqlInjection.ql</code> and move your mouse cursor over the module <code>SqlInjectionQuery</code> in the second import statement.</p>
  717. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/sql-injection-query.png?w=848&#038;resize=848%2C219" alt="Screenshot of an SQL injection query" width="848" height="219" class="aligncenter size-large wp-image-77721 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/sql-injection-query.png?w=848&#038;resize=848%2C219 848w, https://github.blog/wp-content/uploads/2024/04/sql-injection-query.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/sql-injection-query.png?w=768 768w" sizes="(max-width: 848px) 100vw, 848px" data-recalc-dims="1" /></p>
  718. <p>This module is where most of the logic for the query is defined. Right click on the <code>SqlInjectionQuery</code> and choose the &ldquo;Go to definition&rdquo; option. This will move you to the file with the module.</p>
  719. <p>Let&rsquo;s say we are interested in all SQL injection sinks. These are all included by the <code>isSink</code> predicate. If you look just above the <code>isSink</code>predicate over line 22, you will see the &ldquo;Quick evaluation: isSink&rdquo; option. Click it and you should see all the SQL injection sinks in a given database. Alternatively, you can right click and then choose &ldquo;CodeQL: Quick evaluation&rdquo;. If you are having issues with running the query, make sure that you have a Python CodeQL database selected (see <a href="https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md">setup</a>).</p>
  720. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/configuration.png?w=643&#038;resize=643%2C141" alt="Screenshot of the configuration for a SQL injection query" width="643" height="141" class="aligncenter size-large wp-image-77722 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/configuration.png?w=643&#038;resize=643%2C141 643w, https://github.blog/wp-content/uploads/2024/04/configuration.png?w=300 300w" sizes="(max-width: 643px) 100vw, 643px" data-recalc-dims="1" /></p>
  721. <p>This way of querying for sinks is faster, but not as flexible. We cannot really edit the queries, unless we wanted to edit the <code>SqlInjectionQuery</code> module.</p>
  722. <p>Another way we could get all the sinks is by querying for the <code>SqlExecution</code> type in the codebase. We could query for all SQL injection sinks like below.</p>
  723. <pre><code>/**
  724. * @kind problem
  725. * @problem.severity error
  726. * @id githubsecuritylab/3-9
  727. */
  728.  
  729. import python
  730. import semmle.python.Concepts
  731.  
  732. from SqlExecution sink
  733. select sink, "Potential SQL injection sink"
  734. </code></pre>
  735. <p>Many of the sinks we use in CodeQL for Python, including <a href="https://github.com/github/codeql/blob/9e9be4fc5e7f4b4778594a4443c8528af0ea080d/python/ql/lib/semmle/python/Concepts.qll#L359-L362">SqlExecution</a>, are defined in the <a href="https://github.com/github/codeql/blob/main/python/ql/lib/semmle/python/Concepts.qll">Concepts</a> module, for example, <code>CodeExecution</code>, <code>XPathConstruction,</code> and more. The advantage of using this method is that it is done in a separate file and this way you could add any conditions to the query, if you want to.</p>
  736. <details>
  737. <summary><strong>Challenge 9&mdash;Query for SQL injection sinks</strong></summary>
  738. <p>Find all the SQL injection sinks. See what other sinks are available in Concepts and try to query for them.</p>
  739. <p>Feel free to choose a different project to query on.</p>
  740. </details>
  741. <p>Some of the queries do not use the <code>Concepts</code> module, for example, the cleartext logging query, defined in <a href="https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-312/CleartextLogging.ql">CleartextLogging.ql</a>. In that case, you would have to look into the implementation of the query in the qll files: <a href="https://github.com/github/codeql/blob/main/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll">CleartextLoggingQuery.qll</a> and <a href="https://github.com/github/codeql/blob/main/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingCustomizations.qll">CleartextLoggingCustomizations.qll</a>. In <a href="https://github.com/github/codeql/blob/main/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingCustomizations.qll">CleartextLoggingCustomizations.qll</a>, we can see several kinds of sinks: first, there is LoggingAsSink sink, which uses the <code>Logging</code> sinks that are defined in the Concepts module, but there is also another sink class defined&mdash;<code>PrintedDataAsSink</code>. See below for a shortened version of the code from the link.</p>
  742. <pre><code>/** A piece of data logged, considered as a flow sink. */
  743.  class LoggingAsSink extends Sink {
  744.    LoggingAsSink() { this = any(Logging write).getAnInput() }
  745.  }
  746.  
  747.  /** A piece of data printed, considered as a flow sink. */
  748.  class PrintedDataAsSink extends Sink {
  749.    PrintedDataAsSink() {
  750.      (
  751.        this = API::builtin("print").getACall().getArg(_)
  752.        or
  753.        this =
  754.          API::moduleImport("sys")
  755.              .getMember(["stdout", "stderr"])
  756.              .getMember("write")
  757.              .getACall()
  758.              .getArg(0)
  759.      ) and
  760.      not exists(Module loggingInit |
  761.        loggingInit.getName() = "logging.__init__" and
  762.        this.getScope().getEnclosingModule() = loggingInit and
  763.        not exists(loggingInit.getFile().getRelativePath())
  764.      )
  765.    }
  766.  }
  767. }
  768. </code></pre>
  769. <p>Note that there are very few sinks implemented this way for Python&mdash;most sinks are in <code>Concepts.qll</code>. The sinks implement the Range design pattern, which allows for both easy extension and refinement of classes.</p>
  770. <p>Many languages use the Concepts module, for example, Go&rsquo;s <code>Concepts</code> is defined <a href="https://github.com/github/codeql/blob/main/go/ql/lib/semmle/go/Concepts.qll">here</a>. Note though, that even though a language uses Concepts, you may still need to look into the implementation of a particular path query to find their sinks, just like in the case with CleartextLogging query.</p>
  771. <h3 id="find-calls-to-all-external-apis-untrusted-functionality" id="find-calls-to-all-external-apis-untrusted-functionality" >Find calls to all external APIs (untrusted functionality)<a href="#find-calls-to-all-external-apis-untrusted-functionality" class="heading-link pl-2 text-italic text-bold" aria-label="Find calls to all external APIs (untrusted functionality)"></a></h3>
  772. <p>&ldquo;<a href="https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql">CWE-20 Untrusted APIs</a>&rdquo; query is a special query that is very interesting for security researchers. It detects if data from untrusted sources is used by any external APIs. By &ldquo;external APIs&rdquo; we understand anything that is outside of a codebase&mdash;calls to methods from libraries and others. Any code that is not defined in our codebase is considered untrusted and could be interesting from a security researcher&rsquo;s point of view. In that way, this query covers sinks from many vulnerability categories at once. It is also very useful to identify third- party APIs that may require modeling if we want the taint tracking analyzer to continue the analysis after it.</p>
  773. <p><a href="https://twitter.com/frycos">@frycos</a> presented how he found a pre-authentication remote code execution in 20 minutes using this query in this <a href="https://frycos.github.io/vulns4free/2022/12/02/rce-in-20-minutes.html">article</a>.</p>
  774. <details>
  775. <summary><strong>Challenge 10&mdash;Run CWE-20 Untrusted APIs query</strong></summary>
  776. <p>Run the CWE-20 Untrusted APIs query on a repo of your choice. For Python in the VS Code CodeQL Starter Workspace, it is located in <code>vscode-codeql-starter/ql/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql</code>.</p>
  777. <p>Try to choose a new project, download its database from GitHub (see setup) and run this query on it.</p>
  778. </details>
  779. <h3 id="next-steps" id="next-steps" >Next steps<a href="#next-steps" class="heading-link pl-2 text-italic text-bold" aria-label="Next steps"></a></h3>
  780. <p>After you have identified any interesting areas, the next step would be to verify them. If you suspect that the vulnerability you&rsquo;ve found could be a candidate for variant analysis, you might want to use QL to model it and see if there are other variants of the vulnerability in that codebase or other codebases.</p>
  781. <p>Sometimes it might be hard to decide whether to model a vulnerability using CodeQL, or not. Generally, I advise you to have a look at security research using CodeQL that was published by the security community. More on that in the &ldquo;Community research with CodeQL&rdquo; section.</p>
  782. <h2 id="multi-repository-variant-analysis-mrva" id="multi-repository-variant-analysis-mrva" >Multi-repository variant analysis (MRVA)<a href="#multi-repository-variant-analysis-mrva" class="heading-link pl-2 text-italic text-bold" aria-label="Multi-repository variant analysis (MRVA)"></a></h2>
  783. <p>We mentioned the tool <a href="https://codeql.github.com/docs/codeql-for-visual-studio-code/running-codeql-queries-at-scale-with-mrva/">MRVA</a> in the &ldquo;variant analysis&rdquo; section. <a href="https://github.blog/2023-03-09-multi-repository-variant-analysis-a-powerful-new-way-to-perform-security-research-across-github/">MRVA</a> is a tool which can run a given CodeQL query against a thousand projects at once. You can run any CodeQL query using MRVA, be it prewritten or your own. As you can see, it&rsquo;s a very powerful tool for doing security research at scale. For example, you could run the prewritten SQL injection query against the top 1,000 Python projects or any other security query and then choose the top 1,000 projects for that language.</p>
  784. <p>Say you have created a new query to find variants of a certain vulnerability&mdash;it could be Log4Shell, for example. If the vulnerability you modeled is novel, by using MRVA, you may be able to detect tens of vulnerabilities across hundreds of open source projects all within a few clicks. Thanks to these features, using CodeQL together with MRVA has become popular with security researchers.</p>
  785. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/queryql.png?w=956&#038;resize=956%2C633" alt="Screenshot of the query.ql Variant Analysis Results" width="956" height="633" class="aligncenter size-large wp-image-77723 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/queryql.png?w=956&#038;resize=956%2C633 956w, https://github.blog/wp-content/uploads/2024/04/queryql.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/queryql.png?w=768 768w" sizes="(max-width: 956px) 100vw, 956px" data-recalc-dims="1" /></p>
  786. <p>Let&rsquo;s try to run MRVA with an existing query.</p>
  787. <details>
  788. <summary><strong>Challenge 11&mdash;Run MRVA using one of the security queries</strong></summary>
  789. <p>Set up MRVA using instructions <a href="https://codeql.github.com/docs/codeql-for-visual-studio-code/running-codeql-queries-at-scale-with-mrva/#controller-repository">here</a>. Select top 10 repositories in the CodeQL extension tab. Choose one of the prewritten queries in your favorite language, right-click in the query file, and select CodeQL: Run Variant Analysis to start variant analysis. If you don&rsquo;t find anything using that query, it&rsquo;s likely because the project is already secured against that vulnerability. If you prefer, run one of the bigger lists with 100 or 1,000 repositories. </p>
  790. <p><em>Note: if you do find true positive vulnerabilities, make sure to verify them first and then report them using the coordinated disclosure process. See our <a href="https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/">guide</a> for reporting vulnerabilities to open source.</em></p>
  791. </details>
  792. <p>MRVA comes with predefined lists of top 10, top 100 and top 1,000 projects available on GitHub for any language, but you can also add your own list of projects. MRVA allows you to create your own list of projects using GitHub&rsquo;s code search functionality. See how to use it <a href="https://codeql.github.com/docs/codeql-for-visual-studio-code/running-codeql-queries-at-scale-with-mrva/#using-github-code-search-to-add-repositories-to-a-custom-list">here</a>.</p>
  793. <h2 id="community-research-with-codeql" id="community-research-with-codeql" >Community research with CodeQL<a href="#community-research-with-codeql" class="heading-link pl-2 text-italic text-bold" aria-label="Community research with CodeQL"></a></h2>
  794. <p>There has been a lot of great security research published with CodeQL and I&rsquo;d like to highlight some of it in this section. I hope it inspires you in your own research.</p>
  795. <div class="content-table-wrap"><table style="border: 1px black">
  796. <tbody>
  797. <tr>
  798. <td>Note: Many resources mention the LGTM platform, which was <a href="https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/">deprecated</a> in 2022 after the launch of code scanning. You can use the VS Code Starter Workspace setup to run the same queries as in the articles, or use MRVA to run the query against multiple projects at once.</td>
  799. </tr>
  800. </tbody>
  801. </table></div>
  802. <h4 id="python" id="python" >Python<a href="#python" class="heading-link pl-2 text-italic text-bold" aria-label="Python"></a></h4>
  803. <ul>
  804. <li><a href="https://frycos.github.io/vulns4free/2022/12/02/rce-in-20-minutes.html">Pre-Auth RCE with CodeQL in Under 20 Minutes</a><br>
  805. Writeup by <a href="https://twitter.com/frycos">@frycos</a> in which they describe how they found a pre-authentication remote code execution in 20 minutes in pgAdmin using the CWE-20 Untrusted API query.</li>
  806. <li><a href="https://jorgectf.github.io/blog/post/practical-codeql-introduction/">Practical Introduction to CodeQL</a><br>
  807. Practical writeup of how <a href="https://twitter.com/jorge_ctf">@jorgectf</a> wrote new QL queries for detecting XXE, LDAP injection, and regular expression injection, which were later rewarded in the CodeQL bug bounty program and merged into the CodeQL repository upstream.</li>
  808. </ul>
  809. <h4 id="java" id="java" >Java<a href="#java" class="heading-link pl-2 text-italic text-bold" aria-label="Java"></a></h4>
  810. <ul>
  811. <li><a href="https://securitylab.github.com/research/apache-dubbo/">Apache Dubbo: All roads lead to RCE</a><br>
  812. A deep dive into auditing Apache Dubbo with CodeQL by <a href="https://twitter.com/pwntester">@pwntester</a>. It includes analyzing Dubbo architecture, identifying sources, and modeling the ones that weren&rsquo;t reported by CodeQL. Thirteen new deserialization vulnerabilities were reported as a result of the research.  <a href="https://twitter.com/pwntester">@pwntester</a> also created a CodeQL workshop with a step by step guide to write the queries that he wrote for auditing Dubbo. See the v<a href="https://www.youtube.com/watch?v=-bJ2Ioi7Icg">ideo</a> and accompanying <a href="https://github.com/github/codeql-dubbo-workshop/tree/master">repository</a>.</li>
  813. <li><a href="https://mogwailabs.de/en/blog/2021/09/vulnerability-digging-with-codeql/">Vulnerability digging with CodeQL</a><br>
  814. Writeup about modeling a Java deserialization vulnerability in CodeQL by <a href="https://twitter.com/mtimo44">@mtimo44</a> and <a href="https://twitter.com/h0ng10">@h0ng10</a>.</li>
  815. </ul>
  816. <h4 id="c-c" id="c-c" >C/C++<a href="#c-c" class="heading-link pl-2 text-italic text-bold" aria-label="C/C++"></a></h4>
  817. <ul>
  818. <li><a href="https://securitylab.github.com/research/bug-hunting-codeql-rsyslog/">Bug Hunting with CodeQL in Rsyslog</a><br>
  819. Beginner-friendly step by step process of finding vulnerabilities using CodeQL in Rsyslog by <a href="https://twitter.com/agustingianni">@agustingianni</a>.</li>
  820. <li><a href="https://medium.com/csg-govtech/hunting-bugs-in-accel-ppp-with-codeql-8370e297e18f">Hunting bugs in Accel-PPP with CodeQL</a> by Chloe Ong and <a href="https://medium.com/csg-govtech/removing-false-positives-in-codeql-2b9f9f02cd99">Removing False Positives in CodeQL</a> by Kar Wei Loh.<br>
  821. The two researchers worked together to find memory corruption bugs in Accel-PPP. The first article is an in-depth writeup about looking for the bugs and the thought process, writing CodeQL and the challenges they&rsquo;ve encountered. The second article shows how they refined the CodeQL query to provide more precise results.</li>
  822. <li><a href="https://github.com/google/security-research/blob/master/pocs/cpus/spectre-gadgets/README.md">Finding Gadgets for CPU Side-Channels with Static Analysis Tools</a><br>
  823. Research by <a href="https://twitter.com/pwningsystems">@pwningsystems</a> and <a href="https://twitter.com/fkaasan">@fkaasan</a> into finding useful gadgets in CPU side-channel exploitation.</li>
  824. </ul>
  825. <h2 id="reach-out" id="reach-out" >Reach out!<a href="#reach-out" class="heading-link pl-2 text-italic text-bold" aria-label="Reach out!"></a></h2>
  826. <p>If CodeQL and this post helped you to find a vulnerability, we would love to hear about it! Reach out to us on <a href="https://gh.io/securitylabslack">GitHub Security Lab on Slack</a> or tag us <a href="https://twitter.com/GHSecurityLab">@ghsecuritylab</a> on X.</p>
  827. <p>If you have any questions, issues with challenges or with writing a CodeQL query, feel free to join and ask on the <a href="https://gh.io/securitylabslack">GitHub Security Lab server on Slack</a>. The Slack server is open to anyone and gives you access to ask questions about issues with CodeQL, CodeQL modeling or anything else CodeQL related, and receive answers from a number of CodeQL engineers and security researchers from GitHub Security Lab (me included!). If you prefer to stay off Slack, feel free to ask any questions in <a href="https://github.com/github/codeql/discussions">CodeQL repository discussions</a> or in <a href="https://github.com/github/securitylab/discussions">GitHub Security Lab repository discussions</a>.</p>
  828. </body></html>
  829. <p>The post <a href="https://github.blog/2024-04-29-codeql-zero-to-hero-part-3-security-research-with-codeql/">CodeQL zero to hero part 3: Security research with CodeQL</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  830. ]]></content:encoded>
  834. <post-id xmlns="com-wordpress:feed-additions:1">77703</post-id> </item>
  835. <item>
  836. <title>GitHub Actions, Arm64, and the future of automotive software development</title>
  837. <link>https://github.blog/2024-04-26-github-actions-arm64-and-the-future-of-automotive-software-development/</link>
  839. <dc:creator><![CDATA[Clay Nelson]]></dc:creator>
  840. <pubDate>Fri, 26 Apr 2024 15:33:43 +0000</pubDate>
  841. <category><![CDATA[Enterprise]]></category>
  842. <category><![CDATA[GitHub Actions]]></category>
  843. <category><![CDATA[GitHub Enterprise]]></category>
  844. <category><![CDATA[GitHub-hosted runners]]></category>
  845. <guid isPermaLink="false">https://github.blog/?p=77619</guid>
  846.  
  847. <description><![CDATA[<p>Learn how GitHub's Enterprise Cloud, GitHub Actions, and Arm's latest Automotive Enhanced processors, work together to usher in a new era of efficient, scalable, and flexible automotive software creation.</p>
  848. <p>The post <a href="https://github.blog/2024-04-26-github-actions-arm64-and-the-future-of-automotive-software-development/">GitHub Actions, Arm64, and the future of automotive software development</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  849. ]]></description>
  850. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  851. <html><body><h2 id="automotive-software-development-moves-to-the-cloud" id="automotive-software-development-moves-to-the-cloud" >Automotive software development moves to the cloud<a href="#automotive-software-development-moves-to-the-cloud" class="heading-link pl-2 text-italic text-bold" aria-label="Automotive software development moves to the cloud"></a></h2>
  852. <p>We are at an inflection point for automotive embedded development to move to the cloud. In an era where software has not just eaten the world but is continuously redefining it through AI, the cloud emerges not just as a platform but as the foundational fabric for software engineering. With AI&rsquo;s increasing demand for computational power driving unprecedented changes in silicon, both at the edge and in the cloud, the need for agile, scalable, and continuously optimized development environments has never been more critical. As the home of the world&rsquo;s developers, GitHub is the platform to build the next generation of automotive and embedded development environments in the cloud.</p>
  853. <h3 id="traditional-embedded-development-challenges" id="traditional-embedded-development-challenges" >Traditional embedded development challenges<a href="#traditional-embedded-development-challenges" class="heading-link pl-2 text-italic text-bold" aria-label="Traditional embedded development challenges"></a></h3>
  854. <p>Improving the developer experience is at the heart of what GitHub does. We&rsquo;re dedicated to making coding as smooth as possible by reducing unnecessary complexity. The traditional process for developers working with embedded systems has plenty of friction to remove. Historically, software development has been very hardware-dependent with developers maintaining some combination of test hardware connected to their development machines or an in-house testing farm. There weren&rsquo;t many alternatives because so much was proprietary.</p>
  855. <p>In recent years, a series of technical advancements have significantly influenced the foundational architectures within the field. Despite these changes, many traditional methods and operational processes remain in use. Key developments include the adoption of more powerful multipurpose processors, the establishment of open standards for the lower-level software stack such as <a href="http://SOAFEE.io">SOAFEE.io</a> for cloud native architecture at the edge, and the increased reliance on open-source resources, facilitating reuse across different domains. These innovations have provided developers with the opportunity to fundamentally rethink their approaches to development, enabling more efficient and flexible strategies.</p>
  856. <p>As the rate of these technical trends and foundational change increases, teams are finding it increasingly difficult to deliver application commitments without significant cost of maintaining these in-house development and test environments.</p>
  857. <div class="post-content-cta"><p>See how <a href="https://www.soafee.io/about/charter">Scalable Open Architecture For Embedded Edge (SOAFEE)</a>, an industry-led collaboration between companies across the automotive and technology sectors, is working to radically simplify vehicle software solutions.</p>
  858. </div>
  859. <h2 id="virtualization-for-embedded-and-automotive-development" id="virtualization-for-embedded-and-automotive-development" >Virtualization for embedded and automotive development<a href="#virtualization-for-embedded-and-automotive-development" class="heading-link pl-2 text-italic text-bold" aria-label="Virtualization for embedded and automotive development"></a></h2>
  860. <p>While virtualization has become a cornerstone of enterprise development, its integration into embedded systems has proceeded at a more cautious pace. The complexities inherent in embedded systems&mdash;spanning a vast array of processors, operating systems, and specialized software&mdash;pose unique challenges not encountered in the more homogeneous environments of data centers and IT networks. Embedded systems require a nuanced approach to virtualization that goes beyond simply accommodating mainstream operating systems like Windows and Linux on standard Intel architectures.</p>
  861. <p>In a significant development that reflects the evolving landscape of embedded systems, in March 2024, <a href="https://newsroom.arm.com/blog/automotive-enhanced-ip-portfolio">Arm unveiled its new Automotive Enhanced (AE) processors</a>. These cutting-edge processors are designed to boost AI capabilities within the automotive sector, ensuring <a href="https://newsroom.arm.com/blog/isa-parity">ISA (Instruction Set Architecture) compatibility</a>. This advancement is poised to revolutionize the way applications are developed and deployed, enabling developers to create software in the cloud and seamlessly transition it to the edge, such as in vehicles, without the need for extensive reconfiguration or modification. This leap forward promises to accelerate the time-to-market for new applications, bridging the gap between cloud development environments and the nuanced world of embedded systems .</p>
  862. <p>This transition exemplifies how advancements in processor technology and virtualization are converging to address the unique challenges of embedded development, paving the way for more integrated and efficient systems across industries. Developers will be able to write, build, and test code in the cloud and then run their applications in virtualized environments with digital twins that mirror their processor targets, even if those targets haven&rsquo;t even been delivered in the silicon.</p>
  863. <h2 id="cloud-based-continuous-integration-platform" id="cloud-based-continuous-integration-platform" >Cloud-based continuous integration platform<a href="#cloud-based-continuous-integration-platform" class="heading-link pl-2 text-italic text-bold" aria-label="Cloud-based continuous integration platform"></a></h2>
  864. <p>Continuous integration (CI), a cornerstone of agile methodologies for over two decades, automates the build, test, and deployment processes. This automation accelerates feedback loops, enabling timely verification that the software meets the intended requirements. It also minimizes integration risks and enhances the early detection of defects and security vulnerabilities. While surveys indicate that many embedded development teams have adopted CI as a practice, managing the development environments across multiple hardware configurations and deployment targets is costly and complex.</p>
  865. <p>Implementing CI/CD in a cloud environment leverages the well-established advantages of cloud computing for embedded engineering teams, significantly enhancing their ability to deliver high-quality products within tight market timelines.</p>
  866. <ul>
  867. <li><strong>Enhanced Scalability.</strong> Cloud-based CI allows teams to dynamically allocate resources and optimize compute spend. Teams can execute workloads in parallel in order to support multiple hardware and software configurations simultaneously. Developers can also participate across geographic regions or even across organizational boundaries within the supply chain.</li>
  868. <li><strong>Reduced Complexity.</strong> Standardizing on cloud-based CI reduces environment setup and tear down times and promotes consistency. Workflows can easily be shared across teams. </li>
  869. <li><strong>Improved Quality.</strong> When compute resources are too constrained or managing the CI environment is brittle, teams may optimize locally onto too narrow a piece of the development. Reducing this friction and thereby increasing the end to end feedback loops can improve quality. </li>
  870. </ul>
  871. <p>To deliver cloud-based embedded developer environments for the design and build time that feed into the runtime virtualized and simulated targets, GitHub needed to update our infrastructure. In October 2023, GitHub <a href="https://github.blog/changelog/2023-10-30-accelerate-your-ci-cd-with-arm-based-hosted-runners-in-github-actions/">announced native Arm64 support for our hosted CI/CD workflow engine, GitHub Actions</a>. Supporting this platform is important because Arm&rsquo;s family of processor designs are central to many uses in the embedded and automotive world.</p>
  872. <p>This promises to free embedded developers from being tied to the desktop. By moving jobs to the cloud, development teams will be able to focus more on coding time and less on infrastructure management. We also recently <a href="https://github.blog/2024-04-02-bringing-enterprise-level-security-and-even-more-power-to-github-hosted-runners/">announced the public beta of GPU hosted runners</a> that will enable teams building machine learning models to do complete application testing, including the ML components within GitHub Actions.</p>
  873. <h2 id="conclusion" id="conclusion" >Conclusion<a href="#conclusion" class="heading-link pl-2 text-italic text-bold" aria-label="Conclusion"></a></h2>
  874. <p>The convergence of cloud technologies, advanced virtualization, and cutting-edge processor innovations represents a transformative shift in automotive software development. To further advance and support these transformations across the industry, GitHub has recently joined SOAFEE.io, as well as maintaining our membership in the Connected Vehicle Systems Alliance (COVESA) and supporting Microsoft&rsquo;s commitment to the Eclipse Software Defined Vehicle project.</p>
  875. <p>GitHub Enterprise Cloud, along with Arm&rsquo;s latest AE processors, heralds a new era where development and testing transcend traditional boundaries, leveraging the cloud&rsquo;s vast resources for more efficient, scalable, and flexible software creation. This paradigm shift towards cloud-based development and virtualized testing environments not only addresses the complexities and limitations of embedded system design but also dramatically reduces the overhead associated with physical hardware dependencies. By enabling developers to seamlessly transition applications from the cloud to the edge without extensive rework, the automotive industry stands on the brink of a significant acceleration in innovation and time-to-market for new technologies.</p>
  876. <p>GitHub&rsquo;s introduction of native Arm64 support and the public beta of GPU hosted runners on its CI/CD platform, GitHub Actions, further underscores this transition. These advancements ensure that the embedded and automotive development communities can fully harness the cloud&rsquo;s potential, facilitating a shift from local, hardware-constrained development processes to a more agile, cloud-centric approach. As a result, developers can focus more on innovation and less on the intricacies of hardware management, propelling the automotive sector into a future where software development is more integrated, dynamic, and responsive to the rapidly evolving demands of technology and consumers. This transition not only signifies a leap forward in how automotive software is developed but also reflects a broader trend towards the cloud as the backbone of modern software engineering across industries.</p>
  877. <div class="post-content-cta"><p><a href="https://docs.github.com/en/actions/using-github-hosted-runners">Learn more about GitHub-hosted runners</a> and look for the public beta for Arm-hosted runners coming later this year.</p>
  878. </div>
  879. </body></html>
  880. <p>The post <a href="https://github.blog/2024-04-26-github-actions-arm64-and-the-future-of-automotive-software-development/">GitHub Actions, Arm64, and the future of automotive software development</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  881. ]]></content:encoded>
  885. <post-id xmlns="com-wordpress:feed-additions:1">77619</post-id> </item>
  886. <item>
  887. <title>Securing millions of developers through 2FA</title>
  888. <link>https://github.blog/2024-04-24-securing-millions-of-developers-through-2fa/</link>
  890. <dc:creator><![CDATA[Mike Hanley]]></dc:creator>
  891. <pubDate>Wed, 24 Apr 2024 15:00:53 +0000</pubDate>
  892. <category><![CDATA[Security]]></category>
  893. <category><![CDATA[2FA]]></category>
  894. <category><![CDATA[GitHub.com]]></category>
  895. <category><![CDATA[supply chain security]]></category>
  896. <guid isPermaLink="false">https://github.blog/?p=77576</guid>
  897.  
  898. <description><![CDATA[<p>We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.</p>
  899. <p>The post <a href="https://github.blog/2024-04-24-securing-millions-of-developers-through-2fa/">Securing millions of developers through 2FA</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  900. ]]></description>
  901. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  902. <html><body><p>Though technology has advanced significantly to combat the proliferation of sophisticated security threats, the reality is that <strong>preventing the next cyberattack depends on getting the security basics right, and efforts to secure the software ecosystem must protect the developers who design, build, and maintain the software we all depend on</strong>.</p>
  903. <p>As the home to the world&rsquo;s largest developer community, GitHub is in a unique position to help improve the security of the software supply chain. In May 2022, we <a href="https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/">introduced</a> an initiative to raise the bar for supply chain security by addressing the first link in that chain&mdash;the security of developers. Because strong multi-factor authentication remains one of the best defenses against account takeover and subsequent supply chain compromise, we set an ambitious goal to require users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.</p>
  904. <p>What followed was a year&rsquo;s worth of investments in research and design around the <a href="https://github.blog/2022-12-14-raising-the-bar-for-software-security-next-steps-for-github-com-2fa/">implementation</a> of these requirements, to optimize for a seamless experience for developers, followed by a <a href="https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/">gradual rollout</a> to ensure successful user onboarding as we continued to scale our requirements. While our efforts to ensure developers can be as secure as possible on GitHub.com don&rsquo;t end here, today, we&rsquo;re sharing the results of the first phase of our 2FA enrollment, with a call for more organizations to implement similar requirements across their own platforms. Let&rsquo;s dive in.</p>
  905. <h2 id="results-%f0%9f%9a%80" id="results-%f0%9f%9a%80" >Results &#128640;<a href="#results-%f0%9f%9a%80" class="heading-link pl-2 text-italic text-bold" aria-label="Results &#128640;"></a></h2>
  906. <p>We&rsquo;re proud of the initial achievements from the 2023 initiative, and the impact they&rsquo;ll have on ensuring the software ecosystem is more secure. We saw:</p>
  907. <ul>
  908. <li>Dramatic increase in 2FA adoption on GitHub.com, focused on users who have the most critical impact on the software supply chain. </li>
  909. <li>Users adopting more secure means of 2FA, including passkeys.</li>
  910. <li>Net reduction in 2FA-related support ticket volume, something we credit to heavy up-front user research and design as well as customer support process improvements. </li>
  911. <li>Other organizations like <a href="https://blog.rubygems.org/2022/06/13/making-packages-more-secure.html">RubyGems</a>, <a href="https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/">PyPI</a>, and <a href="https://aws.amazon.com/blogs/security/security-by-design-aws-to-enhance-mfa-requirements-in-2024/">AWS</a> joined us in raising the bar for the entire software supply chain, proving that large increases in 2FA adoption aren&rsquo;t an insurmountable challenge.</li>
  912. </ul>
  913. <h3 id="2fa-adoption" id="2fa-adoption" >2FA adoption<a href="#2fa-adoption" class="heading-link pl-2 text-italic text-bold" aria-label="2FA adoption"></a></h3>
  914. <p>Since we began rolling out mandatory 2FA in March 2023, we&rsquo;ve seen an <strong>opt-in rate of nearly 95%</strong> across code contributors who received the 2FA requirement in 2023, and enrollments continue to trickle in. Moreover, this has led to a <strong>54% increase in 2FA adoption</strong> among all active contributors<sup id="fnref-77576-1"><a href="#fn-77576-1" class="jetpack-footnote" title="Read footnote.">1</a></sup> on GitHub.com.</p>
  915. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/image2.png?w=1024&#038;resize=1024%2C412" alt="Graph showing the upward trend of total registered 2FA users from May 2023 to March 2024." width="1024" height="412" class="aligncenter size-large wp-image-77587 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/image2.png?w=1999 1999w, https://github.blog/wp-content/uploads/2024/04/image2.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/image2.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/image2.png?w=1024&#038;resize=1024%2C412 1024w, https://github.blog/wp-content/uploads/2024/04/image2.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  916. <h3 id="stronger-and-more-reliable-authentication" id="stronger-and-more-reliable-authentication" >Stronger and more reliable authentication<a href="#stronger-and-more-reliable-authentication" class="heading-link pl-2 text-italic text-bold" aria-label="Stronger and more reliable authentication"></a></h3>
  917. <p>A key area of focus for this initiative was encouraging users to adopt more secure means of 2FA, especially <a href="https://github.blog/2023-09-21-passkeys-are-generally-available/">passkeys</a> which currently offer the strongest mix of security and usability. Since we released passkeys to public beta in <a href="https://github.blog/2023-07-12-introducing-passwordless-authentication-on-github-com/">July 2023</a>, <strong>nearly 1.4 million passkeys have been registered on GitHub.com</strong>. Even more impressive, passkeys rapidly overtook other forms of Webauthn-backed 2FA in day-to-day usage.</p>
  918. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/image5.png?w=1024&#038;resize=1024%2C400" alt="Graph showing Webauthn authentication success by type (passkey versus other) from July 2023 to March 2024. Passkeys surpassed all other types in November 2023, and the gap has widened since then." width="1024" height="400" class="aligncenter size-large wp-image-77588 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/image5.png?w=1999 1999w, https://github.blog/wp-content/uploads/2024/04/image5.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/image5.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/image5.png?w=1024&#038;resize=1024%2C400 1024w, https://github.blog/wp-content/uploads/2024/04/image5.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  919. <p>While we&rsquo;re bullish on passkeys, it&rsquo;s also important that GitHub continues to offer flexibility, reliability, and security in the ways developers around the world can authenticate to the platform, particularly for those who may not have access to such technology. We continue to support SMS as a 2FA option for those who may not be able to adopt other factors, but have intentionally made design choices in our 2FA onboarding workflows to encourage users to adopt more secure alternatives where possible. This work <strong>reduced the overall share of SMS as a second factor by almost 25%</strong> between early 2023 and early 2024. We see a lot of room ahead to continue driving passkey adoption, while also driving down use of less-secure factor types, and foresee a future where passkeys are the first choice for the majority of developers on the GitHub platform.</p>
  920. <p>Finally, as a result of our improved enrollment experience and passkey rollout, our data shows that it&rsquo;s <strong>47% more likely users will configure two or more forms of 2FA</strong>. Each additional factor makes it far less likely that a given user will lose all their factors and end up locked out, resulting in a smoother and more reliable user experience.</p>
  921. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/image1.png?w=1024&#038;resize=1024%2C400" alt="Graph showing the number of users with 2 or more 2FA methods from April 2023 to March 2024. The line began trending rapidly upward in November 2023, becoming almost exponential in early 2024." width="1024" height="400" class="aligncenter size-large wp-image-77589 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/image1.png?w=1999 1999w, https://github.blog/wp-content/uploads/2024/04/image1.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/image1.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/image1.png?w=1024&#038;resize=1024%2C400 1024w, https://github.blog/wp-content/uploads/2024/04/image1.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  922. <h3 id="user-experience-and-support" id="user-experience-and-support" >User experience and support<a href="#user-experience-and-support" class="heading-link pl-2 text-italic text-bold" aria-label="User experience and support"></a></h3>
  923. <p>Knowing we needed to help developers employ strong account security while maintaining our promise of a seamless user experience, we invested in a number of improvements including refreshed 2FA onboarding flows, adding <a href="https://github.blog/2022-01-25-secure-your-github-account-github-mobile-2fa/">GitHub Mobile 2FA</a>, and more user options in terms of primary 2FA factors. While one would reasonably expect an increase in 2FA-related support tickets as the relative usage increased on the platform, we saw the opposite. Because of the significant investments in user experience and design ahead of the rollout, we saw a <strong>one-third reduction in 2FA-related support tickets</strong>.</p>
  924. <p>Further, additional internal workflow optimization and automation for GitHub Support teams led to a <strong>54% reduction in 2FA account recovery support tickets that require significant human intervention</strong>. Today, <strong>more than 75% of account recovery tickets come through the in-product workflow</strong>, which collects recovery details from users and automatically checks for risk factors, as well as scenarios we know are safe (like doing account recovery while you&rsquo;re still signed in). This data collection and vetting dramatically reduces the time it takes for GitHub Support teams to review these recovery attempts, allowing locked out users to safely get back to their accounts faster than ever and enabling GitHub to scale 2FA enrollment to millions of users.</p>
  925. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/image4.png?w=1024&#038;resize=1024%2C400" alt="Graph comparing 2FA account recovery tickets with tickets involving automated review from May 2023 to March 2024. The line representing automated review surpassed the line representing account recovery tickets around October 2023 and has stayed there ever since. " width="1024" height="400" class="aligncenter size-large wp-image-77590 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/image4.png?w=1999 1999w, https://github.blog/wp-content/uploads/2024/04/image4.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/image4.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/image4.png?w=1024&#038;resize=1024%2C400 1024w, https://github.blog/wp-content/uploads/2024/04/image4.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  926. <p>We also introduced a <a href="https://github.blog/changelog/2023-01-11-second-factor-validation-after-2fa-setup">2FA verification checkup</a> that occurs 28 days after 2FA setup, to ensure users have an opportunity to verify their configuration. This checkup was a fail-safe that helped <strong>25% of users successfully reconfigure their accounts</strong> if they made a mistake or lost a factor, thereby avoiding account lockout for the user and significantly reducing account recovery support volume for GitHub.</p>
  927. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/image3.png?w=1024&#038;resize=1024%2C400" alt="Screenshot of the dialog box prompting a user to verify their 2FA settings." width="1024" height="400" class="aligncenter size-large wp-image-77591 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/image3.png?w=1999 1999w, https://github.blog/wp-content/uploads/2024/04/image3.png?w=300 300w, https://github.blog/wp-content/uploads/2024/04/image3.png?w=768 768w, https://github.blog/wp-content/uploads/2024/04/image3.png?w=1024&#038;resize=1024%2C400 1024w, https://github.blog/wp-content/uploads/2024/04/image3.png?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" data-recalc-dims="1" /></p>
  928. <h3 id="ecosystem-impact" id="ecosystem-impact" >Ecosystem impact<a href="#ecosystem-impact" class="heading-link pl-2 text-italic text-bold" aria-label="Ecosystem impact"></a></h3>
  929. <p>While our primary focus was to secure the developers on GitHub.com, we have also been intentionally transparent with our approach to the rollout to inspire more organizations to take up the call after GitHub and <a href="https://github.blog/2022-02-01-top-100-npm-package-maintainers-require-2fa-additional-security/">npm</a> to require their own 2FA requirements. Every user account with 2FA successfully enabled is one fewer vector for attackers to compromise organizations or important open source software. Over the last two years, we&rsquo;ve been encouraged to see <strong><a href="https://blog.rubygems.org/2022/06/13/making-packages-more-secure.html">RubyGems</a>, <a href="https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/">PyPI</a>, and <a href="https://aws.amazon.com/blogs/security/security-by-design-aws-to-enhance-mfa-requirements-in-2024/">AWS</a> join our efforts to drive increased usage of 2FA to secure our shared ecosystem and software supply chain</strong>.</p>
  930. <h2 id="looking-forward-%f0%9f%94%ad" id="looking-forward-%f0%9f%94%ad" >Looking forward &#128301;<a href="#looking-forward-%f0%9f%94%ad" class="heading-link pl-2 text-italic text-bold" aria-label="Looking forward &#128301;"></a></h2>
  931. <p>Now that it&rsquo;s 2024, you might be asking, &ldquo;Why didn&rsquo;t I get a 2FA requirement?&rdquo; While we&rsquo;re ecstatic at the progress we made in 2023 to enroll millions of developers in 2FA, the job of securing the software supply chain and the developers responsible for it doesn&rsquo;t end. Our initial work <a href="https://docs.github.com/authentication/securing-your-account-with-two-factor-authentication-2fa/about-mandatory-two-factor-authentication">prioritized distinct user groups</a> based on the impact of their user privileges or specific actions they took.</p>
  932. <aside class="post-aside--small float-sm-right col-sm-5 col-md-6 col-lg-5 my-5 my-sm-2 ml-sm-4 ml-lg-6"><p class="h6-mktg gh-aside-title">Protecting Accounts Without 2FA</p><p>Those who are not required to enable 2FA still benefit from layered protections such as <a href="https://github.blog/changelog/2019-07-01-verified-devices/">verified devices</a> and <a href="https://github.blog/changelog/2018-07-31-new-improvements-and-best-practices-for-account-security-and-recoverability/">compromised password prevention</a>.</p>
  933. </aside>
  934. <p>There is also still important industry-wide work ahead to support users that may not have access to a phone or control over the software of the computer they use to adopt 2FA. As a global platform, we believe that <em>everyone</em> should have access to tools that make software development easier and more secure, and our efforts to enforce strong authentication for as many developers as possible is ongoing. We&rsquo;ll continue to find solutions to protect developers, the projects they&rsquo;re working on, and the communities they participate in, working hard to take a balanced approach that greatly improves the security of the entire software supply chain without restricting those with different setups or environments around the world.</p>
  935. <p>Looking ahead, we&rsquo;re evaluating how we can require even more GitHub.com users to enroll in 2FA during 2024, while continuing to monitor and improve the user experience. We&rsquo;re investigating additional account security features, such as session and token binding, that will enable developers and their organizations to better manage the risk of account compromise, with or without 2FA. We also want to continue to drive adoption of the most secure factors available to developers on the platform, such as passkeys or security keys, and help developers &ldquo;move up&rdquo; to more secure authenticator types. Throughout this, making security easy and effective <a href="https://github.blog/2021-02-24-hello-from-githubs-new-chief-security-officer/">remains a top priority</a>&mdash;after all, security that isn&rsquo;t usable isn&rsquo;t security at all.</p>
  936. <h2 id="a-call-to-action-%f0%9f%93%a3" id="a-call-to-action-%f0%9f%93%a3" >A call to action &#128227;<a href="#a-call-to-action-%f0%9f%93%a3" class="heading-link pl-2 text-italic text-bold" aria-label="A call to action &#128227;"></a></h2>
  937. <p>We all have a role to play in securing the software ecosystem, and platforms must commit to being both a responsible consumer of software and contributor back to it. <strong>GitHub chose to take on 2FA at scale because we believe it&rsquo;s the right thing to do to protect the entire ecosystem and we believe it&rsquo;s vital that other organizations join us</strong>. Our work here shows that it&rsquo;s possible to raise the bar for security significantly without negatively impacting users&rsquo; experiences. We encourage other organizations to strongly consider making 2FA requirements on their own platforms where possible.</p>
  938. <p>If you&rsquo;d like to learn more about <em>how</em> we rolled out 2FA for millions of developers, look forward to a follow-up post that takes a deeper dive into our work in the coming weeks.</p>
  939. <p>If you&rsquo;d like to join us in this effort, <a href="https://docs.github.com/authentication/securing-your-account-with-two-factor-authentication-2fa">enable 2FA on your own account</a>, <a href="https://docs.github.com/authentication/authenticating-with-a-passkey">adopt passkeys</a>, or <a href="https://docs.github.com/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization">require 2FA for your organization</a>.</p>
  940. <p><em>Note: If you or your organization are implementing internal 2FA-related policy, please note that our requirements are not designed to cover all GitHub.com users. Read more about our current enrollment criteria <a href="https://docs.github.com/authentication/securing-your-account-with-two-factor-authentication-2fa/about-mandatory-two-factor-authentication">here</a> and consider <a href="https://docs.github.com/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization">requiring 2FA for your organization</a>.</em></p>
  941. <div class="post-content-cta"><p>
  942. <strong>Want to learn more about how GitHub can help you easily secure your code?</strong></p>
  943. <p>At <a href="https://githubuniverse.com/">GitHub Universe 2024</a>, we&rsquo;ll explore cutting-edge research and best practices in developer-first security&mdash;empowering you to ship secure code fast.</p>
  944. <p>Our Super Early Bird sale ends soon! <a href="https://githubuniverse.com/?utm_source=Blog&amp;utm_medium=GitHub&amp;utm_campaign=universe-blog">Buy your tickets now</a>.</p>
  945. </div>
  946. <div class="footnotes">
  947. <hr>
  948. <ol>
  949. <li id="fn-77576-1">
  950. Note that all active contributors includes users that made contributions, which didn&rsquo;t specifically qualify them for 2FA requirements, such as issue comments.&nbsp;<a href="#fnref-77576-1" title="Return to main content.">&#8617;</a>
  951. </li>
  952. </ol>
  953. </div>
  954. </body></html>
  955. <p>The post <a href="https://github.blog/2024-04-24-securing-millions-of-developers-through-2fa/">Securing millions of developers through 2FA</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  956. ]]></content:encoded>
  960. <post-id xmlns="com-wordpress:feed-additions:1">77576</post-id> </item>
  961. <item>
  962. <title>Using open source to help the earth</title>
  963. <link>https://github.blog/2024-04-22-using-open-source-to-help-the-earth/</link>
  965. <dc:creator><![CDATA[Paull Young]]></dc:creator>
  966. <pubDate>Mon, 22 Apr 2024 15:00:46 +0000</pubDate>
  967. <category><![CDATA[Open Source]]></category>
  968. <category><![CDATA[Earth Day]]></category>
  969. <category><![CDATA[social impact]]></category>
  970. <category><![CDATA[sustainability]]></category>
  971. <guid isPermaLink="false">https://github.blog/?p=77565</guid>
  972.  
  973. <description><![CDATA[<p>This Earth Day, we discuss how tech and open source are helping two organizations combat the effects of a changing climate.</p>
  974. <p>The post <a href="https://github.blog/2024-04-22-using-open-source-to-help-the-earth/">Using open source to help the earth</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  975. ]]></description>
  976. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  977. <html><body><p>When I start something new, I love to jump right in and get my feet wet (though, preferably in the Great Barrier Reef). As the new Environmental Sustainability lead at GitHub, this meant within the first few days of my job I was hearing directly from some of the incredible organizations that are leveraging tech to protect the environment.</p>
  978. <p>Coming from Australia, my love for the ocean runs deep, as does my concern for how a changing climate is changing life for all of us around the world. So, I was thrilled to have a chance to speak with <strong>Kakani Katija, Principal Engineer at the <a href="https://www.mbari.org/">Monterey Bay Aquarium Research Institute (MBARI)</a></strong>, to see how her team is using open source to research our changing oceans.</p>
  979. <p>Moving above ground, I also spoke with co-founders, <strong>Lassor Feasley, CEO, and Scott Schwartz, CTO at <a href="https://www.renewables.org/">Renewables.org</a></strong>. There&rsquo;s huge potential for solutions that both mitigate carbon and accelerate green power, as well as support the adaptation and resilience of communities that are going to feel the impact of climate change. Renewables.org encompasses this idea, and is using tech to bring it to life.</p>
  980. <p>The future of our changing climate is tied inextricably to tech, and these leaders are showing how we can use open source to fight back.</p>
  981. <p><strong>Paull Young</strong><br>
  982. <em>Environmental Sustainability Senior Program Manager // GitHub</em></p>
  983. <hr>
  984. <h2 id="diving-into-monterey-bay-aquarium-research-institute" id="diving-into-monterey-bay-aquarium-research-institute" >Diving into Monterey Bay Aquarium Research Institute<a href="#diving-into-monterey-bay-aquarium-research-institute" class="heading-link pl-2 text-italic text-bold" aria-label="Diving into Monterey Bay Aquarium Research Institute"></a></h2>
  985. <p><strong>Paull (GitHub):</strong> Kakani, I would love for you to tell us about MBARI&rsquo;s <a href="https://www.mbari.org/data/fathomnet/">FathomNet</a> project and the work you&rsquo;re currently doing.</p>
  986. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/Kakani-Katija.jpg?w=300&#038;resize=300%2C233" alt="Headshot photograph of Kakani Katija. She is standing on a beach with the ocean visible behind her." width="300" height="233" class="alignleft size-medium wp-image-77568 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/Kakani-Katija.jpg?w=2040 2040w, https://github.blog/wp-content/uploads/2024/04/Kakani-Katija.jpg?w=300&#038;resize=300%2C233 300w, https://github.blog/wp-content/uploads/2024/04/Kakani-Katija.jpg?w=768 768w, https://github.blog/wp-content/uploads/2024/04/Kakani-Katija.jpg?w=1024 1024w, https://github.blog/wp-content/uploads/2024/04/Kakani-Katija.jpg?w=1536 1536w" sizes="(max-width: 300px) 100vw, 300px" data-recalc-dims="1" /></p>
  987. <p><strong>Kakani (MBARI):</strong> MBARI cares about building technology and approaches that allow us to study a changing ocean. FathomNet, in particular, is really focused on how to monitor biological systems at scale in the ocean. This is incredibly important when talking about sustainability and climate change, as we have no idea how the blue economy and blue energy projects that are being pushed into the ocean will impact these existing biological communities. We hope that FathomNet will unleash the power of AI in the ocean, enabling the future of conservation, exploration, and discovery.</p>
  988. <p><strong>Paull:</strong> I saw that you&rsquo;ll be coming out with a mobile game soon&mdash;what&rsquo;s the story behind that and how does it tap into the work you&rsquo;re already doing?</p>
  989. <p><strong>Kakani:</strong> We have actually created a game that will be launching in May called <a href="https://www.fathomverse.game/">FathomVerse</a>. We&rsquo;ll be pushing data with machine-generated proposals to players who will identify what these different images are, and then community consensus labels will be created and pushed to FathomNet.</p>
  990. <p>This was created because there are a limited number of experts in the world that can identify an animal down to a species or genus level from a visual or an image. But there are actually quite a few individuals in the world&mdash;from ocean enthusiasts to people who took a marine biology course&mdash;that could identify things that would have value to the research community.</p>
  991. <p><strong>Paull:</strong> Do you need any training for that or can anyone download it and help contribute to your mission?</p>
  992. <p><strong>Kakani:</strong> You&rsquo;ll get training through the game and feedback throughout. FathomNet is a source of labeled data and this is mixed in with the unlabeled data in the game. So, you&rsquo;ll get instant feedback when you&rsquo;re right or wrong or miss something, but then you&rsquo;ll also receive delayed feedback on how you compared to the rest of the community consensus.</p>
  993. <p><strong>Paull:</strong> I love this. It&rsquo;s the nature of open source data that&rsquo;s underpinning this entire game and experience.</p>
  994. <h2 id="reflecting-on-renewables-org" id="reflecting-on-renewables-org" >Reflecting on Renewables.org<a href="#reflecting-on-renewables-org" class="heading-link pl-2 text-italic text-bold" aria-label="Reflecting on Renewables.org"></a></h2>
  995. <p><strong>Paull (GitHub):</strong> What&rsquo;s happening with Renewables.org is really exciting; can you tell me more about what your mission is and how your model works?</p>
  996. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/Lassor-Feasley.png?w=300&#038;resize=300%2C300" alt="Headshot photograph of Lassor Feasley, a man with short dark hair wearing a tan sweater over a black collared shirt." width="300" height="300" class="alignleft size-medium wp-image-77569 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/Lassor-Feasley.png?w=500 500w, https://github.blog/wp-content/uploads/2024/04/Lassor-Feasley.png?w=150 150w, https://github.blog/wp-content/uploads/2024/04/Lassor-Feasley.png?w=300&#038;resize=300%2C300 300w, https://github.blog/wp-content/uploads/2024/04/Lassor-Feasley.png?w=400 400w, https://github.blog/wp-content/uploads/2024/04/Lassor-Feasley.png?w=200 200w, https://github.blog/wp-content/uploads/2024/04/Lassor-Feasley.png?w=90 90w, https://github.blog/wp-content/uploads/2024/04/Lassor-Feasley.png?w=116 116w" sizes="(max-width: 300px) 100vw, 300px" data-recalc-dims="1" /></p>
  997. <p><strong>Lassor (Renewables.org):</strong> Renewables.org is the online solar investing nonprofit that&rsquo;s so far helped finance about a dozen solar projects across the Global South, including India and Africa. We&rsquo;ve chosen to finance projects in these regions because they&rsquo;re the places where you have the highest carbon impact per dollar&mdash;there&rsquo;s literally no other product or investment we&rsquo;ve evaluated that has a higher carbon impact.</p>
  998. <p>Anyone can come to our site and buy a $25 share in one of our projects, and we pay it back monthly over five years. So, if you buy one panel, you&rsquo;ll start earning back your investment 42 cents at a time and you get fully repaid over five years. As you earn those repayments back, you can either withdraw them back to your personal account or use them to subsidize the purchase of even more panels and have an even greater investment.</p>
  999. <p>This idea came about with one of our board level co-founders, Premal Shah. He&rsquo;s famous for having helped build <a href="http://Kiva.org">Kiva.org</a>&mdash;a very popular anti-poverty microfinance crowdfunding website.</p>
  1000. <p><strong>Paull:</strong> I know you&rsquo;re still in the earlier stages of your organization and the implementation of open source, but what do those next steps look like?</p>
  1001. <p><img loading="lazy" decoding="async" src="https://github.blog/wp-content/uploads/2024/04/Scott-Schwartz-1.jpg?w=300&#038;resize=300%2C300" alt="Headshot photograph of Scott Schwartz, who is wearing a white collared shirt under a grey blazer jacket. He is smiling and standing underneath a palm tree." width="300" height="300" class="alignleft size-medium wp-image-77570 width-fit" srcset="https://github.blog/wp-content/uploads/2024/04/Scott-Schwartz-1.jpg?w=594 594w, https://github.blog/wp-content/uploads/2024/04/Scott-Schwartz-1.jpg?w=150 150w, https://github.blog/wp-content/uploads/2024/04/Scott-Schwartz-1.jpg?w=300&#038;resize=300%2C300 300w, https://github.blog/wp-content/uploads/2024/04/Scott-Schwartz-1.jpg?w=400 400w, https://github.blog/wp-content/uploads/2024/04/Scott-Schwartz-1.jpg?w=200 200w, https://github.blog/wp-content/uploads/2024/04/Scott-Schwartz-1.jpg?w=90 90w, https://github.blog/wp-content/uploads/2024/04/Scott-Schwartz-1.jpg?w=116 116w" sizes="(max-width: 300px) 100vw, 300px" data-recalc-dims="1" /></p>
  1002. <p><strong>Scott (Renewables.org):</strong> We&rsquo;ve been identifying open source data we&rsquo;d like to integrate into the site&mdash;things like <a href="https://github.com/electricitymaps/electricitymaps-contrib">electricity maps</a>&mdash;and we&rsquo;re currently getting solar irradiation data from <a href="https://openweathermap.org/">OpenWeather</a>.</p>
  1003. <p>We&rsquo;re now planning for scale and would like to move towards an API-first setup for the site. Currently, we&rsquo;re using the standard features within GitHub (source control, issue tracking), but GitHub Copilot has come in handy as it&rsquo;s been many years since I worked with PHP and to say I&rsquo;m rusty would be generous.</p>
  1004. <h2 id="the-role-and-culture-of-open-source-in-sustainability" id="the-role-and-culture-of-open-source-in-sustainability" >The role and culture of open source in sustainability<a href="#the-role-and-culture-of-open-source-in-sustainability" class="heading-link pl-2 text-italic text-bold" aria-label="The role and culture of open source in sustainability"></a></h2>
  1005. <p><strong>Paull:</strong> Why is open source so important to the work that MBARI&rsquo;s FathomNet is doing and how are you engaging with that community?</p>
  1006. <p><strong>Kakani:</strong> Open data is incredibly important because data is collected in silos in the oceanographic community. It&rsquo;s often limited to individual groups or institutions that have access to the ocean through advanced robotics, research vessels, or something similar. <strong>But by making data public and more available following the FAIR data principles, we can democratize access to the ocean.</strong> So, that&rsquo;s one of the reasons why FathomNet exists&mdash;as a mechanism for people to evaluate imagery that&rsquo;s being collected and generate a data set of ocean life that we can build upon as a community and grow over time.</p>
  1007. <p><strong>Paull:</strong> Do you see any culture shifts happening where this type of data is trending more towards open source?</p>
  1008. <p><strong>Kakani:</strong> There is a **shift happening where people are starting to recognize that working in open source and making the data open and available is far more valuable to more people. **But it&rsquo;s a cultural change that takes time. I think we&rsquo;re kind of in that middle ground where there are still a lot of people waiting to see what happens before they&rsquo;re going to fully throw themselves and their data into the pipeline and process.</p>
  1009. <p>I&rsquo;m hopeful that what we&rsquo;ve done with FathomNet already and now with this game, we&rsquo;ll be able to create massive engagement at scale that will help get us over that fence and get a lot of people contributing within our community.</p>
  1010. <p><strong>Paull:</strong> How do you imagine open source will further the work Renewables.org is already doing?</p>
  1011. <p><strong>Lassor:</strong> We have created a methodology in open source around how we prove that these are the highest carbon impact per dollar solar projects that we could possibly fund. And the methodology has three parts:</p>
  1012. <ol>
  1013. <li>How much more carbon intensive is the project we&rsquo;re investing in than a typical U.S.-based project (usually two or three times)?</li>
  1014. <li>How much more sunshine is there each year (typically there&rsquo;s about 20% more)? </li>
  1015. <li>How many watts do you build per dollar (two or three times more watts for every dollar that you invest)? </li>
  1016. </ol>
  1017. <p>This comes out to about five times more carbon impact invested per dollar on Renewables.org than if you invested the same money in the United States.</p>
  1018. <p><strong>Scott:</strong> We&rsquo;ve been committed to <strong>making our calculator open source because trust is built with transparency, but also, if the community has a better way to estimate impact, we want to hear it!</strong> We want people to have faith in the platform and in the numbers that we&rsquo;re producing, and the community is great at vetting and improving this work.</p>
  1019. <h2 id="how-developers-and-communities-shape-your-work" id="how-developers-and-communities-shape-your-work" >How developers and communities shape your work<a href="#how-developers-and-communities-shape-your-work" class="heading-link pl-2 text-italic text-bold" aria-label="How developers and communities shape your work"></a></h2>
  1020. <p><strong>Paull:</strong> How have users or people interested in these topics shaped the work that you do?</p>
  1021. <p><strong>Kakani:</strong> We&rsquo;ve had more than a thousand unique players beta test FathomVerse, the game, and <strong>what we keep hearing is that they&rsquo;re really excited about this positive use of AI</strong>.There&rsquo;s a lot of negativity around AI and how information is being extracted as new models are trained. But because we&rsquo;re so transparent about where the source of the data is coming from, what its use is, and also what the goal is, game players have had a really positive response.</p>
  1022. <p><strong>Lassor:</strong> We learned a lot from Kiva.org&mdash;they have an incredibly engaged community that wants a huge amount of transparency. <strong>One thing that we learned from them before we even got started is that climate and sustainability related investments are the most in-demand feature.</strong> That&rsquo;s part of what gave us the confidence to do this.</p>
  1023. <p>There are different groups on Kiva.org that collaborate to fund certain types of loans, and the largest and most active one is called <a href="https://www.kiva.org/team/join/climatepilots">Climate Pilots</a>. And we&rsquo;ve been able to engage that community and recruit some of the very first Renewables.org users. We&rsquo;ve also been able to more broadly draw marketing insights by watching them and responding to what their needs are.</p>
  1024. <hr>
  1025. <p>From the sun to the depths of the ocean, the utilization of tech and open source in a changing climate is far-reaching. These two organizations show us just how big of an impact we can make by leveraging tech for good. To get involved with FathomNet, visit their <a href="https://www.mbari.org/data/fathomnet/">website</a> or <a href="https://github.com/fathomnet">repository</a>. To support Renewables.org&rsquo;s work, check out their <a href="https://www.renewables.org/invest">website</a> or add comments to their <a href="https://docs.google.com/spreadsheets/d/1vrzaPgeRQ81fnB96diU-gBqpAdlNa6RPuHEdvHf8Sqg/edit?usp=sharing">impact multiplier</a>.</p>
  1026. <aside class="p-4 p-md-6 post-aside--large"><p class="h5-mktg gh-aside-title">This is just a slice of open source innovation that is helping the Earth.</p><p>Check out our new series, Coding Sustainability, to learn how The Ocean Cleanup uses innovative technology and data-driven approaches to tackle the Great Pacific Garbage Patch.</p>
  1027. <p><iframe loading="lazy" width="560" height="315" src="https://www.youtube.com/embed/n5z4YcP5R18?si=GzwMiSumRVInuOHy" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
  1028.  
  1029. </aside>
  1030. </p></body></html>
  1031. <p>The post <a href="https://github.blog/2024-04-22-using-open-source-to-help-the-earth/">Using open source to help the earth</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  1032. ]]></content:encoded>
  1036. <post-id xmlns="com-wordpress:feed-additions:1">77565</post-id> </item>
  1037. <item>
  1038. <title>A short guide to mastering keyboard shortcuts on GitHub</title>
  1039. <link>https://github.blog/2024-04-19-a-short-guide-to-mastering-keyboard-shortcuts-on-github/</link>
  1041. <dc:creator><![CDATA[Sara Verdi]]></dc:creator>
  1042. <pubDate>Fri, 19 Apr 2024 16:37:20 +0000</pubDate>
  1043. <category><![CDATA[Product]]></category>
  1044. <category><![CDATA[Github]]></category>
  1045. <category><![CDATA[Insider]]></category>
  1046. <category><![CDATA[productivity]]></category>
  1047. <category><![CDATA[tips]]></category>
  1048. <guid isPermaLink="false">https://github.blog/?p=77552</guid>
  1049.  
  1050. <description><![CDATA[<p>Say goodbye to constant mouse clicking and hello to seamless navigation with GitHub shortcuts. </p>
  1051. <p>The post <a href="https://github.blog/2024-04-19-a-short-guide-to-mastering-keyboard-shortcuts-on-github/">A short guide to mastering keyboard shortcuts on GitHub</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  1052. ]]></description>
  1053. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  1054. <html><body><div class="content-table-wrap"><table style="border: 1px black">
  1055. <tbody>
  1056. <tr>
  1057. <td>This is abridged content from November 2023&rsquo;s <em>Insider</em> newsletter. Like what you see? Sign up for the newsletter to receive complete, unabridged content in your inbox twice a month. <a href="https://resources.github.com/newsletter/">Sign up now &gt; </a></td>
  1058. </tr>
  1059. </tbody>
  1060. </table></div>
  1061. <p>Did you know that just about every page on GitHub has a keyboard shortcut? In this blog post, we&rsquo;ll uncover the world of <a href="https://docs.github.com/get-started/using-github/keyboard-shortcuts">GitHub keyboard shortcuts</a> and how they can help you navigate and perform actions swiftly. &#9000;&#65039;</p>
  1062. <p>After reading this post, you&rsquo;ll be able to:</p>
  1063. <p>&#128161; <strong>Master the shortcuts.</strong> You might be asking, how can I access said shortcuts? Simply by typing &ldquo;?&rdquo; on any Github page!* These shortcuts will empower you to perform various actions across the site without relying on your mouse.</p>
  1064. <p>&#128295; <strong>Customize your experience.</strong> You can tailor your shortcut experience by enabling or disabling character key shortcuts according to your preferences, all within your accessibility settings. For more information, see &ldquo;<a href="https://docs.github.com/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-accessibility-settings">Managing accessibility settings</a>.&rdquo;</p>
  1065. <p>&#127913; <strong>Make magic.</strong> With the <a href="https://docs.github.com/get-started/using-github/github-command-palette">GitHub Command Palette</a>, you can effortlessly navigate, search, and execute commands on GitHub&mdash;all without the need to memorize multiple keyboard combinations. To open the command palette, type in this combination:</p>
  1066. <ul>
  1067. <li><strong>Windows and Linux:</strong> &ldquo;Ctrl+K&rdquo; or &ldquo;Ctrl+Alt+K&rdquo;</li>
  1068. <li><strong>Mac:</strong> &ldquo;Command+K&rdquo; or &ldquo;Command+Option+K&rdquo;</li>
  1069. </ul>
  1070. <p><em>Please note: not all shortcuts are available on every page. When you open the shortcut window (<kbd>?</kbd>), it will provide you with the available keyboard shortcuts.</em></p>
  1071. <figure id="attachment_77559"  class="wp-caption aligncenter mx-0"><img loading="lazy" decoding="async" width="600" height="338" src="https://github.blog/wp-content/uploads/2024/04/ezgif.com-gif-maker.gif?w=600&#038;resize=600%2C338" alt="Gif of a laptop with someone pressing keys and giving the thumbs up." class="width-fit size-large wp-image-77559 width-fit" data-recalc-dims="1"><figcaption class="text-mono color-fg-muted mt-14px f5-mktg">A gif of the author playing around with the notifications keyboard shortcut&mdash;and loving it!</figcaption></figure>
  1072. <h2 id="ready-to-give-your-mouse-a-break-lets-dive-into-some-top-keyboard-shortcuts-to-get-you-started" id="ready-to-give-your-mouse-a-break-lets-dive-into-some-top-keyboard-shortcuts-to-get-you-started" >Ready to give your mouse a break? Let&rsquo;s dive into some top keyboard shortcuts to get you started.<a href="#ready-to-give-your-mouse-a-break-lets-dive-into-some-top-keyboard-shortcuts-to-get-you-started" class="heading-link pl-2 text-italic text-bold" aria-label="Ready to give your mouse a break? Let&rsquo;s dive into some top keyboard shortcuts to get you started."></a></h2>
  1073. <h3 id="%f0%9f%9a%80-navigation" id="%f0%9f%9a%80-navigation" >&#128640; Navigation<a href="#%f0%9f%9a%80-navigation" class="heading-link pl-2 text-italic text-bold" aria-label="&#128640; Navigation"></a></h3>
  1074. <p>Tap these keys to navigate your way around our platform with ease:</p>
  1075. <p><kbd>T</kbd>: Quick access to &ldquo;File Finder.&rdquo;</p>
  1076. <p><kbd>W</kbd>: Close the currently open tab or pull request.</p>
  1077. <p><kbd>S</kbd>: Focus on the site search bar.</p>
  1078. <p><kbd>G</kbd>, <kbd>P</kbd>: Jump to your profile.</p>
  1079. <h3 id="%f0%9f%93%82-repository-navigation" id="%f0%9f%93%82-repository-navigation" >&#128194; Repository navigation<a href="#%f0%9f%93%82-repository-navigation" class="heading-link pl-2 text-italic text-bold" aria-label="&#128194; Repository navigation"></a></h3>
  1080. <p>These shortcuts will guide you through your repositories:</p>
  1081. <p><kbd>G</kbd>, <kbd>I</kbd>: Jump to your issues.</p>
  1082. <p><kbd>G</kbd>, <kbd>P</kbd>: Navigate to your pull requests.</p>
  1083. <p><kbd>G</kbd>, <kbd>B</kbd>: Head to your repository.</p>
  1084. <p><kbd>G</kbd>, <kbd>C</kbd>: Visit your repository&rsquo;s code.</p>
  1085. <h3 id="%f0%9f%93%9d-issues-and-pull-requests" id="%f0%9f%93%9d-issues-and-pull-requests" >&#128221; Issues and pull requests<a href="#%f0%9f%93%9d-issues-and-pull-requests" class="heading-link pl-2 text-italic text-bold" aria-label="&#128221; Issues and pull requests"></a></h3>
  1086. <p>Spin up issues and pull requests with one single keystroke:</p>
  1087. <p><kbd>C</kbd>: Create a new issue.</p>
  1088. <p><kbd>Y</kbd>: Close an issue or pull request.</p>
  1089. <p><kbd>R</kbd>: Reopen a closed issue or pull request.</p>
  1090. <p><kbd>K</kbd>: Move up the discussion timeline.</p>
  1091. <p><kbd>J</kbd>: Move down the discussion timeline.</p>
  1092. <h3 id="%f0%9f%94%8d-search" id="%f0%9f%94%8d-search" >&#128269; Search<a href="#%f0%9f%94%8d-search" class="heading-link pl-2 text-italic text-bold" aria-label="&#128269; Search"></a></h3>
  1093. <p>Quickly spin up a search bar to find what you need right when you need it:</p>
  1094. <p><kbd>/</kbd>: Start a quick search.</p>
  1095. <p><kbd>S</kbd>: Focus on the site search bar.</p>
  1096. <p><kbd>F</kbd>: Search within the code in a repository.</p>
  1097. <p><kbd>T</kbd>: File finder for code search.</p>
  1098. <p><kbd>W</kbd>: View code in a workspace.</p>
  1099. <h3 id="%f0%9f%93%8e-notifications" id="%f0%9f%93%8e-notifications" >&#128206; Notifications<a href="#%f0%9f%93%8e-notifications" class="heading-link pl-2 text-italic text-bold" aria-label="&#128206; Notifications"></a></h3>
  1100. <p>Stay on top of your projects with a hop on over to your notifications:</p>
  1101. <p><kbd>G</kbd>, <kbd>N</kbd>: Go to your notifications.</p>
  1102. <h3 id="%f0%9f%93%a4-create-and-submit" id="%f0%9f%93%a4-create-and-submit" >&#128228; Create and submit<a href="#%f0%9f%93%a4-create-and-submit" class="heading-link pl-2 text-italic text-bold" aria-label="&#128228; Create and submit"></a></h3>
  1103. <p>Spin up a new repository or view your issues in a flash:</p>
  1104. <p><kbd>N</kbd>: Create a new repository.</p>
  1105. <p><kbd>I</kbd>: Go to your issues.</p>
  1106. <p><kbd>P</kbd>: Navigate to your pull requests.</p>
  1107. <p><kbd>B</kbd>: Visit your repository.</p>
  1108. <h3 id="%f0%9f%94%92-security" id="%f0%9f%94%92-security" >&#128274; Security<a href="#%f0%9f%94%92-security" class="heading-link pl-2 text-italic text-bold" aria-label="&#128274; Security"></a></h3>
  1109. <p>Keep abreast of your security posture by navigating to your settings with ease:</p>
  1110. <p><kbd>G</kbd>, <kbd>S</kbd>: Navigate to your security settings.</p>
  1111. <p>With these keyboard shortcuts under your belt, you&rsquo;ll become a GitHub power user in no time. And remember, you don&rsquo;t have to commit all of these to memory&mdash;the <a href="https://docs.github.com/get-started/using-github/github-command-palette">GitHub Command Palette</a> has all that covered for you.</p>
  1112. <p>Want to know what other GitHub users&rsquo; favorite keyboard shortcuts are? Take a look through the comments on this <a href="https://www.linkedin.com/posts/github_githubdev-keyboard-shortcut-activity-7108860082779484160-sgap/?utm_source=share&amp;utm_medium=member_desktop">video</a>. And to further boost your productivity on GitHub, you can explore GitHub Actions&mdash;an integrated automation and CI/CD service within your repositories. GitHub Actions streamlines code-related tasks and development by defining event-triggered workflows; check it out today! Get started with <a href="https://github.com/features/actions">GitHub Actions</a>.</p>
  1113. <div class="post-content-cta"><p>Want to receive content like this twice a month, right in your inbox? <a href="https://resources.github.com/newsletter/">Sign up for the newsletter now &gt;</a></p>
  1114. </div>
  1115. </body></html>
  1116. <p>The post <a href="https://github.blog/2024-04-19-a-short-guide-to-mastering-keyboard-shortcuts-on-github/">A short guide to mastering keyboard shortcuts on GitHub</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  1117. ]]></content:encoded>
  1121. <post-id xmlns="com-wordpress:feed-additions:1">77552</post-id> </item>
  1122. <item>
  1123. <title>A policy proposal on our approach to deepfake tools and responsible AI</title>
  1124. <link>https://github.blog/2024-04-18-a-policy-proposal-on-our-approach-to-deepfake-tools-and-responsible-ai/</link>
  1126. <dc:creator><![CDATA[Jesse Geraci]]></dc:creator>
  1127. <pubDate>Thu, 18 Apr 2024 17:30:32 +0000</pubDate>
  1128. <category><![CDATA[Policy]]></category>
  1129. <category><![CDATA[acceptable use]]></category>
  1130. <category><![CDATA[AI]]></category>
  1131. <category><![CDATA[GitHub Policy]]></category>
  1132. <category><![CDATA[responsible AI]]></category>
  1133. <guid isPermaLink="false">https://github.blog/?p=77541</guid>
  1134.  
  1135. <description><![CDATA[<p>We’re asking for feedback on a proposed Acceptable Use Policy update to address the use of synthetic and manipulated media tools for non-consensual intimate imagery and disinformation while protecting valuable research.</p>
  1136. <p>The post <a href="https://github.blog/2024-04-18-a-policy-proposal-on-our-approach-to-deepfake-tools-and-responsible-ai/">A policy proposal on our approach to deepfake tools and responsible AI</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  1137. ]]></description>
  1138. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  1139. <html><body><p>We are proposing an addition to our <a href="https://docs.github.com/en/site-policy/acceptable-use-policies/github-misinformation-and-disinformation">Acceptable Use Policies on Misinformation and Disinformation</a> to address the development of synthetic and manipulated media tools for the creation of non-consensual intimate imagery (NCII) and disinformation. We have opened <a href="https://github.com/github/site-policy/pull/926">a pull request</a> for public comment on the proposed change, which reads as follows:</p>
  1140. <blockquote><p>
  1141.  <strong>Synthetic and Manipulated Media Tools</strong><br>
  1142.    GitHub does not allow any projects that are designed for, encourage, promote, support, or suggest in any way the use of synthetic or manipulated media for the creation of non-consensual intimate imagery or any content that would constitute misinformation or disinformation under this policy.
  1143. </p></blockquote>
  1144. <h2 id="why-are-we-proposing-this-change" id="why-are-we-proposing-this-change" >Why are we proposing this change?<a href="#why-are-we-proposing-this-change" class="heading-link pl-2 text-italic text-bold" aria-label="Why are we proposing this change?"></a></h2>
  1145. <p>Artificial intelligence (AI) has rapidly progressed beyond the realm of science fiction. One of its most impressive capabilities is the ability to generate realistic looking images, audio, and video, which has substantial benefits for creativity and innovation, but also introduces new vectors of abuse. As we move into a significant year for global elections, we have observed rising concern for the use of <a href="https://www.theverge.com/policy/24098798/2024-election-ai-generated-disinformation">AI-generated disinformation</a> such as deepfake videos, images, and robocalls. Additionally, several high-profile cases of the use of deepfake technology to generate NCII have prompted a wave of <a href="https://statescoop.com/deepfakes-presidential-election-ai-2024/">state</a> and <a href="https://time.com/6590711/deepfake-protection-federal-bill/">federal</a> legislative proposals. As a code collaboration platform that could be used to share the tools to make synthetic or manipulated media, we must take responsible measures to address these harms while protecting valuable research.</p>
  1146. <p>At GitHub, we have always adapted our policies to reflect new technologies and their impacts. This proposed change addresses concerns about the use of technology to create deepfakes for election disinformation, harassment, and other deceptive misuses, while enabling legitimate uses of this technology.</p>
  1147. <h2 id="how-are-we-thinking-about-this" id="how-are-we-thinking-about-this" >How are we thinking about this?<a href="#how-are-we-thinking-about-this" class="heading-link pl-2 text-italic text-bold" aria-label="How are we thinking about this?"></a></h2>
  1148. <p>Our mission is to accelerate human progress through developer collaboration. One way we further that goal is by making a vast amount of source code available to the public. The more source code available, the more the world can learn from it, secure it, and build off it. So, whenever we make changes to our <a href="https://docs.github.com/site-policy/acceptable-use-policies/github-acceptable-use-policies">Acceptable Use Policies</a>, we think hard about how our policies will affect the public availability of code on our platform.</p>
  1149. <p>There is always some educational value to sharing code, and removing code from the public removes important information that can be used to address critical challenges, understand key concepts, and enable important innovation. For example, security researchers gain enormous value from examining the source code that generates exploits, which allows them to develop tools that can detect malware and create counter measures for it, but such software also has the potential to be abused. We publicly addressed these questions <a href="https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/">a few years ago</a> when we updated our policies on <a href="https://docs.github.com/site-policy/acceptable-use-policies/github-active-malware-or-exploits">malware</a>, where we disallow actively harmful projects but allow dual-use content that is shared for the purpose of security research. We want to take a similar approach here.</p>
  1150. <p>GitHub is a home for all developers. If you are developing synthetic and manipulated media tools that contribute to the world&rsquo;s knowledge, we want that research and creative energy here in this community. It is important for this research to happen in the open where others can learn from it. At the same time, we cannot tolerate tools on our platform designed to create harmful non-consensual intimate imagery or whose purpose is to develop synthetic media intended to misinform and spread disinformation. Through enforcing this policy, we will differentiate between harmful misuse and legitimate dual or general use and consider proportionate responses to possible abuse.</p>
  1151. <h2 id="next-steps" id="next-steps" >Next steps<a href="#next-steps" class="heading-link pl-2 text-italic text-bold" aria-label="Next steps"></a></h2>
  1152. <p>You can review our proposed Acceptable Use Policy addition in the <a href="https://github.com/github/site-policy">site-policy repository</a>, where we continually develop and make updates to our policies collaboratively with the community. We invite all stakeholders to <a href="https://github.com/github/site-policy/pull/926">comment</a> for the 30-day period from now until May 20, and look forward to learning from and engaging with the broader community on these important topics.</p>
  1153. </body></html>
  1154. <p>The post <a href="https://github.blog/2024-04-18-a-policy-proposal-on-our-approach-to-deepfake-tools-and-responsible-ai/">A policy proposal on our approach to deepfake tools and responsible AI</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  1155. ]]></content:encoded>
  1159. <post-id xmlns="com-wordpress:feed-additions:1">77541</post-id> </item>
  1160. <item>
  1161. <title>The world&#8217;s fair of software: Join us at GitHub Universe 2024</title>
  1162. <link>https://github.blog/2024-04-16-the-worlds-fair-of-software-join-us-at-github-universe-2024/</link>
  1164. <dc:creator><![CDATA[Jeimy Ruiz]]></dc:creator>
  1165. <pubDate>Tue, 16 Apr 2024 16:00:39 +0000</pubDate>
  1166. <category><![CDATA[Community]]></category>
  1167. <category><![CDATA[GitHub Universe]]></category>
  1168. <guid isPermaLink="false">https://github.blog/?p=77511</guid>
  1169.  
  1170. <description><![CDATA[<p>It’s the 10th anniversary of our global developer event! Celebrate with us by picking up in-person tickets today. It’s bound to be our best one yet.</p>
  1171. <p>The post <a href="https://github.blog/2024-04-16-the-worlds-fair-of-software-join-us-at-github-universe-2024/">The world&#8217;s fair of software: Join us at GitHub Universe 2024</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  1172. ]]></description>
  1173. <content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
  1174. <html><body><p>Imagine arriving at a conference and immediately feeling inspired: your agenda is packed with must-see GitHub Copilot sessions, booths are filled with experts from top tech companies, and you&rsquo;re surrounded by thousands of fellow developers and leaders who are eager to connect.</p>
  1175. <p>That is the experience we&rsquo;re curating for the 10th anniversary of our global developer event. This year, we&rsquo;re going bigger and better with a stunning new venue as the foundation. We hope you&rsquo;ll join us at the Fort Mason Center for Arts &amp; Culture on the San Francisco Bay, from October 29-30, or virtually from anywhere in the world.</p>
  1176. <p>As the world&rsquo;s fair of software, GitHub Universe 2024 will be an unparalleled gathering of the brightest minds, companies, and innovators in the industry. With sessions diving into AI, the developer experience (DevEx), and security, attendees will have an opportunity to explore the latest products, best practices, and insights shaping the future of software development.</p>
  1177. <p>Ready to be a part of this milestone event with us? In-person tickets are currently 35% off with our Super Early Bird discount, only from now until July 8.</p>
  1178. <div class="content-button-wrap text-center"><a href="https://githubuniverse.com/?utm_source=Blog&#038;utm_medium=GitHub&#038;utm_campaign=universe-blog" target="_self" class="btn-mktg">Get tickets</a></div>
  1179. <h2 id="universe-2024-where-innovation-meets-fun-food-and-connection-%f0%9f%8e%a8" id="universe-2024-where-innovation-meets-fun-food-and-connection-%f0%9f%8e%a8" >Universe 2024: Where innovation meets fun, food, and connection &#127912;<a href="#universe-2024-where-innovation-meets-fun-food-and-connection-%f0%9f%8e%a8" class="heading-link pl-2 text-italic text-bold" aria-label="Universe 2024: Where innovation meets fun, food, and connection &#127912;"></a></h2>
  1180. <p>We take your experience as a Universe attendee very seriously. From the moment you step through the colorful gates right down to the beverages we serve, our 10th anniversary event will blow your expectations out of the water.</p>
  1181. <p>Spread across a sprawling 13-acre waterfront compound, Universe will unfold across seven buildings and various outdoor areas.</p>
  1182. <p class="purple-text text-gradient-purple-coral mt-6 mb-6">With five stages hosting more than 100 sessions and 150 speakers, alongside a record-breaking 3,500 attendees (that&rsquo;s over 50% more in-person attendees than last year!), this will be our biggest Universe yet.</p>
  1183. <p>During breakfast and lunch, you&rsquo;ll indulge in food trucks, snacks, and beverages&mdash;all included in the price of your in-person ticket. And don&rsquo;t forget to explore the GitHub Shop for the latest Universe swag and join us for lively happy hours sponsored by our partners.</p>
  1184. <a href="https://github.blog/2024-04-16-the-worlds-fair-of-software-join-us-at-github-universe-2024/#gallery-77511-1-slideshow">Click to view slideshow.</a>
  1185. <h2 id="everything-youll-learn-at-our-global-developer-event-%f0%9f%a7%a0" id="everything-youll-learn-at-our-global-developer-event-%f0%9f%a7%a0" >Everything you&rsquo;ll learn at our global developer event &#129504;<a href="#everything-youll-learn-at-our-global-developer-event-%f0%9f%a7%a0" class="heading-link pl-2 text-italic text-bold" aria-label="Everything you&rsquo;ll learn at our global developer event &#129504;"></a></h2>
  1186. <p>Attending Universe is an investment in your business and your career. It&rsquo;s easier than ever to be in charge of your growth with our beginner, intermediate, and advanced session topics curated to what developers and enterprises care about most.</p>
  1187. <p>As an in-person attendee, you&rsquo;ll also be able to take advantage of two ticket add-ons: <a href="https://examregistration.github.com/faq">GitHub Certification testing</a> and workshops, available onsite! Take what you learn during your sessions and practice them IRL alongside your industry peers.</p>
  1188. <p>You can secure your spot for workshops and certifications when you purchase your in-person ticket. Don&rsquo;t miss out&mdash;these opportunities will go fast!</p>
  1189. <p>If you&rsquo;re interested in attending Universe as a speaker instead, now is your chance! The call for sessions (CFS) is now open. Learn about the super cool perks Universe speakers get and <a href="https://reg.githubuniverse.com/flow/github/universe24/cfs/page/cfslandingpage">submit a session proposal</a> by May 10 to be considered. (And yes, you&rsquo;ll get a speaker honorarium to cover travel costs if selected!)</p>
  1190. <div class="mod-vh position-relative" style="height: 0; padding-bottom: calc((9 / 16)*100%);">
  1191. <iframe loading="lazy" class="position-absolute top-0 left-0 width-full height-full" src="https://www.youtube.com/embed/95_RpiysEXo?version=3&amp;rel=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;fs=1&amp;hl=en-US&amp;autohide=2&amp;wmode=transparent" title="YouTube video player" allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0"></iframe>
  1192. </div>
  1193. <p>Here&rsquo;s a sneak peek of the themes we have in store.</p>
  1194. <h3 id="ai-content-track-%f0%9f%a4%96" id="ai-content-track-%f0%9f%a4%96" >AI content track &#129302;<a href="#ai-content-track-%f0%9f%a4%96" class="heading-link pl-2 text-italic text-bold" aria-label="AI content track &#129302;"></a></h3>
  1195. <p><strong>This track will delve into:</strong></p>
  1196. <ul>
  1197. <li>The impact of AI on software development life cycles. </li>
  1198. <li>Practical uses like automating pull requests and using AI code generation tools like GitHub Copilot for onboarding and productivity gains. </li>
  1199. <li>Optimizing AI outputs, crafting AI policies, and fostering responsible AI deployment while evolving skill sets for success in the AI era.</li>
  1200. </ul>
  1201. <h3 id="devex-content-track-%e2%9a%99%ef%b8%8f" id="devex-content-track-%e2%9a%99%ef%b8%8f" >DevEx content track &#9881;&#65039;<a href="#devex-content-track-%e2%9a%99%ef%b8%8f" class="heading-link pl-2 text-italic text-bold" aria-label="DevEx content track &#9881;&#65039;"></a></h3>
  1202. <p><strong>Learn about the following within this track:</strong></p>
  1203. <ul>
  1204. <li>How the GitHub platform enhances platform engineering teams&rsquo; autonomy and efficiency.</li>
  1205. <li>The significance of investing in developer experience for fostering innovation and efficiency within organizations.</li>
  1206. <li>Strategies for effectively engaging with open source communities.</li>
  1207. </ul>
  1208. <h3 id="security-content-track-%f0%9f%94%90" id="security-content-track-%f0%9f%94%90" >Security content track &#128272;<a href="#security-content-track-%f0%9f%94%90" class="heading-link pl-2 text-italic text-bold" aria-label="Security content track &#128272;"></a></h3>
  1209. <p><strong>Come away from this track with a better understanding of:</strong></p>
  1210. <ul>
  1211. <li>Transforming application security with AI-powered vulnerability fixes.</li>
  1212. <li>How to delegate the task of prioritizing and fixing security debt to AI.</li>
  1213. <li>Leveraging open source to enhance code security while mitigating potential vulnerabilities. </li>
  1214. </ul>
  1215. <h2 id="will-you-celebrate-10-years-of-github-universe-with-us-%f0%9f%a4%97" id="will-you-celebrate-10-years-of-github-universe-with-us-%f0%9f%a4%97" >Will you celebrate 10 years of GitHub Universe with us? &#129303;<a href="#will-you-celebrate-10-years-of-github-universe-with-us-%f0%9f%a4%97" class="heading-link pl-2 text-italic text-bold" aria-label="Will you celebrate 10 years of GitHub Universe with us? &#129303;"></a></h2>
  1216. <p>Whether you&rsquo;re a leader interested in connecting with and learning from other industry executives, a manager hoping to propel your team&rsquo;s productivity to new heights, or a developer looking to acquire new skills and further your career, Universe has something for you.</p>
  1217. <div class="post-content-cta"><p>Are you in? <a href="https://githubuniverse.com/?utm_source=Blog&amp;utm_medium=GitHub&amp;utm_campaign=universe-blog">Get your in-person tickets</a> 35% off while supplies last, or join us virtually for free!</p>
  1218. </div>
  1219. </body></html>
  1220. <p>The post <a href="https://github.blog/2024-04-16-the-worlds-fair-of-software-join-us-at-github-universe-2024/">The world&#8217;s fair of software: Join us at GitHub Universe 2024</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
  1221. ]]></content:encoded>
  1225. <post-id xmlns="com-wordpress:feed-additions:1">77511</post-id> </item>
  1226. </channel>
  1227. </rss>
  1228.  

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

  1. Download the "valid RSS" banner.

  2. Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)

  3. Add this HTML to your page (change the image src attribute if necessary):

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=https%3A//github.blog/feed/

Home · About · News · Docs · Terms

 
Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda