Trending News: Introducing sub-issues: Enhancing issue management on GitHub9 business leaders on what’s possible with Google AIWhat the heck is MCP and why is everyone talking about it?The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AIBeyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design6 highlights from Google Cloud Next 25Pixel 9a’s 3 big design updatesAnnouncing up to 85% price reductions for Amazon S3 Express One ZoneHow we’re making security easier for the average developerA short film program to explore AI on screenPixel 9a is available now.The Agentic Maturity Model: A 4-Step Roadmap for CIOs to Succeed in the Agentic Era(AI)ways a Cut Above: GeForce RTX 50 Series Accelerates New DaVinci Resolve 20 Studio Video Editing SoftwareMyth and Mystery Await: GeForce NOW Brings ‘South of Midnight’ to the Cloud at LaunchPixel 9a is available nowServing up tennis history with magazine archives and NotebookLMNVIDIA Celebrates Partners of the Year Advancing AI in Europe, Middle East and AfricaOur investment in AI-powered solutions for the electric gridHow to request a change to a CVE record‘Black Women in Artificial Intelligence’ Founder Talks AI Education and EmpowermentGoogle Cloud Next 25: New AI capabilities to transform your businessSalesforce Brings Agentic AI to the Field Service Sector to Tackle Scheduling, Reporting, and On-the-Job TroubleshootingHow Agentforce Automates Field Service Tasks, Easing Skilled Labor Shortage StrainTradespeople, Techs Waste Nearly a Full Day’s Work Weekly on Paperwork, 81% Think AI Agents Can HelpNVIDIA Brings Agentic AI Reasoning to Enterprises With Google CloudIronwood: The first Google TPU for the age of inferenceGoogle Cloud: the platform for scientific discoveryGoogle Workspace adds new AI tools to Docs, Sheets, Chat and more.Check out the latest features from Google Agentspace at Google Cloud Next.New video, image, speech and music generative AI tools are coming to Vertex AI.Here’s what’s new with our Google Cloud AI Hypercomputer.Google Cloud Next 25The AI magic behind Sphere’s upcoming ‘The Wizard of Oz’ experienceIntroducing Amazon Nova Sonic: Human-like voice conversations for generative AI applicationsAWS announces Pixtral Large 25.02 model in Amazon Bedrock serverlessDeep Research is now available on Gemini 2.5 Pro Experimental.We’re introducing a new way to analyze geospatial data.Found means fixed: Reduce security debt at scale with GitHub security campaigns‘Bazooka Innovation’ for Professional Services: How Certinia and Agentforce Drive Customer SuccessAdding AI to Workflows? Here’s What Indeed Has LearnedAmazon Bedrock Guardrails enhances generative AI application safety with new capabilitiesVisit Brazil’s Piratini Palace virtually on Google Arts & Culture.The AI opportunity for Europe’s climate goalsGit turns 20: A Q&A with Linus TorvaldsAmazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videosAWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)The Changing Role of Developers in the Age of AI Agents“Bazooka Innovation” for Professional Services: How Certinia and Agentforce are Driving Customer SuccessBringing multimodal search to AI ModeNew AI-powered experiments from Google Arts & Culture Artists in Residence5 ways to use Gemini Live with camera and screen sharingNew ways AI helps keep business information trustworthyQuantum computing education for global policy leaders25 startups using AI to transform healthcareNational Robotics Week — Latest Physical AI Research, Breakthroughs and ResourcesCopado and Agentforce: Automating Release Notes and Accelerating Production DeploymentsCelebrating Microsoft’s 50 yearsVibe coding with GitHub Copilot: Agent mode and MCP support rolling out to all VS Code usersSay Hello to Your New Colleague, the AI AgentYour AI CompanionThe latest AI news we announced in MarchStart building with Gemini 2.5 Pro.How Enterprise General Intelligence (EGI) Will Form a New Business ImperativeThese new features help you easily get started creating YouTube Shorts.3 ways to level up your studying with NotebookLMLocalhost dangers: CORS and DNS rebindingWhy Customers Say Unified Data Is Critical for AI AgentsThe Kindergarten Test: How AI Will Free Workers from DrudgeryNintendo Switch 2 Leveled Up With NVIDIA AI-Powered DLSS and 4K GamingNVIDIA Showcases Real-Time AI and Intelligent Media Workflows at NABFrom Browsing to Buying: How AI Agents Enhance Online ShoppingDiscover STEM stories from the Science Museum Group on Google Arts & Culture.4 ways media and entertainment companies are using GeminiRead Google DeepMind’s new paper on responsible artificial general intelligence (AGI).No Foolin’: GeForce NOW Gets 21 Games in AprilDiscover STEM stories from the Science Museum Group on Google Arts & CultureGoogle’s pro-innovation proposals for the UK copyright frameworkA practical approach to creative content and AI trainingNew in NotebookLM: Discover sources from around the webA New Definition of Smart: Agentic AI’s Impact on Critical ThinkingSpeed Demon: NVIDIA Blackwell Takes Pole Position in Latest MLPerf Inference ResultsNVIDIA’s Jacob Liberman on Bringing Agentic AI to EnterprisesA palace of art online: Discover the Farnesina CollectionHere’s how to watch this year’s Coachella music festival on YouTube.NVIDIA GeForce RTX 50 Series Accelerates Adobe Premiere Pro and Media Encoder’s 4:2:2 Color SamplingFinding answers, building hopeMeet the AWS News Blog team!How we built the new family of Gemini Robotics modelsGitHub found 39M secret leaks in 2024. Here’s what we’re doing to helpImmersive ads are expanding, starting with a new partnership between Ad Manager and Roblox.Amazon API Gateway now supports dual-stack (IPv4 and IPv6) endpointsAccelerate operational analytics with Amazon Q Developer in Amazon OpenSearch ServiceIndustrial Ecosystem Adopts Mega NVIDIA Omniverse Blueprint to Train Physical AI in Digital TwinsAWS Weekly Roundup: Amazon Bedrock, Amazon QuickSight, AWS Amplify, and more (March 31, 2025)Google Slides now uses Imagen 3 and adds other new visual tools.GitHub for Beginners: How to get LLMs to do what you wantThe Rise of AI Developer Tools: A New Era in Code and CollaborationThe newest recipients of Google.org’s AI Opportunity FundHere’s how we’re helping developers build safer apps more efficiently on Google Play and Android.Listen to our podcast episode all about Gemini 2.5.
Sun. Apr 13th, 2025
Trending News: Introducing sub-issues: Enhancing issue management on GitHub9 business leaders on what’s possible with Google AIWhat the heck is MCP and why is everyone talking about it?The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AIBeyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design6 highlights from Google Cloud Next 25Pixel 9a’s 3 big design updatesAnnouncing up to 85% price reductions for Amazon S3 Express One ZoneHow we’re making security easier for the average developerA short film program to explore AI on screenPixel 9a is available now.The Agentic Maturity Model: A 4-Step Roadmap for CIOs to Succeed in the Agentic Era(AI)ways a Cut Above: GeForce RTX 50 Series Accelerates New DaVinci Resolve 20 Studio Video Editing SoftwareMyth and Mystery Await: GeForce NOW Brings ‘South of Midnight’ to the Cloud at LaunchPixel 9a is available nowServing up tennis history with magazine archives and NotebookLMNVIDIA Celebrates Partners of the Year Advancing AI in Europe, Middle East and AfricaOur investment in AI-powered solutions for the electric gridHow to request a change to a CVE record‘Black Women in Artificial Intelligence’ Founder Talks AI Education and EmpowermentGoogle Cloud Next 25: New AI capabilities to transform your businessSalesforce Brings Agentic AI to the Field Service Sector to Tackle Scheduling, Reporting, and On-the-Job TroubleshootingHow Agentforce Automates Field Service Tasks, Easing Skilled Labor Shortage StrainTradespeople, Techs Waste Nearly a Full Day’s Work Weekly on Paperwork, 81% Think AI Agents Can HelpNVIDIA Brings Agentic AI Reasoning to Enterprises With Google CloudIronwood: The first Google TPU for the age of inferenceGoogle Cloud: the platform for scientific discoveryGoogle Workspace adds new AI tools to Docs, Sheets, Chat and more.Check out the latest features from Google Agentspace at Google Cloud Next.New video, image, speech and music generative AI tools are coming to Vertex AI.Here’s what’s new with our Google Cloud AI Hypercomputer.Google Cloud Next 25The AI magic behind Sphere’s upcoming ‘The Wizard of Oz’ experienceIntroducing Amazon Nova Sonic: Human-like voice conversations for generative AI applicationsAWS announces Pixtral Large 25.02 model in Amazon Bedrock serverlessDeep Research is now available on Gemini 2.5 Pro Experimental.We’re introducing a new way to analyze geospatial data.Found means fixed: Reduce security debt at scale with GitHub security campaigns‘Bazooka Innovation’ for Professional Services: How Certinia and Agentforce Drive Customer SuccessAdding AI to Workflows? Here’s What Indeed Has LearnedAmazon Bedrock Guardrails enhances generative AI application safety with new capabilitiesVisit Brazil’s Piratini Palace virtually on Google Arts & Culture.The AI opportunity for Europe’s climate goalsGit turns 20: A Q&A with Linus TorvaldsAmazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videosAWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)The Changing Role of Developers in the Age of AI Agents“Bazooka Innovation” for Professional Services: How Certinia and Agentforce are Driving Customer SuccessBringing multimodal search to AI ModeNew AI-powered experiments from Google Arts & Culture Artists in Residence5 ways to use Gemini Live with camera and screen sharingNew ways AI helps keep business information trustworthyQuantum computing education for global policy leaders25 startups using AI to transform healthcareNational Robotics Week — Latest Physical AI Research, Breakthroughs and ResourcesCopado and Agentforce: Automating Release Notes and Accelerating Production DeploymentsCelebrating Microsoft’s 50 yearsVibe coding with GitHub Copilot: Agent mode and MCP support rolling out to all VS Code usersSay Hello to Your New Colleague, the AI AgentYour AI CompanionThe latest AI news we announced in MarchStart building with Gemini 2.5 Pro.How Enterprise General Intelligence (EGI) Will Form a New Business ImperativeThese new features help you easily get started creating YouTube Shorts.3 ways to level up your studying with NotebookLMLocalhost dangers: CORS and DNS rebindingWhy Customers Say Unified Data Is Critical for AI AgentsThe Kindergarten Test: How AI Will Free Workers from DrudgeryNintendo Switch 2 Leveled Up With NVIDIA AI-Powered DLSS and 4K GamingNVIDIA Showcases Real-Time AI and Intelligent Media Workflows at NABFrom Browsing to Buying: How AI Agents Enhance Online ShoppingDiscover STEM stories from the Science Museum Group on Google Arts & Culture.4 ways media and entertainment companies are using GeminiRead Google DeepMind’s new paper on responsible artificial general intelligence (AGI).No Foolin’: GeForce NOW Gets 21 Games in AprilDiscover STEM stories from the Science Museum Group on Google Arts & CultureGoogle’s pro-innovation proposals for the UK copyright frameworkA practical approach to creative content and AI trainingNew in NotebookLM: Discover sources from around the webA New Definition of Smart: Agentic AI’s Impact on Critical ThinkingSpeed Demon: NVIDIA Blackwell Takes Pole Position in Latest MLPerf Inference ResultsNVIDIA’s Jacob Liberman on Bringing Agentic AI to EnterprisesA palace of art online: Discover the Farnesina CollectionHere’s how to watch this year’s Coachella music festival on YouTube.NVIDIA GeForce RTX 50 Series Accelerates Adobe Premiere Pro and Media Encoder’s 4:2:2 Color SamplingFinding answers, building hopeMeet the AWS News Blog team!How we built the new family of Gemini Robotics modelsGitHub found 39M secret leaks in 2024. Here’s what we’re doing to helpImmersive ads are expanding, starting with a new partnership between Ad Manager and Roblox.Amazon API Gateway now supports dual-stack (IPv4 and IPv6) endpointsAccelerate operational analytics with Amazon Q Developer in Amazon OpenSearch ServiceIndustrial Ecosystem Adopts Mega NVIDIA Omniverse Blueprint to Train Physical AI in Digital TwinsAWS Weekly Roundup: Amazon Bedrock, Amazon QuickSight, AWS Amplify, and more (March 31, 2025)Google Slides now uses Imagen 3 and adds other new visual tools.GitHub for Beginners: How to get LLMs to do what you wantThe Rise of AI Developer Tools: A New Era in Code and CollaborationThe newest recipients of Google.org’s AI Opportunity FundHere’s how we’re helping developers build safer apps more efficiently on Google Play and Android.Listen to our podcast episode all about Gemini 2.5.
Sun. Apr 13th, 2025

How we’re making security easier for the average developer


Let’s be honest—most security tools can be pretty painful to use.

These tools usually aren’t designed with you, the developer, in mind—even if it’s you, not the security team, who is often responsible for remediating issues. The worst part? You frequently need to switch back and forth between your tool and your dev environment, or add a clunky integration.

And oftentimes the alerts aren’t very actionable. You may need to spend time researching on your own. Or worse, false positives can pull you away from building the next thing. Alert fatigue creeps in, and you find yourself paying less and less attention as the vulnerabilities stack up.

We’re trying to make this better at GitHub by building security into your workflows so you can commit better code. From Secret Protection to Code Security to Dependabot and Copilot Autofix, we’re working to go beyond detection to help you prioritize and remediate problems—with a little help from AI.

We’re going to show you how to write more secure code on GitHub, all in less than 10 minutes.

At commit and before the pull request: Secret Protection

You’ve done some work and you’re ready to commit your code to GitHub. But there’s a problem: You’ve accidentally left an API key in your code.

Even if you’ve never left a secret in your code before, there’s a good chance you will someday. Leaked secrets are one of the most common, and most damaging, forms of software vulnerability. In 2024, developers across GitHub simplified the process by using Secret Protection, detecting more than 39 million secret leaks.

Let’s start with some context. Traditionally, it could take months to uncover the forgotten API key because security reviews would take place only after a new feature is finished. It might not even be discovered until someone exploited it in the wild. In that case, you’d have to return to the code, long after you’d moved on to working on other features, and rewrite it.

But GitHub Secret Protection, formerly known as Secret Scanning, can catch many types of secrets before they can cause you real pain. Secret Protection runs when you push code to your repository and will warn you if it finds something suspicious. You will know right away that something is wrong and can fix it while the code is fresh in your mind. Push protection—which blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block—shows you exactly where the secret is so you can fix it before there’s any chance of it falling into the wrong hands. If the secret is part of a test environment or the alert is a false positive, you can easily bypass the alert, so it will never slow you down unnecessarily.

What you don’t have to do is jump to another application or three to read about a vulnerability alert or issue assignment.

After commit: Dependabot

OK, so now you’ve committed some code. Chances are it contains one or more open source dependencies.

Open source is crucial for your day-to-day development work, but a single vulnerability in a transient dependency—that is to say, your dependencies’ dependencies—could put your organization at risk (which isn’t something you want coming up in a performance review).

Dependabot, our free tool for automated software supply chain security, helps surface vulnerabilities in your dependencies in code you’ve committed. And once again, it finds problems right away—not when the security team has a chance to review a completed feature. If a fix already exists, Dependabot will create a pull request for you, enabling you to fix issues without interrupting your workflow.

Dependabot now features data to help you prioritize fixes. Specifically, alerts now include Exploit Prediction Scoring System (EPSS) data from the global Forum of Incident Response and Security Teams to help you prioritize alerts based on exploit likelihood. Only 10% of vulnerability alerts have an EPSS score above 0.95%, so you can focus on fixing this smaller subset of more urgent vulnerabilities. It can really make your backlog easier to manage and keep you from spending time on low-risk issues.

At the pull request: Code Security

You’ve committed some code, you’re confident you haven’t leaked any secrets, and you’re not relying on dependencies with known vulnerabilities. So, naturally, you create a pull request. Traditionally, you might be expected to run some linters and security scanning tools yourself, probably switching between a number of disparate tools. Thanks to our automation platform GitHub Actions, all of this happens as soon as you file your pull request.

You can run a variety of different security tools using Actions or our security scanning service GitHub Code Security (formerly known as Code Scanning). Our semantic static analysis engine CodeQL transforms your code into a database that you can query to surface known vulnerabilities and their unknown variations, potentially unsafe coding practices, and other code quality issues.

You can write your own CodeQL queries, but GitHub provides thousands of queries that cover the most critical types of vulnerabilities. These queries have been selected for their high level of accuracy, ensuring a low false positive rate for the user.

But we don’t just flag problems. We now recommend solutions for 90% of alert types in JavaScript, Typescript, Java, and Python thanks to GitHub Copilot Autofix, a new feature available for free on public repositories or as part of GitHub Code Security for private repositories.

Let’s say you’ve got a pesky SQL injection vulnerability (it happens all the time). Copilot Autofix will create a pull request for you with a suggested fix, so you can quickly patch a vulnerability. You no longer need to be a security expert to find a fix. We’ve found that teams using Autofix remediate vulnerabilities up to 60% faster, significantly reducing Mean Time to Remediation (MTTR).

This is what we mean when we say “found means fixed.” We don’t want to put more work on your already overloaded kanban board. Our security tools are designed for remediation, not just detection.

Take this with you

Keep in mind you probably won’t need to touch all those security tools every time you commit or file a pull request. They’ll only pop up when they’re needed and will otherwise stay out of your way, quietly scanning for trouble in the background.

When they do show up, they show up with good reason. It’s much less work to handle vulnerabilities at the point of commit or pull request than it is to wait until months or years later. And with actionable solutions right at your fingertips, you won’t need to spend as much time going back and forth with your security team.

Writing secure code takes effort. But by integrating security protections and automatic suggestions natively into your development workflow, we’re making shifting left easier and less time consuming than the status quo.

Find secrets exposed in your organization with the secret risk assessment >

Tags:

Written by

Blog Article: Here

    • Ascendant Bot

    Related Posts

    Introducing sub-issues: Enhancing issue management on GitHub
    Introducing sub-issues: Enhancing issue management on GitHub

    Explore the iterative development journey of GitHub’s sub-issues feature. Learn how we leveraged sub-issues to build and refine sub-issues, breaking down larger tasks into smaller, manageable ones.

    The post Introducing sub-issues: Enhancing issue management on GitHub appeared first on The GitHub Blog.

    Continue reading
    What the heck is MCP and why is everyone talking about it?
    What the heck is MCP and why is everyone talking about it?

    Everyone’s talking about MCP these days when it comes to large language models (LLMs)—here’s what you need to know.

    The post What the heck is MCP and why is everyone talking about it? appeared first on The GitHub Blog.

    Continue reading

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Engineering GitHub GitHub Issues How GitHub builds GitHub NVIDIA Hopper Architecture

    Introducing sub-issues: Enhancing issue management on GitHub

    Introducing sub-issues: Enhancing issue management on GitHub
    Google Google Cloud

    9 business leaders on what’s possible with Google AI

    9 business leaders on what’s possible with Google AI
    agentic AI GitHub GitHub Copilot LLM LLMs Model Context Protocol Open Source Open Standards

    What the heck is MCP and why is everyone talking about it?

    What the heck is MCP and why is everyone talking about it?
    Salesforce Uncategorized

    The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AI

    The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AI
    Artificial Intelligence Enterprise software Generative AI In the NVIDIA Studio Into the Omniverse NVIDIA Inception

    Beyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design

    Beyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design
    Google Google Cloud

    6 highlights from Google Cloud Next 25

    6 highlights from Google Cloud Next 25