Enterprise Managed Users can now enable secret scanning on their user namespace repositories. Owners of user repositories will receive secret scanning alerts when a supported secret is detected in their repository. User namespace repositories can also enable push protection.
In the enterprise level list of secret scanning alerts, enterprise owners can view all secrets detected in user namespace repositories. Enterprise owners can temporarily access user namespace repositories to view the secret details.
User namespace repositories are included in the security risk and coverage pages.
Secret scanning will also be supported on Enterprise Server personal repositories starting on GHES 3.13.
In early November we announced a set of changes to improve troubleshooting SCIM activity at scale for enterprise managed users. Today, we are making each of those changes generally available. No updates were required during the public beta period. The following restates the beta changes that are now GA.
Enterprise audit log fields:
New field external_group.update_display_name: Our logs will now capture and report any changes made to an external group's display name.
New field external_group.add_member: When a team member is added to an external group, this action will be audit logged.
New field external_group.remove_member: When a team member is removed from an external group, this action will be audit logged.
Enhancements to external_group.update and external_identity.update to ensure consistency whenever an external group or identity is updated.
The SSO page for each user also now includes SCIM metadata for that user in addition to existing SAML metadata. Check out what's new by filling in this url https://github.com/enterprises/your-enterprise/people/username/sso with your enterprise and a valid username.
Team membership synchronization status checks GitHub's understanding of identity groups against the current members of linked teams. This allows us to flag mismatches for administrators related to license allocation or other concerns.
Organization owners can now create and assign custom organization roles, which grant members and teams specific sets of privileges within the organization. Like custom repository roles, organization roles are made up of one or more fine-grained permissions, such as “read audit logs” or “manage repository rulesets”, and apply to the organization itself rather than the repository. This feature is available in all Enterprise Cloud organizations and will come to GitHub Enterprise Server by version 3.13.
Roles can be assigned by an organization owner only, to prevent accidental escalation of privileges, and can be assigned to users and teams. Multiple organization roles can be assigned directly to a user or team. Users and teams inherit roles from the teams they are a part of.
More organization permissions will be built over time, similar to how repository permissions were added as well. If you have a specific permission you’d like to see added please get in touch with your account team or let us know in the discussion below. Everything you can see in the organization settings menu is an option, and we’ll be working with teams across GitHub to get those permissions created.
To learn more about custom organization roles, see “About custom organization roles“, and for the REST APIs to manage and assign these roles programmatically see “Organization roles“. For feedback and suggestions for organization permissions, please join the discussion within GitHub Community.
✕
Wait! Don't Go Yet 🚀
Get our FREE eBook "10 Programming Tips That Changed Everything" when you subscribe!
GitHub Enterprise Cloud customers with Enterprise Managed Users (EMU) now have access to additional administrative capabilities for SCIM information. Troubleshooting user management at scale can take time and effort. To make this easier on administrators, we have added several new audit log fields, external identity metadata, and a new team membership synchronization status. The audit log field updates include the following:
New field external_group.update_display_name: Our logs will now capture and report any changes made to an external group’s display name.
New field external_group.add_member: When a team member is added to an external group, this action will be audit logged.
New field external_group.remove_member: When a team member is removed from an external group, this action will be audit logged.
Enhancements to external_group.update and external_identity.update to ensure consistency whenever an external group or identity is updated.
The SSO page for each user also now includes SCIM metadata for that user in addition to existing SAML metadata. Check out what’s new by filling in this url https://github.com/enterprises/your-enterprise/people/username/sso with your enterprise and a valid username.
Team membership synchronization status checks GitHub’s understanding of identity groups against the current members of linked teams. This allows us to flag mismatches for administrators related to license allocation or other concerns.
The "GitHub EMU Connector" is maintained and supported by our partner, Ping Identity. Ping additionally maintains their own release notes for this connector.
✕
Wait! Don't Go Yet 🚀
Get our FREE eBook "10 Programming Tips That Changed Everything" when you subscribe!
GitHub Enterprise Cloud customers with enterprise managed users (EMU) can now integrate with Ping Federate as a formally supported SSO and SCIM identity provider in public beta. To get started, download the Ping Federate "GitHub EMU Connector 1.0" from the add-ons tab on the download page, under the "SaaS Connectors" heading. Add the connector to your Ping Federate installation and consult the Ping Federate documentation in addition to GitHub's SAML SSO and SCIM documentation for configuration.
The "GitHub EMU Connector" is maintained and supported by our partner, Ping Identity. Ping additionally maintains their own release notes for this connector.
✕
Wait! Don't Go Yet 🚀
Get our FREE eBook "10 Programming Tips That Changed Everything" when you subscribe!
Organizations on github.com with an enterprise plan can now create 5 custom repository roles, an increase from the previous limit of 3. This increase will also appear in GitHub Enterprise Server 3.9.
You can now create access tokens with limited scope using the new granular access tokens functionality in npm. With granular access tokens, you can:
Restrict which packages and/or scopes a token has access to
Grant tokens access to specific organizations for user management
Set a token expiration date
Limit token access based on IP address ranges
Select between read and/or write access
Tokens with least privileges protects your npm packages from accidental or malicious misuse of your token. These tokens also allow you to manage your npm org and teams from a CI/CD pipeline. Granular access tokens are specifically built for automation and do not require 2FA. We recommend using granular access tokens with least privileges while you automate publishing and org management activities.
✕
Wait! Don't Go Yet 🚀
Get our FREE eBook "10 Programming Tips That Changed Everything" when you subscribe!
Enterprise owners can join organizations in their enterprise via the enterprise account Organizations page: https://github.com/enterprises/<enterprise> as either a member or an admin. This feature has graduated from beta to general availability.
Enterprise owners can now remove enterprise members from their GitHub Enterprise via the People view within their enterprise account: https://github.com/enterprises/<enterprise>/people. This feature has graduated from beta to general availability.
Enterprises that use Enterprise Managed Users (EMUs) to authenticate their accounts via Azure Active Directory can now use Azure AD location-based Conditional Access policies to protect the use of PATs and SSH keys. This requires the use of a new OpenID Connect-based application rather than a SAML integration. To learn more, read about enforcing Azure AD Conditional Access for PATs and SSH keys.
Note: this feature is currently in public beta for new and existing Azure AD EMU enterprises.
Enterprise owners can now prevent organization owners from inviting outside collaborators to repositories in their enterprise. The "Repository outside collaborators" policy includes an additional option, "Enterprise admins only", which restricts the ability to invite outside collaborators only to users with admin permissions to the enterprise. For more info, see "Enforcing a policy for inviting outside collaborators to repositories".
✕
Wait! Don't Go Yet 🚀
Get our FREE eBook "10 Programming Tips That Changed Everything" when you subscribe!
GitHub Enterprise owners can now remove enterprise members from their GitHub Enterprise via the People view within their enterprise account: https://github.com/enterprises/<enterprise>/people.
Enterprise owners can now join organizations within their enterprise via the enterprise account Organizations page: https://github.com/enterprises/<enterprise>.
