GitHub Code Scanning powered by CodeQL now supports dependency caching for Java, Go, and C# projects. This feature ensures that scans can deliver meaningful results even if registries are temporarily unavailable, while also reducing overall scanning time after the cache is established.
Dependency Caching Availability:
Default Setup: For repositories using GitHub-hosted runners, dependency caching is automatically enabled for both public and private repositories during scans.
Advanced Setup: Users with custom configurations can manually enable dependency caching as needed.
On December 13, 2023, we released CodeQL Action v3, which runs on the Node.js 20 runtime. In January 2024, we announced that CodeQL Action v2 would be retired at the same time as GitHub Enterprise Server (GHES) 3.11. This retirement period has elapsed and CodeQL Action v2 is now discontinued. It will no longer be updated or supported, and while we will not be deleting it except in the case of a security vulnerability, workflows using it may eventually break. New CodeQL analysis capabilities will only be available to users of v3.
Users of code scanning default setup do not need to take any action in order to automatically move to CodeQL Action v3.
Advanced setup
Users of code scanning advanced setup need to change their workflow files in order to start using CodeQL Action v3.
Users of GitHub.com and GitHub Enterprise Server 3.12 (and newer)
All users of GitHub code scanning (which by default uses the CodeQL analysis engine) on GitHub Actions on the following platforms should update their workflow files:
GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)
GitHub Enterprise Server (GHES) 3.12 (and newer)
Users of the above-mentioned platforms should update their CodeQL workflow file(s) to refer to the new v3 version of the CodeQL Action. Note that the upcoming release of GitHub Enterprise Server 3.12 will ship with v3 of the CodeQL Action included.
Users of GitHub Enterprise Server 3.11 (and older)
GitHub Enterprise Server 3.11 (and older) is now retired. For more information on using the CodeQL Action on a retired GitHub Enterprise Server version, refer to the relevant sections of the CodeQL Action v2 retirement announcement.
Exactly what do I need to change?
To upgrade to CodeQL Action v3, open your CodeQL workflow file(s) in the .github directory of your repository and look for references to:
github/codeql-action/init@v2
github/codeql-action/autobuild@v2
github/codeql-action/analyze@v2
github/codeql-action/upload-sarif@v2
These entries need to be replaced with their v3 equivalents:
github/codeql-action/init@v3
github/codeql-action/autobuild@v3
github/codeql-action/analyze@v3
github/codeql-action/upload-sarif@v3
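One way to carry out that replacement across a repository's workflow files, as an added example rather than anything from the announcement or the CodeQL Action project: a Python script that rewrites the four v2 references to v3, leaves other actions and fully pinned refs such as @v2.x.y untouched (those need a deliberate new pin), and reports what remains. The sample workflow is constructed.

```python
import re
from pathlib import Path

# The four CodeQL Action entry points from the announcement, pinned to the
# retired v2 major tag. The lookahead skips fully pinned refs (e.g. @v2.22.5)
# so they are surfaced by remaining_v2_refs() instead of being rewritten blindly.
V2_REF = re.compile(
    r"github/codeql-action/(init|autobuild|analyze|upload-sarif)@v2(?![\w.-])"
)

# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
        with:
          languages: java
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2
"""

def upgrade_workflow_text(text: str) -> tuple:
    """Return (rewritten text, number of v2 references moved to v3)."""
    return V2_REF.subn(r"github/codeql-action/\1@v3", text)

def remaining_v2_refs(text: str) -> list:
    """Any v2 references still present after the rewrite (should be empty)."""
    return [m.group(0) for m in V2_REF.finditer(text)]

def upgrade_workflows(workflow_dir: Path) -> dict:
    """Rewrite every workflow file in place; returns file name -> edit count."""
    changed = {}
    paths = sorted(workflow_dir.glob("*.yml")) + sorted(workflow_dir.glob("*.yaml"))
    for path in paths:
        new_text, count = upgrade_workflow_text(path.read_text(encoding="utf-8"))
        if count:
            path.write_text(new_text, encoding="utf-8")
            changed[path.name] = count
    return changed
```

Point upgrade_workflows() at the repository's .github/workflows directory and review the returned map before committing.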
Can I use Dependabot to help me with this upgrade?
Yes, you can! For more details on how to configure Dependabot to automatically upgrade your Actions dependencies, please see this page.
CodeQL build-mode: none scans can now access private dependencies stored in private registries (e.g. Artifactory) for Java and C# projects. This makes your scans more comprehensive, ensuring you receive all important alerts regardless of where your dependencies are stored.
Previously, build-mode: none code scans with the default setup were unable to fetch code for dependent packages stored in private registries, which could result in incomplete analysis. Now, organization administrators can configure access credentials for private registries at the organization level. This enhancement allows CodeQL scans in child repositories to retrieve all necessary dependencies, enabling comprehensive code analysis when using the code scanning default setup.
This feature is currently in public preview for GitHub Advanced Security customers.
You can now enable code scanning in your GitHub Actions workflow files. By opting-in to this feature, you can enhance the security of repositories using GitHub Actions.
Actions analysis support includes a set of CodeQL queries developed by the GitHub Security Lab to capture common misconfigurations of workflow files that can lead to security vulnerabilities. You can now easily run these queries as part of Code Scanning’s default or advanced setup and use Copilot Autofix to get remediation suggestions on your findings.
You can opt-in to the public preview by selecting the “GitHub Actions” language via code scanning default setup, or by adding the actions language to your existing advanced setup. New repositories onboarding to default setup after today will start analyzing Actions workflows right away. Existing repositories will not be automatically opted-in as part of the public preview.
New REST API endpoints for code scanning allow you to request the generation of Copilot Autofix for code scanning alerts. These endpoints also provide the Autofix generation status, along with metadata and AI-generated descriptions for the fixes, and enable you to apply Autofix to a branch. This functionality can be particularly useful for addressing security vulnerabilities programmatically and for tracking the status of alerts with Copilot Autofixes in your system.
To generate Copilot Autofix, call the POST /repos/{owner}/{repo}/code-scanning/alerts/{number}/autofix endpoint.
Additionally, you can retrieve the Autofix and commit it by using the GET /repos/{owner}/{repo}/code-scanning/alerts/{number}/autofix endpoint followed by POST /repos/{owner}/{repo}/code-scanning/alerts/{number}/autofix/commits.
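The generate, poll, commit sequence above as an added Python example (not GitHub's own client code): the transport is pluggable so the same flow runs against the live REST API or against a constructed offline stand-in. The status values and the target_ref/message body fields are assumptions taken from the API documentation, not from this changelog.

```python
import json
import time
from urllib.request import Request, urlopen

def github_transport(token, api="https://api.github.com"):
    """Live transport: (method, path, body_or_None) -> decoded JSON."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = Request(api + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json"})
        with urlopen(req) as resp:
            return json.load(resp)
    return call

def autofix_path(owner, repo, number):
    return f"/repos/{owner}/{repo}/code-scanning/alerts/{number}/autofix"

def wait_for_autofix(t, owner, repo, number, attempts=10, delay=0.0):
    """Poll GET .../autofix until status leaves 'pending' (values assumed)."""
    for _ in range(attempts):
        fix = t("GET", autofix_path(owner, repo, number), None)
        if fix.get("status") != "pending":
            return fix
        time.sleep(delay)
    raise TimeoutError(f"autofix for alert #{number} still pending")

def remediate(t, owner, repo, number, branch):
    """Generate, wait, then commit to a branch for review; None on failure."""
    t("POST", autofix_path(owner, repo, number), None)   # request generation
    fix = wait_for_autofix(t, owner, repo, number)
    if fix.get("status") != "success":
        return None                                     # triage manually
    # Body fields target_ref/message are assumed from the API docs.
    return t("POST", autofix_path(owner, repo, number) + "/commits",
             {"target_ref": branch,
              "message": f"Apply Copilot Autofix for code scanning alert #{number}"})

def fake_transport():
    """Constructed offline stand-in: first poll is pending, second succeeds."""
    polls = {"n": 0}
    def call(method, path, body):
        if method == "POST" and path.endswith("/commits"):
            return {"target_ref": body["target_ref"], "sha": "constructed-sha"}
        if method == "POST":
            return {"status": "pending"}
        polls["n"] += 1
        return {"status": "success" if polls["n"] >= 2 else "pending"}
    return call
```

Committing to a dedicated branch rather than the default branch keeps the AI-generated change under normal pull request review.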
After this period, these endpoints will no longer be available. Instead, you can use the organization roles API to perform the same actions and much more.
Retirement Timeline
GitHub.com: 2025-12-31
GitHub Enterprise Server: Version 3.20
Replacements
The organization roles API offers enhanced capabilities for managing roles across an organization. Use the following endpoint as a replacement:
You can start transitioning to the organization roles API today on GitHub.com. For GitHub Enterprise Server users, the organization roles API will support the security manager role starting in version 3.16.
The metrics overview for CodeQL pull request alerts now includes enhanced tracking and reporting mechanisms, resulting in greater accuracy and more CodeQL pull request alerts and Copilot Autofixes displayed on the dashboard.
These changes retroactively affect the dashboard numbers, allowing you to effectively monitor your organization’s security posture.
With these insights, you can proactively identify and address security risks before they reach your default branch. The metrics overview for CodeQL pull request alerts helps you understand how effectively CodeQL prevents vulnerabilities in your organization. You can use these metrics to easily identify the repositories where action is needed to mitigate security risks.
The change is now generally available on GitHub Enterprise Cloud.
The enterprise and organization-level audit log events are now created when a code scanning alert is created, fixed, dismissed, reopened, or appeared in a new branch:
– code_scanning.alert_created – a code scanning alert was seen for the first time;
– code_scanning.alert_appeared_in_branch – an existing code scanning alert appeared in a branch;
– code_scanning.alert_closed_became_fixed – a code scanning alert was fixed;
– code_scanning.alert_reappeared – a code scanning alert that was previously fixed reappeared;
– code_scanning.alert_closed_by_user – a code scanning alert was manually dismissed;
– code_scanning.alert_reopened_by_user – a code scanning alert that was previously dismissed was reopened.
The new functionality, which will be included in GHES 3.17, provides more insight into the history of a code scanning alert for easier troubleshooting and analysis.
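As an added example of what this history makes possible (not GitHub's own tooling): a Python replay of an exported audit log that reconstructs each alert's current state, the branches it appeared in, and counts of manual dismissals and post-fix regressions, then lists alerts worth a second look. The JSON-lines sample and its field names (@timestamp, action, repo, alert_number, ref) are constructed assumptions, not a real export.

```python
import json

# Final alert state implied by each audit log action from the list above.
TRANSITIONS = {
    "code_scanning.alert_created": "open",
    "code_scanning.alert_closed_became_fixed": "fixed",
    "code_scanning.alert_reappeared": "open",
    "code_scanning.alert_closed_by_user": "dismissed",
    "code_scanning.alert_reopened_by_user": "open",
}

# Constructed audit log export in JSON-lines form; field names are assumed.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1, "action": "code_scanning.alert_created", "repo": "octo/app", "alert_number": 12, "ref": "refs/heads/main"}
{"@timestamp": 2, "action": "code_scanning.alert_appeared_in_branch", "repo": "octo/app", "alert_number": 12, "ref": "refs/heads/feature"}
{"@timestamp": 3, "action": "code_scanning.alert_closed_by_user", "repo": "octo/app", "alert_number": 12, "ref": "refs/heads/main"}
{"@timestamp": 4, "action": "code_scanning.alert_reopened_by_user", "repo": "octo/app", "alert_number": 12, "ref": "refs/heads/main"}
{"@timestamp": 5, "action": "code_scanning.alert_closed_by_user", "repo": "octo/app", "alert_number": 12, "ref": "refs/heads/main"}
{"@timestamp": 1, "action": "code_scanning.alert_created", "repo": "octo/app", "alert_number": 13, "ref": "refs/heads/main"}
{"@timestamp": 6, "action": "code_scanning.alert_closed_became_fixed", "repo": "octo/app", "alert_number": 13, "ref": "refs/heads/main"}
{"@timestamp": 7, "action": "code_scanning.alert_reappeared", "repo": "octo/app", "alert_number": 13, "ref": "refs/heads/main"}
"""

def parse_audit_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def alert_histories(events):
    """Replay events in time order into per-alert state, branches and counters."""
    hist = {}
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        rec = hist.setdefault((e["repo"], e["alert_number"]),
                              {"state": None, "branches": set(), "dismissals": 0, "regressions": 0})
        action = e["action"]
        if action in TRANSITIONS:
            rec["state"] = TRANSITIONS[action]
        if action == "code_scanning.alert_appeared_in_branch":
            rec["branches"].add(e["ref"])
        elif action == "code_scanning.alert_closed_by_user":
            rec["dismissals"] += 1      # manual dismissals, worth reviewing later
        elif action == "code_scanning.alert_reappeared":
            rec["regressions"] += 1     # fixed once, then came back
    return hist

def needs_review(hist, max_dismissals=1):
    """Alerts dismissed more than max_dismissals times or regressed after a fix."""
    return sorted(k for k, r in hist.items()
                  if r["dismissals"] > max_dismissals or r["regressions"] > 0)
```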
When configuring CodeQL security analysis using code scanning’s default setup, you can now specify whether to run the analysis on a standard GitHub-hosted runner, a larger GitHub-hosted runner, or a self-hosted runner. Previously, support for larger GitHub-hosted and self-hosted runners was limited to runners carrying the code-scanning custom label. Now, you can specify any custom label, ensuring the analysis runs on the desired machine(s).
For example, using a custom label you are able to assign more powerful runners to critical repositories for faster analyses, better spread the workload over GitHub-hosted and self-hosted runners, or run the analysis on a particular platform (like macOS).
The new setting is available today on GitHub.com, and can be configured both at the repository level and within code security configurations for deployments at scale. This new setting will also be included in GitHub Enterprise Server (GHES) version 3.16.
For organization owners, managing the security manager role is now easier and more flexible. These updates empower you to tailor security responsibilities and streamline role assignments to fit your needs:
Assign the security manager role to individual users: The security manager role can now be assigned directly to individual users, in addition to teams. This added flexibility ensures security responsibilities are allocated precisely where needed.
Streamlined role management in organization settings: Security manager assignment and configuration is now part of Settings > Organization roles at the organization level. This relocation centralizes and simplifies role management, making it intuitive to oversee security managers alongside other organizational roles.
Building on recent improvements
The addition of custom organization roles with repository permissions takes flexibility to the next level. With these updates, you can customize security roles to balance the right level of responsibility and access for your team. Here’s how you can leverage these features to meet your specific requirements:
Craft a security manager role with fewer permissions: The addition of repository permissions to custom organization roles means you can build custom security roles with a subset of security manager permissions, such as:
View secret scanning
Dismiss secret scanning
View code scanning
Dismiss code scanning
Delete code scanning analyses
View Dependabot alerts
Dismiss Dependabot alerts
This lets you assign security responsibilities without granting the full access of a security manager role.
Expand the security manager role with additional permissions: Using custom organization roles, you can enhance the security manager role by adding additional organization-level or repository-specific permissions. For example, you can grant audit log access or other highly requested capabilities to create a tailored role that fits your team’s specific needs.
These updates are now generally available on GitHub Enterprise Cloud and will be included in GitHub Enterprise Server 3.16.
You can now export security data for offline analysis, reporting, and archival purposes on the enterprise-level security overview pages. This includes:
Enterprise-level overview dashboard: Export alert-level data for all your scanning tools—including third-party scanning tools.
Enterprise-level risk page: Export repository-level data with aggregated counts of security alerts per repository for code scanning, Dependabot, and secret scanning.
Enterprise-level coverage page: Export repository-level data showing the enablement state for all Dependabot, code scanning, and secret scanning features.
Just like at the organization level, exports respect all filters you’ve applied to the page, making it easy for you to tailor downloads to your specific needs. Whether you’re focused on enterprise-wide insights or repository-level details, the data is now at your fingertips.
You can download all data where you have an appropriate level of access.
Now you can better manage and mitigate your security vulnerabilities with a new SAST vulnerabilities summary table, available directly on the security overview dashboard. This feature highlights your top 10 CodeQL and third-party open alerts by count, grouped by vulnerability type.
When prioritizing which alerts to address first, it’s crucial to consider various factors. One significant factor is the number of instances of a vulnerability across your codebase. The more areas of code affected by a vulnerability, the higher the potential risk for exploitation.
To access the new SAST vulnerabilities table, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and scroll to the bottom of the Detection view on the Overview dashboard. For enterprises, click Code Security in the sidebar, then select Overview and scroll to the bottom of the Detection view.
The SAST vulnerabilities summary is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.
Security campaigns with Copilot Autofix are now in public preview. Available as part of GitHub Advanced Security, security campaigns rapidly reduce your backlog of application security debt. By using Copilot Autofix to generate contextual explanations and code suggestions for up to 1,000 historical code scanning alerts at a time, security campaigns help developers and security teams collaborate to fix vulnerabilities with speed and confidence.
Code scanning detection engines such as GitHub’s CodeQL are incredibly effective at automatically notifying developers about potential security vulnerabilities in their code in the form of code scanning alerts. Most developers fix these vulnerabilities with the help of Copilot Autofix when they’re flagged in pull requests. However, in situations where these alerts aren’t remediated in a timely manner, security debt can build up and pose a serious risk to deployed applications. Using security campaigns, security teams and developers can easily collaborate to remediate and eradicate security debt at scale, with the help of Copilot Autofix.
A security campaign on GitHub can contain a large number of code scanning alerts, prioritized by your security team to be fixed within a chosen timeframe. When a campaign is created, Copilot Autofix automatically suggests fixes for all supported alerts, and developers who are most familiar with the code are notified. From there, they can review the fixes, open pull requests, and remediate the security debt.
Security teams can monitor the progress of the campaign and track the number of alerts that have been fixed. Using security campaigns, security and developer teams work together with Copilot Autofix to remove security debt in targeted efforts aimed at maximizing impact by focusing on the alerts that matter.
Security campaigns are available for users of GitHub Advanced Security on GitHub Enterprise Cloud. For more information about security campaigns, see About security campaigns in the GitHub documentation.
If you have any feedback on security campaigns: join the discussion in the GitHub Community.
Copilot Autofix now supports fix suggestions for problems detected by ESLint, a partner code scanning tool. Autofixes are available both in pull requests and for historical alerts.
ESLint is the first partner tool supported by Copilot Autofix. Support for additional partner tools, such as JFrog SAST and Black Duck’s Polaris™ platform powered by Coverity®, will be announced by future changelogs when available. To opt out of fix suggestions for third-party tools, you can disable this feature from the code scanning settings page.
In order for Copilot Autofix to pick up ESLint alerts, you need to enable ESLint as a code scanning tool in the target repository. For reference, you can select an updated starter workflow when setting up a new GitHub Actions workflow in your repository. You can use both ESLint scanning and the CodeQL analysis in the same repository.
When using Copilot Autofix for historical alerts, you can now choose the branch to which you want to commit an autofix. You can also decide whether to then open a pull request, check out the branch locally, or open it in GitHub Desktop.
Copilot Autofix provides automatic fix suggestions for code scanning alerts in your codebase.
This update integrates Autofix more closely within the developer workflow, so you can quickly iterate on fix suggestions and collaborate on those with your team.