GitHub Actions workflow security analysis with CodeQL is now generally available

GitHub code scanning now offers enhanced security protection for your GitHub Actions workflow files through CodeQL analysis, which is now generally available. This feature enables you to identify and remediate security vulnerabilities in your Actions workflows through automated code scanning, helping prevent potential security issues before they impact your CI/CD pipeline. CodeQL automatically analyzes your workflows to detect common security vulnerabilities, including missing required permissions, dangerous inputs without proper validation, and script injection vulnerabilities.

During the public preview period, we’ve helped secure over 158,000 repositories, detecting more than 800,000 potential vulnerabilities in Actions workflows, with approximately 15% of these issues being fixed by repository maintainers. This strong adoption demonstrates the value of automated security analysis for CI/CD workflows that use GitHub Actions.

For repositories using code scanning’s default setup, we will now automatically enable Actions workflow analysis when workflow files are detected in the default branch. For repositories using advanced setup, simply add the actions language to your existing configuration to enable this protection.

We’ve also added Copilot autofix functionality for the actions/missing-workflow-permissions query, one of the most frequent findings in Actions workflows. When this vulnerability is detected, you’ll receive automated fix suggestions to implement the principle of least privilege in your workflows, making remediation faster and easier.
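A minimal before/after workflow, added here as an illustration (not taken from the GitHub changelog or from CodeQL's own query tests), showing the two findings named above: a missing permissions block, which is what actions/missing-workflow-permissions and its Copilot autofix address, and untrusted event data expanded directly into a run script. The hardened version declares least-privilege permissions and passes the untrusted value through an environment variable; the workflow name, trigger, and comment text are assumptions chosen for the example.

```yaml
# Added illustration, not taken from the GitHub changelog or CodeQL's query tests.
# The workflow reacts to a new issue comment; the event payload is attacker-
# controlled, because anyone who can comment on the repository shapes it.

# --- Before: two findings CodeQL would report ---
name: comment-bot
on:
  issue_comment:
    types: [created]
# No top-level `permissions:` block: the job runs with the repository's
# default GITHUB_TOKEN scope (actions/missing-workflow-permissions).
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      # Untrusted event data is substituted into the shell script before it
      # runs, so a comment containing shell syntax is executed rather than
      # echoed (script injection from a dangerous input).
      - run: echo "Comment says: ${{ github.event.comment.body }}"

---
# --- After: the same workflow hardened ---
name: comment-bot
on:
  issue_comment:
    types: [created]
# Least privilege for the whole workflow; jobs that need more opt in below.
permissions:
  contents: read
jobs:
  greet:
    runs-on: ubuntu-latest
    permissions:
      issues: write   # granted only to this job; the rest stays read-only
    steps:
      # Pass untrusted input through an environment variable and quote it:
      # the shell then treats it as data, never as part of the script.
      - env:
          COMMENT: ${{ github.event.comment.body }}
        run: echo "Comment says: $COMMENT"
```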

To improve analysis quality, we’ve moved the actions/unversioned-immutable-action query to the extended query suite, allowing for more targeted and comprehensive analysis. If you’re using default setup, you can configure your scanning options to include extended queries. For repositories with advanced setup, you can specify this query suite in your CodeQL configuration. You can find more information about this change in the CodeQL release notes for 2.20.6.

Code scanning’s analysis of GitHub Actions workflow files will be available in GitHub Enterprise Server 3.18.

Learn more about configuring code scanning, securing your use of Actions, and vulnerabilities identified with CodeQL.

Dependabot users can now schedule custom update frequencies by using cron expressions in schedule.interval in the Dependabot configuration file. This extends the predefined intervals (daily, weekly, and monthly) with a more general and robust option, giving Dependabot users the ability to define custom schedules that meet their specific needs.

For help writing a cron expression, try this tool.

To learn more about using cron expressions to schedule Dependabot updates in the dependabot.yml file, check out GitHub’s Dependabot schedule.interval docs.

To engage with the Dependabot community on the topic of cron-based update scheduling, join the conversation.

This is a follow-up to our previous announcement about npm replication APIs.

The new replication feed APIs are now live. While the legacy feeds will remain available—with limitations and scheduled brownout periods—until May 29, 2025, we strongly encourage all users to begin transitioning to the new APIs as soon as possible.

To access the updated feeds ahead of the deprecation, include the npm-replication-opt-in header with a value of true in your requests. This will route your traffic to the new APIs, bypassing the legacy feeds and avoiding any disruptions during brownout phases.

Please note that starting May 29, 2025, the legacy feeds will be fully deprecated. After this date, all requests to the replication feeds will automatically be served by the new APIs, regardless of header usage.

This change is part of our ongoing efforts to improve the performance and reliability of our services. We appreciate your understanding and cooperation during this transition.

Check out the migration guide and join the discussion in GitHub Community.