Browse Security News (216)

cindywang explains how GitHub Copilot agents can modernize legacy Java and .NET code inside Docker Sandbox microVMs, keeping host filesystem paths consistent while avoiding risky Docker socket mounts and tightening egress controls during dependency upgrades.

Allison announces `gh skill`, a new GitHub CLI command for discovering, installing, updating, and publishing portable “agent skills” for AI coding agents (including GitHub Copilot), with a focus on version pinning and supply-chain integrity.

Aviram Shemesh and Jennifer Rutzer explain how to build a cryptographic inventory and run an ongoing cryptographic posture management lifecycle, using Microsoft Security tooling (like Defender and GitHub Advanced Security), Azure services (like Key Vault and Network Watcher), and partner CPM solutions to improve quantum-safe readiness.

Allison announces new GitHub improvements: a rule insights dashboard to visualize repository ruleset evaluations (successes, failures, bypasses) and a unified filter bar across alert dismissal and bypass request pages for code scanning, Dependabot, and secret scanning.

Microsoft Threat Intelligence and the Microsoft Defender Security Research Team break down a Sapphire Sleet macOS intrusion chain that relies on social engineering and user-initiated AppleScript execution, and provide Defender detections, KQL hunting queries, and IOCs to help security teams spot and stop similar activity.

Allison outlines what changed in CodeQL 2.25.2 for GitHub code scanning, including Kotlin 2.3.20 support, multiple query accuracy tweaks (notably for C#), and updated security-severity scores for issues like XSS and log injection across several languages.

Phillip Misner and Stephen Finnigan explain how incident response changes for AI systems: non-determinism and high-volume output shift triage, containment, telemetry needs, and remediation verification, while many IR fundamentals (ownership, escalation, and communication) still apply.

Laura Jiang announces two Azure DevOps Advanced Security updates: CodeQL default setup to enable org-wide code scanning without per-repo pipeline configuration, and a combined alerts experience (with security campaigns) to triage and coordinate remediation across all repositories.

David Sanchez lays out a practical DevOps playbook for teams adopting AI coding agents (including GitHub Copilot Cloud Agent), focusing on readiness prerequisites, human–agent collaboration patterns, pipeline changes, governance, and security controls needed to keep quality and accountability intact as non-human contributors scale up.

Allison announces that Dependabot and code scanning can now use OpenID Connect (OIDC) for organization-level access to private registries, reducing reliance on long-lived secrets and enabling short-lived, dynamically issued credentials.

Allison announces new GitHub features that surface deployment and runtime context in repository properties and security alert pages, helping teams automate policy enforcement and prioritize Dependabot and code scanning alerts based on real production risk.

Rahul Bhandari (MSFT) and Tara Overfield summarize the April 2026 .NET and .NET Framework servicing releases, including the updated versions, links to release notes and installers, and the list of security CVEs addressed across supported .NET and .NET Framework versions.

Gloridel Morales announces April patches for Azure DevOps Server, summarizing key fixes (pull request completion reliability, safer sign-out redirect validation, and GitHub Enterprise Server PAT connection) and showing how to verify the patch is installed.

Allison announces a public preview feature that lets teams link GitHub code scanning alerts to GitHub Issues, making it easier to track and prioritize security remediation work in existing planning workflows.

Joseph Katsioloudes introduces Season 4 of GitHub’s Secure Code Game, a hands-on set of challenges where you exploit and fix vulnerabilities in an agentic AI assistant (ProdBot) to learn real-world AI-agent security risks like prompt-based tool misuse, memory poisoning, and sandbox escape.

Allison announces an update that lets GitHub organizations configure multiple private registries per package ecosystem for Dependabot and code scanning, including org-level OIDC authentication support via the UI and REST API.

Allison summarizes GitHub Secret Scanning updates that expand push protection defaults, improve enterprise fork coverage, and add new API capabilities for alert validity, provider filtering, scan history, and enterprise-wide dismissal request reporting.

Allison explains how GitHub’s SBOM export flow moved to an asynchronous model in the Dependency Graph UI and REST API, removing hard timeouts and adding a generate/fetch pattern for reliably downloading SBOM reports from large repositories.

Dorothy Pearce introduces GitHub’s free Code Security Risk Assessment, a one-click scan that uses CodeQL to surface vulnerabilities across up to 20 active repositories, and explains how the results help teams prioritize remediation (including where Copilot Autofix may apply).

Allison announces updates to GitHub Code Quality standard findings (public preview), including faster triage features like file-path search, bulk dismiss/reopen, and richer per-finding context, with fix suggestions generated by GitHub Copilot Autofix.