Security News

Microsoft says it's investigating claims that its GitHub account has been hacked, and while some say the leaked files appear to be legitimate, it's unlikely that they contain any sensitive information. Data breach monitoring and prevention service Under the Breach reported on Thursday that a hacker claimed to have obtained 500 GB of source code from Microsoft's private GitHub repositories.

GitHub has made available two new security features for open and private repositories: code scanning and secret scanning. The code scanning feature, available for set up in every GitHub repository, is powered by CodeQL, a semantic code analysis engine that GitHub has made available last year.

Deque Systems, a leading software company specializing in digital accessibility, introduced axe Linter, an automated GitHub-based app which checks source code for common accessibility issues, automatically finding and suggesting fixes. Developers can supplement existing accessibility testing efforts by using axe Linter to catch accessibility problems early in the development process, significantly reducing future testing and remediation efforts.

The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects. The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.

GitHub on Wednesday announced two new security features designed to help developers identify vulnerabilities and potential secrets in their code. These new security features, code scanning and secret scanning, are currently in beta.

GitHub has released technical information on six vulnerabilities identified by one of its security researchers in the WebAudio component of Chrome. The researcher started looking for Chrome vulnerabilities while he was working for Semmle, which GitHub acquired last year for its code analysis platform.

GitHub has warned users that they may be targeted in a fairly sophisticated phishing campaign that the company has dubbed "Sawfish." GitHub has pointed out that this phishing campaign has several noteworthy aspects.

GitHub users beware: online criminals have launched a phishing campaign to try and gain access to your accounts. They could create a GitHub personal access token, which allows the user to access their GitHub account using the Security Assertion Markup Language.

GitHub this week announced that it has paid out over $1 million in rewards to the security researchers participating in its bug bounty program on HackerOne. The security bug bounty program was launched on the hacker-powered platform in 2016, but GitHub has been accepting vulnerability reports since February 2014.

On Wednesday, AMD confirmed intellectual property related to its graphics processors was stolen last year, though insisted the leaked files will not damage its business nor compromise product security. Two days ago, AMD issued two Digital Millennium Copyright Act takedown notices to GitHub, directing the Microsoft-owned code storage biz to remove five repositories - an original repo and four copies - that contained confidential internal hardware source code for its Navi family of GPUs.