GitHub adds donation button, token scanning, and Enterprise tools

GitHub, the code hosting platform Microsoft acquired for $7.5 billion in stock last year, today at its Satellite conference in Berlin unveiled improvements it says are intended to make software development on GitHub “more interconnected” and “more inclusive.” Perhaps the highlight is GitHub Sponsors, an integration that enables users to donate to open source projects and project contributors with the click of a button. It’s complemented by security features including enhanced vulnerability alerts, dependency monitoring, and token scanning, along with enhancements to GitHub Enterprise.

GitHub first shared a few metrics. GitHub has 36 million users across nearly 200 countries (a quarter of whom signed up in the past year), and those users are adding roughly three million new repositories every month. In fact, there are 48% more repositories this year compared with the same time last year, and 41% more organizations signed up for GitHub this year compared with May 2018. On the subject of organizations, GitHub says that adoption of its enterprise products has increased by a factor of two, and that 50% of the Fortune Global 100, 60% of the Fortune Global 10, and 62% of the Fortune US 50 now use GitHub Enterprise.

GitHub Sponsors

Sponsors, which debuts in beta today, manifests on the frontend as a Sponsor button at the top of repositories containing a .github/FUNDING.yml file in the master branch. Clicking the Sponsor button opens a natively rendered view showcasing the profiles of project developers and maintainers, and optionally a list of funding platforms like Open Collective, Tidelift, Ko-fi, and Patreon and custom links to alternative funding models.

Alternatively, when a developer answers a question, triages an issue, or merges code on GitHub, users can head to their profile or hover over their username to sponsor their work, or navigate to the new Community Contributors hovercard and fund contributors to projects’ transitive dependencies from there.

Sponsors will be fee-free for the first 12 months and available to any open source project contributors of code, documentation, leadership, mentorship, or design around the world. It’s launching concurrently with the Sponsors Matching Fund (in beta), a program that’ll see GitHub meet sponsorship donations dollar-for-dollar up to $5,000 during a developer’s first year in Sponsors.

GitHub says it’ll begin to charge payment processing fees a year after Sponsors’ general availability, but also pledges never to take a cut of donations. Furthermore, the company says that it’s convened an advisory panel comprised of “leaders from a range of open source projects” to explore operational challenges faced by open source teams.

“The world runs on open source,” wrote GitHub product manager Devon Zuegel in a blog post. “None of it would be possible without the global team of maintainers, designers, programmers, researchers, teachers, writers, leaders — and more — who devote themselves to pushing technology forward. These extraordinary developers can now receive funding from the community that depends on their work, seamlessly through their GitHub profiles.”

Security

On the security front, GitHub today shared that it’s issued nearly 27 million security vulnerability alerts in the past year and helped to remediate more than 3.5 million vulnerabilities. Moreover, the company says that it’s discovered and flagged more than 28 million tokens in public repositories since September 2018.

To support those and other ongoing efforts, GitHub revealed that it has acquired Dependabot for an undisclosed amount. Dependabot is a third-party tool that automatically opens pull requests to update dependencies in popular programming languages including Ruby, Python, JavaScript, and Java. The company says it’ll roll out the rest of Dependabot’s monitoring features, which deliver security alerts for dependencies to maintainers, in beta over the coming months.

GitHub also made dependency insights, a dashboard of auditing and reporting tools that enables developers to drill in on vulnerabilities and open source licenses, generally available to the hundreds of thousands of businesses and organizations which subscribe to GitHub Enterprise Cloud. In related news, security notifications that flag exploits and bugs in dependencies are now broadly available in GitHub Enterprise Server, and GitHub says it partnered with open source security and license compliance management platform WhiteSource to “broaden” and “deepen” its coverage of and remediation suggestions for potential vulnerabilities in .NET, Java, JavaScript, Python, and Ruby dependencies.

Additionally, GitHub revealed that maintainer security advisories and security policies are now available in beta. Maintainer security advisories give developers a private place within GitHub to discuss a vulnerability and draft an advisory, then publish it to selected users, without leaking details before a fix is ready. A new security policy, surfaced in repository and issue flows, guides users through the process of reporting security vulnerabilities, and organizations can create an organization-wide security policy that automatically applies to every repository within the organization.

And lastly, GitHub says it has partnered with cloud service and API providers to deploy token scanning, which identifies tokens and cryptographic secrets committed to public repositories so that they can be revoked before attackers abuse them. Token scanning is enabled on all public repositories and detects tokens from Alibaba Cloud, Amazon Web Services, Microsoft Azure, Google Cloud, Mailgun, Slack, Stripe, and Twilio.
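How a scanner of this kind works, as an added example that is not part of the article and not GitHub’s code: each provider’s tokens have a fixed prefix and a known length and alphabet, so a scanner can match them with low false-positive rates and report a redacted hit. The patterns below are the publicly documented token formats as I know them and are an assumption for this example (GitHub’s production scanner uses patterns supplied by the providers and confirms hits with them before revocation); the sample file is constructed.

```python
"""Token scanner of the kind described above (added example, not GitHub's code).

Scans text line by line for provider-specific secret formats and reports each
hit with a redacted value. PATTERNS holds the publicly documented token
prefixes and lengths as I know them and is an assumption for this example.
"""
import re
import sys
from dataclasses import dataclass

# A fixed prefix plus a known length and alphabet keeps false positives low,
# which matters because every hit here ends in a credential being revoked.
PATTERNS = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Google Cloud API key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "Slack token": re.compile(r"\bxox[abprs]-[0-9A-Za-z\-]{10,}\b"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "Twilio API key SID": re.compile(r"\bSK[0-9a-fA-F]{32}\b"),
    "Mailgun API key": re.compile(r"\bkey-[0-9A-Za-z]{32}\b"),
}


@dataclass(frozen=True)
class Finding:
    provider: str
    line_no: int      # 1-based line in the scanned text
    redacted: str     # prefix only; never log the full secret


def redact(secret: str, keep: int = 8) -> str:
    """Keep enough of the prefix to identify the provider, drop the rest."""
    return secret[:keep] + "..."


def scan_text(text: str) -> list[Finding]:
    """Return every provider-pattern hit in `text`, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(provider, line_no, redact(match.group(0))))
    return findings


# Constructed sample input: a .env file accidentally committed to a public repo.
# The AWS value is the placeholder key from AWS's own documentation; the Stripe
# test key, the git SHA and the short "AKIA" string must not be flagged.
SAMPLE_FILE = """\
# service configuration
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SLACK_BOT_TOKEN=xoxb-123456789012-abcdefghijklmnop
STRIPE_KEY=sk_test_000000000000000000000000
GIT_SHA=1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e
NOT_A_KEY=AKIA_TOO_SHORT
"""

if __name__ == "__main__":
    # Usable as a pre-commit hook: a non-zero exit blocks the commit.
    text = SAMPLE_FILE if len(sys.argv) < 2 else open(sys.argv[1]).read()
    hits = scan_text(text)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.provider}: {hit.redacted}")
    sys.exit(1 if hits else 0)
```

Run without arguments to scan the constructed sample (two hits: the AWS key on line 2 and the Slack token on line 3), or pass a file path to use it as a local pre-commit check. Pattern matching is only the first half of what the article describes: a real deployment hands each hit to the provider to confirm and revoke, because a regex cannot tell a live key from an expired or example one.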

GitHub Enterprise Cloud

GitHub took the opportunity this morning to provide an update on GitHub Enterprise. Now, fine-grained permissions, which let admins grant access and editing privileges to individual users, repositories, and organizations, are generally available. They join a new enterprise account type, which GitHub says lets Enterprise customers manage users, policy, and billing “more cohesively.”

Also in tow with the GitHub Enterprise refresh are two new user roles — Triage and Maintain — and team synchronization (in beta), which enables maintainers to add groups from an identity provider to a team within GitHub and automatically keep membership in sync. Meanwhile, the new audit log API (also in beta) lets GitHub Enterprise Cloud admins access audit log events using GitHub’s GraphQL API.
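One way an Enterprise Cloud admin could consume the audit log API, as an added example that is not part of the article and not GitHub’s code: page through an organization’s audit log over GraphQL and flag entries whose action is on a security watch-list. The query follows GitHub’s GraphQL schema as I know it (`Organization.auditLog` returning `AuditEntry` nodes) and should be checked against the live schema; the watch-list action names, the fake transport and its two pages of entries are constructed for this example, and a real call needs a token with the `read:audit_log` scope.

```python
"""Audit log pull over GraphQL (added example, not GitHub's code).

Pages through an organization's audit log and flags watch-listed actions.
The query shape is an assumption based on GitHub's GraphQL schema as I know
it; the watch-list names and the fake transport's pages are constructed.
"""
import json
from typing import Callable

AUDIT_LOG_QUERY = """
query($org: String!, $after: String) {
  organization(login: $org) {
    auditLog(first: 100, after: $after,
             orderBy: {field: CREATED_AT, direction: DESC}) {
      pageInfo { hasNextPage endCursor }
      nodes { ... on AuditEntry { action actorLogin createdAt userLogin } }
    }
  }
}
"""

# Actions worth paging on rather than reading in a weekly report
# (assumed names, modelled on the audit log's "area.action" convention).
WATCHLIST = {
    "org.disable_two_factor_requirement",
    "org.remove_member",
    "repo.destroy",
    "repo.access",
}

Transport = Callable[[str, dict], dict]


def fetch_audit_log(org: str, transport: Transport) -> list[dict]:
    """Follow the cursor until hasNextPage is false; return all entries."""
    entries, after = [], None
    while True:
        data = transport(AUDIT_LOG_QUERY, {"org": org, "after": after})
        page = data["data"]["organization"]["auditLog"]
        entries.extend(page["nodes"])
        if not page["pageInfo"]["hasNextPage"]:
            return entries
        after = page["pageInfo"]["endCursor"]


def triage(entries: list[dict]) -> list[dict]:
    """Return watch-listed entries, oldest first, so they read as a timeline."""
    flagged = [e for e in entries if e["action"] in WATCHLIST]
    return sorted(flagged, key=lambda e: e["createdAt"])


def github_transport(token: str) -> Transport:
    """Real transport against api.github.com (not exercised offline)."""
    import urllib.request

    def send(query: str, variables: dict) -> dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(
            "https://api.github.com/graphql", data=body,
            headers={"Authorization": f"bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


# Constructed fake transport: two pages of entries standing in for the API.
_PAGES = [
    {"data": {"organization": {"auditLog": {
        "pageInfo": {"hasNextPage": True, "endCursor": "c1"},
        "nodes": [
            {"action": "repo.create", "actorLogin": "dev1",
             "createdAt": "2019-05-23T10:05:00Z", "userLogin": None},
            {"action": "org.remove_member", "actorLogin": "admin1",
             "createdAt": "2019-05-23T10:02:00Z", "userLogin": "contractor7"},
        ]}}}},
    {"data": {"organization": {"auditLog": {
        "pageInfo": {"hasNextPage": False, "endCursor": None},
        "nodes": [
            {"action": "org.disable_two_factor_requirement", "actorLogin": "admin1",
             "createdAt": "2019-05-23T09:58:00Z", "userLogin": None},
        ]}}}},
]


def fake_transport(query: str, variables: dict) -> dict:
    """Serve page 1 on the first call and page 2 once a cursor is supplied."""
    return _PAGES[0] if variables["after"] is None else _PAGES[1]


if __name__ == "__main__":
    for entry in triage(fetch_audit_log("example-org", fake_transport)):
        print(entry["createdAt"], entry["actorLogin"], entry["action"], entry["userLogin"])
```

Swapping `fake_transport` for `github_transport(token)` runs the same loop against the live API. Sorting the flagged entries oldest-first is deliberate: in the constructed data the two-factor requirement is switched off minutes before a member is removed, and that sequence is only visible when the entries are read as a timeline rather than in the API’s newest-first order.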

Two new additional Enterprise features launch in beta today: Internal repos and organization insights. The former allows Enterprises to keep internal code accessible to employees while restricting access to outside collaborators (like contractors), while organization insights seeks to help customers understand how their organization is collaborating on GitHub with activity metrics and analytics.

Lastly, GitHub Enterprise users can now draft pull requests and set statuses (e.g., “out of the office”) on their profiles.
