📌 Security Releases Bulletin – June 2025 Edition

[ghostinhershell]

👋 Hey Security Community!

Welcome to the June 2025 edition of the Code Security Release Bulletin! Each month we’ll provide a roundup of the latest security-focused updates, enhancements, and product releases across GitHub’s security ecosystem.

June brought a wave of security updates designed to solve longstanding pain points, empower teams to work safer and smarter, and reflect the feedback we’ve heard from you—our community. This isn’t just a list of fixes: it’s a set of tools and enhancements that help you do your best work, with confidence in your supply chain and application security.

Releases from this Month

Organization-Level Dependabot Access

You can now grant organization-wide access to Dependabot, making onboarding new repositories effortless.

Imagine onboarding a dozen new projects—Dependabot can now be enabled with a single setting, reducing manual steps and ensuring every repo is protected from day one.
Read more

---

Custom Roles for Secret Scanning Alert Dismissal

Delegate and review secret alert dismissals using custom roles—because security workflows should fit your team, not the other way around.

Thanks to your feedback, organizations can now empower the right people to review and approve secret scanning dismissals, distributing responsibility without sacrificing oversight.
Read more

---

Release Asset Digests for Supply Chain Trust

You can now verify the integrity of every release asset with exposed cryptographic digests.

Whether you’re deploying to production or sharing builds with a partner, quickly check that what you download is what was published—no more second-guessing supply chain authenticity.
Read more

---

Build-Free CodeQL for C/C++

Enable static analysis for C/C++ repositories at scale, without the build headaches.

Teams managing many C/C++ projects can roll out CodeQL scanning without wrestling with complex build setups, catching vulnerabilities faster and with less friction.
Read more

---

Enhanced CodeQL Metrics & Copilot Autofixes

See the impact of your security work with improved metrics and actionable insights.

Security leads can now track the effectiveness of CodeQL and Copilot autofixes—use these metrics to prioritize, measure, and celebrate remediation progress.
Read more

---

Private Registries for Go CodeQL Scans

Scan Go dependencies from private registries—your analysis is now as comprehensive as your codebase.

No more gaps: ensure that private Go modules are included in security scans, closing a common blind spot for modern teams.
Read more

---

Delegated Alert Dismissal for Secret Protection (GA)

Empower teams to act quickly on secret scanning alerts, while maintaining centralized visibility.

Large organizations can now delegate secret management, meaning teams can resolve issues directly and keep projects moving—without losing audit trails.
Read more

---

CodeQL: Broader Language Support

Swift 6.1.1 & 6.1.2 and improved Go coverage are now available for CodeQL scans.

Stay secure on the latest language versions—no need to pause for tool updates.
Read more
Read more

---

Mean Time to Remediate Metric for CodeQL PR Alerts

Understand and improve your team’s response times with actionable “mean time to remediate” metrics, now in the security dashboard.

Use this data to drive continuous improvement, set goals, and celebrate wins as your team closes vulnerabilities faster.
Read more

---

Dependency Graph Defaults to Off for New Public Repos

You have more control over your supply chain data—dependency graphs are now opt-in for new public repositories.

This change addresses privacy concerns raised by the community, giving you the power to decide when and how your dependencies are exposed.
Read more

---

Dependabot Compute Migration to GitHub Actions (Upcoming)

Dependabot’s compute is moving to GitHub Actions, paving the way for deeper integration and scalability.

Stay tuned for a smoother, more transparent Dependabot experience—no action required today, but expect improved performance soon.
Read more

---

Enforce Kubernetes Admission Policies with Artifact Attestations

Bring supply chain security into your Kubernetes clusters with OPA Gatekeeper integration.

Automate artifact verification and enforce policy compliance before workloads are admitted—a direct response to requests from platform engineers and security teams.
Read more

---

Dependabot Metrics Page (Private Preview)

Prioritize vulnerabilities more effectively with the new Dependabot metrics page (private preview for GHA security users).

Visualize and act on Dependabot’s findings at scale, helping you focus remediation efforts where they count most.
Read more

---

Dependabot Support for Gradle Lockfiles (GA)

Automate dependency updates for Java projects using Gradle lockfiles, now fully supported.

Less manual work, fewer surprises in your builds, and a more secure supply chain for JVM teams.
Read more

---

Secret Scanning REST API Improvements (GA)

New API fields give you more context and control when responding to leaked secrets.

Use first_location_detected and has_more_locations in your automation to streamline triage and incident response.
Read more

---

Configurable Secret Scanning Patterns for Push Protection (Public Preview)

Fine-tune which secrets are blocked on push, striking the right balance for your workflows.

Responding to requests for more flexibility, you can now decide which patterns are enforced, reducing false positives while protecting what matters most.
Read more

---

Closing Thoughts

Every update this month started with a user story—a challenge you shared, a bottleneck you flagged, or a new way you wanted to work. With each release, our goal is to build a safer, more empowering developer experience. As always, your feedback shapes what comes next. Thank you for being part of this journey.

What problem can we help you solve next? Let us know.

Join the Discussion!

We value your feedback! Join us here in the Code Security Community to discuss these releases, ask questions, and stay informed on the latest security updates. You can click on the release that interests you or comment down below!

Thanks for keeping up with GitHub Code Security! Stay secure and happy coding! 🚀🔐
🔗 github.com/security | 🔗 The Changelog | 🔗 The GitHub Blog - Security

[anggi135]

Thanks, saya sangat menunggu rilis terbaru ini.

[FckYrShit56]

R

[mirothedj]

I don't understand how so many tainted folders and files from the July 4th attack are still all over and passing as sha25y secured there are 8 million fake nodes that I know of alone

[marcostolosa]

Some really useful updates this month.

The release asset digests are a big win for supply chain trust, checking binaries during malware analysis gets a lot simpler when the digest is exposed up front. The build-free CodeQL for C/C++ also stands out; most orgs have legacy code that never gets scanned because builds are painful, so this should help close a real gap.

On the defensive side, the new MTTR metrics and better CodeQL insights are practical for tracking how fast teams actually respond. And bringing attestations into Kubernetes admission policies makes sense, it raises the bar for anyone trying to slip in tampered workloads.

Overall, these feel like changes that hit real pain points we see in the field.

[ghostinhershell]

Really appreciate the feedback, thanks for reading @marcostolosa!

[investmentplatform494-collab]

my lost WhatsApp account 3216862374