
GitHub adds donation button, token scanning, and enterprise tools

GitHub CEO Nat Friedman. Image Credit: GitHub

At its Satellite conference in Berlin today, GitHub — the code hosting platform Microsoft acquired for $7.5 billion in stock last year — unveiled improvements it says are intended to make software development on GitHub “more interconnected” and “more inclusive.” Perhaps the highlight is GitHub Sponsors, an integration that enables users to donate to open source projects and project contributors with the click of a button. It’s complemented by security features that include enhanced vulnerability alerts, dependency monitoring, and token scanning, along with enhancements to GitHub Enterprise.

First, GitHub shared a few metrics. It has 36 million users across nearly 200 countries (a quarter of whom signed up in the past year), and those users are adding roughly 3 million new repositories every month. In fact, there are 48% more repositories this year compared with the same time last year, and 41% more organizations signed up for GitHub this year compared with May 2018. On the subject of organizations, GitHub says that adoption of its enterprise products has increased by a factor of two and that 50% of the Fortune Global 100, 60% of the Fortune Global 10, and 62% of the Fortune US 50 now use GitHub Enterprise.

GitHub Sponsors

Sponsors, which debuts in beta today, manifests on the frontend as a Sponsor button at the top of repositories containing a .github/FUNDING.yml file in the master branch. Clicking the Sponsor button opens a natively rendered view showcasing the profiles of project developers and maintainers — and optionally a list of funding platforms, like Open Collective, Tidelift, Ko-fi, and Patreon, and custom links to alternative funding models.

Alternatively, when a developer answers a question, triages an issue, or merges code on GitHub, users can head to that developer’s profile or hover over their username to sponsor their work or navigate to the new Community Contributors hovercard and fund project contributors’ transitive dependencies from there.

Sponsors will be fee-free for the first 12 months and available to any open source project contributors of code, documentation, leadership, mentorship, or design around the world. It’s launching concurrently with the Sponsors Matching Fund (in beta), a program that will see GitHub meet sponsorship donations dollar for dollar up to $5,000 during a developer’s first year in Sponsors.

GitHub says it will begin to charge payment processing fees a year after Sponsors’ general availability, but it also pledges to never take a cut of donations. Furthermore, the company says it has convened an advisory panel comprised of “leaders from a range of open source projects” to explore operational challenges faced by open source teams.

“The world runs on open source,” wrote GitHub product manager Devon Zuegel in a blog post. “None of it would be possible without the global team of maintainers, designers, programmers, researchers, teachers, writers, leaders — and more — who devote themselves to pushing technology forward. These extraordinary developers can now receive funding from the community that depends on their work, seamlessly through their GitHub profiles.”

Security

On the security front, GitHub today shared that it has issued nearly 27 million security vulnerability alerts in the past year and helped to remediate more than 3.5 million vulnerabilities. Moreover, the company says it has discovered and flagged more than 28 million tokens in public repositories since September 2018.

To support these and other ongoing efforts, GitHub revealed that it has acquired, for an undisclosed amount, Dependabot, a third-party tool that automatically opens pull requests to update dependencies in popular programming languages, like Ruby, Python, JavaScript, and Java. Additionally, the company says that over the coming months it will roll out in beta the rest of Dependabot’s monitoring features, which deliver security alerts for dependencies to maintainers.

GitHub also made dependency insights, a dashboard of auditing and reporting tools that enables developers to drill in on vulnerabilities and open source licenses, generally available to the hundreds of thousands of businesses and organizations that subscribe to GitHub Enterprise Cloud. In related news, security notifications that flag exploits and bugs in dependencies are now broadly available in GitHub Enterprise Server, and GitHub says it partnered with open source security and license compliance management platform WhiteSource to “broaden” and “deepen” its coverage of and remediation suggestions for potential vulnerabilities in .NET, Java, JavaScript, Python, and Ruby dependencies.

Additionally, GitHub revealed that maintainer security advisories and security policy, which offer a private place for developers to discuss and publish security advisories to select users within GitHub without risking an information breach, are now available in beta. A new security policy in repository and issue flows enables project maintainers to guide users through the process of reporting security vulnerabilities, and organizations can create security policies that automatically apply to every repository within the organization.

Lastly, GitHub says it has partnered with cloud services and APIs to deploy token scanning, which identifies tokens and cryptographic secrets so they can be revoked before malicious hackers abuse them. Token scanning is enabled on all public repositories and detects tokens from Alibaba Cloud, Amazon Web Services, Microsoft Azure, Google Cloud, Mailgun, Slack, Stripe, and Twilio.
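To illustrate the kind of check token scanning performs on committed content, here is a small added example (not GitHub’s scanner, and not its detection rules): it runs simplified, assumed patterns for two of the providers named above over constructed sample lines, and reports each hit with the value masked so that the finding itself never leaks the secret.

```python
import re
from typing import List, NamedTuple

# Simplified patterns for two provider token formats. These are illustrative
# assumptions for this example, not GitHub's own detection rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}


class Finding(NamedTuple):
    line_no: int
    kind: str
    masked: str  # prefix plus asterisks; the full value is never stored


def mask(secret: str) -> str:
    """Keep a short prefix only, so alerts and logs never carry the secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per token-like match, in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(n, kind, mask(m.group(0))))
    return findings


# Constructed sample input resembling a config file committed by mistake.
# The AWS value is the documented example key ID, not a live credential.
SAMPLE = [
    "db_host = localhost",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "slack_bot_token = xoxb-123456789012-abcdefghijkl",
    "# TODO: move secrets to the deployment environment",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.masked} -> revoke and rotate")
```

A hit is only useful if it triggers revocation and rotation of the credential; deleting the line from the repository does not remove it from history.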

GitHub Enterprise Cloud

GitHub took the opportunity this morning to provide an update on GitHub Enterprise. Fine-grained permissions, which let admins grant access and editing privileges to individual users, repositories, and organizations, are now generally available. They join a new enterprise account type, which GitHub says lets Enterprise customers manage users, policy, and billing “more cohesively.”

Also in tow with the GitHub Enterprise refresh are two new user roles — Triage and Maintain — and team synchronization (in beta), which enables maintainers to add groups from an identity provider to a team within GitHub and automatically keep membership in sync. Meanwhile, the new audit log API (also in beta) lets GitHub Enterprise Cloud admins access audit log events using GitHub’s GraphQL API.

Two additional Enterprise features launch in beta today: internal repos and organization insights. Internal repos allow enterprises to keep internal code accessible to employees while restricting access to outside collaborators (like contractors), and organization insights uses activity metrics and analytics to help customers understand how their organization is collaborating on GitHub.

Lastly, GitHub Enterprise users can now draft pull requests and set statuses (e.g., “out of the office”) on their profiles.