compliance

Subscribe to all “compliance” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Push Rules are now generally available, and updates to custom properties

You can now restrict pushes into your private and internal repositories and their forks, with push rules – a new type of ruleset. Push rules enable you to limit updates to sensitive files like actions workflows, and help to enforce code hygiene by keeping unwanted objects out of your repositories.

In addition, organization owners can now allow repository property values to be set when repositories are created. This ensures appropriate rules are enforced from the moment of creation and improves discoverability of new repositories.

Push Rules

Organization and repository owners can now configure rules that govern what changes can be pushed to their repository, by attributes of the files changed – including their paths, extensions and sizes.

Screenshot showing the list of new push rules with options configured

Available push rules

  • Restrict file paths
    • This rule allows you to define files or file paths that cannot be pushed to. An example of when you might use this is if you wanted to limit changes to your Actions workflows in .github/workflows/**/*
  • Restrict file path length
    • You can limit the path length of folder and file names.
  • Restrict file extensions
    • You can keep binaries out of your repositories using this rule. By adding a list of extensions, you can exclude exe jar and more from entering the repository.
  • Restrict file size
    • Limit the size of files allowed to be pushed. Note: current GitHub limits are still enforced.

Push rules are available on GitHub Team plans for private repositories, and coverage extends to not just the repository, but also all forks of that repository. Additionally, GitHub Enterprise Cloud customers can set push rules on internal repositories and across organizations with custom repository properties. You can also access rule insights to see how push rules are applied across your repositories.

Additional details

  • Delegated bypass for push rules, currently in beta, allows your development teams to stay compliant with internal policies and keep a clean git history. Developers can easily request exceptions to push rules, that are reviewed and audited all within GitHub.
  • To ensure best performance push rules are designed to handle up to 1000 reference updates for branches and tags per push.

For more information, see the Push Rule documentation and to get started you can visit the ruleset-recipes repository to import an example push ruleset.

Custom properties

Organization owners can now allow their users to set custom properties during repository creation. Previously, this was only available to repository administrators or those with permissions to edit custom repository properties. By selecting Allow repository actors to set this property for your custom property, you can ensure repositories have properties attached from the start.

Screenshot of new repo being set up with a custom repository property

We want to hear from you

Questions or suggestions? Join the conversation in the community discussion.

See more

GitHub Copilot Compliance: SOC 2, Type 1 Report and ISO/IEC 27001:2013 Certification Scope

We are excited to announce that compliance reports are now available for GitHub Copilot Business and Copilot Enterprise. Specifically, GitHub has published a SOC 2 Type I report for Copilot Business (including code completion in the IDE, and chat in the IDE, CLI, and Mobile). This Type 1 report demonstrates that Copilot Business has the controls in place necessary to protect the security of the service. We will include Copilot Business and Copilot Enterprise in our next SOC 2 Type 2 report coming in late 2024, covering April 1 to September 30, 2024.

Additionally, Copilot Business and Copilot Enterprise are now included in the scope of GitHub’s Information Security Management System, as reflected in our ISO 27001 certificate updated on May 9, 2024. This certification demonstrates that Copilot Business and Copilot Enterprise are developed and operated using the same security processes and standards as the rest of GitHub’s products.

Together, these reports reflect GitHub’s commitment to demonstrate our high bar for security and compliance to our customers. To learn more, please review our documentation on how to access compliance reports and certifications for your enterprise or for your organization.

See more

New and Updated ISO and CSA STAR Certifications Are Now Available

The 2023 updates to our ISO/IEC 27001:2013 certificate can be downloaded now. In addition, we have completed the processes for ISO/IEC 27701:2019 (PII Processor), ISO/IEC 27018:2019, and CSA STAR certifications. Those certificates can also be downloaded now.

  • For enterprises, administrators may download this report by navigating to the Compliance tab of the enterprise account: https://github.com/enterprises/"your-enterprise"/settings/compliance.
  • For organizations, owners may find these reports under Security > Compliance settings tab of their organization: https://github.com/organizations/"your-org"/settings/compliance.

For detailed guidance on accessing these reports, read our compliance documentation for organizations and enterprises.

Check out the GitHub blog for more information.

See more

ISO/IEC 27001:2013 Certification Now Available

Our newly available ISO/IEC 27001:2013 Certification report can be downloaded now.

  • For enterprises, administrators may download this report by navigating to the Compliance tab of the enterprise account: https://github.com/enterprises/"your-enterprise"/settings/compliance.
  • For organizations, owners may find these reports under 'Security' > Authentication Security settings tab of their organization: https://github.com/organizations/"your-org"/settings/security.
  • For everyone else, you may download this report at any time by navigating to the GitHub security page, https://github.com/security.

To learn more about this new report, check out our blog post.

See more