GitHub Engineering

Why it matters: This bridges security gaps in infrastructure-as-code and scripts that traditional static analysis misses. By integrating AI-driven detections and automated fixes into the PR workflow, engineers can resolve vulnerabilities faster and maintain high security standards without leaving their tools.

GitHub is introducing AI-powered security detections to complement CodeQL's deep semantic static analysis.
The new system expands security coverage to ecosystems like Shell/Bash, Dockerfiles, Terraform (HCL), and PHP.
Detections are integrated directly into the pull request workflow, surfacing risks like SQL injection and insecure crypto early.
Copilot Autofix provides review-ready remediation suggestions, reducing average resolution time from 1.29 hours to 0.66 hours.
Internal testing across 170,000 findings resulted in over 80% positive developer feedback.
The hybrid detection model is part of GitHub's agentic platform, aiming to evolve toward deeper AI-augmented analysis.

#security #mlp #sre

Read original

GitHub EngineeringMar 19, 2026

Rethinking open source mentorship in the AI era

Why it matters: AI is flooding open source with plausible but often shallow contributions. Engineers must adapt mentorship and review strategies using frameworks like the 3 Cs to prevent maintainer burnout and ensure the long-term sustainability of the software ecosystem.

AI-generated pull requests have significantly lowered the cost of code creation while increasing the review and debugging burden on maintainers.
Traditional signals of contributor quality, such as code cleanliness and turnaround time, are no longer reliable indicators of project understanding.
The '3 Cs' framework (Comprehension, Context, Continuity) provides a strategic lens for maintainers to filter and prioritize mentorship efforts.
Projects are adopting new policies like requiring approved issues before PR submissions and mandatory AI-usage disclosures to manage contribution volume.
The emergence of AGENTS.md allows maintainers to provide machine-readable instructions specifically for AI coding agents and LLMs.
Strategic mentorship remains the primary 'multiplier effect' for scaling open source communities and preventing maintainer burnout.

#culture #mlp

Read original

GitHub EngineeringMar 19, 2026

How Squad runs coordinated AI agents inside your repository

Why it matters: Squad simplifies multi-agent AI development by moving orchestration into the repository. By using versioned markdown for memory and independent specialist agents, it provides a transparent, scalable way to automate complex coding tasks without heavy external infrastructure.

Squad is an open-source CLI tool that initializes a preconfigured AI agent team (lead, frontend, backend, and tester) directly within a project repository.
It utilizes a 'drop-box' pattern for shared memory, where architectural decisions and project history are stored in versioned markdown files for persistence and legibility.
The system employs repository-native orchestration, using a thin coordinator to route tasks to specialists that run in parallel with independent context windows.
An internal review protocol ensures code quality by having a separate tester agent validate implementations, preventing the original author agent from reviewing its own work.
Agent identities and memories are defined by plain-text 'charters' and 'history' files stored in the .squad/ directory, making the AI's context portable and versionable.

#mlp #dist

Read original

GitHub EngineeringMar 17, 2026

 Investing in the people shaping open source and securing the future together

Why it matters: Open source maintainers face increasing burnout from automated security reports and AI-driven exploits. This investment provides the funding, AI tools, and reporting infrastructure needed to secure the global software supply chain without overwhelming the people who build it.

GitHub joins a $12.5M industry commitment to the Linux Foundation’s Alpha-Omega initiative to integrate AI into open source security workflows.
The Secure Open Source Fund is expanding with $5.5M in Azure credits and new partnerships to provide maintainers with training and expertise.
Enhancements to Private Vulnerability Reporting (PVR) aim to reduce maintainer burnout by filtering low-quality security reports.
Eligible maintainers get free access to GitHub Copilot Pro and advanced security tools like automated code scanning and secret protection.
GitHub is open-sourcing its AI-powered security research framework to empower maintainers against increasingly sophisticated AI-driven exploits.

#security #culture

Read original

GitHub EngineeringMar 16, 2026

GitHub for Beginners: Getting started with GitHub Actions

Why it matters: GitHub Actions enables engineers to automate development workflows directly within their repositories. Understanding these fundamentals allows teams to implement CI/CD, improve code quality through automated testing, and reduce manual overhead for project management tasks.

GitHub Actions is a built-in CI/CD and automation platform that uses YAML files to automate repetitive tasks and deployment processes.
Workflows are triggered by specific GitHub events such as code pushes, pull requests, or issue creation.
A workflow consists of one or more jobs that execute on a runner, which can be a GitHub-hosted or self-hosted virtual machine.
Each job contains a series of steps, which are either shell commands or prebuilt actions from the GitHub Marketplace.
Workflow files are stored in the .github/workflows directory and require specific permissions to interact with repository resources.

#sre #culture

Read original

GitHub EngineeringMar 12, 2026

Continuous AI for accessibility: How GitHub transforms feedback into inclusion

Why it matters: This demonstrates how to use AI and automation to solve 'tragedy of the commons' issues like accessibility that cross team boundaries. It provides a blueprint for building agentic workflows that enhance human productivity and ensure critical user feedback is never lost in the backlog.

GitHub implemented an event-driven workflow using GitHub Actions and Copilot to centralize and automate accessibility feedback management.
The system uses LLMs via the GitHub Models API to analyze raw feedback, map it to WCAG standards, and assign severity scores automatically.
A human-in-the-loop approach ensures AI-generated summaries and technical details are verified before being routed to specific engineering teams.
By treating feedback as a data pipeline, the system identifies cross-cutting issues that lack clear ownership, improving overall platform inclusion.
The workflow automates repetitive tasks like technical documentation and team routing, allowing engineers to focus on implementing fixes.
The architecture supports continuous improvement by feeding human corrections back into AI prompts to refine future analysis accuracy.

#mlp #frontend #culture

Read original

GitHub EngineeringMar 12, 2026

GitHub availability report: February 2026

Why it matters: This report highlights how complex dependencies—like telemetry, caching, and security policies—can trigger cascading failures. It provides valuable lessons on the importance of robust monitoring, automated rollbacks, and the need for resilient proxy layers in large-scale distributed systems.

GitHub experienced six major incidents in February 2026, impacting Actions, Codespaces, Dependabot, and Git operations.
A significant outage was caused by telemetry loss that triggered incorrect security policies, blocking access to critical VM metadata.
Cache write amplification and simultaneous rewrites led to cascading failures and connection exhaustion in the Git HTTPS proxy.
Database failovers to read-only instances and authorization claim changes in networking dependencies caused service degradations.
Incorrect network configurations in the LFS service resulted in repository archive download errors for objects using Git LFS.
GitHub is implementing improved monitoring, automated rollbacks, and self-throttling mechanisms to increase system resilience.

#sre #dist #security

Read original

GitHub EngineeringMar 11, 2026

Addressing GitHub’s recent availability issues

Why it matters: This post highlights how rapid scaling and architectural coupling can turn localized issues into platform-wide outages. It provides lessons on managing cache TTLs, the risks of latent configuration errors in failover systems, and the necessity of robust load-shedding mechanisms.

Rapid usage growth and architectural coupling caused localized issues to cascade across GitHub's critical services.
A 10x increase in API traffic from client apps combined with a cache TTL reduction overwhelmed core authentication database clusters.
A telemetry gap triggered security policies that blocked VM metadata access, leading to a global GitHub Actions outage.
Latent configuration issues in Redis failover mechanisms left clusters without writable primaries, requiring manual mitigation.
GitHub is redesigning its user cache system and segmenting database clusters to accommodate significantly higher traffic volumes.
Engineering teams are prioritizing the isolation of critical dependencies to prevent shared infrastructure failures from impacting Git and Actions.

#sre #dist

Read original

GitHub EngineeringMar 10, 2026

The era of “AI as text” is over. Execution is the new interface.

Why it matters: This shift transforms AI from a chat interface into programmable infrastructure. By embedding execution engines into apps, developers can build resilient, context-aware systems that handle complex multi-step tasks without brittle, hard-coded logic or custom orchestration layers.

The GitHub Copilot SDK enables developers to embed agentic execution and planning directly into their own applications.
Shift from hard-coded scripts to intent-based delegation where agents plan, modify files, and recover from errors autonomously.
Integration with the Model Context Protocol (MCP) allows agents to access structured runtime data like API schemas and dependency graphs.
AI capabilities are moving beyond the IDE into background services, desktop apps, and event-driven systems.
The SDK provides a production-tested orchestration layer, reducing the need for teams to build homegrown AI stacks from scratch.

#mlp #dist

Read original

GitHub EngineeringMar 9, 2026

Under the hood: Security architecture of GitHub Agentic Workflows

Why it matters: As AI agents integrate into CI/CD, they introduce risks like prompt injection and credential theft. This architecture provides a blueprint for running non-deterministic agents safely within trusted environments by enforcing strict isolation, secret redaction, and governed execution.

GitHub Agentic Workflows implement a layered security model consisting of substrate, configuration, and planning layers to mitigate risks from non-deterministic agent behavior.
The architecture enforces a zero-trust approach for secrets by isolating agents in dedicated containers with restricted egress and no direct access to environment variables or API keys.
A trusted Model Context Protocol (MCP) gateway manages server authentication and communication, preventing agents from leaking credentials via prompt injection or malicious inputs.
Network isolation is achieved through private networking between agents and a firewall, with all LLM calls routed through a secure API proxy to prevent data exfiltration.
The safe outputs subsystem ensures all repository writes are staged and vetted, preventing agents from making unauthorized or malicious commits to the codebase.

#security #mlp

Read original

Page 7 of 15

Prev 1...5 6 7 8 9...15 Next