TL;DR - Starting August 8th, we will be enforcing some default security settings across all Google-owned GitHub organizations. We don't anticipate these changes having any negative impact on anyone's workflows, and in general work should continue as it has.
In an effort to increase security for open source development happening in Google-owned GitHub repositories, we will start enforcing the following settings on all Google-owned repositories, beginning August 8:
Dependency Graph Generation - This tool scans the language-specific packaging files (manifests and lockfiles) in your repositories and populates a "Dependency Graph" page that lists the dependencies it finds. This enables one-click SBOM generation based on that information. This feature was already enabled on most repositories.
Dependabot and Dependabot Alerts - This tool alerts you to vulnerable dependencies and opens pull requests to update any out-of-date dependencies in your project. This feature was already enabled on most repositories.
Code Scanning - This tool scans your code base and incoming PRs for possible issues in the code (through static analysis) and reports them back to you. This feature is VERY configurable and has a ton of options, but we are just enabling the default settings. We expect the alerts in this configuration to be very high signal.
Secret Scanning and Push Protection - This tool scans your code, looks for anything that may be a "secret", and warns you about it. It also runs on "git push" and blocks any PRs that appear to contain secrets. We know that Google Cloud Credentials that hit GitHub are exploited in under 60 minutes, so we are turning these features on to help keep us all safe from simple accidents. (There are a handful of valid use cases for pushing secrets to a public repo—such as for testing, etc.—and for those cases GitHub has provided details on how to bypass push protection.)
We will begin enabling these features on August 8th, and they should be deployed everywhere by the end of that week. If you suspect that one of these changes has caused a major workflow interruption for your team and you are a Googler, please file a ticket at go/github-request and we will take a look. If you are not a Googler, please file a ticket with your affected project and ask the project owners to escalate to us.