GitHub Adds Dependabot Pre-Commit Support and 28 New Secret Scanning Detectors
GitHub has shipped two major supply chain security features: Dependabot now parses .pre-commit-config.yaml files and opens PRs to update hook versions, while secret scanning gains 28 new detectors from 15 providers including Snowflake, Supabase, and Vercel. Push protection is now enabled by default for 39 secret types.
GitHub has shipped two supply chain security features that address common gaps in how development teams manage their dependency and credential hygiene. Dependabot now supports pre-commit hook configurations, and secret scanning has been expanded with 28 new detectors from 15 security-sensitive service providers.
Dependabot for Pre-Commit
Pre-commit hooks — automated checks that run before code is committed — have become a standard part of development workflows for linting, formatting, and security scanning. The hooks are configured in a .pre-commit-config.yaml file that pins each hook to a specific version of its source repository. Until now, keeping those versions current was a manual process that most teams neglected.
Dependabot now parses pre-commit configuration files, checks each hook's source repository for new releases, and opens pull requests to update the rev field. The feature supports tag-based and SHA-based version pinning, grouped updates (updating multiple hooks in a single PR), and repositories hosted on GitHub, GitLab, and Bitbucket. This has been one of the most requested Dependabot features since 2020.
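To make the pin styles concrete, here is an added audit script (not GitHub's or Dependabot's code) that reads a constructed .pre-commit-config.yaml and classifies each hook source by how its rev is pinned: a commit SHA or a tag, which are the two styles the article says Dependabot can bump, versus a floating branch name or a missing rev, which nothing will update automatically. The parser deliberately handles only the repo/rev/id subset of the format so it runs without PyYAML; the SHA value and the example/floating-hook repository are placeholders, while pre-commit-hooks, black and the v4.6.0 tag are real.

```python
from __future__ import annotations

import re

# Constructed sample config (not from the article). The 40-hex SHA and the
# "example/floating-hook" repository are made-up placeholders.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
  - repo: https://github.com/psf/black
    rev: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
    hooks:
      - id: black
  - repo: https://github.com/example/floating-hook
    rev: main
    hooks:
      - id: lint
  - repo: local
    hooks:
      - id: custom-check
        name: custom check
        entry: ./scripts/check.sh
        language: script
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Tag-like revision: optional leading v, dotted numbers, optional pre-release suffix.
TAG_RE = re.compile(r"^v?\d+(\.\d+)*([-.][0-9A-Za-z.]+)?$")
# Pseudo-repositories that pre-commit resolves without a rev.
BUILTIN_REPOS = {"local", "meta"}


def parse_pre_commit_config(text: str) -> list[dict]:
    """Minimal line-oriented reader for the repos/rev/hooks shape of
    .pre-commit-config.yaml (assumption: only this subset, so no PyYAML needed)."""
    repos: list[dict] = []
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- repo:"):
            current = {"repo": line.split(":", 1)[1].strip(), "rev": None, "hooks": []}
            repos.append(current)
        elif current is not None and line.startswith("rev:"):
            current["rev"] = line.split(":", 1)[1].strip().strip("'\"")
        elif current is not None and line.startswith("- id:"):
            current["hooks"].append(line.split(":", 1)[1].strip())
    return repos


def classify_pin(repo: dict) -> str:
    """'sha' and 'tag' are the pin styles Dependabot updates per the article;
    'mutable' (a branch name) and 'unpinned' need manual attention;
    'builtin' covers local/meta repos, which have no rev by design."""
    if repo["repo"] in BUILTIN_REPOS:
        return "builtin"
    rev = repo["rev"]
    if rev is None:
        return "unpinned"
    if SHA_RE.match(rev):
        return "sha"
    if TAG_RE.match(rev):
        return "tag"
    return "mutable"


def audit(text: str) -> dict[str, str]:
    """Map each hook source repository to its pin classification."""
    return {r["repo"]: classify_pin(r) for r in parse_pre_commit_config(text)}


def needs_attention(text: str) -> list[str]:
    """Repos whose rev is neither a tag nor a SHA: there is nothing for
    Dependabot to bump, and a floating branch pulls whatever upstream pushes."""
    return [repo for repo, kind in audit(text).items() if kind in ("mutable", "unpinned")]


if __name__ == "__main__":
    for repo, kind in audit(SAMPLE_CONFIG).items():
        print(f"{kind:9} {repo}")
    print("needs attention:", needs_attention(SAMPLE_CONFIG))
```

Run it against a real config by replacing SAMPLE_CONFIG with the file contents; anything reported as mutable or unpinned is a hook that Dependabot's new support will not keep current and that should be re-pinned to a tag or SHA first.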
Secret Scanning Expansion
The 28 new secret detectors cover tokens and API keys from providers including Snowflake, Supabase, Vercel, Lark, PostHog, Airtable, Databricks, Heroku, and Shopify. More significantly, 39 detectors now have push protection enabled by default — meaning that if a developer attempts to push a commit containing a recognized secret pattern, the push is blocked before the secret reaches the remote repository.
Push protection is the most effective form of secret scanning because it prevents exposure entirely, rather than detecting secrets after they've already been pushed (and potentially cached by CI systems, mirrored to forks, or indexed by search engines). GitHub reports that push protection has prevented over 10 million secret exposures since its introduction.
Validity Checks
Secret scanning now performs validity checks for additional token types, including DeepSeek API keys and npm access tokens. Validity checks make an API call to the service provider to determine whether a detected token is still active, helping teams prioritize remediation of live credentials over already-rotated ones.
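The following added example (not GitHub's implementation) ties together the two mechanisms described above, push protection and validity checks. It scans only the added lines of a constructed unified diff for secret-shaped strings and blocks the push when any are found, then runs a validity probe over the findings and orders them so live credentials are remediated first. The three regexes are well-known public token prefixes used purely for illustration, not the detector definitions GitHub ships; the token values in the diff are made up, and fake_probe stands in for the provider-specific authenticated endpoint a real validity check would call.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

# Illustrative token formats (assumption: well-known public prefixes, not the
# detector definitions GitHub uses, which the article does not publish).
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed diff for the demo; the token values are made up and not live.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,5 @@
 import os
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+NPM_TOKEN = "npm_abcdefghijklmnopqrstuvwxyz0123456789"
 DEBUG = False
+TIMEOUT = 30
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    secret: str
    line: int  # line number in the new version of the file

    def masked(self) -> str:
        # Never echo the full value into logs, PR comments or tickets.
        return self.secret[:4] + "*" * (len(self.secret) - 4)


def scan_diff(diff: str) -> list[Finding]:
    """Scan only added ('+') lines, as a push-time gate would; context and
    removed lines are not newly exposed content."""
    findings: list[Finding] = []
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++") or raw.startswith("---"):
            continue  # file headers, not content
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed line: has no number in the new file
        if raw.startswith("+"):
            for kind, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(raw[1:]):
                    findings.append(Finding(kind, match.group(0), new_line))
        new_line += 1
    return findings


def gate_push(diff: str) -> tuple[str, list[Finding]]:
    """Push-protection analogue: refuse the push if a recognised secret is in
    the added lines, so it never reaches the remote, CI caches or forks."""
    findings = scan_diff(diff)
    return ("blocked" if findings else "allowed"), findings


# A probe takes (kind, secret) and returns the HTTP status the provider's
# authenticated endpoint answered with; the endpoint itself is provider-specific.
Probe = Callable[[str, str], int]


def validity(finding: Finding, probe: Probe) -> str:
    """Ask the provider whether the credential still works and map the
    answer to a triage state; never guess on errors."""
    try:
        status = probe(finding.kind, finding.secret)
    except Exception:
        return "unknown"
    if status == 200:
        return "active"
    if status in (401, 403):
        return "inactive"
    return "unknown"


PRIORITY = {"active": 0, "unknown": 1, "inactive": 2}


def triage(findings: list[Finding], probe: Probe) -> list[tuple[Finding, str]]:
    """Live credentials first, already-rotated ones last."""
    checked = [(f, validity(f, probe)) for f in findings]
    return sorted(checked, key=lambda item: PRIORITY[item[1]])


def fake_probe(kind: str, secret: str) -> int:
    """Constructed stand-in for provider responses so the demo runs offline."""
    return {"github_pat": 401, "npm_token": 200}.get(kind, 500)


if __name__ == "__main__":
    decision, found = gate_push(SAMPLE_DIFF)
    print("push:", decision)
    for f, state in triage(found, fake_probe):
        print(f"  line {f.line}: {f.kind} {f.masked()} -> {state}")
```

The gate blocks on a pattern match alone, without a validity probe, because at push time the cost of a false positive is a retried push while the cost of a missed live token is an exposure; the validity probe belongs to the later triage step, where an "inactive" answer lets a team deprioritise a credential that has already been rotated.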