GitHub Enterprise Server 3.5 released with Dependabot and more, but cloud version gets features first

GitHub Enterprise Server, the self-hosted version of the code shack’s platform, has hit version 3.5. The company said there are over 60 new features, including Dependabot, a service which automatically updates the packages used by a repository.

The packages on which other packages depend are somewhat hidden from the developer, so security issues or bugs can easily be missed. Dependabot can trigger alerts when a vulnerable dependency is discovered or checked in, and also has an option to keep versions up to date automatically.

GitHub acquired Dependabot in May 2019 and it has been part of the cloud-hosted GitHub for some time, but it arrived in public beta in Enterprise Server 3.4 three months ago.

A Dependabot alert (pic from GitHub blog)

Enterprise Server 3.5 has its own big feature in beta though, which is Container Registry, for the storage and management of container images in Docker or OCI (Open Container Initiative) format, allowing admins to configure permissions and visibility for container images, and to integrate containers with GitHub Actions, a workflow automation feature. The beta of Container Registry was in cloud-hosted GitHub in September 2020.

Actions itself is enhanced in this release, with templates (now called reusable workflows) generally available and more options for self-hosted runners, which run the Actions. Other new features include server statistics, and an IP allow list (primarily for restricting traffic during maintenance).

New security features include the ability to block code pushes that include secrets such as passwords or private keys, a security overview report, and improvements to CodeQL, which lets you search code for vulnerabilities.

Reasons for choosing the self-hosted version of GitHub may include compliance, security concerns about multi-tenant applications, and freedom from concern over GitHub outages. The downside, aside from the admin burden, is that features trail behind the cloud option. A user recently enquired, for example, whether Codespaces, hosted developer environments, might come to Enterprise.

“We don’t have a timeline for self hosted codespaces just yet, but we’re thinking about this scenario,” said product manager Tanmayee Kamath, hinting the solution might be more along the lines of linking the cloud version to on-premises data rather than providing a complete self-hosted solution.