Jessie A Ellis
Jan 20, 2026 20:26
GitHub releases new APIs and artifact monitoring instruments enabling enterprises to hint software program from supply code by means of manufacturing deployment with cryptographic verification.
GitHub rolled out a big safety improve on January 20, 2026, introducing new APIs and tooling that permit improvement groups monitor construct artifacts from supply code all the best way to manufacturing environments—even when these artifacts dwell outdoors GitHub’s ecosystem.
The discharge addresses a persistent blind spot in enterprise software program safety: figuring out precisely what code is operating in manufacturing and whether or not it matches what was truly constructed. With software program provide chain assaults changing into more and more refined, that visibility hole has develop into a legal responsibility.
What’s Truly New
Three core capabilities make up the discharge. First, new REST API endpoints permit groups to create storage information (capturing the place artifacts dwell in package deal registries) and deployment information (monitoring the place code is operating and related runtime dangers like web publicity or delicate knowledge processing). These APIs work with exterior CI/CD instruments and cloud monitoring techniques, not simply GitHub Actions.
Second, a brand new “Linked artifacts view” within the group Packages tab consolidates all artifact knowledge—attestations, storage areas, deployment historical past—right into a single dashboard. For groups utilizing GitHub’s artifact attestations, every artifact will get cryptographically certain to its supply repository and construct workflow.
Third, production-context filtering now works throughout Dependabot alerts, code scanning alerts, and safety campaigns. Groups can filter by artifact registry, deployment standing, and runtime threat, then mix these filters with EPSS and CVSS scores to prioritize what truly issues.
The SLSA Connection
The cryptographic binding piece is what permits SLSA Construct Degree 3 compliance—a provide chain safety framework that requires verifiable provenance for construct artifacts. Reasonably than trusting {that a} container picture got here from a particular commit, groups can mathematically confirm it. The system surfaces construct provenance attestations, attested SBOMs, and customized attestations by means of the artifact view.
Integration Companions at Launch
Microsoft Defender for Cloud (presently in public preview) handles deployment and runtime knowledge integration. JFrog Artifactory supplies storage and promotion context. Each supply native integrations requiring no extra configuration. For groups utilizing different tooling, the REST APIs settle for information from any supply.
GitHub’s attest-build-provenance motion can mechanically generate storage information when publishing artifacts, decreasing handbook overhead for groups already within the GitHub Actions ecosystem.
Why This Issues for Enterprise Groups
Code-to-cloud traceability has develop into a compliance requirement in regulated industries and a sensible necessity in all places else. Realizing whether or not a flagged vulnerability truly made it to manufacturing—versus sitting in an unused department—essentially modifications remediation priorities. Safety groups waste important time chasing vulnerabilities in code that by no means ships.
The timing aligns with broader trade strikes towards software program provide chain verification. With the function now dwell, groups can begin constructing deployment information and testing the filtering capabilities instantly. Dialogue threads are energetic in GitHub Group for groups working by means of implementation particulars.
Picture supply: Shutterstock