Jessie A Ellis
Jan 20, 2026 20:26
GitHub releases new APIs and artifact monitoring instruments enabling enterprises to hint software program from supply code by means of manufacturing deployment with cryptographic verification.
GitHub rolled out a major safety improve on January 20, 2026, introducing new APIs and tooling that allow improvement groups observe construct artifacts from supply code all the best way to manufacturing environments—even when these artifacts stay outdoors GitHub’s ecosystem.
The discharge addresses a persistent blind spot in enterprise software program safety: figuring out precisely what code is operating in manufacturing and whether or not it matches what was truly constructed. With software program provide chain assaults turning into more and more refined, that visibility hole has turn out to be a legal responsibility.
What’s Truly New
Three core capabilities make up the discharge. First, new REST API endpoints permit groups to create storage data (capturing the place artifacts stay in bundle registries) and deployment data (monitoring the place code is operating and related runtime dangers like web publicity or delicate knowledge processing). These APIs work with exterior CI/CD instruments and cloud monitoring techniques, not simply GitHub Actions.
Second, a brand new “Linked artifacts view” within the group Packages tab consolidates all artifact knowledge—attestations, storage areas, deployment historical past—right into a single dashboard. For groups utilizing GitHub’s artifact attestations, every artifact will get cryptographically sure to its supply repository and construct workflow.
Third, production-context filtering now works throughout Dependabot alerts, code scanning alerts, and safety campaigns. Groups can filter by artifact registry, deployment standing, and runtime danger, then mix these filters with EPSS and CVSS scores to prioritize what truly issues.
The SLSA Connection
The cryptographic binding piece is what allows SLSA Construct Stage 3 compliance—a provide chain safety framework that requires verifiable provenance for construct artifacts. Quite than trusting {that a} container picture got here from a particular commit, groups can mathematically confirm it. The system surfaces construct provenance attestations, attested SBOMs, and customized attestations by means of the artifact view.
Integration Companions at Launch
Microsoft Defender for Cloud (at the moment in public preview) handles deployment and runtime knowledge integration. JFrog Artifactory gives storage and promotion context. Each supply native integrations requiring no extra configuration. For groups utilizing different tooling, the REST APIs settle for data from any supply.
GitHub’s attest-build-provenance motion can routinely generate storage data when publishing artifacts, lowering guide overhead for groups already within the GitHub Actions ecosystem.
Why This Issues for Enterprise Groups
Code-to-cloud traceability has turn out to be a compliance requirement in regulated industries and a sensible necessity in every single place else. Figuring out whether or not a flagged vulnerability truly made it to manufacturing—versus sitting in an unused department—essentially adjustments remediation priorities. Safety groups waste vital time chasing vulnerabilities in code that by no means ships.
The timing aligns with broader trade strikes towards software program provide chain verification. With the function now stay, groups can begin constructing deployment data and testing the filtering capabilities instantly. Dialogue threads are lively in GitHub Group for groups working by means of implementation particulars.
Picture supply: Shutterstock
