Jessie A Ellis
Jan 20, 2026 20:26
GitHub releases new APIs and artifact tracking tools enabling enterprises to trace software from source code through production deployment with cryptographic verification.
GitHub rolled out a major security upgrade on January 20, 2026, introducing new APIs and tooling that let development teams track build artifacts from source code all the way to production environments, even when those artifacts live outside GitHub's ecosystem.
The release addresses a persistent blind spot in enterprise software security: knowing exactly what code is running in production and whether it matches what was actually built. With software supply chain attacks becoming increasingly sophisticated, that visibility gap has become a liability.
What's Actually New
Three core capabilities make up the release. First, new REST API endpoints let teams create storage records (capturing where artifacts live in package registries) and deployment records (tracking where code is running and associated runtime risks such as internet exposure or sensitive data processing). These APIs work with external CI/CD tools and cloud monitoring systems, not just GitHub Actions.
Second, a new "Linked artifacts view" in the organization Packages tab consolidates all artifact data (attestations, storage locations, deployment history) into a single dashboard. For teams using GitHub's artifact attestations, each artifact is cryptographically bound to its source repository and build workflow.
Third, production-context filtering now works across Dependabot alerts, code scanning alerts, and security campaigns. Teams can filter by artifact registry, deployment status, and runtime risk, then combine those filters with EPSS and CVSS scores to prioritize what actually matters.
The SLSA Connection
The cryptographic binding piece is what enables SLSA Build Level 3 compliance, a supply chain security framework level that requires verifiable provenance for build artifacts. Rather than trusting that a container image came from a specific commit, teams can mathematically verify it. The system surfaces build provenance attestations, attested SBOMs, and custom attestations through the artifact view.
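To make the "verify rather than trust" step concrete, here is an added example (not code from the article or from GitHub) of the policy check a deployment gate could run over a SLSA v1 provenance statement: it confirms that the digest actually running in production is a subject of the attestation, that the artifact was built from the expected repository and workflow on a GitHub-hosted builder, and it extracts the source commit for audit. The statement is a constructed sample shaped like what the attest-build-provenance action emits (field layout is an assumption), and signature verification is assumed to have already been done upstream.

```python
import json

# Constructed sample in-toto statement carrying SLSA v1 provenance (assumed layout;
# signature/bundle verification is assumed to have happened before this check runs).
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/example-org/app",
                 "digest": {"sha256": "a" * 64}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": "https://github.com/example-org/app",
                "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example-org/app@refs/heads/main",
                "digest": {"gitCommit": "b" * 40}}],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
})

def check_provenance(statement_json, deployed_digest, expected_repo, expected_workflow):
    """Return a list of policy failures; an empty list means the deployed digest is
    bound to the expected source repo, workflow and a GitHub-hosted builder."""
    st = json.loads(statement_json)
    failures = []
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["not SLSA v1 provenance"]
    subjects = {s.get("digest", {}).get("sha256") for s in st.get("subject", [])}
    if deployed_digest not in subjects:
        failures.append("deployed digest not a subject of this attestation")
    pred = st.get("predicate", {})
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != expected_repo:
        failures.append(f"built from {wf.get('repository')}, expected {expected_repo}")
    if wf.get("path") != expected_workflow:
        failures.append(f"built by workflow {wf.get('path')}, expected {expected_workflow}")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith("https://github.com/actions/runner/github-hosted"):
        failures.append(f"untrusted builder: {builder!r}")
    return failures

def source_commit(statement_json):
    """Return the git commit the artifact was built from (first git dependency), or None."""
    st = json.loads(statement_json)
    for dep in st.get("predicate", {}).get("buildDefinition", {}).get("resolvedDependencies", []):
        if dep.get("uri", "").startswith("git+") and "gitCommit" in dep.get("digest", {}):
            return dep["digest"]["gitCommit"]
    return None
```

In practice the statement would come from the artifact's attestation bundle after signature verification, and a non-empty failure list should block the deployment record from being marked as a trusted production rollout.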
Integration Partners at Launch
Microsoft Defender for Cloud (currently in public preview) handles deployment and runtime data integration. JFrog Artifactory provides storage and promotion context. Both offer native integrations requiring no extra configuration. For teams using other tooling, the REST APIs accept records from any source.
GitHub's attest-build-provenance action can automatically generate storage records when publishing artifacts, reducing manual overhead for teams already in the GitHub Actions ecosystem.
Why This Matters for Enterprise Teams
Code-to-cloud traceability has become a compliance requirement in regulated industries and a practical necessity everywhere else. Knowing whether a flagged vulnerability actually made it to production, versus sitting in an unused branch, fundamentally changes remediation priorities. Security teams waste significant time chasing vulnerabilities in code that never ships.
The timing aligns with broader industry moves toward software supply chain verification. With the feature now live, teams can start building deployment records and testing the filtering capabilities immediately. Discussion threads are active in GitHub Community for teams working through implementation details.
Image source: Shutterstock
