Jessie A Ellis
Jan 20, 2026 20:26
GitHub releases new APIs and artifact monitoring instruments enabling enterprises to hint software program from supply code by way of manufacturing deployment with cryptographic verification.
GitHub rolled out a big safety improve on January 20, 2026, introducing new APIs and tooling that permit growth groups observe construct artifacts from supply code all the best way to manufacturing environments—even when these artifacts dwell exterior GitHub’s ecosystem.
The discharge addresses a persistent blind spot in enterprise software program safety: figuring out precisely what code is operating in manufacturing and whether or not it matches what was truly constructed. With software program provide chain assaults changing into more and more refined, that visibility hole has grow to be a legal responsibility.
What’s Really New
Three core capabilities make up the discharge. First, new REST API endpoints enable groups to create storage data (capturing the place artifacts dwell in bundle registries) and deployment data (monitoring the place code is operating and related runtime dangers like web publicity or delicate knowledge processing). These APIs work with exterior CI/CD instruments and cloud monitoring methods, not simply GitHub Actions.
Second, a brand new “Linked artifacts view” within the group Packages tab consolidates all artifact knowledge—attestations, storage places, deployment historical past—right into a single dashboard. For groups utilizing GitHub’s artifact attestations, every artifact will get cryptographically certain to its supply repository and construct workflow.
Third, production-context filtering now works throughout Dependabot alerts, code scanning alerts, and safety campaigns. Groups can filter by artifact registry, deployment standing, and runtime danger, then mix these filters with EPSS and CVSS scores to prioritize what truly issues.
The SLSA Connection
The cryptographic binding piece is what allows SLSA Construct Degree 3 compliance—a provide chain safety framework that requires verifiable provenance for construct artifacts. Fairly than trusting {that a} container picture got here from a particular commit, groups can mathematically confirm it. The system surfaces construct provenance attestations, attested SBOMs, and customized attestations by way of the artifact view.
Integration Companions at Launch
Microsoft Defender for Cloud (at present in public preview) handles deployment and runtime knowledge integration. JFrog Artifactory supplies storage and promotion context. Each provide native integrations requiring no extra configuration. For groups utilizing different tooling, the REST APIs settle for data from any supply.
GitHub’s attest-build-provenance motion can routinely generate storage data when publishing artifacts, lowering handbook overhead for groups already within the GitHub Actions ecosystem.
Why This Issues for Enterprise Groups
Code-to-cloud traceability has grow to be a compliance requirement in regulated industries and a sensible necessity all over the place else. Understanding whether or not a flagged vulnerability truly made it to manufacturing—versus sitting in an unused department—essentially modifications remediation priorities. Safety groups waste vital time chasing vulnerabilities in code that by no means ships.
The timing aligns with broader trade strikes towards software program provide chain verification. With the characteristic now dwell, groups can begin constructing deployment data and testing the filtering capabilities instantly. Dialogue threads are energetic in GitHub Group for groups working by way of implementation particulars.
Picture supply: Shutterstock
