March ‘26 enterprise roundup
In case you missed it…
Published via GitHub Executive Insights | Authored by Dave Burnison
Welcome to the March 2026 edition of the GitHub Monthly Enterprise Roundup (MER). The common thread across the March enterprise roundup is moving from “AI as a helpful autocomplete” to governed, measurable, auditable AI that can take on real work (planning, coding, triage, CI/CD reasoning) while strengthening the guardrails enterprises rely on (policy, review, access, incident response).
Why read this roundup? Because it highlights the practical changes that will most affect developer productivity and software quality: agentic workflows that automate non-trivial engineering work, expanded Copilot governance/telemetry to prove value and manage risk, and enterprise-scale controls to standardize how code is reviewed, secured, and operated across hundreds or thousands of repos.
This month’s most prominent themes:
Agentic development becomes real: Copilot coding agent, Copilot CLI (now GA), and GitHub Agentic Workflows shift AI from suggestions to delegated execution with human approvals and enterprise controls.
Governance and measurability for AI: Enterprise AI Controls/agent control plane plus expanded Copilot metrics (org-level dashboards, CLI activity, PR throughput/time-to-merge) enable responsible adoption and ROI tracking.
Quality and compliance at scale: repository rules (required reviewer rule GA), code review reliability/performance improvements, and the new GitHub Code Quality org dashboard help leaders drive consistent engineering standards.
Security operations and supply chain hardening: incident-response credential management, CodeQL improvements, secret-scanning metadata, and Dependabot/npm enhancements reduce time-to-detect and time-to-fix.
The audience for the MER is anyone in enterprise software development, so there is a wide range of information here. We don't expect you to read every word. Skim through the sections that apply to how you use GitHub and dig into the links that are most relevant to you. Since some readers may skip over entire sections, you may see the same link appear in multiple sections, such as a link that applies to both Code Security and CI/CD. No one person will read every link in this post but, across your team, every link may be read by at least one of your team members. Pass this MER along to your colleagues or pass along specific links that will be beneficial to others.
Want to get notified when the next MER is available? Go to GitHub Enterprise on LinkedIn and click on the "Follow" button. In addition to MER notifications, you'll be notified when other enterprise-focused content becomes available.
Contents at a Glance
Enterprise Management & Governance
GitHub platform
Developer skills
AI & ML – GitHub Copilot
CI/CD
Security
GitHub Code Quality
Legend
Enterprise Management & Governance
We have been listening to our enterprise customers for years. We are excited to share product updates and new guidance to assist those who manage GitHub for hundreds if not thousands of stakeholders. This month's updates demonstrate how we are acting on your feedback to address the issues you face in multiple areas when managing GitHub Enterprise at scale. In the area of GitHub Copilot, we are providing more guidance on managing usage of the GitHub Copilot CLI (which is now Generally Available) as well as expanding the available usage metrics.
General
🚢 Enterprise-wide credential management tools for incident response - New enterprise-wide tools enable administrators to rapidly audit and revoke compromised credentials across the entire organization during a security incident, dramatically reducing the time to contain a breach and limit exposure across large, complex GitHub deployments.
🚢 Enterprise-defined custom organization roles are generally available - Large organizations can centrally standardize access governance across all their GitHub organizations using custom roles—improving compliance, consistency, and administrative scale without changing how roles work or are assigned.
🚢 GitHub Apps can now utilize public preview Enterprise Teams APIs via fine-grained permissions - This update enables enterprises to securely automate large‑scale team management by letting GitHub Apps replace legacy personal access tokens with least‑privilege, enterprise‑level API access—unlocking safer governance and more scalable integrations across organizations.
🚢 Enterprise team support in organization APIs - Organization owners within GitHub Enterprise can now discover and interact with both enterprise teams and organization teams through existing organization API endpoints - eliminating multi‑endpoint workarounds, reducing permission complexity, and unlocking cleaner automation at scale.
🚢 Custom properties and rule insights improvements - Enhancements to custom properties and rule insights give enterprise administrators better visibility into how governance policies are applied across repositories, streamlining compliance reporting and making it easier to identify and remediate policy gaps at scale.
🚢 Required reviewer rule now generally available - The required reviewer rule is now GA, allowing enterprise teams to enforce mandatory code review policies at the repository ruleset level—ensuring critical branches always receive the oversight needed for compliance and code quality standards.
🚢 API access to billing usage reports in public preview - Enterprise account administrators can now programmatically retrieve billing usage data via API, enabling finance and platform teams to automate cost reporting, build custom dashboards, and integrate GitHub spend data into broader cloud cost management workflows.
🚢 GitHub Code Quality: Organization-level dashboard in public preview - Get a centralized, permission-aware view of code health across all your repositories—so you can quickly spot risk, compare quality signals, and focus teams on the areas that matter most before issues scale.
🚢 Updated GitHub status page experience - The refreshed GitHub status page delivers a more informative and accessible incident reporting experience, enabling enterprise operations teams to more quickly assess platform health and communicate impact to stakeholders during outages.
🚢 Show profile names (first and last name) alongside user handles - Enterprise and organization administrators can now configure GitHub to display full profile names next to usernames, improving team member identification across large organizations and reducing friction in code review and collaboration at scale.
GitHub Copilot & AI
🚢 Enterprise AI Controls & agent control plane now generally available - Enterprise AI Controls and the agent control plane are now GA, giving enterprise administrators a unified interface to audit, govern, and control all AI agent activity—including detailed session logs, custom agent configurations, MCP registry allowlists, and delegated admin roles—providing the compliance and security oversight essential for responsible AI adoption at scale.
🚢 Organization-level Copilot usage metrics dashboard available in public preview - Organization owners can now access a dedicated Copilot usage metrics dashboard at the organization level rather than only enterprise-wide, enabling more granular insights into AI tool adoption and ROI for individual teams within a larger organization.
🚢 Copilot usage metrics now includes enterprise-level GitHub Copilot CLI activity - Enterprise administrators can now track daily active CLI users, session counts, and token usage for GitHub Copilot CLI directly within the Copilot usage metrics dashboard, providing the complete cross-environment visibility needed to measure and optimize AI tool adoption across the entire organization.
🚢 Copilot metrics report URLs update - The download URLs returned by the GitHub Copilot usage metrics API now come from a new endpoint. Your report data, the API contract, and the response schema haven’t changed.
🚢 Copilot Content Exclusion REST API in public preview - Enterprise and organization administrators can now programmatically manage Copilot content exclusion rules via REST API with GET and SET operations, making it straightforward to automate governance policies that control which repository content Copilot can access across the entire enterprise.
🚢 Copilot coding agent supports code referencing - The Copilot coding agent now provides code references with its suggestions, giving enterprise teams the transparency and accountability they need to trust AI-generated code and meet compliance and attribution requirements.
📄 Copilot customization cheat sheet - This page explains how to deliberately shape GitHub Copilot’s behavior so it consistently reflects your team’s standards, workflows, and architectural expectations instead of relying on ad‑hoc prompting. It helps development leaders and enterprise teams understand which customization mechanism to use for governance, reuse, and scale—so AI assistance becomes predictable, auditable, and aligned with how your organization actually builds software. Knowing this lets you move from individual productivity gains to repeatable, organization‑wide impact with Copilot.
📄 Administering Copilot CLI for your enterprise - This page explains how enterprise administrators can govern Copilot CLI access, models, and capabilities without blocking developers from using AI effectively at the command line. It shows which enterprise AI controls actually apply to Copilot CLI, how policy decisions ripple across organizations, and how audit logging and seat assignment affect real-world access. If you care about balancing developer velocity with security, compliance, and consistency at scale, this guidance helps you avoid surprises and misconfigurations before they slow teams down.
📄 Using hooks with Copilot CLI for predictable, policy-compliant execution – Learn how to put guardrails around AI-assisted command-line work so developers can move fast without introducing security, compliance, or operational risk. See how teams can gain visibility into prompts and tool usage, automatically block dangerous commands, and encode organizational policies directly into everyday workflows. If you’re responsible for scaling Copilot CLI safely across an enterprise, this is the missing link between developer productivity and governance.
GitHub Platform
📅 GitHub Roadmap Webinar, Q1 2026 March 25, 2026 - Join GitHub’s chief product officer for a Q1 2026 roadmap session outlining how GitHub is evolving into a fully AI-powered SDLC platform. This 60-minute session connects recently shipped innovations with near-term roadmap investments across GitHub and GitHub Copilot. Through product walkthroughs, you’ll see how agentic capabilities are accelerating developer workflows, how intelligent AI features are improving quality and efficiency, and how platform-level governance investments provide the visibility and control organizations need to adopt AI confidently at scale. You’ll hear directly from the GitHub product team on how these capabilities work together as an integrated platform—delivering velocity, quality, and governance without compromising developer choice.
🚢 Repository dashboard is now generally available - The repository dashboard graduates to GA with advanced search, filtering by custom properties, saved queries, and an "Admin Access" view, giving enterprise teams a powerful, centralized way to discover and manage repositories across their entire organization.
🚢 New repository settings for configuring pull request access - New granular repository settings give teams finer control over who can create and manage pull requests, enabling enterprise organizations to enforce access governance policies that match their security posture and development workflows.
🚢 Improved pull request Files changed – February 5 updates - This update closes critical gaps in enterprise-grade code review by enforcing CODEOWNERS requirements, dramatically accelerating large pull request performance, and making reviews more reliable across devices—changes that directly impact review velocity, compliance, and developer productivity at scale.
Developer Skills
General developer expertise based on our own experience and the collective experience of our customers and partners. It's time to start diving into how AI is going to work alongside you to make you a better, more productive developer, not replace you.
📢 How AI is reshaping developer choice (and Octoverse data proves it) - Octoverse 2025 data shows that AI compatibility has emerged as the new primary driver of technology adoption—with TypeScript surging to become GitHub's most-used language precisely because AI tools generate more reliable code in strongly typed systems. The post introduces the concept of an "AI convenience loop," where the better AI works with a given technology, the faster that technology's community grows, documentation improves, and ecosystem investment concentrates. For engineering leaders making stack decisions, this analysis is essential for understanding how AI is fundamentally rewiring the long-term calculus of technology choice.
📺 Tim Rogers on the future of Copilot and AI Agents | Octoverse 2025 (4:55) – Join Tim Rogers, Principal Product Manager for GitHub Copilot, as he reacts to the findings in the 2025 Octoverse report. Tim dives deep into the rapid adoption of AI agents, how they are reshaping developer workflows beyond just writing code, security concerns with AI and the future of agents.
“One of the fundamental limitations that we really have as humans is the fact that we can only really do one thing at a time, and we’re just quickly context switching between different things. And the thing that I’m super excited about with agents that can work in the background and don’t just depend on me being there all the time, is that they’re kind of a hack that allows us to override that fundamental human limitation and work in a totally different way to become multi-core developers rather than single core developers.”, Tim Rogers
📺 Xavier René-Corail: how AI is changing the "shift left" mindset (5:29) - Join Xavier René-Corail, Senior Director at GitHub Security, as he reacts to the security findings in the Octoverse 2025 report. From improving fix times with Dependabot to the risks of broken access control, Xavier breaks down what the data means for developers. He also discusses the role of AI in shifting security left and why human code review remains critical.
📺 How global tech talent is advancing with GitHub Copilot | GitHub x Andela (2:48) - "If you do not learn, you get left behind." See how the Andela network is using GitHub Copilot certifications to stay ahead in a changing tech landscape. From junior engineers to PMs, discover why learning AI tools is the key to unlocking new career opportunities. Andela's mission is to connect brilliance with opportunity, aiming to ensure opportunities are equally distributed and that the skilled talent around the world is not wasted. Andela has grown to network with over 130 companies and has trained 3,000 technologists globally.
AI & ML - GitHub Copilot
Recent advancements and feature updates for GitHub Copilot, with a particular focus on the GitHub Copilot CLI and the GitHub Copilot coding agent.
GitHub Copilot coding agent
📢 & 📺 What’s new with GitHub Copilot coding agent (12:59) - GitHub Copilot’s coding agent is no longer just an assistant—it’s becoming a delegated digital assistant that can independently ship higher‑quality pull requests while you focus on architecture and outcomes. New capabilities like model selection, self‑review, built‑in security scanning, custom team agents, and seamless CLI handoff directly address enterprise concerns around code quality, security, and consistency at scale. If you lead or build software in an organization where time, trust, and governance matter, this post shows why agentic AI is now a practical—and increasingly unavoidable—part of modern development workflows.
📢 Automate repository tasks with GitHub Agentic Workflows - GitHub Agentic Workflows (now in technical preview) let you describe automation goals in plain Markdown rather than complex YAML, with AI coding agents like Copilot, Claude, or Codex handling execution within secure, sandboxed environments. These workflows can autonomously triage issues, update documentation, analyze CI failures, and improve test coverage—running on schedule, on event, or manually—while requiring human approval for any write operations. This represents a major shift from rule-based automation to AI-driven continuous improvement, unlocking automation scenarios previously too judgment-intensive to automate. Check out this video for an example: 📺 Introducing GitHub Agentic Workflows | intent-driven repository automation (1:10).
🚢 GitHub Agentic Workflows are now in technical preview - This technical preview enables orchestration of complex, multi-step automation tasks via agent-like entities within GitHub, signaling a major leap toward autonomous software development pipelines that enterprise teams can adopt and govern at scale.
📢 Multi-agent workflows often fail. Here's how to engineer ones that don't. - Most failures in multi-agent AI systems trace back to missing structure—ambiguous interfaces, inconsistent data formatting, and the absence of typed contracts between agents—rather than limitations in the underlying models. This engineering guide provides three concrete patterns for building reliable agent systems: specialized roles over generalization, structured communication protocols, and modular debugging through clear agent boundaries. For teams moving from prototyping to running multi-agent systems in production, this post delivers the distributed-systems mindset required to engineer for reliability at scale.
🚢 Copilot coding agent model picker for Copilot Business and Enterprise - Copilot Business and Enterprise subscribers can now select which AI model powers the coding agent, giving enterprise architects greater control over cost, performance, and compliance trade-offs across their AI-augmented development workflows.
🚢 Claude and Codex now available for Copilot Business & Pro users - Anthropic's Claude and OpenAI Codex are now available as coding agents for Copilot Business and Pro users, with enterprise and organization-level admin controls via the new agent control plane—giving development leaders a rich multi-agent ecosystem with the governance visibility required for responsible, large-scale AI adoption.
🚢 Use Copilot coding agent with Windows projects - The Copilot coding agent now supports Windows-based development projects, opening AI-driven autonomous coding capabilities to enterprise teams building .NET, C++, and other Windows-native applications at scale.
🚢 Copilot coding agent supports code referencing - The Copilot coding agent now provides code references with its suggestions, giving enterprise teams the transparency and accountability they need to trust AI-generated code and meet compliance and attribution requirements.
GitHub Copilot CLI
🚢 GitHub Copilot CLI is now generally available - GitHub Copilot CLI graduates from preview to GA as a fully autonomous, terminal-native coding agent supporting multistep workflows, model selection, undo, and enterprise policy controls—making the command line a first-class environment for AI-powered software development.
📢 From idea to pull request: A practical guide to building with GitHub Copilot CLI - This post shows how GitHub Copilot CLI lets you turn high‑level intent into reviewable, testable pull requests directly from the terminal—without breaking flow or giving up control. For enterprise teams, it’s a concrete look at how AI can reduce the time spent on scaffolding, mechanical changes, and early iteration while preserving human review, design judgment, and governance. If you care about accelerating delivery without compromising quality or accountability, this is a workflow you need to understand.
📄 Researching with GitHub Copilot CLI - This capability turns the CLI into a deep, citation-backed research assistant that can investigate complex technical questions across your codebase, GitHub repositories, and the web, then produce a comprehensive, shareable Markdown report. For enterprise developers and engineering leaders, this means faster, more reliable decisions on architecture, dependencies, and unfamiliar systems—without relying on ad hoc searches or undocumented assumptions. Knowing this lets you replace shallow answers with durable, auditable research artifacts that can be reviewed, shared, and reused across teams.
📄 Automating tasks with Copilot CLI and GitHub Actions – Learn how to embed AI-driven reasoning directly into your CI/CD workflows by running GitHub Copilot CLI as part of GitHub Actions, turning routine automation into context-aware decision making. See how teams can automatically generate insights, summaries, and other artifacts from their repositories without human prompts, using the same pipelines that already govern quality and delivery. If you’re responsible for scaling developer productivity or enforcing consistency at speed, this is about moving AI from an individual productivity tool into a repeatable, auditable part of your engineering system.
📄 Using hooks with Copilot CLI for predictable, policy-compliant execution – Learn how to put guardrails around AI-assisted command-line work so developers can move fast without introducing security, compliance, or operational risk. See how teams can gain visibility into prompts and tool usage, automatically block dangerous commands, and encode organizational policies directly into everyday workflows. If you’re responsible for scaling Copilot CLI safely across an enterprise, this is the missing link between developer productivity and governance.
🚢 Copilot usage metrics now includes enterprise-level GitHub Copilot CLI activity - Enterprise administrators can now track daily active CLI users, session counts, and token usage for GitHub Copilot CLI directly within the Copilot usage metrics dashboard, providing the complete cross-environment visibility needed to measure and optimize AI tool adoption across the entire organization.
GitHub Copilot SDK
🌐 The era of “AI as text” is over. Execution is the new interface. | LinkedIn - The next phase of AI in software development is shifting from chat-style assistance to agents that can plan, execute, and adapt real work inside your systems, not just suggest text. For enterprise teams, this matters because it changes how you design applications, automate workflows, and scale AI safely—moving orchestration, error handling, and execution from fragile scripts and prompts into a production-grade execution layer. If you’re building or modernizing software with AI, this reframes what’s possible and where you should invest to avoid reinventing core infrastructure.
📺 How I built an AI Python tutor with the GitHub Copilot SDK (11:07) - April Gittens teaches Python on livestream, but what happens when viewers get stuck on practice exercises offline? To solve this, she built a dedicated learning platform featuring a custom AI tutor. In this video, watch how she uses the GitHub Copilot SDK to create an assistant that gives helpful hints instead of just handing out the answers.
IDE Related GitHub Copilot Updates
🚢 Claude Opus 4.6 is now available in Visual Studio, JetBrains IDEs, Xcode, and Eclipse - Anthropic's most powerful model is now accessible directly within the four most popular enterprise IDEs, giving development teams a versatile, high-intelligence AI coding assistant without any workflow disruption.
🚢 New features and improvements in GitHub Copilot in JetBrains IDEs - JetBrains developers gain access to Agent Skills in public preview alongside inline chat enhancements and reliability improvements, enabling enterprise teams to build repeatable, domain-specific Copilot automations directly within the IDEs they already use.
🚢 MCP Registry and more improvements in Copilot in Eclipse - Eclipse developers can now browse and install MCP servers from a centralized, curated registry with enterprise allowlist controls, streamlining secure integration of external tools and APIs into Copilot-powered workflows across large development organizations.
🚢 Delegate tasks to Copilot coding agent from Visual Studio - Visual Studio developers can now assign tasks directly to the Copilot coding agent without leaving their IDE, enabling seamless AI-assisted development that keeps enterprise teams in their preferred environment while leveraging autonomous coding capabilities.
🚢 Assign issues to Copilot coding agent from Raycast - Teams using Raycast can now delegate GitHub issues to the Copilot coding agent with a single action, expanding the reach of AI-powered development workflows into the productivity tools enterprise developers already rely on daily.
🚢 GitHub Copilot support in Zed generally available - Developers using the modern, high-performance Zed editor can now access GitHub Copilot's full AI coding capabilities in GA, ensuring enterprise teams adopting next-generation tooling can still leverage Copilot's productivity benefits.
GitHub Copilot - New Models
🚢 Fast mode for Claude Opus 4.6 is now in preview for GitHub Copilot - This preview introduces a 2.5x speed boost for Claude Opus 4.6 in Copilot, giving Copilot Pro+ and Enterprise users blazing-fast AI responses without sacrificing model intelligence—critical for teams demanding high-throughput, low-latency development assistance.
🚢 Claude Sonnet 4.6 is now generally available in GitHub Copilot - Anthropic's Claude Sonnet 4.6 is now GA across all Copilot tiers, giving enterprise development teams access to a highly capable, balanced model optimized for complex reasoning and code generation at production scale.
🚢 GPT-5.3-Codex is now available in github.com, GitHub Mobile, and Visual Studio & GPT-5.3-Codex is now generally available for GitHub Copilot - OpenAI's top-tier agentic coding model expands its availability to GitHub.com, the mobile app, and Visual Studio, ensuring enterprise developers across every workflow context can harness its superior reasoning and code generation performance.
🚢 Gemini 3.1 Pro is now in public preview in GitHub Copilot - Google's Gemini 3.1 Pro model is now available in Copilot public preview, expanding the enterprise model lineup with enhanced multimodal reasoning and coding capabilities that teams can evaluate for complex technical workflows.
Additional GitHub Copilot Updates
📄 Copilot customization cheat sheet - This page explains how to deliberately shape GitHub Copilot’s behavior so it consistently reflects your team’s standards, workflows, and architectural expectations instead of relying on ad‑hoc prompting. It helps development leaders and enterprise teams understand which customization mechanism to use for governance, reuse, and scale—so AI assistance becomes predictable, auditable, and aligned with how your organization actually builds software. Knowing this lets you move from individual productivity gains to repeatable, organization‑wide impact with Copilot.
📅 KUWC: Instructions, custom agents, prompts, skills - oh my! March 26, 2026 - See a practical walkthrough of how to tailor GitHub Copilot to the way your team actually builds. Copilot can be customized in a lot of ways, so it’s easy to wonder what to use when: instructions vs. prompts, custom agents, and where Skills fit into the picture. We’ll break down the options, share guidance on when each approach makes sense, and show real examples so you can apply them quickly. Expect demos that cover how to align Copilot with your standards, architecture, and preferred patterns, so you can get more consistent results, reduce rework, and keep your team moving.
🚢 Copilot metrics is now generally available - The unified Copilot usage metrics dashboard and API are now GA with fine-grained permissions, data residency support, and comprehensive coverage across IDEs, models, and environments—giving engineering leaders the enterprise-grade analytics they need to measure, report on, and drive Copilot adoption at scale.
🚢 Organization-level Copilot usage metrics dashboard available in public preview - Organization owners can now access a dedicated Copilot usage metrics dashboard at the org level rather than only enterprise-wide, enabling more granular insights into AI tool adoption and ROI for individual teams within a larger organization.
🚢 Copilot metrics now includes plan mode - Copilot usage metrics now accurately break out plan mode telemetry from the broader "Custom" category, enabling enterprise teams to precisely measure adoption of AI-driven planning workflows across JetBrains, Eclipse, Xcode, and VS Code Insiders and make data-driven decisions about agentic feature rollouts.
🚢 Improved web search in Copilot on github.com - Enhanced web search integration in Copilot on GitHub.com delivers more accurate, current information directly in the developer workflow, helping enterprise teams quickly access up-to-date documentation, API references, and community solutions without context switching.
🚢 Pull request throughput and time to merge available in Copilot usage metrics API - Engineering leaders can now programmatically measure the direct impact of Copilot adoption on pull request velocity and merge times, providing data-driven evidence for justifying and optimizing AI tool investments across enterprise development teams.
CI/CD
Continuous Integration & Continuous Deployment with GitHub Actions. If you are involved in managing and authoring GitHub Actions workflows, you'll want to dive into these updates to see how we are addressing enterprise needs in the areas of scalability, debugging, and security, and bringing AI to GitHub Actions with Agentic Workflows and the GitHub Copilot CLI.
📄 Automating tasks with Copilot CLI and GitHub Actions – Learn how to embed AI-driven reasoning directly into your CI/CD workflows by running GitHub Copilot CLI as part of GitHub Actions, turning routine automation into context-aware decision making. See how teams can automatically generate insights, summaries, and other artifacts from their repositories without human prompts, using the same pipelines that already govern quality and delivery. If you’re responsible for scaling developer productivity or enforcing consistency at speed, this is about moving AI from an individual productivity tool into a repeatable, auditable part of your engineering system.
🚢 GitHub Agentic Workflows are now in technical preview - This technical preview enables orchestration of complex, multi-step automation tasks via agent-like entities within GitHub, signaling a major leap toward autonomous software development pipelines that enterprise teams can adopt and govern at scale.
🚢 GitHub Actions now supports uploading and downloading non-zipped artifacts - GitHub Actions workflows can now upload and download artifacts without ZIP compression by setting “archive” to “false” in upload-artifact v7+, eliminating the "double-zip" problem and enabling direct browser-viewable artifacts—simplifying CI/CD pipeline logic and improving the developer experience for enterprise teams managing complex build workflows.
🚢 macos-26 is now generally available for GitHub-hosted runners - The macOS 26 runner image is now GA for GitHub Actions on both Apple Silicon and Intel architectures, giving enterprise mobile and macOS development teams access to the latest Xcode tooling and OS capabilities in their CI/CD pipelines.
🚢 Workflow dispatch API now returns run IDs - The workflow dispatch API now immediately returns the run ID of the triggered workflow, eliminating complex polling workarounds and enabling enterprise platform teams to build more reliable, traceable CI/CD automation and pipeline orchestration integrations.
Security
Application security with GitHub, ensuring the code that lives in GitHub and the dependencies that go into the solutions you build are secure and do not contain any secrets.
📅 GitHub AppSec Office Hours March 26, 2026 - Every month, GitHub security experts will share the latest GitHub Advanced Security updates, practical best practices for AppSec and answer any of your questions! This is an open office hour style session, designed for beginners and experienced teams alike. Bring your questions, real use cases, and current challenges for live guidance and discussion. Learn how to shift left and secure your code while keeping development fast and smooth.
📺 Xavier René-Corail: how AI is changing the "shift left" mindset (5:29) - Join Xavier René-Corail, Senior Director at GitHub Security, as he reacts to the security findings in the Octoverse 2025 report. From improving fix times with Dependabot to the risks of broken access control, Xavier breaks down what the data means for developers. He also discusses the role of AI in shifting security left and why human code review remains critical.
Code Security
🚢 CodeQL adds Go 1.26 and Kotlin 2.3.10 support and improves query accuracy - Updated CodeQL support for Go 1.26 and Kotlin 2.3.10 combined with improved query accuracy ensures enterprise teams using these languages benefit from the latest, most precise security vulnerability detection as their codebases evolve.
🚢 CodeQL 2.24.1 improves Maven private registry support and improves query accuracy - This release delivers more trustworthy security findings across modern enterprise stacks—tightening private dependency handling, reducing noisy results in critical analyses, and expanding language and framework coverage in ways that directly impact large-scale CI/CD and AppSec confidence.
Secret Protection
🚢 Secret scanning improvements to extended metadata checks - Extended metadata checks for secret scanning now deliver richer contextual insights about exposed secrets, enabling enterprise security teams to rapidly assess actual exposure risk and accelerate remediation decisions with confidence.
Supply Chain Security
📢 Securing the AI software supply chain: Security results across 67 open source projects - Through its Secure Open Source Fund, GitHub audited 67 critical open source projects at the heart of the AI software stack. Coordinated patches and security training for maintainers across foundational projects like Python, pandas, SciPy, and Node.js have materially reduced transitive risk for enterprises building on these foundations. For teams building AI-powered applications, this post underscores why supply chain security demands sustained investment rather than ad hoc fixes—especially as AI components become embedded throughout enterprise software.
🚢 npm bulk trusted publishing config and script security now generally available - Bulk configuration for npm trusted publishing and enhanced lifecycle script security are now GA, allowing enterprise platform teams to systematically enforce secure package publishing practices and reduce supply chain attack surface across their entire npm ecosystem.
🚢 Track additional Dependabot configuration changes in audit logs - Two new audit log event types now capture when Dependabot vulnerability updates and self-hosted runner configurations are toggled on or off, giving enterprise security and compliance teams the full configuration change history needed for investigations and regulatory requirements.
🚢 Dependabot can group updates by dependency name across multiple directories - Reduce pull request noise and streamline supply‑chain maintenance by consolidating identical dependency upgrades across an entire repository into a single, reviewable change—an especially high‑leverage improvement for monorepos and multi‑service codebases.
Additional Security Updates
🚢 Enterprise-wide credential management tools for incident response - New enterprise-wide tools enable administrators to rapidly audit and revoke compromised credentials across the entire organization during a security incident, dramatically reducing the time to contain a breach and limit exposure across large, complex GitHub deployments.
🚢 Enterprise-defined custom organization roles are generally available - Large organizations can centrally standardize access governance across all their GitHub organizations using custom roles—improving compliance, consistency, and administrative scale without changing how roles work or are assigned.
🚢 IP allow list coverage extended to EMU namespaces in public preview - Enterprises using Enterprise Managed Users can now enforce IP allow list policies on all EMU-associated namespaces and repositories—covering web, git, and API access across all credential types—closing a significant network access control gap for security-conscious organizations.
🚢 GitHub Apps can now utilize public preview Enterprise Teams APIs via fine-grained permissions - This update enables enterprises to securely automate large‑scale team management by letting GitHub Apps replace legacy personal access tokens with least‑privilege, enterprise‑level API access—unlocking safer governance and more scalable integrations across organizations.
GitHub Code Quality
GitHub Code Quality is now available in public preview! It turns every pull request into an opportunity to improve. With in-context findings, one-click Copilot fixes, and reliability and maintainability scores, you spend less time chasing nits and more time building. Check out the documentation to learn more.
🚢 GitHub Code Quality: Organization-level dashboard in public preview - Get a centralized, permission-aware view of code health across all your repositories—so you can quickly spot risk, compare quality signals, and focus teams on the areas that matter most before issues scale.
🚢 GitHub Code Quality enterprise policy - This update gives enterprise administrators finer-grained control to enable code quality insights independently of security policies, allowing teams to improve maintainability and reliability without unintended licensing, cost, or governance side effects.
Legend
This legend represents the icons used above and links each icon to its corresponding resource page. These are the primary sources we review each month when compiling the Monthly Enterprise Roundup. Note that not every resource will appear in every edition.
📅 Events
🙋‍♂️ Training, e.g. GitHub Skills, GitHub Copilot for Beginners
🌐 Third Party Web Site, e.g. LinkedIn
That’s it for the March '26 edition of the MER. Follow GitHub Enterprise on LinkedIn to see when the next round of key updates becomes available.
We want to hear from you! Did you find this curated list of updates from GitHub helpful? Do you have suggestions on how we can provide the information that is going to be the most useful and timely for your role? Provide your feedback in the GitHub Community: March ‘26 enterprise roundup.