OIDC support for Dependabot and code scanning
Dependabot and code scanning now support OpenID Connect (OIDC) authentication for private registries configured at the organization level, eliminating the need to store long-lived credentials as repository secrets.
What’s new
Organization administrators can configure OIDC-based credentials for private registries across their organization. With OIDC-based authentication, you dynamically obtain short-lived credentials from your cloud identity provider, just as GitHub Actions workflows do with OIDC federation. This builds on the earlier support for OIDC authentication in repository-level dependabot.yml configuration files and extends it to the organization level, so you can centrally manage registry access for all repositories in your org.
Supported registries
- AWS CodeArtifact
- Azure DevOps Artifacts
- JFrog Artifactory
Within the next four weeks, we will add support for Cloudsmith and Google Artifact Registry.
This feature is now generally available on github.com and will ship in GitHub Enterprise Server 3.22.
Learn more about configuring OIDC for Dependabot and code scanning at the organization level. You can also join the community discussion.