Bringing GraphQL to Octokit.NET

If you’ve built apps that connect with GitHub, you are no doubt familiar with Octokit. GitHub offers three official flavors of the easy-to-use Octokit library (one each for Ruby, .NET, and Node.js) that work with the GitHub REST API v3. Back in September of 2016, we announced that we would move to GraphQL, the query language developed by Facebook, in part due to the ability to fetch all of the data we wanted in a single request. As a result, the GitHub API v4 is built on GraphQL instead of REST.

Introducing Octokit.NET in GraphQL

The Editor Tools Team is particularly excited about this move to GraphQL because loading lists of pull requests in Visual Studio through our extension can be time consuming for some projects. We’ve experimented with GraphQL APIs, but we wanted to make it as easy to use as the Octokit.NET library. As such, we are excited to announce the GraphQL flavor of the Octokit.NET library is now available.

Creating a GraphQL-based .NET API presents certain challenges. GraphQL is a query language best suited for dynamic languages. Developers who want to take advantage of GraphQL in statically compiled languages like .NET have to make some compromises, resulting in a much different experience.

This started as an experiment to see if we could use GraphQL’s self-documenting functionality to generate a library that gets the benefit of static compilation while retaining the flexibility and spirit of GraphQL. In GitHub for Visual Studio, we perform many round-trip queries when displaying pull requests. We’ve used this library in our extension, and it has helped us improve performance, most notably with pull request lists. Before, these lists took minutes to display and now load in under two seconds.

The syntax is designed to look as much like GraphQL as possible while still feeling familiar to .NET developers:

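using System;
using System.Collections.Generic;
using Octokit.GraphQL;
using Octokit.GraphQL.Core;
using static Octokit.GraphQL.Variable;

// Authenticate with your OAuth token.
var connection = new Connection("", YOUR_OAUTH_TOKEN);

// Build and compile a query that takes the repository owner and name as variables.
var query = new Query()
    .Repository(name: Var("name"), owner: Var("owner"))
    .Select(repo => new
    {
        repo.Name,
        repo.Owner.Login,
    }).Compile();

// Values for the query variables.
var vars = new Dictionary<string, object>
{
    { "owner", "octokit" },
    { "name", "" },
};

// Run is an instance method, so call it on the connection created above.
var result = await connection.Run(query, vars);

Console.WriteLine(result.Login + " & " + result.Name + " Rocks!");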

If you want to use the GraphQL API in .NET and make queries in your statically compiled C# code, try out the new GitHub v4 Octokit.NET library.

We’re excited to hear from you. Are you a .NET developer? Is this something that you would find useful? Get in touch with us in our GitHub for Visual Studio repo or on Twitter (@GitHubVS).

Security vulnerability alerts for Python

Last year, we released security alerts that track security vulnerabilities in Ruby and JavaScript packages. Since then, we have identified millions of vulnerabilities and have prompted many patches.

We’re pleased to announce that we’ve shipped Python support. As of this week, Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.

We’ve chosen to launch the new platform offering with a few recent vulnerabilities. Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.

How to start using Python security alerts

First, ensure that you have checked in a requirements.txt or Pipfile.lock file inside of repositories that have Python code.

Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allowing access in the dependency graph section of your repository’s “Insights” tab.

When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository’s settings page and navigating to the “Alerts” tab.

To configure the kind or frequency of notifications you receive, visit your profile’s notification settings page and select your preferred option.

Read the documentation to learn more.
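
To illustrate what a dependency graph needs from those two files, here is an added example (not GitHub's implementation and not part of the original post) that reads exact pins from a requirements.txt and a Pipfile.lock and matches them against an advisory list. The package names, versions, advisory ids and function names are all constructed for the illustration.

```python
import json
import re

# Constructed advisories: package -> [(first fixed version, advisory id)]; placeholders only.
ADVISORIES = {"examplelib": [("2.4.1", "EXAMPLE-ADVISORY-1")],
              "samplepkg": [("1.0.0", "EXAMPLE-ADVISORY-2")]}
# Constructed manifests in the two formats the post names.
REQUIREMENTS = "# sample\nExampleLib==2.3.9\nsamplepkg>=0.9  # range only\notherpkg==1.0.0\n"
PIPFILE_LOCK = json.dumps({"_meta": {"pipfile-spec": 6},
                           "default": {"samplepkg": {"version": "==0.9.5"}},
                           "develop": {"examplelib": {"version": "==2.4.1"}}})

def _ver(v):  # '1.10.2' -> (1, 10, 2); simplified, ignores pre-release tags
    return tuple(int(p) for p in re.findall(r"\d+", v))

def _norm(name):  # lower-case the name and treat runs of - _ . as one '-'
    return re.sub(r"[-_.]+", "-", name).lower()

def pins_from_requirements(text):
    """Return ({name: version} for '==' pins, [names lacking an exact pin])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()   # drop comments
        name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not name:                                   # blank line or pip option
            continue
        pin = re.match(r"[^=<>!~;\s]+\s*==\s*([0-9][^\s;,]*)$", line)
        if pin:
            pinned[_norm(name.group(0))] = pin.group(1)
        else:
            unpinned.append(_norm(name.group(0)))
    return pinned, unpinned

def pins_from_pipfile_lock(text):
    """Pipfile.lock is JSON: 'default' and 'develop' map name -> {'version': '==x'}."""
    lock, pinned = json.loads(text), {}
    for section in ("default", "develop"):
        for name, meta in lock.get(section, {}).items():
            ver = meta.get("version", "")
            if ver.startswith("=="):
                pinned[_norm(name)] = ver[2:]
    return pinned

def alerts(pinned):
    """List (package, version, advisory id) for pins below the first fixed version."""
    return sorted((n, v, aid) for n, v in pinned.items()
                  for fixed, aid in ADVISORIES.get(n, [])
                  if _ver(v) < _ver(fixed))
```

Entries returned in the unpinned list cannot be tied to one installed version, so a lock file gives a more precise match than a loosely specified requirements.txt.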

Introducing GitHub Enterprise 2.14

For the first time, your team can connect to the power of the open source community—and find lots of ways to get more work done—with our latest Enterprise release.

Ready to start using these new tools? Upgrade your instance:

Download Enterprise 2.14

New developer tools

Now, if you have GitHub Business Cloud in addition to your Enterprise instance, you can tap into everything you love about open source from behind your firewall. Find public content and collaborate with the entire GitHub community without sacrificing security.

Learn more about unified search

Checks API (public beta)

The Checks API helps integrators build sophisticated tools for continuous integration, linting, and acceptance testing on GitHub. Previously, integrators could report success or failure of a build and include a link to more information using our Statuses API. With the new Checks API, they can specify more status information during builds and collect richer data, providing a more integrated experience for developers.

Learn more about the Checks API

Multiple issue templates

Project maintainers can now organize contributions and reduce noise for projects that have lots of collaborators with multiple issue templates and an improved setup process.

Learn more about issue templates

Ignore white space

When reviewing code, a diff with a number of white space changes can distract from the changes that matter. Now it’s easier to tell code updates apart from white space changes with an improved diff view. Change your view to automatically filter white space changes out by clicking Diff settings.


Learn more about ignoring white space

Multiple required reviewers

As projects grow, you may want additional reviews for your team’s code changes. With the new multiple reviewer requirement, you can set how many reviewers are required for every pull request on a protected branch—so your organization’s important projects are protected from unwanted changes.


Learn more about multiple required reviewers

Easier administration

Automated support tickets

Now you can create a support ticket directly from Enterprise and send diagnostic information to get help faster. We’ve also created a new command—ghe-support-upload—to directly upload your support tickets with the output of commands.

Learn more about automated support tickets

Dormancy threshold configuration

Enterprise 2.14 adjusts the default threshold for developers who are considered dormant from 30 to 90 days, so developers can retain access longer—and admins can now configure the threshold to fit their team.

Learn more about dormancy thresholds

Anonymous git access

You can now opt in to configure anonymous git access to public repositories when your Enterprise environment is in private mode. This helps continuous integration tools and build machines seamlessly access code for testing or deploy pipelines—and makes it easier for them to distribute Go or Swift projects that use git for submodules.

Learn more about anonymous git access

Additional updates

  • Improved project permissions: With more granular permissions for your team’s projects and the ability to create public projects, it’s now easier to update who has access to projects in your organization.
  • User hovercards: Developers will now be able to see more information about project collaborators when they hover over their avatars—or most places you see their username—including information that’s specific to their interaction with them.
  • Jump to: Now developers can quickly navigate to team pages, repositories, and projects they recently visited when they click the GitHub search bar (or hit the “/” key) with our new “jump to” feature.
  • Personal and organization dashboard improvements: Developers will now see more activity posts and better organization of content with improvements to personal and organization dashboards.

To see the full list of updates, check out our release notes.

Download Enterprise 2.14

Learning from EFF’s report on censorship and online platforms

The Electronic Frontier Foundation (EFF) publishes an annual “Who Has Your Back Report” to evaluate which companies defend their users when the government comes knocking. Since 2011, the report has focused on government requests for user information. This year, the report takes on a different topic: government requests to take down information—in other words, censorship on online platforms.

As background, EFF explains how the prevalence of HTTPS and mixed-use social media sites have made it harder for governments themselves to directly censor content. As a result, governments are increasingly turning to online platforms to censor for them.

EFF used five criteria to rate how well companies (“some of the biggest online platforms that publicly host a large amount of user-generated content”) protect their users from unwarranted censorship:

  1. Transparency in reporting on government takedown requests based on violations of a law
  2. Transparency in reporting on government takedown requests based on terms of service or other platform policy violations
  3. Meaningful notice to users
  4. Appeals process for users
  5. Limited geographic scope of takedowns

Based on EFF’s description of those criteria, GitHub meets each one. As we explain in our contribution to the UN’s free expression expert’s report on content moderation, we minimize censorship on our platform by providing transparency, notice, appeals, and geographically limited blocking when we find a takedown unavoidable.

Among EFF’s observations in the report are that companies that scored well “serve to provide examples of strong policy language for others hoping to raise the bar on content moderation policy” and that helping companies to review each other’s policies around content moderation “can serve as a guide for startups and others looking for examples of best practices.” A strong motivation behind open sourcing our policies is that we hope to contribute to industry best practices while offering those examples to startups and others who are looking for them. We recognize how important transparency is in how we develop our policies. We also recognize that being transparent about how we moderate content is essential to maintaining our community’s trust and our legitimacy as a platform.

We thank EFF for taking on online censorship in this year’s report. Get in touch with us through email or Twitter if you’re interested in collaboration toward raising the standard among companies involved in online content moderation.

Optimizing your open source project with GitHub Apps

Managing open source communities can be time consuming for maintainers who want to support projects but lack the resources to do so. GitHub is ready to help automate away all of your problems with GitHub Apps.

GitHub Apps allow developers to build custom workflows with GitHub’s REST and GraphQL APIs. There are also dozens of free, open source GitHub Apps available for public use.

Here are some existing open source apps that can be installed for free today to help automate away some of the pain points of maintaining an open source project. All of these apps are built with Probot, an open source framework for building GitHub Apps.

Open source apps

Sentiment Bot


Sentiment Bot, which uses Google’s Perspective API to analyze sentiment, replies to toxic comments with a maintainer-designated reply and a link to the repository’s Code of Conduct. Use this app to help prevent toxic interactions from getting the best of your issue comments.

Sentiment Bot can alert your project’s maintainers to the situation, giving you the opportunity to determine next steps. You can even customize the threshold of toxicity at which the app will take action in order to best manage your community.


Welcome

Welcome is a simple way to welcome new users to your community when they take their first actions in your project, such as their first issue, first pull request, or first successful merge.

Welcome allows you to effectively craft messages around what new members of your community need to know at each stage of the process by providing separate configuration options for all three welcome moments.


Stale

Stale automatically closes issues and pull requests that accumulate in a project. This app lifts the burden of determining when work is not progressing.

Stale utilizes GitHub’s updated search qualifier to determine staleness; however, you can easily prevent it from closing issues and pull requests whenever there is an update, like a new comment. It is also highly customizable, enabling you to determine the length of time an issue should remain open until it is considered stale.


WIP

WIP, or Work In Progress, prevents the accidental merging of pull requests by setting pull requests’ status to pending if the title contains “wip” or “WIP”. This will block merging if you require the WIP status.


Install any of these apps by clicking on their link and then “Add to GitHub”. From there, you will need to determine where you want to install the app and what repositories you want it to act on.

After clicking “Install”, you will see a landing page specific to the app you installed, which may specify some next steps. For example, Stale requires a .github/stale.yml file in your repository before it will take action.

You can check out these apps and many others on or build your own. Have questions? Reach out to us at



