Skip to content

Recent activity for authentication credentials

In addition to seeing your browser session activity, you can now view activity for your SSH keys and OAuth tokens as well.

SSH key activity

Find the most recent activity for each key in the SSH keys section of your account settings.

SSH keys overview

OAuth token activity

For OAuth tokens, check out the Applications section of your account settings.

OAuth applications overview

As always, we recommend that you keep an eye on these credentials and remove any keys or tokens that you no longer need.

Showcasing interesting projects in Explore


We love watching trending repositories on GitHub every day. All kinds of interesting projects bubble up and there is always something new to catch your eye. We want to collect repositories we find interesting into categories for you.

Showcases are a new way to discover related repositories on GitHub. We take the most interesting trending repositories and curate lists to explore by topic. A lot like the staff shelf at your local book store.

On a showcase page, you'll find the full list of repositories that we're showcasing, including why we think they're special. On the right you will have a place to search all showcases, view related showcases, and any newly created showcases.

You can browse the showcase listing page to read through them all. You can also subscribe to the atom feed and stay up-to-date.

Thanks for reading and happy Exploring! :telescope:

Update on Julie Horvath's Departure

This weekend, GitHub employee Julie Horvath spoke publicly about negative experiences she had at GitHub that contributed to her resignation. I am deeply saddened by these developments and want to comment on what GitHub is doing to address them.

We know we have to take action and have begun a full investigation. While that’s ongoing, and effective immediately, the relevant founder has been put on leave, as has the referenced GitHub engineer. The founder’s wife discussed in the media reports has never had hiring or firing power at GitHub and will no longer be permitted in the office.

GitHub has grown incredibly fast over the past two years, bringing a new set of challenges. Nearly a year ago we began a search for an experienced HR Lead and that person came on board in January 2014. We still have work to do. We know that. However, making sure GitHub employees are getting the right feedback and have a safe way to voice their concerns is a primary focus of the company.

As painful as this experience has been, I am super thankful to Julie for her contributions to GitHub. Her hard work building Passion Projects has made a huge positive impact on both GitHub and the tech community at large, and she's done a lot to help us become a more diverse company. I would like to personally apologize to Julie. It’s certain that there were things we could have done differently. We wish Julie well in her future endeavors.

Chris Wanstrath
CEO & Co-Founder

Repository metadata and plugin support for GitHub Pages

We've added several commonly requested features, making GitHub Pages an even better place to host websites for you and your projects.

Repository metadata

First, Jekyll sites on GitHub Pages now have access to some useful repository information such as the latest SHA1; the project title, owner, and description; common URLs like the download and clone URL; and the exact version of various dependencies used to build your site like Jekyll or Ruby.

Within pages and posts, repository information is available within the site.github namespace, and can be displayed, for example, using {{ site.github.project_title }}.

See the project metadata documentation for the complete list.

@mentions, emoji, and redirects

Second, GitHub Pages now supports three Jekyll plugins:

  • Jemoji and jekyll-mentions enable emoji and @mentions in your Jekyll posts and pages to work just like you'd expect when interacting with a repository on

  • Jekyll-redirect-from provides an easy way to redirect visitors to the proper url when the filename changes for a post or a page.

For more information on using plugins with GitHub Pages, see the GitHub Pages plugin documentation.

Happy documenting!

Denial of Service Attacks

On Tuesday, March 11th, GitHub was largely unreachable for roughly 2 hours as the result of an evolving distributed denial of service (DDoS) attack. I know that you rely on GitHub to be available all the time, and I'm sorry we let you down. I'd like to explain what happened, how we responded to it, and what we're doing to reduce the impact of future attacks like this.


Over the last year, we have seen a large number and variety of denial of service attacks against various parts of the GitHub infrastructure. There are two broad types of attack that we think about when we're building our mitigation strategy: volumetric and complex.

We have designed our DDoS mitigation capabilities to allow us to respond to both volumetric and complex attacks.

Volumetric Attacks

Volumetric attacks are intended to exhaust some resource through the sheer weight of the attack. This type of attack has been seen with increasing frequency lately through UDP based amplification attacks using protocols like DNS, SNMP, or NTP. The only way to withstand an attack like this is to have more available network capacity than the sum of all of the attacking nodes or to filter the attack traffic before it reaches your network.

Dealing with volumetric attacks is a game of numbers. Whoever has more capacity wins. With that in mind, we have taken a few steps to allow us to defend against these types of attacks.

We operate our external network connections at very low utilization. Our internet transit circuits are able to handle almost an order of magnitude more traffic than our normal daily peak. We also continually evaluate opportunities to expand our network capacity. This helps to give us some headroom for larger attacks, especially since they tend to ramp up over a period of time to their ultimate peak throughput.

In addition to managing the capacity of our own network, we've contracted with a leading DDoS mitigation service provider. A simple Hubot command can reroute our traffic to their network which can handle terabits per second. They're able to absorb the attack, filter out the malicious traffic, and forward the legitimate traffic on to us for normal processing.

Complex Attacks

Complex attacks are also designed to exhaust resources, but generally by performing expensive operations rather than saturating a network connection. Examples of these are things like SSL negotiation attacks, requests against computationally intensive parts of web applications, and the "Slowloris" attack. These kinds of attacks often require significant understanding of the application architecture to mitigate, so we prefer to handle them ourselves. This allows us to make the best decisions when choosing countermeasures and tuning them to minimize the impact on legitimate traffic.

First, we devote significant engineering effort to hardening all parts of our computing infrastructure. This involves things like tuning Linux network buffer sizes, configuring load balancers with appropriate timeouts, applying rate limiting within our application tier, and so on. Building resilience into our infrastructure is a core engineering value for us that requires continuous iteration and improvement.

We've also purchased and installed a software and hardware platform for detecting and mitigating complex DDoS attacks. This allows us to perform detailed inspection of our traffic so that we can apply traffic filtering and access control rules to block attack traffic. Having operational control of the platform allows us to very quickly adjust our countermeasures to deal with evolving attacks.

Our DDoS mitigation partner is also able to assist with these types of attacks, and we use them as a final line of defense.

So what happened?

At 21:25 UTC we began investigating reports of connectivity problems to We opened an incident on our status site at 21:29 UTC to let customers know we were aware of the problem and working to resolve it.

As we began investigating we noticed an apparent backlog of connections at our load balancing tier. When we see this, it typically corresponds with a performance problem with some part of our backend applications.

After some investigation, we discovered that we were seeing several thousand HTTP requests per second distributed across thousands of IP addresses for a crafted URL. These requests were being sent to the non-SSL HTTP port and were then being redirected to HTTPS, which was consuming capacity in our load balancers and in our application tier. Unfortunately, we did not have a pre-configured way to block these requests and it took us a while to deploy a change to block them.

By 22:35 UTC we had blocked the malicious request and the site appeared to be operating normally.

Despite the fact that things appeared to be stabilizing, we were still seeing a very high number of SSL connections on our load balancers. After some further investigation, we determined that this was an additional vector that the attack was using in an effort to exhaust our SSL processing capacity. We were able to respond quickly using our mitigation platform, but the countermeasures required significant tuning to reduce false positives which impacted legitimate customers. This resulted in approximately 25 more minutes of downtime between 23:05-23:30 UTC.

By 23:34 UTC, the site was fully operational. The attack continued for quite some time even once we had successfully mitigated it, but there were no further customer impacts.

What did we learn?

The vast majority of attacks that we've seen in the last several months have been volumetric in terms of bandwidth, and we'd grown accustomed to using throughput as a way of confirming that we were under attack. This attack did not generate significantly more bandwidth but it did generate significantly more packets per second. It didn't look like what we had grown to expect an attack to look like and we did not have the monitoring we needed to detect it as quickly as we would have liked.

Once we had identified the problem, it took us much longer than we'd like to mitigate it. We had the ability to mitigate attacks of this nature in our load balancing tier and in our DDoS mitigation platform, but they were not configured in advance. It took us valuable minutes to configure, test, and tune these countermeasures which resulted in a longer than necessary downtime.

We're happy that we were able to successfully mitigate the attack but we have a lot of room to improve in terms of how long the process takes.

Next steps?

  1. We have already made adjustments to our monitoring to better detect and alert us of traffic pattern changes that are indicative of an attack. In addition, our robots are now able to automatically enable mitigation for the specific traffic pattern that we saw during the attack. These changes should dramatically reduce the amount of time it takes to respond to a wide variety of attacks in the future and reduce their impact on our service.
  2. We are investigating ways that we can simulate attacks in a controlled way so that we can test our countermeasures on a regular basis to build additional confidence in both our mitigation tools and to improve our response time in bringing them to bear.
  3. We are talking to some 3rd party security consultants to review our DDoS detection and mitigation capability. We do a good job mitigating attacks we've seen before, but we'd like to more proactively plan for attacks that we haven't yet encountered.
  4. Hubot is able to route our traffic through our mitigation partner and to apply templates to operate our mitigation platform for known attack types. We've leveled him up with some new templates for attacks like this one so that he can help us recover faster in the future.


This attack was painful, and even though we were able to successfully mitigate the effects of it, it took us far too long. We know that you depend on GitHub and our entire company is focused on living up to the trust you place in us. I take problems like this personally. We will do whatever it takes to improve how we respond to problems to ensure that you can rely on GitHub being available when you need us.

Thanks for your support!

Passion Projects Short Documentary: Timoni West

We're now 11 installments into our talk series Passion Projects, which we created to help surface and celebrate the work of incredible women in the tech industry.

We sat down with past speaker Timoni West to talk a little more about her background in design and more specifically, the role the Internet is playing in making data available and consumable for everyday people.

Since filming, Timoni has started working with Alphaworks.

Timezone-aware contribution graphs

Today we've made your contribution graphs timezone-aware. GitHub is used everywhere and we want to reflect that in our features. If you happen to work from Japan, Australia or Ulan Bator, we want to count your contributions from your perspective.

When counting commits, we use the timezone information present in the timestamps for those commits. Pull requests and issues opened on the web will use the timezone of your browser. If you use the API you can also specify your timezone.

We don't want to mess up your current contribution streaks, so only contributions after Monday 10 March 2014 (Temps Universel Coordonné) will be timezone-aware.

Enjoy your time(zone)!

Use all your favorite tools with GitHub

To build and ship great software, you need to use the best tools available. From homegrown systems to third-party applications, integrating those tools with GitHub means better collaboration around projects, higher code quality, automated testing, easy deployments, and streamlined production operations.

Today there are thousands of applications and services that work with GitHub. Tools like Asana help you and your team stay on top of recent code changes by linking GitHub commits and issues to relevant project tasks. Services like CircleCI and Code Climate integrate with GitHub to test the quality of your code. You can even deploy code from a GitHub repository to services like Heroku and Amazon Web Services.


Integrations like these help improve testing at Airbnb, track code review at Harry's, and support continuous integration at Infinum. Do you have a favorite application or service that helps you and your team write code? Chances are it works with GitHub already. Check out some of the most popular tools that work with GitHub to help you build better software. Don't see your favorite integration? Let us know!


Announcing the GitHub Developer Program

Whether you're just getting started or have been building applications on the GitHub API for years, the GitHub Developer Program is all about making sure you have the right resources to build the best possible integrations for our incredible community.

Providing developers with a great API has always been an important part of GitHub. Over time, the API we've offered has evolved – adding increased flexibility, greater capabilities, and more endpoints. Launching the Developer Program today represents the next chapter in this story.

Developer Program

By joining the Developer Program, you'll receive ongoing notifications about changes to our API. You'll be eligible to receive early access on select feature releases, and can request a development license for GitHub Enterprise. You can also submit your work for consideration on the integrations page.

Visit our developer website to learn more about the program and to register as a member.

OctoTales • DeNA

Fresh from the streets of Tokyo, Japan, we're excited to share our latest video in the OctoTales series. This episode features DeNA, creators of the mobile gaming platform, Mobage.

DeNA has been using GitHub Enterprise since 2012 to build and ship software across offices in seven countries. DeNA's team of developers relies on real-world user research and a culture of collaboration to build a platform that brings 40 million users together through mobile games.

If you would like to be a part of the OctoTales series, tell us your story at


DeNAは2012年から7カ国にあるオフィス間のコラボレーションのためにGitHub Enterpriseを利用しています。DeNAで活躍している開発者の皆さまはユーザーリサーチとコラボレーションの文化を基礎にしてモバイルゲームを通じて4千万人のユーザーが繋がるプラットフォームを構築しています。

OctoTalesに参加したい企業は までご連絡をください。

Enhanced OAuth security for SSH keys

We just added more granular permissions so third party applications can specifically request read-only access, read/write access, or full admin access to your public SSH keys.

You're in control

As always, when an application requests access to your account, you get to decide whether to grant that access or not.

screen shot 2014-02-24 at 4 16 32 pm

Revoke with ease

In addition to these finer-grained permissions, we're also making it easier to revoke SSH access to your data. If an OAuth application creates an SSH key in your account, we'll automatically delete that key when you revoke the application's access.


To help you track security events that affect you, we'll still email you any time a new key is added to your account. And of course, you can audit and delete your SSH keys any time you like.

You can read about the new changes in more detail on the GitHub Developer site.

Rendered Prose Diffs

Today we are making it easier to review and collaborate on prose documents. Commits and pull requests including prose files now feature source and rendered views.


Click the "rendered" button to see the changes as they'll appear in the rendered document. Rendered prose view is handy when you're adding, removing, and editing text:

Replace a paragraph

Editing text

Or working with more complex structures like tables:

Edit Table

Non-text changes appear with a low-key dotted underline. Hover over the text to see what has changed:

HREF change

Building great software is about more than code. Whether you're writing docs, planning development, or blogging what you've learned, better prose makes for better products. Go forth and write together!

Free Public Speaking Workshop For Women

We're hosting our first ever free public speaking workshop for women in San Francisco! If you're interested in leveling up your public speaking skills, join us on Saturday, February 22nd for a day of inspiring talks from women who rock, workshopping with incredible mentors from the tech community, and (only if you're up for it) getting on stage to deliver your first lightning talk.


Conferences are notable not only for the prominent people on stage, but also for those who are missing.

— Sarah Millstein in Putting An End To Conferences Dominated By White Men

Changing the ratio starts with increasing the visibility of those people who are missing from tech conference lineups. With this workshop, we're hoping to give you the tools not only to feel comfortable talking about the work you do, but help you to increase your own visibility within the community.

Meet Our Keynote Speakers:

  • Denise Jacobs, Speaker, Author, Creativity Evangelist, Passionate Diversity Advocate
  • Diana Kimball, Expert Novice, Bright Soul, and Harvard MBA Set Out on Making the World A Better Place

Our Awesome Mentors For The Day:

  • Ana Hevesi, Community Developer at StackExchange, Conference Organizer, Brilliant Wordsmith, So Damn Well-Spoken
  • Andi Galpern, Expert Web Designer, Rockin' Musician, and Passionate Tech Educator
  • Alexis Finch, Sketch Artist, Has Probably Seen More Conference Talks Than Ted Himself, Badass Women's Advocate
  • Alice Lee, Designer and Illustrator at Dropbox, Super Talented Letterer, and Organizer of Origins
  • Anita Sarkeesian, Creator and Host of Feminist Frequency, Pop Culture Trope Expert , Probably the Most Hilarious Human Alive
  • Angelina Fabbro, Engineer/Developer and Developer Advocate at Mozilla. Writes Code/Writes Words About Code/Speaks About Code
  • Ash Huang, Designer at Pinterest, Really Quite Handy with Gifs IRL
  • C J Silverio, Cats, Weightlifting, and Node.js, Not Necessarily In That Order.
  • Divya Manian, Crazy Talented Speaker, Avid Coder, and Armchair Anarchist
  • Garann Means, JavaScript Developer, Incredible Writer, Proud Austin-ite, and Beyond Powerful Speaker
  • Emily Nakashima, Resides in the East Bay, Programs at GitHub
  • Jackie Balzer, Writes CSS Like It's Her Job (It Is), Leads An Army of CSS Badasses at Behance
  • Jen Myers, Former Passion Projects Speaker, Dev Bootcamp Instructor, Fantastic Keynoter, and Starter of Brilliant Things
  • Jesse Toth, Developer at GitHub, Cal CS Grad
  • Jessica Dillon, Lover, Fighter, Javascript Writer
  • Jessica Lord, Open Sourcerer, Former Code For America Fellow, Changing The Way The World Interacts With GitHub/Code/Javascript
  • Julie Ann Horvath, Passion Projects Creator, Developer, and Designer of Websites and Also Slides
  • Kelly Shearon, All Things Marketing and Content Strategy at GitHub, Could Write You Under A Table, Super Cool Mom
  • Luz Bratcher, Helvetica-loving UX designer at Design Commission, Event Admin for Seattle Creative Mornings
  • Mina Markham, Badass Lady Dev, Girl Develop It Founder/Instructor, Generally Rad Person
  • Netta Marshall, Lead Designer at Watsi, Formerly Rdio, Professional Ninja, Owner Of Best Website Footer On The Internet
  • Raquel Vélez, Hacker of The Web (node.js), Robotics Engineer, Polyglot, (Cal)Techer
  • Sara Pyle, Supportocat at GitHub, Amateur Shapeshifter, and Professional Superhero
  • Sonya Green, Chief Empathy Officer, Leads Support at GitHub
  • Tatiana Simonian, VP of Music at Nielsen, Formerly Music at Twitter and Disney
  • Willo O'Brien, Heart-Centered Entrepreneur, Speaker, Coach, Seriously Positive Person

The Pertinent Details:

  • GitHub’s First Public Speaking Workshop For Women
  • At GitHub HQ in San Francisco, CA
  • Saturday, February 22nd, from 11:00am-4:00pm
  • Food, beverages, moral support and also plenty of fun provided.
  • You must register interest here if you'd like to attend. The last day to register interest is Sunday, February 16th. You will be notified on Monday, February 17th if* you've been selected to participate.

*Because we can only host so many people in our space, we're using a lottery system to select participants to ensure the process is fair and balanced.

If you can't make our workshop but are interested in leveling up as a speaker, here's a few resources:

If you're a conference organizer who is looking for some resources to help diversify your lineups this year, these are all great places to start:

Video from Passion Projects Talk #10 with Dana McCallum

Dana McCallum joined us in January of 2013 for the 10th installment of our Passion Projects talk series. Dana's talk revealed how she brought her non-tech passions to life through programming. Check out the full video of her talk and our panel discussion below.

Photos from the event

Thanks to everyone who came out for Dana's talk, including our musical performance for the evening, Running in the Fog.

passionproj_danamccallum-5138 passionproj_danamccallum-5122 passionproj_danamccallum-5754 passionproj_danamccallum-5175 passionproj_danamccallum-5234 passionproj_danamccallum-5740 passionproj_danamccallum-5741 passionproj_danamccallum-5791 passionproj_danamccallum-5783

Photos courtesy of our fab photog :sparkles: Mona Brooks :sparkles: of Mona Brooks Photography.

Webhooks level up

Webhooks are by far our most widely adopted integration, but they've always been buried in a big list of external services. Today, we're making some major improvements in the way you configure, customize, and debug your webhooks.

First, webhooks are a lot more prominent in your repository settings page.


You can now configure webhooks directly in your repository settings, instead of having to use the API. You can also choose specific events and a payload format (JSON!).

new webhook

Once you've configured a hook, the new deliveries section helps you track, troubleshoot, and re-send a webhook event payload.


If you've never used webhooks, we've even got a brand new guide to help you get started. Happy integrating! :sparkles:

Something went wrong with that request. Please try again.