Release notes for the Splunk Add-on for GitHub
Version 3.2.0 of the Splunk Add-on for GitHub was released on July 03, 2025.
Compatibility
Version 3.2.0 of the Splunk Add-on for GitHub is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 9.1.x, 9.2.x, 9.3.x, 9.4.x, 10.x |
---|---|
CIM | 6.0.4 |
Platforms | Platform independent |
Vendor Products | GitHub Enterprise v3.2, v3.13, GitHub Enterprise Cloud |
New Features
- Added CIM support to the new events in sourcetype github:cloud:audit. The new events are listed in the table below along with their supported CIM data models:
event name (action) | CIM data model supported in this release |
---|---|
user.login | Authentication |
checks.delete_logs | Change:Auditing_Changes |
user.sign_in_from_unrecognized_device, user.new_device_used, repository_vulnerability_alert.resolve, external_group.scim_api_success, external_identity.scim_api_success, external_identity.scim_api_failure, user.creation_rate_limit_exceeded, external_group.scim_api_failure, repository_vulnerability_alert.create, secret_scanning_alert.validate, secret_scanning_alert.create, secret_scanning_push_protection.bypass, secret_scanning_alert.reopen, secret_scanning_alert.resolve, secret_scanning_push_protection_request.deny | Alerts |
environment.create, codespaces.create, codespaces.allow_permissions, codespaces.destroy, public_key.create, public_key.delete, external_group.update, environment.delete, external_group.provision, external_group.delete, ip_allow_list_entry.destroy, ip_allow_list_entry.create, environment.remove_protection_rule, repository_vulnerability_alerts.disable, repository_ruleset.destroy, project_base_role.update, codespaces.export_environment, external_group.unlink, organization_role.destroy, organization_role.create, pages_protected_domain.delete, pages_protected_domain.create, organization_role.update, security_configuration.create, security_configuration.update, security_configuration.delete, repository_secret_scanning_push_protection.enable, repository_secret_scanning_non_provider_patterns.enabled, repository_secret_scanning_automatic_validity_checks.enabled, repository_secret_scanning_generic_secrets.enabled, repo.create_actions_secret, org.secret_scanning_custom_pattern_push_protection_enabled, oauth_access.regenerate, oauth_access.create, issue_comment.update, org.register_self_hosted_runner, pull_request_review.submit, pull_request_review_comment.create, pull_request_review_comment.update, pull_request_review_comment.delete, pull_request_review.delete, pull_request.converted_to_draft, pull_request.remove_review_request, protected_branch.policy_override, protected_branch.branch_allowances, pull_request.rebase, workflows.rerun_workflow_run, workflows.cancel_workflow_run, repository_invitation.create, integration_installation.repositories_removed, protected_branch.update_required_status_checks_enforcement_level, protected_branch.rejected_ref_update, required_status_check.create, required_status_check.destroy | Change:All_Changes |
user_session.country_change, repo.add_member, user.logout, repo.remove_member, external_group.remove_member, external_identity.deprovision, external_group.add_member, external_identity.provision, external_identity.update, user_status.update, organization_role.revoke, organization_role.assign, user_status.destroy, oauth_access.regenerate, oauth_access.create | Change:Account_Management |
- Supported CIM version - 6.0.4
Breaking changes
- Removed Authentication DM tags from the event public_key.verify in sourcetype github:enterprise:audit
event (vendor_action) | modified field | old value | new value |
---|---|---|---|
repo.remove_member, repo.add_member | object_category | Repository | User |
repo.remove_member, repo.add_member | object_path | extracted from “repo” | - |
repo.remove_member, repo.add_member | object | extracted from “repo” | extracted from “user” |
repo.remove_member, repo.add_member | object_attrs | extracted from vendor_action | org: |
repo.remove_member, repo.add_member | object_id | extracted from “repo_id” | extracted from “user_id” |
repo.remove_member, repo.add_member | dest | extracted from “repo” | extracted from “business” |
repository_vulnerability_alert.create | dest | extracted from “repo” | extracted from “business” |
repository_vulnerability_alert.create | description | extracted from vendor_action | GitHub created a Dependabot alert because the repository uses a vulnerable dependency. |
repository_vulnerability_alert.create | dest_type | Repository | business |
repository_vulnerability_alert.create | id | extracted from “document_id” | extracted from “alert_id” |
repo.create_actions_secret | change_type | filesystem | security |
repo.create_actions_secret | object_attrs | repo.create_actions_secret | org: |
repo.create_actions_secret | object_path | complete value of “repo” | only the path till repo name |
repo.create_actions_secret | dest | extracted from “repo” | extracted from “business” |
org.secret_scanning_custom_pattern_push_protection_enabled | change_type | filesystem | security |
org.secret_scanning_custom_pattern_push_protection_enabled | object_attrs | org.secret_scanning_custom_pattern_push_protection_enabled | custom_pattern |
org.secret_scanning_custom_pattern_push_protection_enabled | dest | extracted from “org” | extracted from “business” |
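
Detections and dashboards that filter or group on the modified fields will behave differently after the upgrade. The following added example (not part of the add-on or of Splunk's documentation) scans SPL strings for searches that select one of the events in the table above and also reference one of its changed fields; the saved-search names and SPL are constructed, and the regex-based parsing is a heuristic.

```python
import fnmatch
import re

# Fields changed in 3.2.0, keyed by event (vendor_action), copied from the table above.
MEMBER = {"object_category", "object_path", "object", "object_attrs", "object_id", "dest"}
CHANGED = {
    "repo.add_member": MEMBER,
    "repo.remove_member": MEMBER,
    "repository_vulnerability_alert.create": {"dest", "description", "dest_type", "id"},
    "repo.create_actions_secret": {"change_type", "object_attrs", "object_path", "dest"},
    "org.secret_scanning_custom_pattern_push_protection_enabled":
        {"change_type", "object_attrs", "dest"},
}

# Heuristic: action=x, vendor_action="x", action IN (x, y); SPL "*" wildcards are kept.
ACTION_RE = re.compile(
    r'\b(?:vendor_)?action\s*(?:!?=|IN\b)\s*(\([^)]*\)|"[^"]*"|[^\s|)]+)', re.I)


def audit_search(spl):
    """Return {event: [changed fields the search also references]} for one SPL string."""
    patterns = [p for m in ACTION_RE.finditer(spl)
                for p in re.findall(r"[\w.*]+", m.group(1))]
    # Drop the action clauses so event names are not mistaken for field names.
    tokens = set(re.findall(r"[A-Za-z_]\w*", ACTION_RE.sub(" ", spl)))
    findings = {}
    for event, fields in CHANGED.items():
        if any(fnmatch.fnmatchcase(event, p) for p in patterns):
            hit = sorted(fields & tokens)
            if hit:
                findings[event] = hit
    return findings


# Constructed saved searches (hypothetical names and SPL), for illustration only.
SAVED_SEARCHES = {
    "repo_member_added": "action=repo.add_member object_category=Repository"
                         " | stats count by dest, user",
    "dependabot_alerts": 'vendor_action IN ("repository_vulnerability_alert.create")'
                         " | stats latest(id) by dest",
    "secret_changes": "action=repo.* change_type=filesystem | table _time, user",
    "logins": "action=user.login | stats count by src",
}

if __name__ == "__main__":
    for name, spl in SAVED_SEARCHES.items():
        for event, fields in audit_search(spl).items():
            print(f"{name}: review {', '.join(fields)} for {event}")
```

Searches that select events by tag or data model rather than by action are not matched and need manual review.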
Fixed issues
Version 3.2.0 of the Splunk Add-on for GitHub has the following fixed issues:
Known issues
Version 3.2.0 of the Splunk Add-on for GitHub has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party libraries
The Splunk Add-on for GitHub version 3.2.0 uses the following third-party libraries:
Third-party libraries for Splunk Add-on for GitHub version 3.2.0