diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index 8041ca6b4529..9a8b41397f84 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -1,6 +1,6 @@
 ---
 title: Enabling secret scanning features
-shortTitle: Enable secret scanning features
+shortTitle: Enable features
 allowTitleToDifferFromFilename: true
 intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} to detect secrets that are already visible in a repository, as well as push protection to proactively secure you against leaking additional secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
index 6dd0553b9b8c..8397f42bf3a5 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
@@ -16,7 +16,7 @@ topics:
 - Advanced Security
 - Alerts
 - Repositories
-shortTitle: Managing alerts
+shortTitle: Manage alerts
 children:
 - /about-alerts
 - /viewing-alerts
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
index 8cbdd7d96ba4..5144b122f615 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshooting secret scanning and push protection
-shortTitle: Troubleshoot secret scanning
+shortTitle: Troubleshoot
 intro: 'If you have problems with {% data variables.product.prodname_secret_scanning %} or push protection, you can use these tips to help resolve issues.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md
index e63738b1921c..09dba6e19c7e 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md
@@ -10,27 +10,33 @@ topics:
 - Advanced Security
 - Alerts
 - Repositories
-shortTitle: Delegated bypass
+shortTitle: About delegated bypass
 ---
 ## About delegated bypass for push protection
 {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
-{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
+By default, when push protection is enabled for a repository, anyone with write access can still push a secret to the repository, provided that they specify a reason for bypassing push protection.
-When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, only specific roles and teams can bypass push protection. All other contributors are instead obligated to make a request for "bypass privileges", which is sent to a designated group of reviewers who either approve or deny the request to bypass push protection.
+With delegated bypass for push protection, you can:
-If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
+* **Choose** which individuals, roles, and teams can bypass push protection.
+* Introduce a **review and approval** cycle for pushes containing secrets from all other contributors.
-To configure delegated bypass, organization owners or repository administrators must change the "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}" setting in the UI from **Anyone with write access** to **Specific roles and teams**.
+{% ifversion push-protection-delegated-bypass-file-upload-support %}Delegated bypass applies to files created, edited, and uploaded on {% data variables.product.prodname_dotcom %}.{% endif %}
-Organization owners or repository administrators are then prompted to create a "bypass list". The bypass list comprises the specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)."
+To set up delegated bypass, organization owners or repository administrators create a list of users with bypass privileges. This designated list of users can then:
+* Bypass push protection, by specifying a reason for bypassing the block.
+* Manage (approve or deny) bypass requests coming from all other contributors. These requests are located in the "Push protection bypass" page in the **Security** tab of the repository.
-{% ifversion push-protection-bypass-fine-grained-permissions %} Alternatively, instead of creating a bypass list, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions.
For more information, see "[Using fine-grained permissions to control who can review and manage bypass requests](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests)."{% endif %}
+The following types of users can always bypass push protection without having to request bypass privileges:
+* Organization owners
+* Security managers
+* Users in teams, default roles, or custom roles that have been added to the bypass list.{% ifversion push-protection-bypass-fine-grained-permissions %}
+* Users who are assigned (either directly or via a team) a custom role with the "review and manage secret scanning bypass requests" fine-grained permission.{% endif %}
-Members {% ifversion push-protection-bypass-fine-grained-permissions %}with permission to review (approve or deny) bypass requests can manage these {% else %}of the bypass list can review and manage {% endif %}requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)."
+## Next steps
-{% data reusables.secret-scanning.push-protection-delegated-bypass-note %}
-
-For information about enabling delegated bypass, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)"
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
index 6546c4d8f392..8736fdd06d6d 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
@@ -6,7 +6,7 @@ intro: 'You can control the ability to bypass push protection by setting up a re
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
- ghes: '*'
+ ghes: '>=3.14'
 ghec: '*'
 topics:
 - Secret scanning
diff --git a/data/reusables/secret-scanning/what-is-scanned.md b/data/reusables/secret-scanning/what-is-scanned.md
index 57d883051026..2ea2839fcd47 100644
--- a/data/reusables/secret-scanning/what-is-scanned.md
+++ b/data/reusables/secret-scanning/what-is-scanned.md
@@ -7,7 +7,7 @@ Additionally, {% data variables.product.prodname_secret_scanning %} scans:{% ifv
 * Titles, descriptions, and comments in {% data variables.product.prodname_discussions %}{% endif %}{% ifversion secret-scanning-enhancements-wikis %}
 * Wikis{% endif %}
-{% ifversion fpt or ghec %}
+{% ifversion ghec %}
 This additional scanning is free for public repositories.
 {% endif %}