From 5139a87e93e3d4c0a4c236bebf299ce91a8054dc Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 2 Jul 2024 13:22:51 +0000
Subject: [PATCH 001/282] create first map topic to test
---
 .../managing-secret-scanning-alerts/index.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
diff --git a/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md b/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
new file mode 100644
index 000000000000..5b2aabd06a11
--- /dev/null
+++ b/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
@@ -0,0 +1,19 @@
+---
+title: Managing alerts for secret scanning and push protection
+shortTitle: Manage secret scanning alerts
+allowTitleToDifferFromFilename: true
+intro: 'Learn how to view, evaluate and resolve alerts for secrets checked in to your repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+redirect_from:
+ - /github/administering-a-repository/managing-alerts-from-secret-scanning
+ - /code-security/secret-security/managing-alerts-from-secret-scanning
+ - /code-security/secret-scanning/managing-alerts-from-secret-scanning
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
\ No newline at end of file
From 0bdc04e61f25e31bb114187770fece0699de2432 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 2 Jul 2024 13:43:53 +0000
Subject: [PATCH 002/282] adding to index.md file
---
 content/code-security/secret-scanning/index.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 927350e49ab1..5fa2442d0ea4 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -30,4 +30,5 @@ children:
 - /working-with-push-protection
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
+ - /managing-alerts-from-secret-scanning
 ---
From f16c05e24654531b728d15e7dcf9e353913da29a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Wed, 3 Jul 2024 17:10:26 +0200
Subject: [PATCH 003/282] add map topic for advanced features
---
 content/code-security/secret-scanning/index.md | 1 +
 .../index.md | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 5fa2442d0ea4..74ee8245d678 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -31,4 +31,5 @@ children:
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
 - /managing-alerts-from-secret-scanning
+ - /using-advanced-secret-scanning-and-push-protection-features
 ---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
new file mode 100644
index 000000000000..97ebaf0dde23
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -0,0 +1,15 @@
+---
+title: Using advanced secret scanning and push protection features
+shortTitle: Advanced features
+allowTitleToDifferFromFilename: true
+intro: 'Learn how use advanced features for {% data variables.product.prodname_secret_scanning_caps %} and push protection.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
From cda98f19ca9ffb9fdbf6ad7ccac3a6ffe5d060ef Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 4 Jul 2024 14:20:09 +0100
Subject: [PATCH 004/282] Delete content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
---
 .../managing-secret-scanning-alerts/index.md | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
diff --git a/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md b/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
deleted file mode 100644
index 5b2aabd06a11..000000000000
--- a/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-title: Managing alerts for secret scanning and push protection
-shortTitle: Manage secret scanning alerts
-allowTitleToDifferFromFilename: true
-intro: 'Learn how to view, evaluate and resolve alerts for secrets checked in to your repository.'
-product: '{% data reusables.gated-features.secret-scanning %}'
-redirect_from:
- - /github/administering-a-repository/managing-alerts-from-secret-scanning
- - /code-security/secret-security/managing-alerts-from-secret-scanning
- - /code-security/secret-scanning/managing-alerts-from-secret-scanning
-versions:
- fpt: '*'
- ghes: '*'
- ghec: '*'
-topics:
- - Secret scanning
- - Advanced Security
- - Repositories
----
\ No newline at end of file
From fa3fb094ce60e4bcabfae12156b03a71322caf04 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 4 Jul 2024 14:20:28 +0100
Subject: [PATCH 005/282] Update content/code-security/secret-scanning/index.md
---
 content/code-security/secret-scanning/index.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 74ee8245d678..f22cad513adf 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -30,6 +30,5 @@ children:
 - /working-with-push-protection
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
- - /managing-alerts-from-secret-scanning
 - /using-advanced-secret-scanning-and-push-protection-features
 ---
From 37a812d62537d293f10cbdcda6a0d9412cef8dec Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 15:50:58 +0200
Subject: [PATCH 006/282] Update index.md
---
 content/code-security/secret-scanning/index.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index f22cad513adf..1187a0a8b4e1 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -31,4 +31,5 @@ children:
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
 - /using-advanced-secret-scanning-and-push-protection-features
+ - /secret-scanning-partnership-program
 ---
From 1f77a34583f389f5369413a02776fc948e7f5eb1 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:06:19 +0200
Subject: [PATCH 007/282] add new map topic
---
 .../Secret scanning partnership program/index.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 content/code-security/secret-scanning/Secret scanning partnership program/index.md
diff --git a/content/code-security/secret-scanning/Secret scanning partnership program/index.md b/content/code-security/secret-scanning/Secret scanning partnership program/index.md
new file mode 100644
index 000000000000..3e693f2adcd2
--- /dev/null
+++ b/content/code-security/secret-scanning/Secret scanning partnership program/index.md
@@ -0,0 +1,10 @@
+---
+title: Secret scanning partnership program
+intro: 'As a service provider, you can partner with {% data variables.product.prodname_dotcom %} to have your secret token formats secured through secret scanning, which searches for accidental commits of your secret format and can be sent to a service provider''s verify endpoint.'
+versions:
+ fpt: '*'
+ ghec: '*'
+topics:
+ - API
+shortTitle: Partner program
+---
From cff02de222615280201cbef066046f3895113370 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:12:30 +0200
Subject: [PATCH 008/282] argh
---
 .../index.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{Secret scanning partnership program => secret-scanning-partnership-program}/index.md (100%)
diff --git a/content/code-security/secret-scanning/Secret scanning partnership program/index.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
similarity index 100%
rename from content/code-security/secret-scanning/Secret scanning partnership program/index.md
rename to content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
From 76885f0846625632f65af5a246bee0c56df8dcc4 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:23:07 +0200
Subject: [PATCH 009/282] renamed 1 files
---
 .../secret-scanning-partner-program.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => secret-scanning-partnership-program}/secret-scanning-partner-program.md (100%)
diff --git a/content/code-security/secret-scanning/secret-scanning-partner-program.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
similarity index 100%
rename from content/code-security/secret-scanning/secret-scanning-partner-program.md
rename to content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
From 545eba670569c33acaa8d1742644f0d4661be158 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:23:14 +0200
Subject: [PATCH 010/282] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 2 +-
 .../secret-scanning-partnership-program/index.md | 3 +++
 .../secret-scanning-partner-program.md | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 1187a0a8b4e1..e3176e066d2e 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -16,7 +16,6 @@ topics:
 - Repositories
 children:
 - /about-secret-scanning
- - /secret-scanning-partner-program
 - /configuring-secret-scanning-for-your-repositories
 - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
@@ -33,3 +32,4 @@ children:
 - /using-advanced-secret-scanning-and-push-protection-features
 - /secret-scanning-partnership-program
 ---
+
diff --git a/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
index 3e693f2adcd2..cdf66c1e9353 100644
--- a/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
+++ b/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
@@ -7,4 +7,7 @@ versions:
 topics:
 - API
 shortTitle: Partner program
+children:
+ - /secret-scanning-partner-program
 ---
+
diff --git a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
index 742fc7fd79d6..5cd936006122 100644
--- a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
+++ b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
@@ -6,6 +6,7 @@ redirect_from:
 - /partnerships/secret-scanning
 - /developers/overview/secret-scanning
 - /developers/overview/secret-scanning-partner-program
+ - /code-security/secret-scanning/secret-scanning-partner-program
 versions:
 fpt: '*'
 ghec: '*'
From 649f8ed052a292d0bee58569ce3805296a9b662e Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:36:10 +0200
Subject: [PATCH 011/282] add more topics
---
 .../secret-scanning-partner-program.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
index 5cd936006122..a8adbf25d73f 100644
--- a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
+++ b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
@@ -12,6 +12,8 @@ versions:
 ghec: '*'
 topics:
 - API
+ - Secret scanning
+ - Advanced Security
 shortTitle: Partner program
 ---
From 70779492f438b74af321c59cb22d8cd20658cca5 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:43:11 +0200
Subject: [PATCH 012/282] add new map topic
---
 content/code-security/secret-scanning/index.md | 1 +
 .../index.md | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 1187a0a8b4e1..91a05da35ceb 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -31,5 +31,6 @@ children:
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
 - /using-advanced-secret-scanning-and-push-protection-features
+ - /troubleshooting-secret-scanning-and-push-protection
 - /secret-scanning-partnership-program
 ---
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
new file mode 100644
index 000000000000..d5dceeaa2a76
--- /dev/null
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
@@ -0,0 +1,15 @@
+---
+title: Troubleshooting secret scanning and push protection
+shortTitle: Troubleshoot secret scanning
+intro: 'If you have problems with {% data variables.product.prodname_secret_scanning %} or push protection, you can use these tips to help resolve issues.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Troubleshooting
+---
From 89944ad0800a7ea914214ace2a773418eeae0c96 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:51:36 +0200
Subject: [PATCH 013/282] renamed 1 files
---
 .../troubleshooting-secret-scanning.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => troubleshooting-secret-scanning-and-push-protection}/troubleshooting-secret-scanning.md (100%)
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
similarity index 100%
rename from content/code-security/secret-scanning/troubleshooting-secret-scanning.md
rename to content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
From 891669119dfc738d382c04387fcfd901102cff6a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:51:42 +0200
Subject: [PATCH 014/282] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 2 +-
 .../index.md | 3 +++
 .../troubleshooting-secret-scanning.md | 2 ++
 data/learning-tracks/code-security.yml | 2 +-
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 91a05da35ceb..b249216ecd32 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -29,8 +29,8 @@ children:
 - /push-protection-for-users
 - /working-with-push-protection
 - /pushing-a-branch-blocked-by-push-protection
- - /troubleshooting-secret-scanning
 - /using-advanced-secret-scanning-and-push-protection-features
 - /troubleshooting-secret-scanning-and-push-protection
 - /secret-scanning-partnership-program
 ---
+
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
index d5dceeaa2a76..8cbdd7d96ba4 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
@@ -12,4 +12,7 @@ topics:
 - Secret scanning
 - Advanced Security
 - Troubleshooting
+children:
+ - /troubleshooting-secret-scanning
 ---
+
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
index 829a21c7246e..17b73d4f1ddf 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
@@ -12,6 +12,8 @@ topics:
 - Secret scanning
 - Advanced Security
 - Troubleshooting
+redirect_from:
+ - /code-security/secret-scanning/troubleshooting-secret-scanning
 ---
 {% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index bd2bb21f1bd0..82650c37c290 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -132,7 +132,7 @@ secret_scanning:
 {% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{% endif %}
- - /code-security/secret-scanning/troubleshooting-secret-scanning
+ - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning
 security_alerts:
 title: Explore and manage security alerts
 description: Learn where to find and resolve security alerts.
From ebd865f15027961855419fbd2d2da7717c0916e6 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:58:14 +0200
Subject: [PATCH 015/282] updated intro to make it different from the folder intro
---
 .../troubleshooting-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
index 17b73d4f1ddf..0624bb862cf6 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
@@ -1,7 +1,7 @@
 ---
 title: Troubleshooting secret scanning
 shortTitle: Troubleshoot secret scanning
-intro: 'If you have problems with {% data variables.product.prodname_secret_scanning %}, you can use these tips to help resolve issues.'
+intro: 'When using {% data variables.product.prodname_secret_scanning %} to detect secrets in your repository, or about to be committed into your repository, you may need to troubleshoot unexpected issues.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 13f16747ec28294fcaf4d3f00118440af6583e6a Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 17:13:04 +0200
Subject: [PATCH 016/282] Update content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../troubleshooting-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
index 0624bb862cf6..9572785a2cdf 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
@@ -1,7 +1,7 @@
 ---
 title: Troubleshooting secret scanning
 shortTitle: Troubleshoot secret scanning
-intro: 'When using {% data variables.product.prodname_secret_scanning %} to detect secrets in your repository, or about to be committed into your repository, you may need to troubleshoot unexpected issues.'
+intro: 'When using {% data variables.product.prodname_secret_scanning %} to detect secrets in your repository, or secrets about to be committed into your repository, you may need to troubleshoot unexpected issues.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 09deb20f16ad7846e626a431ee73cb9fa9c0e9fb Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:04:19 +0200
Subject: [PATCH 017/282] add new map topic + index
---
 .../generic-secret-detection/index.md | 13 +++++++++++++
 .../index.md | 2 ++
 2 files changed, 15 insertions(+)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
new file mode 100644
index 000000000000..e4152f64710b
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
@@ -0,0 +1,13 @@
+---
+title: Generic secret detection
+shortTitle: Generic secret detection
+allowTitleToDifferFromFilename: true
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ feature: secret-scanning-ai-generic-secret-detection
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index 97ebaf0dde23..721a71fd428a 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -12,4 +12,6 @@ topics:
 - Secret scanning
 - Advanced Security
 - Repositories
+children:
+ - /generic-secret-detection
 ---
From a8fcd79a0087c15e8038cdbfef9ac93cf2a980ed Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:09:41 +0200
Subject: [PATCH 018/282] adding custom patterns map topic
---
 .../custom-patterns/index.md | 14 ++++++++++++++
 .../index.md | 1 +
 2 files changed, 15 insertions(+)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
new file mode 100644
index 000000000000..e6f34a7173d6
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -0,0 +1,14 @@
+---
+title: Custom patterns
+shortTitle: Custom patterns
+allowTitleToDifferFromFilename: true
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index 721a71fd428a..3c14e4a17e94 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -14,4 +14,5 @@ topics:
 - Repositories
 children:
 - /generic-secret-detection
+ - /custom-patterns
 ---
From 0314f53db35cc129b84ae73515a0debe8e902677 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:12:01 +0200
Subject: [PATCH 019/282] add map topic for delegated bypass
---
 .../delegated-bypass-for-push-protection/index.md | 15 +++++++++++++++
 .../index.md | 1 +
 2 files changed, 16 insertions(+)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
new file mode 100644
index 000000000000..deda1f34fcd1
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
@@ -0,0 +1,15 @@
+---
+title: Delegated bypass for push protection
+shortTitle: Delegated bypass
+allowTitleToDifferFromFilename: true
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index 3c14e4a17e94..0335fc4e61fa 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -15,4 +15,5 @@ topics:
 children:
 - /generic-secret-detection
 - /custom-patterns
+ - /delegated-bypass-for-push-protection
 ---
From 1f6477ac4d64bfbac66515979b3c0d033d6b00d0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:29:02 +0200
Subject: [PATCH 020/282] renamed 1 files
---
 ...about-the-detection-of-generic-secrets-with-secret-scanning.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection}/about-the-detection-of-generic-secrets-with-secret-scanning.md (100%)
diff --git a/content/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
similarity index 100%
rename from content/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
From b3a6560ddaa511968352136cff0fb57bb4102850 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:29:19 +0200
Subject: [PATCH 021/282] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 ...-the-detection-of-generic-secrets-with-secret-scanning.md | 2 ++
 .../generic-secret-detection/index.md | 5 ++++-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 39f4e2aa6c5d..226c3d83a978 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -22,7 +22,6 @@ children:
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
- - /about-the-detection-of-generic-secrets-with-secret-scanning
 - /enabling-ai-powered-generic-secret-detection
 - /push-protection-for-repositories-and-organizations
 - /push-protection-for-users
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
index fd62a76201c1..522a1e7c8a02 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
@@ -10,6 +10,8 @@ topics:
 - Secret scanning
 - Advanced Security
 - AI
+redirect_from:
+ - /code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning
 ---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
index e4152f64710b..2b8619076df4 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
@@ -2,7 +2,7 @@
 title: Generic secret detection
 shortTitle: Generic secret detection
 allowTitleToDifferFromFilename: true
-intro: 'TODO'
+intro: TODO
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 feature: secret-scanning-ai-generic-secret-detection
@@ -10,4 +10,7 @@ topics:
 - Secret scanning
 - Advanced Security
 - Repositories
+children:
+ - /about-the-detection-of-generic-secrets-with-secret-scanning
 ---
+
From ccbaf4c1f8230be715b3f7054f83941e61943f6d Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:35:24 +0200
Subject: [PATCH 022/282] renamed 1 files
---
 .../enabling-ai-powered-generic-secret-detection.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection}/enabling-ai-powered-generic-secret-detection.md (100%)
diff --git a/content/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
similarity index 100%
rename from content/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
From 8bbffe01d21e409c5c3fdedb8ac48e274568bc14 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:35:31 +0200
Subject: [PATCH 023/282] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 .../enabling-ai-powered-generic-secret-detection.md | 2 ++
 .../generic-secret-detection/index.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 226c3d83a978..1c928cd6c0a4 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -22,7 +22,6 @@ children:
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
- - /enabling-ai-powered-generic-secret-detection
 - /push-protection-for-repositories-and-organizations
 - /push-protection-for-users
 - /working-with-push-protection
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
index a0a2d6489f69..a726134ee1ec 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
@@ -9,6 +9,8 @@ topics:
 - Secret scanning
 - Advanced Security
 - AI
+redirect_from:
+ - /code-security/secret-scanning/enabling-ai-powered-generic-secret-detection
 ---
 {% data reusables.secret-scanning.generic-secret-detection-ai %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
index 2b8619076df4..2c18e9b932a6 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
@@ -12,5 +12,6 @@ topics:
 - Repositories
 children:
 - /about-the-detection-of-generic-secrets-with-secret-scanning
+ - /enabling-ai-powered-generic-secret-detection
 ---
From 91e1651c2a4a877c438f7ec0feb69caf85ceeb1a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:39:49 +0200
Subject: [PATCH 024/282] fix link
---
 .../enabling-ai-powered-generic-secret-detection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
index a726134ee1ec..c53fee5c4459 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
@@ -31,5 +31,5 @@ For information on how to view alerts for generic secrets that have been detecte
 ## Further reading
-* [AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)
+* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)
 * [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)
From 7232782a2bb66a113adfdccca71884a00f2d79af Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:42:27 +0200
Subject: [PATCH 025/282] renamed 1 files
---
 .../defining-custom-patterns-for-secret-scanning.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/custom-patterns}/defining-custom-patterns-for-secret-scanning.md (100%)
diff --git a/content/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
similarity index 100%
rename from content/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
From 2142c6da739488dcee9ad99c1606c6d0f12e7ef4 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:42:34 +0200
Subject: [PATCH 026/282] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 .../defining-custom-patterns-for-secret-scanning.md | 1 +
 .../custom-patterns/index.md | 5 ++++-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 1c928cd6c0a4..5533ea7f4381 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -17,7 +17,6 @@ topics:
 children:
 - /about-secret-scanning
 - /configuring-secret-scanning-for-your-repositories
- - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
index b29c3d13253e..0616faf486ce 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
@@ -5,6 +5,7 @@ intro: 'You can define your own custom patterns to extend the capabilities of {%
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
 - /code-security/secret-security/defining-custom-patterns-for-secret-scanning
+ - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
 versions:
 ghes: '*'
 ghec: '*'
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index e6f34a7173d6..26b40cfc5892 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -2,7 +2,7 @@
 title: Custom patterns
 shortTitle: Custom patterns
 allowTitleToDifferFromFilename: true
-intro: 'TODO'
+intro: TODO
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 ghes: '*'
@@ -11,4 +11,7 @@ topics:
 - Secret scanning
 - Advanced Security
 - Repositories
+children:
+ - /defining-custom-patterns-for-secret-scanning
 ---
+
From b0ef45d6ef57bbe72976ff5fe64088a93ec3cf9c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 08:30:48 +0200
Subject: [PATCH 027/282] renamed 1 files
---
 .../about-the-regular-expression-generator-for-custom-patterns.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/custom-patterns}/about-the-regular-expression-generator-for-custom-patterns.md (100%)
diff --git a/content/code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
similarity index 100%
rename from content/code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
From 8c83f377842986b463074a5fb87784dde192fbf7 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 08:31:07 +0200
Subject: [PATCH 028/282] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 ...bout-the-regular-expression-generator-for-custom-patterns.md | 2 ++
 .../custom-patterns/index.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 5533ea7f4381..25932b358f5e 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -17,7 +17,6 @@ topics:
 children:
 - /about-secret-scanning
 - /configuring-secret-scanning-for-your-repositories
- - /about-the-regular-expression-generator-for-custom-patterns
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
index fa61ea51e259..9eb2ee340fec 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
@@ -11,6 +11,8 @@ topics:
 - Advanced Security
 - Secret scanning
 - AI
+redirect_from:
+ - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns
 ---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index 26b40cfc5892..8fbdbb75d1f9 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -13,5 +13,6 @@ topics:
 - Repositories
 children:
 - /defining-custom-patterns-for-secret-scanning
+ - /about-the-regular-expression-generator-for-custom-patterns
 ---
From e68fbe95d645343120eef59c6bc476f81d56910b Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 09:22:26 +0200
Subject: [PATCH 029/282] renamed 1 files
---
 .../generating-regular-expressions-for-custom-patterns-with-ai.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/custom-patterns}/generating-regular-expressions-for-custom-patterns-with-ai.md (100%)
diff --git a/content/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
similarity index 100%
rename from content/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
From 7291b8b9e1c2795614b2366f21759aaf7ae809f1 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 09:22:33 +0200
Subject: [PATCH 030/282] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 ...enerating-regular-expressions-for-custom-patterns-with-ai.md | 2 ++
 .../custom-patterns/index.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 25932b358f5e..1aaca7e75c2e 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -17,7 +17,6 @@ topics:
 children:
 - /about-secret-scanning
 - /configuring-secret-scanning-for-your-repositories
- - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
 - /push-protection-for-repositories-and-organizations
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
index 1980dddad50a..12190d6d5035 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
@@ -10,6 +10,8 @@ topics:
 - Advanced Security
 - Secret scanning
 - AI
+redirect_from:
+ - /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai
 ---
 {% data reusables.secret-scanning.beta-custom-pattern-regular-expression-generator %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index 8fbdbb75d1f9..9fe3ec769110 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -14,5 +14,6 @@ topics:
 children:
 - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
+ - /generating-regular-expressions-for-custom-patterns-with-ai
 ---
From 5c6aa949bf2c46b26872067abc0bd060664ba862 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 09:27:23 +0200
Subject: [PATCH 031/282] add new article about metrics
---
 ...ing-custom-patterns-for-secret-scanning.md | 21 --------------
 .../custom-patterns/index.md | 2 +-
 .../metrics-for-custom-patterns.md | 29 +++++++++++++++++++
 3 files changed, 30 insertions(+), 22 deletions(-)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
index 0616faf486ce..2f67f6e55f57 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
@@ -189,24 +189,3 @@ When you save a change to a custom pattern, this closes all the {% data variable
 1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}.
 1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
 1. Click **Yes, delete this pattern**.
-
-{% ifversion secret-scanning-custom-patterns-metrics %}
-
-## Metrics for custom patterns
-
-Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days.
-
-{% note %}
-
-**Note:** Metrics for custom patterns are in public beta and subject to change.
-
-{% endnote %}
-
-### Viewing metrics for custom patterns
-
-{% data reusables.secret-scanning.view-custom-pattern %}
-1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the custom pattern you want to view.
-
-The metrics are displayed under the custom pattern's name.
-
-{% endif %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index 9fe3ec769110..4a197149da8c 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -15,5 +15,5 @@ children:
 - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
 - /generating-regular-expressions-for-custom-patterns-with-ai
+ - /metrics-for-custom-patterns
 ---
-
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
new file mode 100644
index 000000000000..32e46f9c4f59
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
@@ -0,0 +1,29 @@
+---
+title: Metrics for custom patterns
+shortTitle: Custom pattern metrics
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ feature: secret-scanning-custom-patterns-metrics
+type: how_to
+topics:
+ - Advanced Security
+ - Secret scanning
+---
+
+## Metrics for custom patterns
+
+Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days.
+
+{% note %}
+
+**Note:** Metrics for custom patterns are in public beta and subject to change.
+
+{% endnote %}
+
+## Viewing metrics for custom patterns
+
+{% data reusables.secret-scanning.view-custom-pattern %}
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the custom pattern you want to view.
+
+The metrics are displayed under the custom pattern's name.
From 065e95007b1d3027526cd18b79889615e06d6f1c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 10:00:57 +0200
Subject: [PATCH 032/282] more work on custom patterns
---
 ...tion-for-repositories-and-organizations.md | 70 ----------------
 ...ing-custom-patterns-for-secret-scanning.md | 81 +++++++++++++++----
 .../custom-patterns/index.md | 1 +
 .../managing-custom-patterns.md | 34 ++++++++
 .../secret-scanning/view-custom-pattern.md | 4 +-
 5 files changed, 102 insertions(+), 88 deletions(-)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index 9d10a0acb3a9..94b9ca4ddd02 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -122,76 +122,6 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} -{% ifversion secret-scanning-push-protection-custom-patterns %} - -## Enabling push protection for a custom pattern - -You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}. - -{% ifversion ghec or ghes %} - -### Enabling push protection for a custom pattern stored in an enterprise - -{% data reusables.secret-scanning.push-protection-enterprise-note %} - -Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %} -{% data reusables.enterprise-accounts.code-security-and-analysis-policies %} -1. 
Under "Code security and analysis", click **Security features**.{% else %} -{% data reusables.enterprise-accounts.advanced-security-policies %} -{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} - - {% ifversion custom-pattern-dry-run-ga %} - >[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created. - {%- endif %} - -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. - - {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} - - ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern - -Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." 
- -{% data reusables.profile.access_org %} -{% data reusables.profile.org_settings %} -{% data reusables.organizations.security-and-analysis %} - -{% ifversion security-configurations %} - {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps. -{% endif %} - -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. -{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %} - - ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern - -Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." 
- -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. - - {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} - - ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -{% endif %} - {% ifversion push-protection-delegated-bypass %} ## Enabling delegated bypass for push protection diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 2f67f6e55f57..19443b0f83b7 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md 
@@ -169,23 +169,72 @@ Before defining a custom pattern, you must ensure that you enable secret scannin After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." -## Editing a custom pattern +{% ifversion secret-scanning-push-protection-custom-patterns %} -When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern. -{% data reusables.secret-scanning.view-custom-pattern %} -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", to the right of the custom pattern you want to edit, click {% octicon "pencil" aria-label="Edit pattern" %}. -{%- ifversion custom-pattern-dry-run-ga %} -1. When you're ready to test your edited custom pattern, to identify matches without creating alerts, click **Save and dry run**. -{%- endif %} -1. When you have reviewed and tested your changes, click **Publish changes**.{% ifversion secret-scanning-push-protection-custom-patterns %} -{% data reusables.advanced-security.secret-scanning-enable-push-protection-custom-pattern %} -1. Optionally, to disable push protection for your custom pattern, click **Disable**. 
+## Enabling push protection for a custom pattern + +You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}. + +{% ifversion ghec or ghes %} + +### Enabling push protection for a custom pattern stored in an enterprise + +{% data reusables.secret-scanning.push-protection-enterprise-note %} + +Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %} +{% data reusables.enterprise-accounts.code-security-and-analysis-policies %} +1. Under "Code security and analysis", click **Security features**.{% else %} +{% data reusables.enterprise-accounts.advanced-security-policies %} +{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} + + {% ifversion custom-pattern-dry-run-ga %} + >[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created. + {%- endif %} + +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. 
- ![Screenshot of the custom pattern page with the button to disable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-disable-push-protection-custom-pattern.png){% endif %} + {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} -## Removing a custom pattern + ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) -{% data reusables.secret-scanning.view-custom-pattern %} -1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}. -1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern. -1. Click **Yes, delete this pattern**. +{% endif %} + +### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern + +Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." 
+ +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.security-and-analysis %} + +{% ifversion security-configurations %} + {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps. +{% endif %} + +{% data reusables.repositories.navigate-to-ghas-settings %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. +{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %} + + ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) + +### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern + +Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." 
+ +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. + + {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} + + ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) + +{% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md index 4a197149da8c..ccf24a9934e2 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md @@ -13,6 +13,7 @@ topics: - Repositories children: - /defining-custom-patterns-for-secret-scanning + - /managing-custom-patterns - /about-the-regular-expression-generator-for-custom-patterns - /generating-regular-expressions-for-custom-patterns-with-ai - /metrics-for-custom-patterns diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md new file mode 100644 index 000000000000..4f699e006278 --- /dev/null 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
@@ -0,0 +1,34 @@
+---
+title: Managing custom patterns for secret
+shortTitle: Manage custom patterns
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Advanced Security
+ - Secret scanning
+---
+
+## Editing a custom pattern
+
+When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern.
+{% data reusables.secret-scanning.view-custom-pattern %}
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", to the right of the custom pattern you want to edit, click {% octicon "pencil" aria-label="Edit pattern" %}.
+{%- ifversion custom-pattern-dry-run-ga %}
+1. When you're ready to test your edited custom pattern, to identify matches without creating alerts, click **Save and dry run**.
+{%- endif %}
+1. When you have reviewed and tested your changes, click **Publish changes**.{% ifversion secret-scanning-push-protection-custom-patterns %}
+{% data reusables.advanced-security.secret-scanning-enable-push-protection-custom-pattern %}
+1. Optionally, to disable push protection for your custom pattern, click **Disable**.
+
+ ![Screenshot of the custom pattern page with the button to disable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-disable-push-protection-custom-pattern.png){% endif %}
+
+## Removing a custom pattern
+
+{% data reusables.secret-scanning.view-custom-pattern %}
+1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}.
+1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
+1. Click **Yes, delete this pattern**.
diff --git a/data/reusables/secret-scanning/view-custom-pattern.md b/data/reusables/secret-scanning/view-custom-pattern.md
index 01fb785318be..be93ccf9d8cd 100644
--- a/data/reusables/secret-scanning/view-custom-pattern.md
+++ b/data/reusables/secret-scanning/view-custom-pattern.md
@@ -1,3 +1,3 @@
 1. Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account.
- * For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "[Defining a custom pattern for a repository](#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](#defining-a-custom-pattern-for-an-organization)".
- * For an enterprise, under "Policies" display the "Advanced Security" area, and then click **Security features**. For more information, see "[Defining a custom pattern for an enterprise account](#defining-a-custom-pattern-for-an-enterprise-account)" above.
+ * For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)".
+ * For an enterprise, under "Policies" display the "Advanced Security" area, and then click **Security features**. For more information, see "[Defining a custom pattern for an enterprise account](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)."
From be742c0e2d6ef3ec213a6fbeaedef9e366eb9c3f Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 10:24:54 +0200
Subject: [PATCH 033/282] move content between articles
---
...ing-custom-patterns-for-secret-scanning.md | 72 +------------------
.../managing-custom-patterns.md | 70 ++++++++++++++++++
...ret-scanning-add-custom-pattern-details.md | 2 +-
3 files changed, 72 insertions(+), 72 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
index 19443b0f83b7..e311257f0d2b 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
@@ -46,7 +46,7 @@ For simple tokens you will usually only need to specify a secret format. The oth ### Using the regular expression generator -{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)." +{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)." {% endif %} 
@@ -168,73 +168,3 @@ Before defining a custom pattern, you must ensure that you enable secret scannin {% indented_data_reference reusables.secret-scanning.push-protection-enterprise-note spaces=3 %}{% endif %} After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." - -{% ifversion secret-scanning-push-protection-custom-patterns %} - -## Enabling push protection for a custom pattern - -You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}. - -{% ifversion ghec or ghes %} - -### Enabling push protection for a custom pattern stored in an enterprise - -{% data reusables.secret-scanning.push-protection-enterprise-note %} - -Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. 
That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %} -{% data reusables.enterprise-accounts.code-security-and-analysis-policies %} -1. Under "Code security and analysis", click **Security features**.{% else %} -{% data reusables.enterprise-accounts.advanced-security-policies %} -{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} - - {% ifversion custom-pattern-dry-run-ga %} - >[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created. - {%- endif %} - -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. - - {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} - - ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern - -Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." 
- -{% data reusables.profile.access_org %} -{% data reusables.profile.org_settings %} -{% data reusables.organizations.security-and-analysis %} - -{% ifversion security-configurations %} - {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps. -{% endif %} - -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. -{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %} - - ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern - -Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." 
- -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. - - {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} - - ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -{% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md index 4f699e006278..0ca27fdbc09d 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md 
@@ -32,3 +32,73 @@ When you save a change to a custom pattern, this closes all the {% data variable 1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}. 1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern. 1. Click **Yes, delete this pattern**. + +{% ifversion secret-scanning-push-protection-custom-patterns %} + +## Enabling push protection for a custom pattern + +You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}. + +{% ifversion ghec or ghes %} + +### Enabling push protection for a custom pattern stored in an enterprise + +{% data reusables.secret-scanning.push-protection-enterprise-note %} + +Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %} +{% data reusables.enterprise-accounts.code-security-and-analysis-policies %} +1. 
Under "Code security and analysis", click **Security features**.{% else %} +{% data reusables.enterprise-accounts.advanced-security-policies %} +{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} + + {% ifversion custom-pattern-dry-run-ga %} + >[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created. + {%- endif %} + +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. + + {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} + + ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) + +{% endif %} + +### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern + +Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." 
+ +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.security-and-analysis %} + +{% ifversion security-configurations %} + {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps. +{% endif %} + +{% data reusables.repositories.navigate-to-ghas-settings %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. +{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %} + + ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) + +### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern + +Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." 
+ +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. + + {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} + + ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) + +{% endif %} diff --git a/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md b/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md index eeb175416e8b..8fb34723f3e0 100644 --- a/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md +++ b/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md 
@@ -1,6 +1,6 @@ 1. Enter the details for your new custom pattern. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern. 1. In the "Pattern name" field, type a name for your pattern. - 1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see "[AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)."{% endif %} + 1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)."{% endif %} 1. You can click **More options {% octicon "chevron-down" aria-label="down" %}** to provide other surrounding content or additional match requirements for the secret format. 1. Provide a sample test string to make sure your configuration is matching the patterns you expect. From 6d0e26bb116ac544350743abac680e59de33e944 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 11:55:04 +0200 Subject: [PATCH 034/282] fixing TODOs and updating links --- .../custom-patterns/managing-custom-patterns.md | 6 ++++-- .../custom-patterns/metrics-for-custom-patterns.md | 4 +++- .../delegated-bypass-for-push-protection/index.md | 2 +- .../index.md | 2 +- data/learning-tracks/code-security.yml | 4 ++-- 5 files changed, 11 insertions(+), 7 deletions(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md index 0ca27fdbc09d..60f4242c4c92 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md @@ -1,7 +1,7 @@ --- -title: Managing custom patterns for secret +title: Managing custom patterns for secret scanning shortTitle: Manage custom patterns -intro: 'TODO' +intro: 'You can view, edit, and remove custom patterns, as well as enable push protection for custom patterns.' product: '{% data reusables.gated-features.secret-scanning %}' versions: ghes: '*' @@ -12,6 +12,8 @@ topics: - Secret scanning --- +TODO + ## Editing a custom pattern When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md index 32e46f9c4f59..eb63079f0de5 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md 
@@ -1,7 +1,7 @@ --- title: Metrics for custom patterns shortTitle: Custom pattern metrics -intro: 'TODO' +intro: 'You can view alert metrics for custom patterns at the repository, organization, and enterprise levels, from within {% data variables.product.product_name %}.' product: '{% data reusables.gated-features.secret-scanning %}' versions: feature: secret-scanning-custom-patterns-metrics @@ -11,6 +11,8 @@ topics: - Secret scanning --- +TODO + ## Metrics for custom patterns Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index deda1f34fcd1..71df8e2fafd6 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -2,7 +2,7 @@ title: Delegated bypass for push protection shortTitle: Delegated bypass allowTitleToDifferFromFilename: true -intro: 'TODO' +intro: 'With delegated bypass, contributors can propose bypassing a block and members of the bypass list can review those bypass requests to allow or deny the content.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index 0335fc4e61fa..8e9ebb3bb039 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md @@ -2,7 +2,7 @@ title: Using advanced secret scanning and push protection features shortTitle: Advanced features allowTitleToDifferFromFilename: true -intro: 'Learn how use advanced features for {% data variables.product.prodname_secret_scanning_caps %} and push protection.' +intro: 'TODO.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 82650c37c290..113f87c0ca8a 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -117,7 +117,7 @@ secret_scanning: /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories - >- {% ifversion not fpt - %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning{% + %}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{% endif %} - /code-security/secret-scanning/managing-alerts-from-secret-scanning - /code-security/secret-scanning/secret-scanning-patterns 
@@ -132,7 +132,7 @@ secret_scanning: {% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{% endif %} - - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning + - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md security_alerts: title: Explore and manage security alerts description: Learn where to find and resolve security alerts. From 2437b7d162a0b021b2477f417714340672ccfa3f Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 14:23:18 +0200 Subject: [PATCH 035/282] complete work on custom patterns --- ...he-regular-expression-generator-for-custom-patterns.md | 6 +++--- .../defining-custom-patterns-for-secret-scanning.md | 4 ++++ ...ing-regular-expressions-for-custom-patterns-with-ai.md | 2 +- .../custom-patterns/managing-custom-patterns.md | 7 ++++--- .../custom-patterns/metrics-for-custom-patterns.md | 8 +------- ...scanning-generate-regular-expression-custom-pattern.md | 2 +- data/reusables/secret-scanning/link-to-push-protection.md | 2 +- 7 files changed, 15 insertions(+), 16 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md index 9eb2ee340fec..0c42e2838d8e 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md 
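Review bot: The replacement entry in the `secret_scanning` track of `data/learning-tracks/code-security.yml` ends in `.md` (`.../troubleshooting-secret-scanning.md`), while every other entry visible in this file's hunks is an extension-less site path. An entry written as a file name will probably not resolve to an article, which would drop the troubleshooting step from the track. I would write it as `- /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning`. The rest of the track's guide list lies outside the hunk.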
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md @@ -37,7 +37,7 @@ The model returns up to three regular expressions for you to review. You can cli Some results may be quite similar, and some results may not find every instance of the secret that the pattern is intended to detect. It is also possible that the regular expression generator may produce results which are invalid or inappropriate. -When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization.{% ifversion secret-scanning-custom-pattern-ai-generated %} For more information on how to define a custom pattern for your repository or organization, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." {% endif %} +When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization.{% ifversion secret-scanning-custom-pattern-ai-generated %} For more information on how to define a custom pattern for your repository or organization, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% endif %} ## Improving performance for the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} 
@@ -63,7 +63,7 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio ## Next steps -* [AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai) * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) {% endif %} @@ -75,6 +75,6 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio {% endif %} {% ifversion secret-scanning-custom-pattern-ai-generated %} -* [AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning) * [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) {% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index e311257f0d2b..5a1aa2124df1 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md 
@@ -168,3 +168,7 @@ Before defining a custom pattern, you must ensure that you enable secret scannin {% indented_data_reference reusables.secret-scanning.push-protection-enterprise-note spaces=3 %}{% endif %} After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." + +## Further reading + +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md index 12190d6d5035..fdbfe203164f 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md 
@@ -51,4 +51,4 @@ redirect_from: ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns)" diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md index 60f4242c4c92..b04e5ed74f03 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md @@ -12,11 +12,12 @@ topics: - Secret scanning --- -TODO +Custom patterns are user-defined patterns that you can use to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." ## Editing a custom pattern When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern. + {% data reusables.secret-scanning.view-custom-pattern %} 1. Under "{% data variables.product.prodname_secret_scanning_caps %}", to the right of the custom pattern you want to edit, click {% octicon "pencil" aria-label="Edit pattern" %}. {%- ifversion custom-pattern-dry-run-ga %} 
@@ -39,7 +40,7 @@ When you save a change to a custom pattern, this closes all the {% data variable ## Enabling push protection for a custom pattern -You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}. +You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else %} the organization or repository level{% endif %}. {% ifversion ghec or ghes %} @@ -90,7 +91,7 @@ Before enabling push protection for a custom pattern at organization level, you ### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern -Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." +Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md index eb63079f0de5..ae45e17f4d7d 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md @@ -11,17 +11,11 @@ topics: - Secret scanning --- -TODO - ## Metrics for custom patterns Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days. -{% note %} - -**Note:** Metrics for custom patterns are in public beta and subject to change. - -{% endnote %} +> [!NOTE] Metrics for custom patterns are in public beta and subject to change. ## Viewing metrics for custom patterns diff --git a/data/reusables/advanced-security/secret-scanning-generate-regular-expression-custom-pattern.md b/data/reusables/advanced-security/secret-scanning-generate-regular-expression-custom-pattern.md index d3185001c942..f82f22059244 100644 --- a/data/reusables/advanced-security/secret-scanning-generate-regular-expression-custom-pattern.md +++ b/data/reusables/advanced-security/secret-scanning-generate-regular-expression-custom-pattern.md 
@@ -3,7 +3,7 @@ {% note %} - **Note:** You can enter a regular expression manually instead of using the generator, by typing a regular expression for the format of your secret pattern in the "Secret format" field. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)." + **Note:** You can enter a regular expression manually instead of using the generator, by typing a regular expression for the format of your secret pattern in the "Secret format" field. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)." {% endnote %} diff --git a/data/reusables/secret-scanning/link-to-push-protection.md b/data/reusables/secret-scanning/link-to-push-protection.md index eb0f3fee21ad..5975dd27ff60 100644 --- a/data/reusables/secret-scanning/link-to-push-protection.md +++ b/data/reusables/secret-scanning/link-to-push-protection.md 
@@ -1 +1 @@
-You can configure {% data variables.product.prodname_secret_scanning %} to check pushes for custom patterns before commits are merged into the default branch. For more information, see "[Enabling push protection for a custom pattern](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-push-protection-for-a-custom-pattern)."
+You can configure {% data variables.product.prodname_secret_scanning %} to check pushes for custom patterns before commits are merged into the default branch. For more information, see "[Enabling push protection for a custom pattern](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns#enabling-push-protection-for-a-custom-pattern)."
From 9f06589c409e49bd783ef1f782a667c568c65d13 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 14:31:38 +0200
Subject: [PATCH 036/282] fix more links
---
...out-the-detection-of-generic-secrets-with-secret-scanning.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
index 522a1e7c8a02..6ced8e219b0e 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
@@ -76,7 +76,7 @@ Generic secret detection has been subject to Responsible AI Red Teaming and {% d ## Next steps -* [AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection) * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) {% endif %} From 73b229132631fe212a832be6d4dce07b91d18ded Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 15:34:38 +0200 Subject: [PATCH 037/282] removed remaining TODOs --- .../custom-patterns/index.md | 2 +- .../generic-secret-detection/index.md | 3 +-- .../index.md | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md index ccf24a9934e2..bb8f6e9f7b49 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md @@ -2,7 +2,7 @@ title: Custom patterns shortTitle: Custom patterns allowTitleToDifferFromFilename: true -intro: TODO +intro: 'You can extend the capabilities of {% data variables.product.prodname_secret_scanning %} by instructing the feature to search for your own patterns. These patterns, which can range from your servce API keys to connection strings into cloud resources, are referred to as custom patterns.' product: '{% data reusables.gated-features.secret-scanning %}' versions: ghes: '*' 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md index 2c18e9b932a6..7604bae5926b 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md @@ -2,7 +2,7 @@ title: Generic secret detection shortTitle: Generic secret detection allowTitleToDifferFromFilename: true -intro: TODO +intro: 'You can use AI in combination with {% data variables.product.prodname_secret_scanning %} to detect unstructured passwords in git content.' product: '{% data reusables.gated-features.secret-scanning %}' versions: feature: secret-scanning-ai-generic-secret-detection @@ -14,4 +14,3 @@ children: - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection --- - diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index 8e9ebb3bb039..0ca68429c6da 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md 
@@ -2,7 +2,7 @@ title: Using advanced secret scanning and push protection features shortTitle: Advanced features allowTitleToDifferFromFilename: true -intro: 'TODO.' +intro: 'Learn more about advanced capabilities of {% data variables.secret-scanning.partner_alerts_caps %} and push protection, and assess whether your organization or repository could benefit from using these features.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 8e88bd9d7482fe4831cc30d3007ade9f710cae49 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 16:56:35 +0200 Subject: [PATCH 038/282] made a start on delegated bypass --- .../managing-custom-patterns.md | 2 +- ...out-delegated-bypass-for-push-protection.md | 18 ++++++++++++++++++ ...ing-delegated-bypass-for-push-protection.md | 0 .../index.md | 4 +++- ...ging-requests- to-bypass-push-protection.md | 0 5 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md index b04e5ed74f03..457469577649 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md @@ -1,5 +1,5 @@ --- -title: Managing custom patterns for secret scanning +title: Managing custom patterns shortTitle: Manage custom patterns intro: 'You can view, edit, and remove custom patterns, as well as enable push protection for custom patterns.' product: '{% data reusables.gated-features.secret-scanning %}' diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md new file mode 100644 index 000000000000..7c65ea9807bd --- /dev/null +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -0,0 +1,18 @@ +--- +title: About delegated bypass for push protection +intro: 'TODO' +product: '{% data reusables.gated-features.push-protection-for-repos %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: overview +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: Delegated bypass +--- + +TODO 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index 71df8e2fafd6..8a491ed5b5b0 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -2,7 +2,7 @@ title: Delegated bypass for push protection shortTitle: Delegated bypass allowTitleToDifferFromFilename: true -intro: 'With delegated bypass, contributors can propose bypassing a block and members of the bypass list can review those bypass requests to allow or deny the content.' +intro: 'With delegated bypass, contributors can propose bypassing a blocked push and members of the bypass list can review those bypass requests to allow or deny the content.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' @@ -12,4 +12,6 @@ topics: - Secret scanning - Advanced Security - Repositories +children: + - /about-delegated-bypass-for-push-protection --- 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md
new file mode 100644
index 000000000000..e69de29bb2d1
From 17d09a98f54a8da334ef736a4cabbcaea88fa25d Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 16:59:35 +0200
Subject: [PATCH 039/282] fix for failing checks
---
...ging-requests- to-bypass-push-protection.md | 0
...aging-requests-to-bypass-push-protection.md | 18 ++++++++++++++++++
2 files changed, 18 insertions(+)
delete mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md
create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
new file mode 100644
index 000000000000..f79f79599877
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -0,0 +1,18 @@
+---
+title: Managing requests to bypass push protection
+intro: 'TODO'
+product: '{% data reusables.gated-features.push-protection-for-repos %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: Manage bypass requests
+---
+
+TODO
From 846399ef943ceb2c74e47f6472f92edebe623303 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 17:13:03 +0200
Subject: [PATCH 040/282] fix more failing tests
---
 .../delegated-bypass-for-push-protection/index.md | 2 ++
 data/learning-tracks/code-security.yml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
index 8a491ed5b5b0..490367114797 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -14,4 +14,6 @@ topics: - Repositories children: - /about-delegated-bypass-for-push-protection + - /enabling-delegated-bypass-for-push-protection + - /managing-requests-to-bypass-push-protection --- diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 113f87c0ca8a..daa509a42e9f 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -132,7 +132,7 @@ secret_scanning: {% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{% endif %} - - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md + - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning security_alerts: title: Explore and manage security alerts description: Learn where to find and resolve security alerts. From c069ab52474f78f74d1ef8fb3a4b4d45be4bd9eb Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 17:20:49 +0200 Subject: [PATCH 041/282] I am going nuts --- ...ing-delegated-bypass-for-push-protection.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index e69de29bb2d1..89a0c70e2d65 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
@@ -0,0 +1,18 @@
+---
+title: Enabling delegated bypass for push protection
+intro: 'TODO'
+product: '{% data reusables.gated-features.push-protection-for-repos %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: overview
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: Delegated bypass
+---
+
+TODO
From e35c958dadf2a529e28ddcf0f0283b1da0db3ce6 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 17:41:01 +0200
Subject: [PATCH 042/282] move content across articles
---
 ...tion-for-repositories-and-organizations.md | 75 -------------------
 ...ng-delegated-bypass-for-push-protection.md | 51 +++++++++++--
 ...ging-requests-to-bypass-push-protection.md | 32 +++++++-
 3 files changed, 73 insertions(+), 85 deletions(-)
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index 94b9ca4ddd02..6424e4b38d24 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -122,81 +122,6 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} -{% ifversion push-protection-delegated-bypass %} - -## Enabling delegated bypass for push protection - -{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} - -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. - -When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. - -If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. - -To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." - -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. 
For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." - -Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. - -### Configuring delegated bypass for an organization - -{% data reusables.organizations.navigate-to-org %} -{% data reusables.organizations.org_settings %} -{% data reusables.organizations.security-and-analysis %} -{% ifversion security-configurations %} - {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} -{% endif %} -{% data reusables.repositories.navigate-to-ghas-settings %} -1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. -1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. -1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. - -### Configuring delegated bypass for a repository - ->[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -1. 
Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. -1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. -1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. - -## Managing requests to bypass push protection - -You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. - -You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: - -|Status|Description| -|---------|-----------| -|`Cancelled`| The request has been cancelled by the contributor.| -|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.| -|`Denied`|The request has been reviewed and denied.| -|`Expired`| The request has expired. Requests are valid for 7 days. | -|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. | - -When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. - -The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. 
- -### Managing requests to bypass push protection at the repository-level - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -{% data reusables.repositories.bypass-requests-settings %} -1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. -1. Click the request that you want to review. -1. Review the details of the request. -1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. - -{% endif %} - ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 89a0c70e2d65..360c49ea795a 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
@@ -3,16 +3,55 @@ title: Enabling delegated bypass for push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: overview + feature: push-protection-delegated-bypass +type: how_to topics: - Secret scanning - Advanced Security - Alerts - Repositories -shortTitle: Delegated bypass +shortTitle: Enable delegated bypass --- -TODO +## Enabling delegated bypass for push protection + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. + +When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. + +If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. + +To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." 
+ +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." + +Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. + +### Configuring delegated bypass for an organization + +{% data reusables.organizations.navigate-to-org %} +{% data reusables.organizations.org_settings %} +{% data reusables.organizations.security-and-analysis %} +{% ifversion security-configurations %} + {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} +{% endif %} +{% data reusables.repositories.navigate-to-ghas-settings %} +1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. +1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. +1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. + +### Configuring delegated bypass for a repository + +>[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +1. 
Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. +1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. +1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index f79f79599877..2d593217119b 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md @@ -3,9 +3,7 @@ title: Managing requests to bypass push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' + feature: push-protection-delegated-bypass type: how_to topics: - Secret scanning 
@@ -15,4 +13,30 @@ topics: shortTitle: Manage bypass requests --- -TODO +## Managing requests to bypass push protection + +You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. + +You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: + +|Status|Description| +|---------|-----------| +|`Cancelled`| The request has been cancelled by the contributor.| +|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.| +|`Denied`|The request has been reviewed and denied.| +|`Expired`| The request has expired. Requests are valid for 7 days. | +|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. | + +When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. + +The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. + +### Managing requests to bypass push protection at the repository-level + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.bypass-requests-settings %} +1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. +1. Click the request that you want to review. +1. 
Review the details of the request. +1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. From df3e6572f5844cf89ea263d838bfc6489678fa5c Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:13:25 +0200 Subject: [PATCH 043/282] work --- .../push-protection-for-repositories-and-organizations.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index 6424e4b38d24..8679f7522a4e 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md @@ -122,6 +122,8 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} +TODO: add sentence about delegated bypass and link to new articles. + ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" From 8dcc31f48efde65554dbb81436657dceae533079 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:22:47 +0200 Subject: [PATCH 044/282] add link to further reading --- .../defining-custom-patterns-for-secret-scanning.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 5a1aa2124df1..2e539d0b803b 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md @@ -172,3 +172,4 @@ After your pattern is created, {% data variables.product.prodname_secret_scannin ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns)" From fc0ea3da3ef8814d07a70a42e9ba7b79d0f356f2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:51:39 +0200 Subject: [PATCH 045/282] more work on delegated bypass --- .../about-delegated-bypass-for-push-protection.md | 10 ++++++---- .../enabling-delegated-bypass-for-push-protection.md | 8 +++++--- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index 7c65ea9807bd..be950951ed82 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -3,9 +3,7 @@ title: About delegated bypass for push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' + feature: push-protection-delegated-bypass type: overview topics: - Secret scanning @@ -15,4 +13,8 @@ topics: shortTitle: Delegated bypass --- -TODO +TODO: + +## About delegated bypass for push protection + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 360c49ea795a..b97a77b340d4 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: Enabling delegated bypass for push protection -intro: 'TODO' +intro: 'You can enable ' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: push-protection-delegated-bypass 
@@ -17,7 +17,7 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. 
@@ -25,7 +25,7 @@ If the request to bypass push protection is approved, the contributor can push t To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. 
@@ -53,5 +53,7 @@ Members of the bypass list are still protected from accidentally pushing secrets {% data reusables.repositories.navigate-to-ghas-settings %} 1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. 1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. + 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. From 8d34e2de8b912b8e87540ab5665e2fbc764c51ae Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 20:53:14 +0200 Subject: [PATCH 046/282] more work on delegated bypass --- .../about-delegated-bypass-for-push-protection.md | 8 ++++++-- ...abling-delegated-bypass-for-push-protection.md | 15 ++++----------- ...managing-requests-to-bypass-push-protection.md | 11 +++++++++-- .../push-protection-delegated-bypass-intro.md | 1 + .../push-protection-delegated-bypass-overview.md | 9 +++++++++ 5 files changed, 29 insertions(+), 15 deletions(-) create mode 100644 data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md create mode 100644 data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index be950951ed82..eb091f9bc453 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -13,8 +13,12 @@ topics: shortTitle: Delegated bypass --- -TODO: - ## About delegated bypass for push protection {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-overview %} + +For information about enabling delegated bypass, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index b97a77b340d4..e4e51cc1dcb5 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
@@ -1,7 +1,8 @@ --- title: Enabling delegated bypass for push protection -intro: 'You can enable ' +intro: 'You can enable delegated bypass for your organization or repositotory so that you have full control over who can bypass blocks, and which blocks are allowed.' product: '{% data reusables.gated-features.push-protection-for-repos %}' +permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.' versions: feature: push-protection-delegated-bypass type: how_to 
@@ -17,17 +18,9 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." -When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. - -If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. - -To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." 
- -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." - -Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. +To enable this feature, you first need to create a bypass list to add roles and teams who will manage request to bypass push protection. This step is included in the sections below. ### Configuring delegated bypass for an organization diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 2d593217119b..063eb8f66346 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
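Review bot: The enabling article loses the caveat that members of the bypass list can override a block themselves, without review by another member, and this is the page where an administrator decides who goes on that list. The removed paragraph now lives only in the overview reusable, which this hunk does not include here, so I would keep one sentence such as `Members of the bypass list can bypass push protection for their own pushes by specifying a reason, without requesting approval.` next to the added bypass-list sentence. That added sentence also has a small slip: `manage request to bypass push protection` should read `manage requests to bypass push protection`.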
@@ -1,7 +1,8 @@ --- title: Managing requests to bypass push protection -intro: 'TODO' +intro: 'As a member of the bypass list for an organization or repository, you can process bypass requests from other members of the organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' +permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.' versions: feature: push-protection-delegated-bypass type: how_to @@ -15,7 +16,13 @@ shortTitle: Manage bypass requests ## Managing requests to bypass push protection -You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." + +Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. + +> [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: 
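Review bot: The added `permissions:` line in the front-matter hunk is missing a space (`bypass listcan`) and describes requesters as "non-members", which on its own reads as people outside the organization rather than contributors who are not on the bypass list. Because this line states who may approve pushes that contain secrets, I would spell it out: `permissions: 'Members of the bypass list can process requests to bypass push protection from contributors who are not on the bypass list.'`. The new `intro:` in the same hunk calls the requesters "other members of the organization or repository", so the two lines should use the same term for them.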
diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md new file mode 100644 index 000000000000..812d54293d28 --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md @@ -0,0 +1 @@ +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md new file mode 100644 index 000000000000..274a575f4d4f --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md 
@@ -0,0 +1,9 @@ +When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. + +If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. + +To configure delegated bypass, organization owners or repository administrators need to first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)." + +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." 
+ +Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. From 1cdfcc872024f298e440adfd0b06ec3fa8731d99 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 20:57:16 +0200 Subject: [PATCH 047/282] fix TODO --- .../about-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index eb091f9bc453..3674812d5a61 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: About delegated bypass for push protection -intro: 'TODO' +intro: 'With delegated bypass, you can control which teams or roles have the ability to bypass push protection in your organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: push-protection-delegated-bypass From dde39a721d7146cd0914e140a3ad895ea722a2e8 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 21:09:54 +0200 Subject: [PATCH 048/282] fix typo --- .../enabling-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index e4e51cc1dcb5..667edff41dd2 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: Enabling delegated bypass for push protection -intro: 'You can enable delegated bypass for your organization or repositotory so that you have full control over who can bypass blocks, and which blocks are allowed.' +intro: 'You can enable delegated bypass for your organization or repository so that you have full control over who can bypass blocks, and which blocks are allowed.' product: '{% data reusables.gated-features.push-protection-for-repos %}' permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.' versions: From 08aa48d234fe62ee5c9111dcac4cb17ce5be861c Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 21:20:39 +0200 Subject: [PATCH 049/282] fix failing test hopefully --- .../push-protection-for-repositories-and-organizations.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index 8679f7522a4e..f96fba943791 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md 
@@ -30,7 +30,7 @@ shortTitle: Push protection for repositories {% ifversion push-protection-delegated-bypass %} -By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](#enabling-delegated-bypass-for-push-protection)." +By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." {% endif %} @@ -122,8 +122,6 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} -TODO: add sentence about delegated bypass and link to new articles. - ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" 
From 8fbe293db71fd4085135c2ae65c4c301da2a2520 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 21:45:12 +0200 Subject: [PATCH 050/282] made a start --- .../index.md | 1 + ...-secret-scanning-for-non-provider-patterns.md | 16 ++++++++++++++++ .../non-provider-patterns/index.md | 15 +++++++++++++++ 3 files changed, 32 insertions(+) create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index 0ca68429c6da..85f8f4a6ad12 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md @@ -13,6 +13,7 @@ topics: - Advanced Security - Repositories children: + - /non-provider-patterns - /generic-secret-detection - /custom-patterns - /delegated-bypass-for-push-protection diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md new file mode 100644 index 000000000000..af6bdc4bc1a6 --- /dev/null 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -0,0 +1,16 @@ +--- +title: Enabling secret scanning for non provider patterns +intro: 'TODO' +product: '{% data reusables.gated-features.push-protection-for-repos %}' +versions: + feature: secret-scanning-non-provider-patterns +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: Enable for non-provider patterns +--- + +TODO diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md new file mode 100644 index 000000000000..b22c0aa5c30d --- /dev/null +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md @@ -0,0 +1,15 @@ +--- +title: Non provider patterns +shortTitle: Non-provider patterns +allowTitleToDifferFromFilename: true +intro: 'TODO.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + feature: secret-scanning-non-provider-patterns +topics: + - Secret scanning + - Advanced Security + - Repositories +children: + - /enabling-secret-scanning-for-non-provider-patterns +--- From 3bb16bc6393a8f7c62050d1d574c35334e387ea9 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 21:51:47 +0200 Subject: [PATCH 051/282] add hyphen --- .../enabling-secret-scanning-for-non-provider-patterns.md | 3 ++- .../non-provider-patterns/index.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) 
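Review bot: The new `enabling-secret-scanning-for-non-provider-patterns.md` sets `product: '{% data reusables.gated-features.push-protection-for-repos %}'`, while the sibling `non-provider-patterns/index.md` created in the same commit uses `reusables.gated-features.secret-scanning`. The article is about enabling secret scanning for non-provider patterns, so the push-protection gating text looks carried over from the delegated-bypass articles, and readers would then see the wrong availability statement. After confirming which plans the feature is gated on, I would change it to `product: '{% data reusables.gated-features.secret-scanning %}'`.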
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md index af6bdc4bc1a6..42fa784ee3bb 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -1,5 +1,6 @@ --- -title: Enabling secret scanning for non provider patterns +title: Enabling secret scanning for non-provider patterns +allowTitleToDifferFromFilename: true intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md index b22c0aa5c30d..c0ab1f1bed0a 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md @@ -1,5 +1,5 @@ --- -title: Non provider patterns +title: Non-provider patterns shortTitle: Non-provider patterns allowTitleToDifferFromFilename: true intro: 'TODO.' From b8fccec4f84ce076c6a7be2d5e32fe2271c2597a Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 22:00:18 +0200 Subject: [PATCH 052/282] made a start on procedural section --- ...ing-secret-scanning-for-your-repositories.md | 17 +---------------- ...secret-scanning-for-non-provider-patterns.md | 13 ++++++++++++- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index 47b87aecc5e8..9094ac6586b2 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md @@ -82,22 +82,7 @@ You can also use the REST API to enable validity checks for partner patterns for {% endif %} -{% ifversion secret-scanning-non-provider-patterns %} - -### Enabling scanning for non-provider patterns - -{% data reusables.secret-scanning.non-provider-patterns-beta %} - -You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". - -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." - -{% endif %} +TODO: removed non-provider pattern enablement here. {% ifversion secret-scanning-enable-by-default-for-public-repos %} 
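Review bot: The replacement line `TODO: removed non-provider pattern enablement here.` in `configuring-secret-scanning-for-your-repositories.md` is plain body text outside any `{% ifversion %}` block, so it would be rendered to readers on every version of the page. The section it replaces was wrapped in `{% ifversion secret-scanning-non-provider-patterns %}`, and that wrapper is removed along with it. Unless a later patch in the series removes the placeholder, I would delete the line here and track the follow-up outside the content file, or keep it as an HTML comment, `<!-- TODO: removed non-provider pattern enablement here. -->`, if the docs linter allows that.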
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md index 42fa784ee3bb..f39b8f757e07 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -14,4 +14,15 @@ topics: shortTitle: Enable for non-provider patterns --- -TODO +## Enabling scanning for non-provider patterns + +{% data reusables.secret-scanning.non-provider-patterns-beta %} + +You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". + +For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." From a816d8499b43b78694061964902e15494249495b Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 22:04:36 +0200 Subject: [PATCH 053/282] fix linter text by adding appropriate versioning --- .../defining-custom-patterns-for-secret-scanning.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 2e539d0b803b..4eb763efa02c 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md @@ -171,5 +171,5 @@ After your pattern is created, {% data variables.product.prodname_secret_scannin ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" {% ifversion secret-scanning-custom-patterns-metrics %} +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns)"{% endif %} From a3c58f7c4cb5f4868c73de97c5164fa999b83e60 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 22:25:06 +0200 Subject: [PATCH 054/282] fix broken links --- .../configuring-secret-scanning-for-your-repositories.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index 9094ac6586b2..868d5aea2086 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md 
@@ -54,7 +54,7 @@ A repository administrator can choose to disable {% data variables.product.prodn You can enable the following additional {% data variables.product.prodname_secret_scanning %} feature{% ifversion ghec or ghes %}s{% endif %} through your repository's "Code security and analysis" settings: * **Push protection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository)."{% ifversion secret-scanning-validity-check-partner-patterns %} * **Validity checks for partner patterns**. For more infomation, see "[Enabling validity checks for partner patterns](#enabling-validity-checks-for-partner-patterns)."{% endif %}{% ifversion secret-scanning-non-provider-patterns %} -* **Scanning for non-provider patterns**. For more information, see "[Enabling scanning for non-provider patterns](#enabling-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%} +* **Scanning for non-provider patterns**. For more information, see "[Enabling scanning for non-provider patterns](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%} * **AI-powered generic secret detection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection)."{% endif %}{% ifversion secret-scanning-push-protection-custom-patterns %} * **Scanning for custom patterns**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."{% endif %} From 7339dbc52b2c168843b043d71d17622fa35f679e Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 09:56:35 +0200 Subject: [PATCH 055/282] fix TODOs --- .../enabling-secret-scanning-for-non-provider-patterns.md | 2 +- .../non-provider-patterns/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md index f39b8f757e07..3824c2ad9778 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -1,7 +1,7 @@ --- title: Enabling secret scanning for non-provider patterns allowTitleToDifferFromFilename: true -intro: 'TODO' +intro: 'You can enable {% data variables.product.prodname_secret_scanning %} for non-provider patterns at repository and organization level.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: secret-scanning-non-provider-patterns diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md index c0ab1f1bed0a..7981affb0035 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md 
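Review bot: The `product:` key directly below the rewritten `intro` in `enabling-secret-scanning-for-non-provider-patterns.md` still reads `'{% data reusables.gated-features.push-protection-for-repos %}'`, which looks carried over from a push-protection article. The sibling `non-provider-patterns/index.md` touched by the same commit uses `gated-features.secret-scanning`. This value is presumably what tells readers which plan unlocks the feature, so I would change it to `product: '{% data reusables.gated-features.secret-scanning %}'` unless non-provider scanning really is gated like push protection. The front matter continues past the end of the hunk, so the rest of the `versions` block is not visible here.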
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md @@ -2,7 +2,7 @@ title: Non-provider patterns shortTitle: Non-provider patterns allowTitleToDifferFromFilename: true -intro: 'TODO.' +intro: 'Non-provider patterns, such as private keys are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scans for this pattern type, but you can override this behavior.' product: '{% data reusables.gated-features.secret-scanning %}' versions: feature: secret-scanning-non-provider-patterns From d16aeaf25eb36b4edae682ea31ad91526f668181 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 10:20:46 +0200 Subject: [PATCH 056/282] tidying up loose ends --- .../configuring-secret-scanning-for-your-repositories.md | 2 -- .../enabling-secret-scanning-for-non-provider-patterns.md | 6 +++++- .../non-provider-patterns/index.md | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index 868d5aea2086..938e3b44602a 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md @@ -82,8 +82,6 @@ You can also use the REST API to enable validity checks for partner patterns for {% endif %} -TODO: removed non-provider pattern enablement here. - {% ifversion secret-scanning-enable-by-default-for-public-repos %} ## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md index 3824c2ad9778..916ef7ed1949 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -1,7 +1,7 @@ --- title: Enabling secret scanning for non-provider patterns allowTitleToDifferFromFilename: true -intro: 'You can enable {% data variables.product.prodname_secret_scanning %} for non-provider patterns at repository and organization level.' +intro: 'You can enable {% data variables.product.prodname_secret_scanning %} for non-provider patterns at the repository and organization levels.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: secret-scanning-non-provider-patterns @@ -26,3 +26,7 @@ You can enable scanning for non-provider patterns. Non-provider patterns corresp 1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." + +## Further reading + +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)" 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md index 7981affb0035..5d0ff4b4417a 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md @@ -2,7 +2,7 @@ title: Non-provider patterns shortTitle: Non-provider patterns allowTitleToDifferFromFilename: true -intro: 'Non-provider patterns, such as private keys are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scans for this pattern type, but you can override this behavior.' +intro: 'Non-provider patterns, such as private keys are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scans for this type of pattern, but you can override the default behavior.' product: '{% data reusables.gated-features.secret-scanning %}' versions: feature: secret-scanning-non-provider-patterns From 1a8bdc8f8f9e4da6d9f7017251d1e4b8540d8711 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 10:24:49 +0200 Subject: [PATCH 057/282] typos typos --- .../non-provider-patterns/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md index 5d0ff4b4417a..4a97751ff251 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md @@ -2,7 +2,7 @@ title: Non-provider patterns shortTitle: Non-provider patterns allowTitleToDifferFromFilename: true -intro: 'Non-provider patterns, such as private keys are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scans for this type of pattern, but you can override the default behavior.' +intro: 'Non-provider patterns, such as private keys, are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scan for this type of pattern, but you can override the default behavior.' product: '{% data reusables.gated-features.secret-scanning %}' versions: feature: secret-scanning-non-provider-patterns From 78974ea6aa1f10c9118abbb1b08d587900b12d6c Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 10:37:37 +0200 Subject: [PATCH 058/282] add new introductory map topic --- .../secret-scanning/introduction/index.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 content/code-security/secret-scanning/introduction/index.md diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md new file mode 100644 index 000000000000..f2fdc0ea8586 --- /dev/null +++ b/content/code-security/secret-scanning/introduction/index.md 
@@ -0,0 +1,15 @@ +--- +title: Introduction to secret scanning +shortTitle: Secret scanning +allowTitleToDifferFromFilename: true +intro: 'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: overview +topics: + - Secret scanning + - Advanced Security +--- From c1b01b2945da6fb15ff405cfc5662c9832958b7e Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 10:46:43 +0200 Subject: [PATCH 059/282] add link to global index file --- content/code-security/secret-scanning/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 39f4e2aa6c5d..86fb7c347429 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -15,6 +15,7 @@ topics: - Advanced Security - Repositories children: + - /introduction - /about-secret-scanning - /configuring-secret-scanning-for-your-repositories - /defining-custom-patterns-for-secret-scanning @@ -32,4 +33,3 @@ children: - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program --- - From f16b789db3c834e6671994e4fca9a7dfbbd2cbe2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:19:34 +0200 Subject: [PATCH 060/282] renamed 1 files --- .../secret-scanning/{ => introduction}/about-secret-scanning.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/code-security/secret-scanning/{ => introduction}/about-secret-scanning.md (100%) 
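Review bot: The `intro` of the new `introduction/index.md` does not read as a sentence: "Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure" is missing "how". It also uses the capitalised product variable in mid-sentence. I would open it with `Learn how {% data variables.product.prodname_secret_scanning %} can keep your repositories secure by scanning them for known types of secrets` and keep the rest of the string as it is.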
diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md similarity index 100% rename from content/code-security/secret-scanning/about-secret-scanning.md rename to content/code-security/secret-scanning/introduction/about-secret-scanning.md From 29cffd185047a8901db7c037330299b3bfb628b9 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:19:40 +0200 Subject: [PATCH 061/282] set redirect_from on 1 files --- content/code-security/secret-scanning/index.md | 2 +- .../secret-scanning/introduction/about-secret-scanning.md | 1 + content/code-security/secret-scanning/introduction/index.md | 3 +++ data/learning-tracks/code-security.yml | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 86fb7c347429..021bf02f7c99 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -16,7 +16,6 @@ topics: - Repositories children: - /introduction - - /about-secret-scanning - /configuring-secret-scanning-for-your-repositories - /defining-custom-patterns-for-secret-scanning - /about-the-regular-expression-generator-for-custom-patterns @@ -33,3 +32,4 @@ children: - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program --- + diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index e16760f2f972..a225b8cafe4b 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -8,6 +8,7 @@ redirect_from: - /articles/about-token-scanning-for-private-repositories - /github/administering-a-repository/about-secret-scanning - /code-security/secret-security/about-secret-scanning + - /code-security/secret-scanning/about-secret-scanning versions: fpt: '*' ghes: '*' diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md index f2fdc0ea8586..aa04863ab51f 100644 --- a/content/code-security/secret-scanning/introduction/index.md +++ b/content/code-security/secret-scanning/introduction/index.md @@ -12,4 +12,7 @@ type: overview topics: - Secret scanning - Advanced Security +children: + - /about-secret-scanning --- + diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 82650c37c290..83ed5fd783d5 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -112,7 +112,7 @@ secret_scanning: Set up secret scanning to guard against accidental check-ins of tokens, passwords, and other secrets to your repository. guides: - - /code-security/secret-scanning/about-secret-scanning + - /code-security/secret-scanning/introduction/about-secret-scanning - >- /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories - >- From e1bdfa4e55679622b1caf99c449e9857c5d682ea Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:22:38 +0200 Subject: [PATCH 062/282] renamed 1 files --- .../about-push-protection.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/code-security/secret-scanning/{push-protection-for-repositories-and-organizations.md => introduction/about-push-protection.md} (100%) 
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/introduction/about-push-protection.md similarity index 100% rename from content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md rename to content/code-security/secret-scanning/introduction/about-push-protection.md From 019575f97e54edcebae1d1636ce238250a691483 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:22:45 +0200 Subject: [PATCH 063/282] set redirect_from on 1 files --- content/code-security/secret-scanning/index.md | 1 - .../secret-scanning/introduction/about-push-protection.md | 1 + content/code-security/secret-scanning/introduction/index.md | 1 + 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 021bf02f7c99..2c1e8ab0e989 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -24,7 +24,6 @@ children: - /secret-scanning-patterns - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection - - /push-protection-for-repositories-and-organizations - /push-protection-for-users - /working-with-push-protection - /pushing-a-branch-blocked-by-push-protection diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 9d10a0acb3a9..eb8598f9b1be 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -9,6 +9,7 @@ versions: redirect_from: - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning - /code-security/secret-scanning/protecting-pushes-with-secret-scanning + - /code-security/secret-scanning/push-protection-for-repositories-and-organizations type: how_to topics: - Secret scanning diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md index aa04863ab51f..dc0e73a93330 100644 --- a/content/code-security/secret-scanning/introduction/index.md +++ b/content/code-security/secret-scanning/introduction/index.md @@ -14,5 +14,6 @@ topics: - Advanced Security children: - /about-secret-scanning + - /about-push-protection --- From 355dce11eeae6993ae2f4eea783b70efe7803747 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:34:37 +0200 Subject: [PATCH 064/282] renamed 1 files --- .../supported-secret-scanning-patterns.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/code-security/secret-scanning/{secret-scanning-patterns.md => introduction/supported-secret-scanning-patterns.md} (100%) diff --git a/content/code-security/secret-scanning/secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md similarity index 100% rename from content/code-security/secret-scanning/secret-scanning-patterns.md rename to content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md From 22b650c9a13ee6e2dedef5cdca9a311c8f47f851 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:34:44 +0200 Subject: [PATCH 065/282] set redirect_from on 1 files --- content/code-security/secret-scanning/index.md | 1 - content/code-security/secret-scanning/introduction/index.md | 1 + .../introduction/supported-secret-scanning-patterns.md | 1 + data/learning-tracks/code-security.yml | 2 +- 4 files changed, 3 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 2c1e8ab0e989..e17e515d5b34 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -21,7 +21,6 @@ children: - /about-the-regular-expression-generator-for-custom-patterns - /generating-regular-expressions-for-custom-patterns-with-ai - /managing-alerts-from-secret-scanning - - /secret-scanning-patterns - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection - /push-protection-for-users diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md index dc0e73a93330..51fab7975460 100644 --- a/content/code-security/secret-scanning/introduction/index.md +++ b/content/code-security/secret-scanning/introduction/index.md @@ -15,5 +15,6 @@ topics: children: - /about-secret-scanning - /about-push-protection + - /supported-secret-scanning-patterns --- diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 595f8fb25366..a61596619c08 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md 
@@ -12,6 +12,7 @@ topics: - Advanced Security redirect_from: - /code-security/secret-scanning/secret-scanning-partners + - /code-security/secret-scanning/secret-scanning-patterns layout: inline --- diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 83ed5fd783d5..5130dbaff551 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -120,7 +120,7 @@ secret_scanning: %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning{% endif %} - /code-security/secret-scanning/managing-alerts-from-secret-scanning - - /code-security/secret-scanning/secret-scanning-patterns + - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns - >- {% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/push-protection-for-repositories-and-organizations{% From f24c26e85b25b29d3f213a9588b5302bfa9c0ddf Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:42:32 +0200 Subject: [PATCH 066/282] add brand new article --- .../introduction/about-push-protection.md | 4 ++-- .../about-secret-scanning-for-partners.md | 12 ++++++++++++ .../secret-scanning/introduction/index.md | 2 +- .../supported-secret-scanning-patterns.md | 3 ++- 4 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index eb8598f9b1be..86d6a86609e0 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -1,5 +1,5 @@ --- -title: Push protection for repositories and organizations +title: About push protection intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: @@ -16,7 +16,7 @@ topics: - Advanced Security - Alerts - Repositories -shortTitle: Push protection for repositories +shortTitle: Push protection --- {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md new file mode 100644 index 000000000000..f8cfb53571e3 --- /dev/null +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -0,0 +1,12 @@ +--- +title: About secret scanning for partners +intro: 'TODO' +versions: + fpt: '*' + ghes: '*' +type: overview +topics: + - Secret scanning + - Advanced Security +shortTitle: Secret scanning for partners +--- diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md index 51fab7975460..506adc128991 100644 --- a/content/code-security/secret-scanning/introduction/index.md +++ b/content/code-security/secret-scanning/introduction/index.md @@ -15,6 +15,6 @@ topics: children: - /about-secret-scanning - /about-push-protection + - /about-secret-scanning-for-partners - /supported-secret-scanning-patterns --- - diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index a61596619c08..d71229db6467 100644 
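Review bot: The new `about-secret-scanning-for-partners.md` is added to `children` in `introduction/index.md` while it is still a stub: the twelve added lines are front matter only, with `intro: 'TODO'` and no body. Its `versions` block lists `fpt` and `ghes` but not `ghec`, unlike `introduction/index.md`, and there is no `product:` line, so the page does not say where the feature is available; both look unintentional and are worth confirming. I would either hold back the `- /about-secret-scanning-for-partners` entry until the article has a real intro, or fill in `intro`, `product` and the intended `versions` in this commit.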
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -1,5 +1,5 @@ --- -title: Secret scanning patterns +title: Supported secret scanning patterns intro: 'Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.' product: '{% data reusables.gated-features.secret-scanning %}' versions: @@ -14,6 +14,7 @@ redirect_from: - /code-security/secret-scanning/secret-scanning-partners - /code-security/secret-scanning/secret-scanning-patterns layout: inline +shortTitle: Supported patterns --- {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} From 3e7b72a819900666964291a8a40a273a7063b7c1 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 12:00:46 +0200 Subject: [PATCH 067/282] trying to fix failing test --- data/learning-tracks/code-security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 5130dbaff551..0a5af6655346 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -123,7 +123,7 @@ secret_scanning: - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns - >- {% ifversion secret-scanning-push-protection - %}/code-security/secret-scanning/push-protection-for-repositories-and-organizations{% + %}/code-security/secret-scanning/introduction/about-push-protection{% endif %} - >- {% ifversion secret-scanning-push-protection-for-users From 242b01db770a2e90f15c153e031826d04ac273c4 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 12:57:27 +0200 Subject: [PATCH 068/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md Co-authored-by: Felicity Chapman --- .../custom-patterns/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md index bb8f6e9f7b49..dcf801802381 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md @@ -2,7 +2,7 @@ title: Custom patterns shortTitle: Custom patterns allowTitleToDifferFromFilename: true -intro: 'You can extend the capabilities of {% data variables.product.prodname_secret_scanning %} by instructing the feature to search for your own patterns. These patterns, which can range from your servce API keys to connection strings into cloud resources, are referred to as custom patterns.' +intro: 'You can extend the capabilities of {% data variables.product.prodname_secret_scanning %} to search for your own patterns. These custom patterns can range from your service API keys to connection strings into cloud resources.' product: '{% data reusables.gated-features.secret-scanning %}' versions: ghes: '*' From e47882cd1d8edbc092624267df54aee33a74ffcb Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 12:58:21 +0200 Subject: [PATCH 069/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md Co-authored-by: Felicity Chapman --- .../custom-patterns/metrics-for-custom-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md index ae45e17f4d7d..619db12b1b08 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md @@ -1,7 +1,7 @@ --- title: Metrics for custom patterns shortTitle: Custom pattern metrics -intro: 'You can view alert metrics for custom patterns at the repository, organization, and enterprise levels, from within {% data variables.product.product_name %}.' +intro: 'You can view alert metrics for custom patterns at the repository, organization, and enterprise levels.' product: '{% data reusables.gated-features.secret-scanning %}' versions: feature: secret-scanning-custom-patterns-metrics From a149295589587ac3bb98132fd2b1b074083ce5c5 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 13:00:05 +0200 Subject: [PATCH 070/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md Co-authored-by: Felicity Chapman --- .../index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index 0ca68429c6da..9741aca909b2 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md @@ -2,7 +2,7 @@ title: Using advanced secret scanning and push protection features shortTitle: Advanced features allowTitleToDifferFromFilename: true -intro: 'Learn more about advanced capabilities of {% data variables.secret-scanning.partner_alerts_caps %} and push protection, and assess whether your organization or repository could benefit from using these features.' +intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company..' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 8c2349d67d3c78224b6e77cd0c7efadfa530386e Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 13:01:32 +0200 Subject: [PATCH 071/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md Co-authored-by: Felicity Chapman --- .../delegated-bypass-for-push-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index 490367114797..c22caaba1162 100644 
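Review bot: The replacement `intro` ends in a doubled full stop (`your company..'`); it should end `your company.'`. It also now names only `{% data variables.secret-scanning.partner_alerts %}`, while the title of this map topic is "Using advanced secret scanning and push protection features", so the summary no longer mentions push protection. If that narrowing was not intended, something like `intro: 'Learn how you can customize {% data variables.product.prodname_secret_scanning %} and push protection to meet the needs of your company.'` would match the title.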
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -2,7 +2,7 @@ title: Delegated bypass for push protection shortTitle: Delegated bypass allowTitleToDifferFromFilename: true -intro: 'With delegated bypass, contributors can propose bypassing a blocked push and members of the bypass list can review those bypass requests to allow or deny the content.' +intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request. product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 22491eb1116f54c29605fcedad4e7ad353cae400 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 14:00:55 +0200 Subject: [PATCH 072/282] hopefully fix failing test --- src/fixtures/fixtures/versionless-redirects.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/fixtures/fixtures/versionless-redirects.txt b/src/fixtures/fixtures/versionless-redirects.txt index 9340d6a358ea..2ed338b1ff8d 100644 --- a/src/fixtures/fixtures/versionless-redirects.txt +++ b/src/fixtures/fixtures/versionless-redirects.txt 
@@ -378,7 +378,7 @@ # FPT versioning for these files was removed as part of github/docs-content#5642 -/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning +/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning - /code-security/secret-security/defining-custom-patterns-for-secret-scanning - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning From 204899db9d17d2e117da34d8ce780e8d8ddb962e Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 14:17:40 +0200 Subject: [PATCH 073/282] Update src/fixtures/fixtures/versionless-redirects.txt --- src/fixtures/fixtures/versionless-redirects.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/fixtures/fixtures/versionless-redirects.txt b/src/fixtures/fixtures/versionless-redirects.txt index 2ed338b1ff8d..9340d6a358ea 100644 --- a/src/fixtures/fixtures/versionless-redirects.txt +++ b/src/fixtures/fixtures/versionless-redirects.txt @@ -378,7 +378,7 @@ # FPT versioning for these files was removed as part of github/docs-content#5642 -/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning +/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning - /code-security/secret-security/defining-custom-patterns-for-secret-scanning - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning From 1ec9ea0366e3f2b88a66882421e7fce100b64736 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Tue, 9 Jul 2024 13:27:05 +0100 Subject: [PATCH 074/282] Update index.md to add missing quote --- .../delegated-bypass-for-push-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
index c22caaba1162..6546c4d8f392 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
@@ -2,7 +2,7 @@
 title: Delegated bypass for push protection
 shortTitle: Delegated bypass
 allowTitleToDifferFromFilename: true
-intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.
+intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 16c85818a076e8eedf69909b67060ab14bf81027 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 14:30:07 +0200
Subject: [PATCH 075/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
---
 .../delegated-bypass-for-push-protection/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
index c22caaba1162..6546c4d8f392 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
@@ -2,7 +2,7 @@
 title: Delegated bypass for push protection
 shortTitle: Delegated bypass
 allowTitleToDifferFromFilename: true
-intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.
+intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 8c4dd85a4aff516c3da2f69f000ab9f4ad989840 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 14:36:00 +0200
Subject: [PATCH 076/282] make a start on this article
---
 .../introduction/about-secret-scanning-for-partners.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index f8cfb53571e3..a8eab359dd61 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -10,3 +10,9 @@ topics:
 - Advanced Security
 shortTitle: Secret scanning for partners
 ---
+
+## About {% data variables.secret-scanning.partner_alerts %}
+
+When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+
+You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
From f1a1c988ee9d08373580b7624a15a74ec20d78ee Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 14:38:31 +0200
Subject: [PATCH 077/282] trying to fix the failing test again
---
 src/fixtures/fixtures/versionless-redirects.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fixtures/fixtures/versionless-redirects.txt b/src/fixtures/fixtures/versionless-redirects.txt
index 9340d6a358ea..2ed338b1ff8d 100644
--- a/src/fixtures/fixtures/versionless-redirects.txt
+++ b/src/fixtures/fixtures/versionless-redirects.txt
@@ -378,7 +378,7 @@ # FPT versioning for these files was removed as part of github/docs-content#5642 -/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning +/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning - /code-security/secret-security/defining-custom-patterns-for-secret-scanning - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning From d601e9ebd7b2543958401ded39412d3868c5e779 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 15:15:50 +0200 Subject: [PATCH 078/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md Co-authored-by: Felicity Chapman --- .../about-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index 3674812d5a61..95e974880a04 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md 
@@ -1,6 +1,6 @@
 ---
 title: About delegated bypass for push protection
-intro: 'With delegated bypass, you can control which teams or roles have the ability to bypass push protection in your organization or repository.'
+intro: 'You can control which teams or roles have the ability to bypass push protection in your organization or repository.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: push-protection-delegated-bypass
From be948a1adaa47e0e77c36c8b2ca2fb7dbd3d2f64 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 15:16:13 +0200
Subject: [PATCH 079/282] Update data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md
Co-authored-by: Felicity Chapman
---
 .../secret-scanning/push-protection-delegated-bypass-intro.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md
index 812d54293d28..cffdc83e633d 100644
--- a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md
+++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md
@@ -1 +1 @@
-Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed.
+Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors.
From a590917fcae6acd538a5f9ca582971a7a26bf625 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 15:22:14 +0200
Subject: [PATCH 080/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
Co-authored-by: Felicity Chapman
---
 .../enabling-delegated-bypass-for-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
index 667edff41dd2..12fe1b29473e 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Enabling delegated bypass for push protection
-intro: 'You can enable delegated bypass for your organization or repository so that you have full control over who can bypass blocks, and which blocks are allowed.'
+intro: 'You can use delegated bypass for your organization or repository to control who can push commits that contain secrets identified by {% data variables.product.prodname_secret_scanning %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.'
 versions:
From fac345218e0ccb08fa017cb4f01587770276a135 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 18:01:24 +0200 Subject: [PATCH 081/282] more work --- .../introduction/about-secret-scanning-for-partners.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index a8eab359dd61..bb92155920a2 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
@@ -13,6 +13,12 @@ shortTitle: Secret scanning for partners ## About {% data variables.secret-scanning.partner_alerts %} -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +TODO: Provide high-level overview of partner program + +**Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages. You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. + +When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
+ +For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." From 9f4a97972c27d1a15dd55b8b72087dd376429403 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 08:48:13 +0000 Subject: [PATCH 082/282] new map topic, new index, enable article --- .../index.md | 15 ++++++++++ ...anning-for-your-user-owned-repositories.md | 28 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md create mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md new file mode 100644 index 000000000000..49133826ef0e --- /dev/null +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -0,0 +1,15 @@ +--- +title: Working with secret scanning and push protection +shortTitle: Work with secret scanning +allowTitleToDifferFromFilename: true +intro: 'TODO' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +topics: + - Secret scanning + - Advanced Security + - Repositories +--- diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md new file mode 100644 index 000000000000..3e55f4e4b5fa --- /dev/null 
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md 
@@ -0,0 +1,28 @@ +--- +title: Enabling secret scanning alerts for your user-owned repositories +shortTitle: Secret scanning alerts for user-owned repositories +intro: 'TODO' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: secret-scanning-enable-by-default-for-public-repos +type: how_to +topics: + - Secret scanning + - Advanced Security + - Troubleshooting +redirect_from: + - /TODO +--- + +## About {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories + +You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. + +>! NOTE +> As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". + +## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories + +{% data reusables.user-settings.access_settings %} +{% data reusables.user-settings.security-analysis %} +1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. +{% data reusables.secret-scanning.push-protection-optional-enable %} From 9e8dd32ec43c2cc4a7dc888576b9299e118a8c7b Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 08:55:42 +0000 Subject: [PATCH 083/282] renamed 1 files --- .../push-protection-for-users.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/code-security/secret-scanning/{ => working-with-secret-scanning-and-push-protection}/push-protection-for-users.md (100%) diff --git a/content/code-security/secret-scanning/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md similarity index 100% rename from content/code-security/secret-scanning/push-protection-for-users.md rename to content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md From 4b9f5c083029b146ce6cfc920b722fc76c2b4358 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 08:55:45 +0000 Subject: [PATCH 084/282] set redirect_from on 1 files --- content/code-security/secret-scanning/index.md | 2 +- .../index.md | 5 ++++- .../push-protection-for-users.md | 2 ++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 86fb7c347429..ac614c571887 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -26,10 +26,10 @@ children: - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection - /push-protection-for-repositories-and-organizations - - /push-protection-for-users - /working-with-push-protection - /pushing-a-branch-blocked-by-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program --- + 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index 49133826ef0e..0308ee875537 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -2,7 +2,7 @@ title: Working with secret scanning and push protection shortTitle: Work with secret scanning allowTitleToDifferFromFilename: true -intro: 'TODO' +intro: TODO product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' @@ -12,4 +12,7 @@ topics: - Secret scanning - Advanced Security - Repositories +children: + - /push-protection-for-users --- + diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md index 46de326d8004..c15343611c02 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md @@ -10,6 +10,8 @@ topics: - Advanced Security - Alerts - User account +redirect_from: + - /code-security/secret-scanning/push-protection-for-users --- ## About push protection for users From 425d942c8a7836da02a385cd0c8b3431288f86d6 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 09:05:50 +0000 Subject: [PATCH 085/282] create new article cmd line - add redirect to index --- .../index.md | 3 +++ ...with-push-protection-from-the-command-line.md | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index 0308ee875537..d2de1faaf09d 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -13,6 +13,9 @@ topics: - Advanced Security - Repositories children: + - /secret-scanning-for-your-user-owned-repositories - /push-protection-for-users +redirect_from: + - /code-security/secret-scanning/working-with-push-protection --- diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md new file mode 100644 index 000000000000..d4ceeb505c27 --- /dev/null +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -0,0 +1,16 @@ +--- +title: Working with push protection from the command line +shortTitle: Push protection from the command line +intro: 'TODO' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +--- From 214380526a8e0a255bcb18b72ce6048f001db6f3 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 12:16:48 +0000 Subject: [PATCH 086/282] more edits --- .../code-security/secret-scanning/index.md | 1 + .../index.md | 2 + ...anning-for-your-user-owned-repositories.md | 3 +- ...h-push-protection-from-the-command-line.md | 153 +++++++++++++++++- 4 files changed, 157 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index ac614c571887..159014016d05 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -28,6 +28,7 @@ children: - /push-protection-for-repositories-and-organizations - /working-with-push-protection - /pushing-a-branch-blocked-by-push-protection + - /working-with-secret-scanning-and-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index d2de1faaf09d..ea975f0e4e14 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md 
@@ -15,7 +15,9 @@ topics: children: - /secret-scanning-for-your-user-owned-repositories - /push-protection-for-users + - /working-with-push-protection-from-the-command-line redirect_from: - /code-security/secret-scanning/working-with-push-protection + - /code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection --- diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md index 3e55f4e4b5fa..87d634f155de 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md @@ -3,7 +3,8 @@ title: Enabling secret scanning alerts for your user-owned repositories shortTitle: Secret scanning alerts for user-owned repositories intro: 'TODO' product: '{% data reusables.gated-features.secret-scanning %}' -versions: secret-scanning-enable-by-default-for-public-repos +versions: + feature: secret-scanning-enable-by-default-for-public-repos type: how_to topics: - Secret scanning diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index d4ceeb505c27..8c415c04b2b7 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -1,6 +1,6 @@ --- title: Working with push protection from the command line -shortTitle: Push protection from the command line +shortTitle: Work with push protection from the command line intro: 'TODO' product: '{% data reusables.gated-features.secret-scanning %}' versions: 
@@ -14,3 +14,154 @@ topics: - Alerts - Repositories --- + +## About push protection from the command line + +Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets. + +When you attempt to push a supported secret from the command line to a repository secured by push protection, {% data variables.product.prodname_dotcom %} will block the push. + +You should either: + +* **Remove** the secret from your branch. For more information, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." +* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line)"{% ifversion push-protection-delegated-bypass %} and "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line){% endif %}." + +Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. + +{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." + +If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. 
For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." + +{% data reusables.secret-scanning.push-protection-multiple-branch-note %} + +In some cases, you may need to bypass the block on a secret. {% ifversion push-protection-delegated-bypass %} Whether or not you are able to bypass the block depends on the permissions that have been set for you by your repository administrator or organization owner. + +You may be able to bypass the block by specifying a reason for allowing the push. {% endif %} For more information on how to bypass push protection and push a blocked secret, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line)." + +{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to push the secret. For information on how to request permission to bypass push protection and push the blocked secret, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)." + +{% endif %} + +## Resolving a blocked push from the command line + +To resolve a blocked push, you must remove the secret from all of the commits it appears in. +* If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." +* If the secret appears in multiple earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." + +### Removing a secret introduced by the latest commit on your branch + +If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. + +1. Remove the secret from your code. +1. 
To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit. +1. Push your changes with `git push`. + +### Removing a secret introduced by an earlier commit on your branch + +You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. + +1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. + + ```text + remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} —————————————————————— + remote: locations: + remote: - commit: 8728dbe67 + remote: path: README.md:4 + remote: - commit: 03d69e5d3 + remote: path: README.md:4 + remote: - commit: 8053f7b27 + remote: path: README.md:4 + ``` + +1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps. + + ```text + test-repo (test-branch)]$ git log + commit 8053f7b27 (HEAD -> main) + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 13:03:37 2024 +0100 + + my fourth commit message + + commit 03d69e5d3 + Author: Octocat <1000+octocat@users.noreply.github.com> + Date: Tue Jan 30 13:02:59 2024 +0100 + + my third commit message + + commit 8728dbe67 + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 13:01:36 2024 +0100 + + my second commit message + + commit 6057cbe51 + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 12:58:24 2024 +0100 + + my first commit message + +1. Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history. + * In the example, commit `8728dbe67` was the first commit to contain the secret. +1. 
Start an interactive rebase with `git rebase -i ~1`. + * For ``, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`. +1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text. + + ```text + edit 8728dbe67 my second commit message + pick 03d69e5d3 my third commit message + pick 8053f7b27 my fourth commit message + ``` + +1. Save and close the editor to start the interactive rebase. +1. Remove the secret from your code. +1. Commit your changes using `git commit --amend`. +1. Run `git rebase --continue` to finish the rebase. +1. Push your changes with `git push`. + +## Bypassing push protection when working from the command line + +If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed. + +{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} + +{% data reusables.secret-scanning.push-protection-allow-email %} + +{% ifversion push-protection-delegated-bypass %} + +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line)." + +{% endif %} + +{% data reusables.secret-scanning.push-protection-visit-URL %} +{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} +{% data reusables.secret-scanning.push-protection-public-repos-bypass %} +1. Click **Allow me to push this secret**. +1. Reattempt the push on the command line within three hours. 
If you have not pushed within three hours, you will need to repeat this process. + +{% ifversion push-protection-delegated-bypass %} + +## Requesting bypass privileges when working from the command line + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. + +Requests expire after 7 days. + +{% data reusables.secret-scanning.push-protection-visit-URL %} +{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} +{% data reusables.secret-scanning.push-protection-submit-bypass-request %} +{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} + +{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} + +If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. + +If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." + +{% endif %} + +## Further reading + +* TODO From 264263a00566ade2dd4460272f978b5aaab8f1f4 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 13:30:07 +0100 Subject: [PATCH 087/282] fix linter --- .../index.md | 4 +- ...g-with-push-protection-in-the-github-ui.md | 163 ++++++++++++++++++ 2 files changed, 165 insertions(+), 2 deletions(-) create mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
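Review bot: The last paragraph of "About push protection from the command line" links to `#requesting-bypass-privileges-when-working-with-the-command-line`, but the heading added further down is "Requesting bypass privileges when working from the command line", so the anchor will not resolve and a contributor who cannot bypass the block themselves has no working link to the request procedure. The link should read `[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line)`, as the other two references in this hunk already do. The `git log` sample under "Removing a secret introduced by an earlier commit on your branch" has no closing fence before the "Focusing only on the commits…" step, which would pull the remaining rebase steps into the code block, and three of its four `Author:` lines lack the closing `>`. As shown here the rebase step reads `git rebase -i ~1` with an empty placeholder in the sub-bullet, so it is worth confirming the commit placeholder survives rendering.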
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index ea975f0e4e14..8a1abc5f94d9 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -2,7 +2,7 @@ title: Working with secret scanning and push protection shortTitle: Work with secret scanning allowTitleToDifferFromFilename: true -intro: TODO +intro: 'TODO' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' @@ -16,8 +16,8 @@ children: - /secret-scanning-for-your-user-owned-repositories - /push-protection-for-users - /working-with-push-protection-from-the-command-line + - /working-with-push-protection-in-the-github-ui redirect_from: - /code-security/secret-scanning/working-with-push-protection - /code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection --- - diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md new file mode 100644 index 000000000000..02e9ac957eba --- /dev/null +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -0,0 +1,163 @@ +--- +title: Working with push protection in the GitHub UI +shortTitle: Work with push protection in the GitHub UI +intro: 'TODO' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +--- + +## About push protection in the {% data variables.product.prodname_dotcom %} UI + +Push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets. + +{% data reusables.secret-scanning.push-protection-web-ui-choice %} + +You should either: + +* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI](#resolving-a-blocked-commit-in-the-github-ui)." +* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui)"{% ifversion push-protection-delegated-bypass %} and "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui){% endif %}." + +{% ifversion push-protection-block-uploads %} + +{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. The dialog box will show you which files contain the secret. You should remove the secret from the files before attempting to upload the files again. + +{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %} + +{% endif %} + +{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. 
If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. + +Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. + +You may be able to bypass the block by specifying a reason for allowing the secret to be committed. For more information on how to bypass push protection and commit the blocked secret, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui)." + +{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to commit the secret. For information on how to request permission to bypass push protection and allow the secret, see "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui)." + +{% endif %} + +## Resolving a blocked push from the command line + +TODO +To resolve a blocked push, you must remove the secret from all of the commits it appears in. +* If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." +* If the secret appears in multiple earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." 
+ +### Removing a secret introduced by the latest commit on your branch + +If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. + +1. Remove the secret from your code. +1. To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit. +1. Push your changes with `git push`. + +### Removing a secret introduced by an earlier commit on your branch + +You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. + +1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. + + ```text + remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} —————————————————————— + remote: locations: + remote: - commit: 8728dbe67 + remote: path: README.md:4 + remote: - commit: 03d69e5d3 + remote: path: README.md:4 + remote: - commit: 8053f7b27 + remote: path: README.md:4 + ``` + +1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps. + + ```text + test-repo (test-branch)]$ git log + commit 8053f7b27 (HEAD -> main) + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 13:03:37 2024 +0100 + + my fourth commit message + + commit 03d69e5d3 + Author: Octocat <1000+octocat@users.noreply.github.com> + Date: Tue Jan 30 13:02:59 2024 +0100 + + my third commit message + + commit 8728dbe67 + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 13:01:36 2024 +0100 + + my second commit message + + commit 6057cbe51 + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 12:58:24 2024 +0100 + + my first commit message + +1. 
Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history. + * In the example, commit `8728dbe67` was the first commit to contain the secret. +1. Start an interactive rebase with `git rebase -i ~1`. + * For ``, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`. +1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text. + + ```text + edit 8728dbe67 my second commit message + pick 03d69e5d3 my third commit message + pick 8053f7b27 my fourth commit message + ``` + +1. Save and close the editor to start the interactive rebase. +1. Remove the secret from your code. +1. Commit your changes using `git commit --amend`. +1. Run `git rebase --continue` to finish the rebase. +1. Push your changes with `git push`. + +## Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI + +If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret. + +{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} + +{% data reusables.secret-scanning.push-protection-allow-email %} + +1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. +{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} +{% data reusables.secret-scanning.push-protection-public-repos-bypass %} +1. Click **Allow secret**. 
+ +{% ifversion push-protection-delegated-bypass %} + +## Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. + +Requests expire after 7 days. + +{% data reusables.secret-scanning.push-protection-visit-URL %} +{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} +{% data reusables.secret-scanning.push-protection-submit-bypass-request %} +{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} + +{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} + +If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. + +If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." + +{% endif %} + +## Further reading + +* TODO From c8bf36d79636b5454d0d8d51840075e08d2edb68 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 16:53:18 +0100 Subject: [PATCH 088/282] finishing UI section --- ...g-with-push-protection-in-the-github-ui.md | 87 ++----------------- 1 file changed, 8 insertions(+), 79 deletions(-) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index 02e9ac957eba..fe9a8770db96 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -44,83 +44,11 @@ You may be able to bypass the block by specifying a reason for allowing the secr {% endif %} -## Resolving a blocked push from the command line +## Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI -TODO -To resolve a blocked push, you must remove the secret from all of the commits it appears in. -* If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." -* If the secret appears in multiple earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." - -### Removing a secret introduced by the latest commit on your branch - -If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. - -1. Remove the secret from your code. -1. To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit. -1. Push your changes with `git push`. - -### Removing a secret introduced by an earlier commit on your branch - -You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. - -1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. - - ```text - remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} —————————————————————— - remote: locations: - remote: - commit: 8728dbe67 - remote: path: README.md:4 - remote: - commit: 03d69e5d3 - remote: path: README.md:4 - remote: - commit: 8053f7b27 - remote: path: README.md:4 - ``` - -1. 
Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps. - - ```text - test-repo (test-branch)]$ git log - commit 8053f7b27 (HEAD -> main) - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 13:03:37 2024 +0100 - - my fourth commit message - - commit 03d69e5d3 - Author: Octocat <1000+octocat@users.noreply.github.com> - Date: Tue Jan 30 13:02:59 2024 +0100 - - my third commit message - - commit 8728dbe67 - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 13:01:36 2024 +0100 - - my second commit message - - commit 6057cbe51 - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 12:58:24 2024 +0100 - - my first commit message - -1. Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history. - * In the example, commit `8728dbe67` was the first commit to contain the secret. -1. Start an interactive rebase with `git rebase -i ~1`. - * For ``, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`. -1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text. - - ```text - edit 8728dbe67 my second commit message - pick 03d69e5d3 my third commit message - pick 8053f7b27 my fourth commit message - ``` +{% data reusables.secret-scanning.push-protection-web-ui-choice %} -1. Save and close the editor to start the interactive rebase. -1. Remove the secret from your code. -1. Commit your changes using `git commit --amend`. -1. Run `git rebase --continue` to finish the rebase. -1. Push your changes with `git push`. +To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. ## Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI 
@@ -141,20 +69,21 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. +If your commit has been blocked by push protection, you can request permission to bypass the block. The request is sent to a designated group of reviewers, who will either approve or deny the request. Requests expire after 7 days. -{% data reusables.secret-scanning.push-protection-visit-URL %} +1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. +1. Click **Start request**. The request will open in a new tab. {% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} {% data reusables.secret-scanning.push-protection-submit-bypass-request %} {% data reusables.secret-scanning.push-protection-bypass-request-check-email %} {% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} -If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. +If your request is approved, you can commit the changes containing the secret to the file. You can also commit any future changes that contain the same secret. -If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." +If your request is denied, you will need to remove the secret from the file before you can commit your changes. {% endif %} 
From 89966b8644871f59064dd2ec4ba933060b1a5f0f Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 16:54:28 +0100 Subject: [PATCH 089/282] removing old article --- .../code-security/secret-scanning/index.md | 2 - .../working-with-push-protection.md | 161 ------------------ 2 files changed, 163 deletions(-) delete mode 100644 content/code-security/secret-scanning/working-with-push-protection.md diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 159014016d05..6ed4b56d7499 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -26,11 +26,9 @@ children: - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection - /push-protection-for-repositories-and-organizations - - /working-with-push-protection - /pushing-a-branch-blocked-by-push-protection - /working-with-secret-scanning-and-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program --- - diff --git a/content/code-security/secret-scanning/working-with-push-protection.md b/content/code-security/secret-scanning/working-with-push-protection.md deleted file mode 100644 index aad21451649b..000000000000 --- a/content/code-security/secret-scanning/working-with-push-protection.md +++ /dev/null 
@@ -1,161 +0,0 @@ ---- -title: Working with push protection -intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets. To push a commit containing a secret, you must specify a reason for bypassing the block{% ifversion push-protection-delegated-bypass %}, or, if required, request bypass privileges to bypass the block{% endif %}.' -product: '{% data reusables.gated-features.push-protection-for-repos %}' -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Work with push protection ---- - -## About working with push protection - -Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets. - -You can work with push protection from the command line or from the web UI. - -For more information on working with push protection, including how to bypass the block if necessary, see "[Using push protection from the command line](#using-push-protection-from-the-command-line)" and "[Using push protection from the web UI](#using-push-protection-from-the-web-ui)" in this article. - -## Using push protection from the command line - -{% data reusables.secret-scanning.push-protection-command-line-choice %} - -Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. - -{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)." - -If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. 
For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." - -{% data reusables.secret-scanning.push-protection-multiple-branch-note %} - -In some cases, you may need to bypass the block on a secret. {% ifversion push-protection-delegated-bypass %} Whether or not you are able to bypass the block depends on the permissions that have been set for you by your repository administrator or organization owner. - -You may be able to bypass the block by specifying a reason for allowing the push. {% endif %} For more information on how to bypass push protection and push a blocked secret, see "[Bypassing push protection when working with the command line](#bypassing-push-protection-when-working-with-the-command-line)." - -{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to push the secret. For information on how to request permission to bypass push protection and push the blocked secret, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)." - -{% endif %} - -### Bypassing push protection when working with the command line - -If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed. 
- -{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} - -{% data reusables.secret-scanning.push-protection-allow-email %} - -{% ifversion push-protection-delegated-bypass %} - -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)." - -{% endif %} - -{% data reusables.secret-scanning.push-protection-visit-URL %} -{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} -{% data reusables.secret-scanning.push-protection-public-repos-bypass %} -1. Click **Allow me to push this secret**. -1. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process. - -{% ifversion push-protection-delegated-bypass %} - -### Requesting bypass privileges when working with the command line - -{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} - -If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. - -Requests expire after 7 days. 
- -{% data reusables.secret-scanning.push-protection-visit-URL %} -{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} -{% data reusables.secret-scanning.push-protection-submit-bypass-request %} -{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} - -{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} - -If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. - -If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)." - -{% endif %} - -## Using push protection from the web UI - -{% data reusables.secret-scanning.push-protection-web-ui-choice %} - -For a blocked commit, you can remove the secret from the file using the web UI. Once you remove the secret, you will be able to commit your changes. - -{% ifversion push-protection-block-uploads %} - -{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. The dialog box will show you which files contain the secret. You should remove the secret from the files before attempting to upload the files again. - -{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %} - -{% endif %} - -{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. - -Organization owners can provide a custom link that will be displayed when a push is blocked. 
This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. - -You may be able to bypass the block by specifying a reason for allowing the secret. For more information on how to bypass push protection and commit the blocked secret, see "[Bypassing push protection when working with the web UI](#bypassing-push-protection-when-working-with-the-web-ui)." - -{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to commit your changes. For information on how to request permission to bypass push protection and allow the commit containing the secret, see "[Requesting bypass privileges when working with the web UI](#requesting-bypass-privileges-when-working-with-the-web-ui)."{% endif %} - -### Bypassing push protection when working with the web UI - -{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-in-the-web-ui)." - -If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." - -If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret. 
- -{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} - -{% data reusables.secret-scanning.push-protection-allow-email %} - -{% ifversion push-protection-delegated-bypass %} - -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to commit your changes. For more information, see "[Requesting bypass privileges when working with the web UI](#requesting-bypass-privileges-when-working-with-the-web-ui)." - -{% endif %} - -1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. -{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} -{% data reusables.secret-scanning.push-protection-public-repos-bypass %} -1. Click **Allow secret**. - -{% ifversion push-protection-delegated-bypass %} - -### Requesting bypass privileges when working with the web UI - -{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} - -If your commit has been blocked by push protection, you can request permission to bypass the block. The request is sent to a designated group of reviewers, who will either approve or deny the request. - -Requests expire after 7 days. - -1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. -1. Click **Start request**. The request will open in a new tab. 
-{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} -{% data reusables.secret-scanning.push-protection-submit-bypass-request %} -{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} - -{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} - -If your request is approved, you can commit the changes containing the secret to the file. You can also commit any future changes that contain the same secret. - -If your request is denied, you will need to remove the secret from the file before you can commit your changes. - -{% endif %} - -## Further reading - -* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)" From 65d6b1cf43ab8a054424af881943a9caa1b02952 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 16:55:25 +0100 Subject: [PATCH 090/282] removing second article --- ...ing-a-branch-blocked-by-push-protection.md | 117 ------------------ 1 file changed, 117 deletions(-) delete mode 100644 content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md diff --git a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md b/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md deleted file mode 100644 index 6a40a2960f41..000000000000 --- a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -title: Pushing a branch blocked by push protection -intro: 'Push protection proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.' -product: '{% data reusables.gated-features.push-protection-users-and-repos %}' -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Push a blocked branch ---- - -## About push protection - -Push protection helps to prevent security leaks by scanning for secrets before you push changes to your repository. - -When you try to push a secret to a repository secured by push protection, {% data variables.product.prodname_dotcom %} blocks the push. You must remove the secret from your branch before pushing again. For more information on how to resolve a blocked push, see "[Resolving a blocked push on the command line](#resolving-a-blocked-push-on-the-command-line)" and "[Resolving a blocked commit in the web UI](#resolving-a-blocked-commit-in-the-web-ui)" in this article. - -If you believe it's safe to allow the secret, you {% ifversion push-protection-delegated-bypass %}may {% endif %}have the option to bypass the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)." - -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
- -## Resolving a blocked push on the command line - -{% data reusables.secret-scanning.push-protection-command-line-choice %} - -{% data reusables.secret-scanning.push-protection-multiple-branch-note %} - -### Removing a secret introduced by the latest commit on your branch - -If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. - -1. Remove the secret from your code. -1. To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit. -1. Push your changes with `git push`. - -### Removing a secret introduced by an earlier commit on your branch - -You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. - -1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. - - ```text - remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} —————————————————————— - remote: locations: - remote: - commit: 8728dbe67 - remote: path: README.md:4 - remote: - commit: 03d69e5d3 - remote: path: README.md:4 - remote: - commit: 8053f7b27 - remote: path: README.md:4 - ``` - -1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps. 
- - ```text - test-repo (test-branch)]$ git log - commit 8053f7b27 (HEAD -> main) - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 13:03:37 2024 +0100 - - my fourth commit message - - commit 03d69e5d3 - Author: Octocat <1000+octocat@users.noreply.github.com> - Date: Tue Jan 30 13:02:59 2024 +0100 - - my third commit message - - commit 8728dbe67 - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 13:01:36 2024 +0100 - - my second commit message - - commit 6057cbe51 - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 12:58:24 2024 +0100 - - my first commit message - -1. Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history. - * In the example, commit `8728dbe67` was the first commit to contain the secret. -1. Start an interactive rebase with `git rebase -i ~1`. - * For ``, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`. -1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text. - - ```text - edit 8728dbe67 my second commit message - pick 03d69e5d3 my third commit message - pick 8053f7b27 my fourth commit message - ``` - -1. Save and close the editor to start the interactive rebase. -1. Remove the secret from your code. -1. Commit your changes using `git commit --amend`. -1. Run `git rebase --continue` to finish the rebase. -1. Push your changes with `git push`. - -## Resolving a blocked commit in the web UI - -{% data reusables.secret-scanning.push-protection-web-ui-choice %} - -To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. - -Alternatively, if you determine that it's safe to allow the secret, use the options displayed in the dialog box to bypass push protection. 
For more information about bypassing push protection from the web UI, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection#bypassing-push-protection-when-working-with-the-web-ui)." - -# Further reading - -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)"{% ifversion secret-scanning-push-protection-for-users %} -* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)"{% endif %} From 17fa7a7b40d8237245433cc9b1f4b60e30de6aa9 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 17:04:12 +0100 Subject: [PATCH 091/282] removing from index --- content/code-security/secret-scanning/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 6ed4b56d7499..622c992bdbf6 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -26,7 +26,6 @@ children: - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection - /push-protection-for-repositories-and-organizations - - /pushing-a-branch-blocked-by-push-protection - /working-with-secret-scanning-and-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection From 10aea3c9a599ca715f1a8119e6121a9fc51e2234 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 16 Jul 2024 09:38:11 +0100 Subject: [PATCH 092/282] minor edits --- ...h-push-protection-from-the-command-line.md | 22 +++------------- ...g-with-push-protection-in-the-github-ui.md | 26 +++++++------------ 2 files changed, 14 insertions(+), 34 deletions(-) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index 8c415c04b2b7..c3e2c97bd5e6 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md @@ -1,5 +1,5 @@ --- -title: Working with push protection from the command line +title: Working with push protection from the command line shortTitle: Work with push protection from the command line intro: 'TODO' product: '{% data reusables.gated-features.secret-scanning %}' 
@@ -24,24 +24,14 @@ When you attempt to push a supported secret from the command line to a repositor You should either: * **Remove** the secret from your branch. For more information, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." -* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line)"{% ifversion push-protection-delegated-bypass %} and "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line){% endif %}." +* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line){% endif %}." Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. -{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." - If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. 
Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." {% data reusables.secret-scanning.push-protection-multiple-branch-note %} -In some cases, you may need to bypass the block on a secret. {% ifversion push-protection-delegated-bypass %} Whether or not you are able to bypass the block depends on the permissions that have been set for you by your repository administrator or organization owner. - -You may be able to bypass the block by specifying a reason for allowing the push. {% endif %} For more information on how to bypass push protection and push a blocked secret, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line)." - -{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to push the secret. For information on how to request permission to bypass push protection and push the blocked secret, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)." - -{% endif %} - ## Resolving a blocked push from the command line To resolve a blocked push, you must remove the secret from all of the commits it appears in. 
@@ -127,11 +117,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-allow-email %} -{% ifversion push-protection-delegated-bypass %} - -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line)." - -{% endif %} +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges-when-working-from-the-command-line)" in the {% data variables.product.prodname_ghe_cloud %} documentation. {% data reusables.secret-scanning.push-protection-visit-URL %} {% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} @@ -164,4 +150,4 @@ If your request is denied, you will need to remove the secret from all commits c ## Further reading -* TODO +* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui) 
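Review bot: The paragraph beginning "If you don't see the option to bypass the block" loses its `{% ifversion push-protection-delegated-bypass %}` guard in the `@@ -127,11 +117,7 @@` hunk and now links to the `/enterprise-cloud@latest/` copy of the article for every version. Where the flag is on, the "Requesting bypass privileges" section presumably still renders on this page, so readers are sent to another product's documentation for steps they already have in front of them. I would keep both branches explicit: `{% ifversion push-protection-delegated-bypass %}` with the original in-page link `(#requesting-bypass-privileges-when-working-from-the-command-line)`, and `{% else %}` with the cross-product link. The paragraph added in the `@@ -63,6 +55,8 @@` hunk of `working-with-push-protection-in-the-github-ui.md` is unguarded in the same way.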
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index fe9a8770db96..ee2320af5303 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -17,32 +17,24 @@ topics: ## About push protection in the {% data variables.product.prodname_dotcom %} UI -Push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets. - -{% data reusables.secret-scanning.push-protection-web-ui-choice %} - -You should either: - -* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI](#resolving-a-blocked-commit-in-the-github-ui)." -* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui)"{% ifversion push-protection-delegated-bypass %} and "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui){% endif %}." +When you are creating and editing files in the {% data variables.product.prodname_dotcom %} UI, push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets. {% ifversion push-protection-block-uploads %} -{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. The dialog box will show you which files contain the secret. You should remove the secret from the files before attempting to upload the files again. +{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. {% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %} {% endif %} -{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. 
If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. - -Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. +You should either: -You may be able to bypass the block by specifying a reason for allowing the secret to be committed. For more information on how to bypass push protection and commit the blocked secret, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui)." +* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI](#resolving-a-blocked-commit-in-the-github-ui)." +* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui){% endif %}." -{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to commit the secret. 
For information on how to request permission to bypass push protection and allow the secret, see "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui)." +{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. -{% endif %} +Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. ## Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI 
@@ -63,6 +55,8 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-public-repos-bypass %} 1. Click **Allow secret**. +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges-when-working-in-the-github-ui)" in the {% data variables.product.prodname_ghe_cloud %} documentation. + {% ifversion push-protection-delegated-bypass %} ## Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI @@ -89,4 +83,4 @@ If your request is denied, you will need to remove the secret from the file befo ## Further reading -* TODO +* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line) From b6eabae0ed15dc9d75ed8ff7739c3041e5eca8ec Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 16 Jul 2024 10:17:00 +0100 Subject: [PATCH 093/282] adding intros --- .../index.md | 2 +- .../secret-scanning-for-your-user-owned-repositories.md | 5 ++--- .../working-with-push-protection-from-the-command-line.md | 2 +- .../working-with-push-protection-in-the-github-ui.md | 2 +- 4 files changed, 5 insertions(+), 6 deletions(-) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
index 8a1abc5f94d9..fea26a8e2b33 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
@@ -2,7 +2,7 @@
 title: Working with secret scanning and push protection
 shortTitle: Work with secret scanning
 allowTitleToDifferFromFilename: true
-intro: 'TODO'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} scans for and detects secrets that have been checked into a repository. Push protection proactively secures you against leaking secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
index 87d634f155de..ca93c2894dc1 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
@@ -1,9 +1,8 @@
 ---
-title: Enabling secret scanning alerts for your user-owned repositories
+title: Enabling secret scanning alerts for your user-owned repositories
 shortTitle: Secret scanning alerts for user-owned repositories
 intro: 'TODO'
-product: '{% data reusables.gated-features.secret-scanning %}'
-versions:
+versions:
 feature: secret-scanning-enable-by-default-for-public-repos
 type: how_to
 topics:
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index c3e2c97bd5e6..0e87b1988e8c 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -1,7 +1,7 @@
 ---
 title: Working with push protection from the command line
 shortTitle: Work with push protection from the command line
-intro: 'TODO'
+intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index ee2320af5303..22f5716935d5 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -1,7 +1,7 @@
 ---
 title: Working with push protection in the GitHub UI
 shortTitle: Work with push protection in the GitHub UI
-intro: 'TODO'
+intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking commits containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 94b19a4d1dbdf8ca71484353cd72e2801ea4f40b Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 16 Jul 2024 11:29:18 +0100
Subject: [PATCH 094/282] fix test
---
 .../secret-scanning-for-your-user-owned-repositories.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
index ca93c2894dc1..407a25ff7b17 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
@@ -2,6 +2,7 @@
 title: Enabling secret scanning alerts for your user-owned repositories
 shortTitle: Secret scanning alerts for user-owned repositories
 intro: 'TODO'
+allowTitleToDifferFromFilename: true
 versions:
 feature: secret-scanning-enable-by-default-for-public-repos
 type: how_to
From 0db4f0aefff0af03455524eb46d793272e7a4c2d Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 16 Jul 2024 11:38:23 +0100
Subject: [PATCH 095/282] fix learning tracks
---
 data/learning-tracks/code-security.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 82650c37c290..4b518db729c1 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -127,10 +127,14 @@ secret_scanning: endif %} - >- {% ifversion secret-scanning-push-protection-for-users - %}/code-security/secret-scanning/push-protection-for-users{% endif %} + %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users{% endif %} - >- {% ifversion secret-scanning-push-protection - %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{% + %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line{% + endif %} + - >- + {% ifversion secret-scanning-push-protection + %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui{% endif %} - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning security_alerts: From fd163c783a1de07f159d490c5170050783f96934 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 12:18:40 +0100 Subject: [PATCH 096/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md Co-authored-by: Felicity Chapman --- .../non-provider-patterns/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md index 4a97751ff251..8ee2edb91607 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md 
@@ -2,7 +2,7 @@
 title: Non-provider patterns
 shortTitle: Non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'Non-provider patterns, such as private keys, are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scan for this type of pattern, but you can override the default behavior.'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} can also alert you to the potential use of other types of secret in code, for example: HTTP authentication headers, connection strings, and private keys. These non-provider patterns are more difficult to detect reliably so this feature is not enabled by default.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From a8d121e7719007f9b7e73f6912ad6d2a4ec2bf41 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 12:18:55 +0100
Subject: [PATCH 097/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
Co-authored-by: Felicity Chapman
---
 .../enabling-secret-scanning-for-non-provider-patterns.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 916ef7ed1949..6106ed66d6f5 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'You can enable {% data variables.product.prodname_secret_scanning %} for non-provider patterns at the repository and organization levels.'
+intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the repository and organization levels.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From 6580b3d80f4329f72fba2078f8ebb94b626a6fab Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 13:44:04 +0100
Subject: [PATCH 098/282] apply Felicitys suggestion
---
 .../enabling-secret-scanning-for-non-provider-patterns.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 916ef7ed1949..2e416174c092 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -20,12 +20,18 @@ shortTitle: Enable for non-provider patterns You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. +For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." + +### Enabling detection of non-provider patterns for a repository + {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-code-security-and-analysis %} 1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." +### Enabling detection of non-provider patterns for an organization + +You can enable scanning for non-provider patterns at the organization level. For more information, see "[Configuring global secret scanning settings](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-secret-scanning-settings)." ## Further reading From bdc538b5eac3976016045f55a7cff32760223330 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 13:56:21 +0100 Subject: [PATCH 099/282] apply required versioning --- ...abling-secret-scanning-for-non-provider-patterns.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 2d21bf860b60..2da05bbaa359 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the repository and organization levels.'
+intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the {% ifversion security-configurations %}repository and organization levels{% else %} repository level{% endif %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: secret-scanning-non-provider-patterns
@@ -22,17 +22,25 @@ You can enable scanning for non-provider patterns. Non-provider patterns corresp For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." +{% ifversion security-configurations %} + ### Enabling detection of non-provider patterns for a repository +{%endif %} + {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-code-security-and-analysis %} 1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". +{% ifversion security-configurations %} + ### Enabling detection of non-provider patterns for an organization You can enable scanning for non-provider patterns at the organization level. For more information, see "[Configuring global secret scanning settings](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-secret-scanning-settings)." +{% endif %} + ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)" From 194c7c21eeb5507a9ffc3948384d104fd544f110 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 13:56:56 +0100 Subject: [PATCH 100/282] remove superfluous space --- .../enabling-secret-scanning-for-non-provider-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 2da05bbaa359..f34762c6bff5 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the {% ifversion security-configurations %}repository and organization levels{% else %} repository level{% endif %}.'
+intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the {% ifversion security-configurations %}repository and organization levels{% else %}repository level{% endif %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From 212ea5c72445f78ed540441b7a99ff237064d3c9 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:03:25 +0100
Subject: [PATCH 101/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
Co-authored-by: Felicity Chapman
---
 .../managing-requests-to-bypass-push-protection.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 063eb8f66346..4ed5edcad5a5 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -18,9 +18,9 @@ shortTitle: Manage bypass requests {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. +An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection." > [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. From 261cf0b8262dfed801681d162baab95031837492 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:05:44 +0100
Subject: [PATCH 102/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
Co-authored-by: Felicity Chapman
---
 .../managing-requests-to-bypass-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 4ed5edcad5a5..ae4724e610e2 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Managing requests to bypass push protection
-intro: 'As a member of the bypass list for an organization or repository, you can process bypass requests from other members of the organization or repository.'
+intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.'
 versions:
From 452df4db810709f847fc32dd12427fdea51c4572 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:31:26 +0100 Subject: [PATCH 103/282] add Felicitys suggestion --- .../enabling-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 12fe1b29473e..6d6d6e031653 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -20,7 +20,7 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." -To enable this feature, you first need to create a bypass list to add roles and teams who will manage request to bypass push protection. This step is included in the sections below. +When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. ### Configuring delegated bypass for an organization From 332ad21934c74c38d8b863af5692400ad59ee68d Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:33:16 +0100 Subject: [PATCH 104/282] moved note as suggested --- .../enabling-delegated-bypass-for-push-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 6d6d6e031653..20c95220e062 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -22,6 +22,8 @@ shortTitle: Enable delegated bypass When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. +>[!NOTE] You can't add secret teams to the bypass list. + ### Configuring delegated bypass for an organization {% data reusables.organizations.navigate-to-org %} 
@@ -33,7 +35,6 @@ When you enable this feature, you will create a bypass list of roles and teams w {% data reusables.repositories.navigate-to-ghas-settings %} 1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. 1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. ### Configuring delegated bypass for a repository From 43e02c7d9ef173345d5fd501abf63d75c5e0d8b5 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:33:58 +0100 Subject: [PATCH 105/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md Co-authored-by: Felicity Chapman --- .../managing-requests-to-bypass-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index ae4724e610e2..3a3437f5c062 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -2,7 +2,7 @@
 title: Managing requests to bypass push protection
 intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
-permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.'
+permissions: 'Members of the bypass list can process requests from non-members to bypass push protection.'
 versions:
 feature: push-protection-delegated-bypass
 type: how_to
From 170eddcacf1723dad028fee324cff197a9884094 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:39:12 +0100
Subject: [PATCH 106/282] addressed more comments add added missing parenthesis
---
 .../push-protection-for-repositories-and-organizations.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index f96fba943791..6fad831be8e0 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -126,3 +126,4 @@ You can use the organization settings page for "Code security and analysis" to e
 * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
 * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"
From 6300de58ca0210bfb297ca36f8a4d90de67a39ea Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:41:23 +0100
Subject: [PATCH 107/282] addressed more comments
---
 ...ging-requests-to-bypass-push-protection.md | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 3a3437f5c062..87d5907ec178 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -20,10 +20,20 @@ shortTitle: Manage bypass requests {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection." +An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." > [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. +### Managing requests to bypass push protection at the repository-level + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.bypass-requests-settings %} +1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. +1. Click the request that you want to review. +1. Review the details of the request. +1. 
To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. + You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: |Status|Description| @@ -37,13 +47,3 @@ You can filter requests by approver (member of the bypass list), requester (cont When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. - -### Managing requests to bypass push protection at the repository-level - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -{% data reusables.repositories.bypass-requests-settings %} -1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. -1. Click the request that you want to review. -1. Review the details of the request. -1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. From 329a2d27ac4c6e6a310757cb3b8693788a46210e Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:42:18 +0100
Subject: [PATCH 108/282] add heading
---
 .../managing-requests-to-bypass-push-protection.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 87d5907ec178..65ee3f08cf71 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -34,6 +34,8 @@ An organization owner or repository administrator defines which roles and teams
 1. Review the details of the request.
 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
+### Filtering by request status
+
 You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request:
 |Status|Description|
From ed4809755a1d5adb87f66b2a46db188ae0579a40 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 16:01:07 +0100
Subject: [PATCH 109/282] add versioning to fix test failure
---
 .../push-protection-for-repositories-and-organizations.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index 6fad831be8e0..8685f584d085 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -125,5 +125,5 @@ You can use the organization settings page for "Code security and analysis" to e
 ## Further reading
 * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
-* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
-* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %}
From 6de98b640f2c5bb5370159f00c309907f38811df Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 08:34:27 +0100
Subject: [PATCH 110/282] address anoter comment
---
 .../managing-requests-to-bypass-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 65ee3f08cf71..2308595dd8f9 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -29,7 +29,7 @@ An organization owner or repository administrator defines which roles and teams
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.bypass-requests-settings %}
-1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review.
+1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed yet.
 1. Click the request that you want to review.
 1. Review the details of the request.
 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
From 394780335694c7195bcd4530a7619fa9c91b7c0a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 08:40:15 +0100
Subject: [PATCH 111/282] improve
---
 .../managing-requests-to-bypass-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 2308595dd8f9..8dbb251678ac 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -29,7 +29,7 @@ An organization owner or repository administrator defines which roles and teams
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.bypass-requests-settings %}
-1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed yet.
+1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed to the repository yet.
 1. Click the request that you want to review.
 1. Review the details of the request.
 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
From 45cfbe39e8bc52344b105b4ad72349991191c30c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:25:57 +0100
Subject: [PATCH 112/282] fix failing test
---
 content/code-security/secret-scanning/index.md | 1 -
 .../index.md | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 14ed25efca8c..049fdbfd735f 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -18,7 +18,6 @@ children:
 - /introduction
 - /configuring-secret-scanning-for-your-repositories
 - /managing-alerts-from-secret-scanning
- - /secret-scanning-patterns
 - /push-protection-for-repositories-and-organizations
 - /push-protection-for-users
 - /working-with-push-protection
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index b9ce661324e4..1d7041f27b6f 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -2,7 +2,7 @@
 title: Using advanced secret scanning and push protection features
 shortTitle: Advanced features
 allowTitleToDifferFromFilename: true
-intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company..'
+intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 14a60c49edaf9bb95c0a6c9d4cca19b673359ded Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:29:06 +0100
Subject: [PATCH 113/282] fix failing test
---
 content/code-security/secret-scanning/index.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 049fdbfd735f..4a89e1e35d5a 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -18,7 +18,6 @@ children:
 - /introduction
 - /configuring-secret-scanning-for-your-repositories
 - /managing-alerts-from-secret-scanning
- - /push-protection-for-repositories-and-organizations
 - /push-protection-for-users
 - /working-with-push-protection
 - /pushing-a-branch-blocked-by-push-protection
From a5873041dd0fb5993e0ecef7e437f1a45538cce7 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:36:54 +0100
Subject: [PATCH 114/282] fix another failing test
---
 .../introduction/about-secret-scanning-for-partners.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index bb92155920a2..a1372cd50cea 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -19,6 +19,6 @@ TODO: Provide high-level overview of partner program
 You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
From c5a9eb6b038387e633980ae8a39300dc59513514 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:43:04 +0100
Subject: [PATCH 115/282] add missing redirect
---
 ...generating-regular-expressions-for-custom-patterns-with-ai.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
index b8144155c074..d0bd68b2a1d1 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
@@ -12,6 +12,7 @@ topics:
 - AI
 redirect_from:
 - /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai
+ - /code-security/secret-scanning/about-generating-regular-expressions-with-ai.md
 ---
 ## Generating a regular expression for a repository with AI
From 32ddc5db1142b002cce18502c65e4d30446b8b53 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:49:37 +0100
Subject: [PATCH 116/282] add to the correct article duh
---
 .../about-generating-regular-expressions-with-ai.md | 1 +
 ...generating-regular-expressions-for-custom-patterns-with-ai.md | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md
index 740a14bba5fa..f40e85f4a19e 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md
@@ -13,6 +13,7 @@ topics:
 - AI
 redirect_from:
 - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns
+ - /code-security/secret-scanning/about-generating-regular-expressions-with-ai.md
 ---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
index d0bd68b2a1d1..b8144155c074 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
@@ -12,7 +12,6 @@ topics:
 - AI
 redirect_from:
 - /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai
- - /code-security/secret-scanning/about-generating-regular-expressions-with-ai.md
 ---
 ## Generating a regular expression for a repository with AI
From 5135608acf9cac6e28672274a21ffd55859ffd57 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 14:35:22 +0100 Subject: [PATCH 117/282] more work --- .../introduction/about-push-protection.md | 81 ++----------------- 1 file changed, 6 insertions(+), 75 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index b93ebabf710e..910baeae25b4 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -1,6 +1,6 @@ --- title: About push protection -intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.' +intro: 'TODO.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: fpt: '*' 
@@ -19,22 +19,14 @@ topics: shortTitle: Push protection --- -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} +Push protection is a {% data variables.product.prodname_secret_scanning %} that ## About push protection for repositories and organizations {% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} -{% data reusables.secret-scanning.push-protection-bypass %} - -{% data reusables.secret-scanning.bypass-reasons-and-alerts %} - -{% ifversion push-protection-delegated-bypass %} - By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." -{% endif %} - {% ifversion secret-scanning-bypass-filter %} On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. 
For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." 
@@ -57,74 +49,13 @@ If you are an organization owner or security manager, you can view metrics on ho {% endnote %} {% endif %} -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection - -For you to use {% data variables.product.prodname_secret_scanning %} as a push protection in public repositories, the {% ifversion secret-scanning-enterprise-level %}enterprise,{% endif %} organization{% ifversion secret-scanning-enterprise-level %},{% endif %} or repository needs to have {% data variables.product.prodname_secret_scanning %} enabled.{% ifversion secret-scanning-push-protection-private-internal %} To use {% data variables.product.prodname_secret_scanning %} as a push protection in private or internal repositories,{% ifversion secret-scanning-user-owned-repos %} or in user-owned repositories{% ifversion ghec %} for {% data variables.product.prodname_emus %}{% endif %},{% endif %} the enterprise or organization also needs to have {% data variables.product.prodname_GH_advanced_security %} enabled.{% endif %} For more information, see {% ifversion secret-scanning-enterprise-level %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise),"{% endif %} "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)," "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)," and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." 
- -Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. - -Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret. - -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)." - -{% endif %} - -{% ifversion secret-scanning-enterprise-level-api %} -Enterprise administrators can also enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for the enterprise via the API. For more information, see "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis)."{% endif %} - -{% note %} - -**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, this is not enabled by default on the fork. You can enable it on the fork the same way you enable it on a standalone repository. 
- -{% endnote %} - -{% ifversion secret-scanning-enterprise-level %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for your enterprise - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -1. In the left sidebar, click **Code security and analysis**. -{% data reusables.advanced-security.secret-scanning-push-protection-enterprise %} -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization - -{% ifversion security-configurations-ga %} -You can find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." - -{% elsif security-configurations-beta-and-pre-beta %} - -You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization. - -{% data reusables.organizations.navigate-to-org %} -{% data reusables.organizations.org_settings %} -{% data reusables.organizations.security-and-analysis %} - -{% ifversion security-configurations-beta-only %} - {% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling push protection and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." 
-{% endif %} - -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-push-protection-org %} - -{% data reusables.security.note-securing-your-org %} -{% endif %} +For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)." -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for a repository +## About push protection for users. -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-push-protection-repo %} +TODO Add link to enabling article, which is new. ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %} +* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" From 22a3f70cc773447db5a4c399167f653007f9b516 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 14:43:21 +0100
Subject: [PATCH 118/282] transfer updates from the other PR
---
 ...g-secret-scanning-for-your-repositories.md | 22 +-----
 ...-folders-and-files-from-secret-scanning.md | 71 +++++++++++++++++++
 .../index.md | 1 +
 data/learning-tracks/code-security.yml | 2 +
 4 files changed, 75 insertions(+), 21 deletions(-)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
index 938e3b44602a..cd465ce7ff61 100644
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
@@ -102,27 +102,7 @@ You can enable {% data variables.product.prodname_secret_scanning %} for all of
 ## Excluding directories from {% data variables.secret-scanning.user_alerts %}
-You can configure a _secret_scanning.yml_ file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For example, you can exclude directories that contain tests or randomly generated content.
-
-{% data reusables.repositories.navigate-to-repo %}
-{% data reusables.files.add-file %}
-1. In the file name field, type _.github/secret_scanning.yml_.
-1. Under **Edit new file**, type `paths-ignore:` followed by the paths you want to exclude from {% data variables.product.prodname_secret_scanning %}.
-
- ``` yaml
- paths-ignore:
- - "foo/bar/*.js"
- ```
-
- You can use special characters, such as `*` to filter paths. For more information about filter patterns, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)."
-
- {% note %}
-
- **Notes:**
- * If there are more than 1,000 entries in `paths-ignore`, {% data variables.product.prodname_secret_scanning %} will only exclude the first 1,000 directories from scans.
- * If `secret_scanning.yml` is larger than 1 MB, {% data variables.product.prodname_secret_scanning %} will ignore the entire file.
-
- {% endnote %}
+You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/excluding-folders-and-files-from-secret-scanning)."
 You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
new file mode 100644
index 000000000000..f07b77edbbfc
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
@@ -0,0 +1,71 @@
+---
+title: Excluding folders and files from secret scanning
+intro: 'You can customize {% data variables.product.prodname_secret_scanning %} to exclude directories or files from analysis, by configuring a `secret_scanning.yml` file in your repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+shortTitle: Exclude folders and files
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
+
+## About {% data variables.product.prodname_secret_scanning %}
+
+{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."
+
+## About excluding directories from {% data variables.secret-scanning.user_alerts %}
+
+You may have a reason to commit a secret to a repository, such as when you want to provide a fake secret in documentation, or in an example application. In these scenarios, you can quickly dismiss the alert and document the reasons. However, there may be cases where you want to ignore a directory entirely to avoid creating false positive alerts at scale. For example, you might have a monolithic application with several integrations containing a file of dummy keys that could set off numerous false alerts to triage.
+
+You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection.
+
+## Excluding directories from {% data variables.secret-scanning.user_alerts %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.files.add-file %}
+1. In the file name field, type _.github/secret_scanning.yml_.
+1. Under **Edit new file**, type `paths-ignore:` followed by the paths you want to exclude from {% data variables.product.prodname_secret_scanning %}.
+
+ ``` yaml copy
+ paths-ignore:
+ - "docs/**"
+ ```
+
+ This tells {% data variables.product.prodname_secret_scanning %} to ignore everything in the `docs` directory. You can use this example file as a template to add the files and folders you’d like to exclude from your own repositories.
+
+ You can also use special characters, such as `*` to filter paths. For more information about filter patterns, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)."
+
+ ``` yaml copy
+ paths-ignore:
+ - "foo/bar/*.js"
+ ```
+
+ {% note %}
+
+ **Notes:**
+ * If there are more than 1,000 entries in `paths-ignore`, {% data variables.product.prodname_secret_scanning %} will only exclude the first 1,000 directories from scans.
+ * If `secret_scanning.yml` is larger than 1 MB, {% data variables.product.prodname_secret_scanning %} will ignore the entire file.
+
+ {% endnote %}
+
+## Verifying that the folder is excluded from {% data variables.product.prodname_secret_scanning %}
+
+1. Open a file in a directory that you have excluded from secret scanning
+1. Paste a pre-invalidated secret, or a test secret.
+1. Commit the change.
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the `README.md` file.
+
+## Best practices
+
+Best practices include:
+
+* Minimizing the number of directories excluded and being as precise as possible when defining exclusions. This ensures that the instructions are as clear as possible, and that exclusions work as intended.
+* Explaining why a particular file or folder is excluded in a comment in the `secret_scanning.yml` file. As with regular code, using comments clarifies your intend, making it easier for others to understand the desired behavior.
+* Reviewing the `secret_scanning.yml` file on a regular basis. Some exclusions may no longer apply with time, and it is good practice to keep the file clean and current. The use of comments, as advised above, can help with this.
+* Informing the security team what files and folders you've excluded, and why. Good communication is vital in ensuring that everyone is on the same page, and understands why specific folders or files are excluded.
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index b9ce661324e4..76c0002b6ec9 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -13,6 +13,7 @@ topics:
 - Advanced Security
 - Repositories
 children:
+ - /excluding-folders-and-files-from-secret-scanning
 - /non-provider-patterns
 - /generic-secret-detection
 - /custom-patterns
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index daa509a42e9f..9d28c71c5780 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -115,6 +115,8 @@ secret_scanning:
 - /code-security/secret-scanning/about-secret-scanning
 - >-
 /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
+ - >-
+ /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
 - >-
 {% ifversion not fpt %}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{%
From 48a892344e90e9e17816ebb5b814140f31af0568 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 14:48:02 +0100
Subject: [PATCH 119/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
---
 .../excluding-folders-and-files-from-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
index f07b77edbbfc..615d45ac73ab 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
@@ -59,7 +59,7 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da
 1. Paste a pre-invalidated secret, or a test secret.
 1. Commit the change.
 {% data reusables.repositories.navigate-to-repo %}
-{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the `README.md` file.
+{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the file.
 ## Best practices
From fc654ddebaf00aaaf81f9b6a5f0b389cc14fb983 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 15:29:46 +0100
Subject: [PATCH 120/282] more updates
---
 .../configuring-secret-scanning-for-your-repositories.md | 2 +-
 .../excluding-folders-and-files-from-secret-scanning.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
index cd465ce7ff61..8f6d95f42788 100644
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
@@ -102,7 +102,7 @@ You can enable {% data variables.product.prodname_secret_scanning %} for all of
 ## Excluding directories from {% data variables.secret-scanning.user_alerts %}
-You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/excluding-folders-and-files-from-secret-scanning)."
+You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)."
 You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
index f07b77edbbfc..615d45ac73ab 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
@@ -59,7 +59,7 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da
 1. Paste a pre-invalidated secret, or a test secret.
 1. Commit the change.
 {% data reusables.repositories.navigate-to-repo %}
-{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the `README.md` file.
+{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the file.
 ## Best practices
From 7bb2334a44acf382153aef823b229aaeae519236 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 15:34:09 +0100
Subject: [PATCH 121/282] oops
---
 data/learning-tracks/code-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 9d28c71c5780..1fb864610383 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -116,7 +116,7 @@ secret_scanning:
 - >-
 /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
 - >-
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
+ /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning
 - >-
 {% ifversion not fpt %}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{%
From 45f4d60217af224411f5e313f00cf3b3f53142dd Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:07:10 +0100
Subject: [PATCH 122/282] more work on new high level articles
---
 .../secret-scanning/introduction/about-push-protection.md | 4 +++-
 .../introduction/about-secret-scanning-for-partners.md | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 910baeae25b4..33ab8c01f646 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -19,7 +19,9 @@ topics:
 shortTitle: Push protection
 ---
-Push protection is a {% data variables.product.prodname_secret_scanning %} that
+Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository.
+
+You can apply push protection at repository/organization level, and for your user account on {% data variables.product.prodname_dotcom %}.
 ## About push protection for repositories and organizations
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index a1372cd50cea..29cbf313f2c6 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -3,7 +3,7 @@ title: About secret scanning for partners
 intro: 'TODO'
 versions:
 fpt: '*'
- ghes: '*'
+ ghec: '*'
 type: overview
 topics:
 - Secret scanning
@@ -13,6 +13,10 @@ shortTitle: Secret scanning for partners
 ## About {% data variables.secret-scanning.partner_alerts %}
+Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
+
+{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
+
 TODO: Provide high-level overview of partner program
 **Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages.
From 59620faeb0a7fccd9a9c111a8ef593fbed1848b0 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:38:07 +0100
Subject: [PATCH 123/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
Co-authored-by: Felicity Chapman
---
 .../secret-scanning-for-your-user-owned-repositories.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
index 407a25ff7b17..8a591ec76f29 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning alerts for your user-owned repositories
 shortTitle: Secret scanning alerts for user-owned repositories
-intro: 'TODO'
+intro: 'You can protect yourself from accidentally leaking secrets from your {% ifversion ghec %}user-owned {% endif %}public repositories using {% data variables.product.prodname_secret_scanning %} and push protection.'
 allowTitleToDifferFromFilename: true
 versions:
 feature: secret-scanning-enable-by-default-for-public-repos
From bc6f8ec065984df67bec4f9ad7df89d7b0130656 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:38:30 +0100
Subject: [PATCH 124/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
Co-authored-by: Felicity Chapman
---
 .../working-with-push-protection-from-the-command-line.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index 0e87b1988e8c..38386ca776ff 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -1,6 +1,6 @@
 ---
 title: Working with push protection from the command line
-shortTitle: Work with push protection from the command line
+shortTitle: Push protection on the command line
 intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
From f64d6b8cbd904f2e4b88e59245bf76d450b52592 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:39:18 +0100
Subject: [PATCH 125/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
Co-authored-by: Felicity Chapman
---
 .../working-with-push-protection-from-the-command-line.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index 38386ca776ff..7ee0b6c7ea91 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -32,7 +32,7 @@ If you confirm a secret is real and that you intend to fix it later, you should
 {% data reusables.secret-scanning.push-protection-multiple-branch-note %}
-## Resolving a blocked push from the command line
+## Resolving a blocked push
 To resolve a blocked push, you must remove the secret from all of the commits it appears in.
 * If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)."
From c78e9f7a76d56a53ac4ffb368d009eae9b2e7d4e Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:39:32 +0100
Subject: [PATCH 126/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
Co-authored-by: Felicity Chapman
---
 .../working-with-push-protection-in-the-github-ui.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index 22f5716935d5..c01b5cfdef57 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -36,7 +36,7 @@ You should either:
 Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history.
-## Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI
+## Resolving a blocked commit
 {% data reusables.secret-scanning.push-protection-web-ui-choice %}
From 819f7b64e70e340b35275de4fefdce244a914225 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:39:58 +0100
Subject: [PATCH 127/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
Co-authored-by: Felicity Chapman
---
 .../working-with-push-protection-in-the-github-ui.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index c01b5cfdef57..6754ad5d3859 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -42,7 +42,7 @@ Organization owners can provide a custom link that will be displayed when a push
 To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes.
-## Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI
+## Bypassing push protection
 If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret.
From c6343f05331b5029d1c78af5a1726d0db98c3638 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:40:06 +0100
Subject: [PATCH 128/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
Co-authored-by: Felicity Chapman
---
 .../working-with-push-protection-in-the-github-ui.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index 6754ad5d3859..bf22d85d64e5 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -59,7 +59,7 @@ If you don't see the option to bypass the block, the repository administrator or
 {% ifversion push-protection-delegated-bypass %}
-## Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI
+## Requesting bypass privileges
 {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
From 16eccb2d11b5672ab6479c31990f333f65a87d64 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:40:47 +0100
Subject: [PATCH 129/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
Co-authored-by: Felicity Chapman
---
 .../working-with-push-protection-from-the-command-line.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index 7ee0b6c7ea91..04fd3e50d208 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -109,7 +109,7 @@ You can also remove the secret if the secret appears in an earlier commit in the
 1. Run `git rebase --continue` to finish the rebase.
 1. Push your changes with `git push`.
-## Bypassing push protection when working from the command line
+## Bypassing push protection
 If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed.
From 600476ac66bada2ad4599cce4c3c97a0a0581762 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:49:13 +0100
Subject: [PATCH 130/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
Co-authored-by: Felicity Chapman
---
 .../working-with-push-protection-from-the-command-line.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index 04fd3e50d208..f009fb0b5fc7 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -127,7 +127,7 @@ If you don't see the option to bypass the block, the repository administrator or
 {% ifversion push-protection-delegated-bypass %}
-## Requesting bypass privileges when working from the command line
+## Requesting bypass privileges
 {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
From 380beba0242138aab52ec69936100e2f59ecae17 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:49:30 +0100
Subject: [PATCH 131/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
Co-authored-by: Felicity Chapman
---
 .../secret-scanning-for-your-user-owned-repositories.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
index 8a591ec76f29..e8a558314196 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
@@ -18,7 +18,7 @@ redirect_from: You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. ->! NOTE +> [! NOTE] > As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". ## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories From dfc2848dda561b231ad6796db817e52b43a18621 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:49:46 +0100 Subject: [PATCH 132/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-in-the-github-ui.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index bf22d85d64e5..d887b50628d8 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md @@ -1,7 +1,7 @@ --- title: Working with push protection in the GitHub UI shortTitle: Work with push protection in the GitHub UI -intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking commits containing secrets.' +intro: 'Learn your options for unblocking your commit when {% data variables.product.prodname_secret_scanning %} detects a secret in your changes.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From cb5ece49325e55c69e0a5e6b6060e9c7d43588a3 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 18:37:44 +0100 Subject: [PATCH 133/282] a bit more work --- .../about-secret-scanning-for-partners.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 29cbf313f2c6..610e2ddaa2de 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
@@ -13,16 +13,17 @@ shortTitle: Secret scanning for partners ## About {% data variables.secret-scanning.partner_alerts %} -Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} +{% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." -TODO: Provide high-level overview of partner program +You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. -**Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages. +Partner alerts are not displayed on {% data variables.product.prodname_dotcom %}. Instead, partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets. -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. 
+For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." -For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +TODO: apply scannability techniques From 42310e314afa58ab0ac061bd76d9e39e9124ed77 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 21:19:31 +0100 Subject: [PATCH 134/282] apply some review feedback --- .../secret-scanning-for-your-user-owned-repositories.md | 3 +++ .../working-with-push-protection-from-the-command-line.md | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md index e8a558314196..c6c464c837da 100644 
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md @@ -18,9 +18,12 @@ redirect_from: You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. + > [! NOTE] > As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". + + ## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories {% data reusables.user-settings.access_settings %} diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index f009fb0b5fc7..d5ab99d2dafa 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -36,7 +36,7 @@ If you confirm a secret is real and that you intend to fix it later, you should To resolve a blocked push, you must remove the secret from all of the commits it appears in. * If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." -* If the secret appears in multiple earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." +* If the secret appears in earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." ### Removing a secret introduced by the latest commit on your branch From 1854f25db49571237856c8d391315bffa9265f95 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 21:20:55 +0100 Subject: [PATCH 135/282] apply review feedback 2 --- .../working-with-push-protection-in-the-github-ui.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index d887b50628d8..b96ffaec2185 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -1,6 +1,6 @@ --- title: Working with push protection in the GitHub UI -shortTitle: Work with push protection in the GitHub UI +shortTitle: Push protection in the GitHub UI intro: 'Learn your options for unblocking your commit when {% data variables.product.prodname_secret_scanning %} detects a secret in your changes.' product: '{% data reusables.gated-features.secret-scanning %}' versions: From 61b63d6d906f3d52f811a2538eab9093fe9601c9 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 21:27:43 +0100 Subject: [PATCH 136/282] removing old content from old article --- ...ng-secret-scanning-for-your-repositories.md | 18 ------------------ ...th-push-protection-from-the-command-line.md | 2 +- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index 47b87aecc5e8..38371c85a2a5 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md 
@@ -99,24 +99,6 @@ For more information about non-provider patterns, see "{% ifversion fpt or ghec {% endif %} -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories - -You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. -{% note %} - -**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". - -{% endnote %} - -{% data reusables.user-settings.access_settings %} -{% data reusables.user-settings.security-analysis %} -1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. -{% data reusables.secret-scanning.push-protection-optional-enable %} - -{% endif %} - ## Excluding directories from {% data variables.secret-scanning.user_alerts %} You can configure a _secret_scanning.yml_ file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For example, you can exclude directories that contain tests or randomly generated content. 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index d5ab99d2dafa..0c6167175062 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md @@ -1,7 +1,7 @@ --- title: Working with push protection from the command line shortTitle: Push protection on the command line -intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets.' +intro: 'Learn your options for unblocking your push from the command line to {% data variables.product.prodname_dotcom %} if {% data variables.product.prodname_secret_scanning %} detects a secret in your changes.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 54440bcbfaa94cf6c8dc608d1c72f6bb5051d2fd Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 22 Jul 2024 16:44:53 +0100 Subject: [PATCH 137/282] more work --- .../introduction/about-push-protection.md | 30 ++++++++++++++----- .../push-protection-overview.md | 2 +- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 33ab8c01f646..faeaa0f556d9 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -21,21 +21,22 @@ shortTitle: Push protection Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository. -You can apply push protection at repository/organization level, and for your user account on {% data variables.product.prodname_dotcom %}. +{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} -## About push protection for repositories and organizations +{% ifversion secret-scanning-push-protection-for-users %} -{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} +You can enable push protection: -By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." +* At repository/organization level, if you are a repository administrator or an organization owner For more information, see +* For your account on {% data variables.product.prodname_dotcom %}, as a user. 
-{% ifversion secret-scanning-bypass-filter %} +## About push protection for repositories and organizations -On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +{% else %} -{% endif %} +If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level. -You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." +{% endif %} {% ifversion security-overview-push-protection-metrics-page %} 
@@ -51,12 +52,25 @@ If you are an organization owner or security manager, you can view metrics on ho {% endnote %} {% endif %} +By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." + +You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." + For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)." +{% ifversion secret-scanning-push-protection-for-users %} + ## About push protection for users. +{% endif %} + TODO Add link to enabling article, which is new. +## Next steps + +Mention custom patterns at the end? +{% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} + ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" 
diff --git a/data/reusables/secret-scanning/push-protection-overview.md b/data/reusables/secret-scanning/push-protection-overview.md index 72c31dfbf92d..09f4bf7aca5d 100644 --- a/data/reusables/secret-scanning/push-protection-overview.md +++ b/data/reusables/secret-scanning/push-protection-overview.md @@ -1 +1 @@ -When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{%else%}needed{% endif %}, allow those secrets to be pushed. +When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{% else %}needed{% endif %}, allow those secrets to be pushed. From c33b8da0229e8346c1de21700738df3f32bdaa80 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 22 Jul 2024 16:39:34 +0000 Subject: [PATCH 138/282] create index file --- .../index.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md new file mode 100644 index 000000000000..a24ef0ce6089 --- /dev/null +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md 
@@ -0,0 +1,20 @@ +--- +title: Managing alerts from secret scanning +intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.' +product: '{% data reusables.gated-features.secret-scanning %}' +redirect_from: + - /github/administering-a-repository/managing-alerts-from-secret-scanning + - /code-security/secret-security/managing-alerts-from-secret-scanning + - /code-security/secret-scanning/managing-alerts-from-secret-scanning +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: Managing alerts +--- \ No newline at end of file From 40620d076136fd182120ebb470d3e83d031d6b03 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 22 Jul 2024 16:46:39 +0000 Subject: [PATCH 139/282] adding empty children, updating index file --- .../managing-alerts-from-secret-scanning/about-alerts.md | 0 .../evaluating-alerts.md | 0 .../managing-alerts-from-secret-scanning/index.md | 8 +++++++- .../monitoring-alerts.md | 0 .../resolving-alerts.md | 0 .../viewing-alerts.md | 0 6 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
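Review bot: The third `redirect_from` entry, `/code-security/secret-scanning/managing-alerts-from-secret-scanning`, looks like the URL this new index page will itself be served at, since the file is created at `content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md`. The page would then list its own address as a redirect source, so I would drop that entry and keep the two older paths. The same three entries were also given to `managing-secret-scanning-alerts/index.md` in patch 001 of this series; if that file still exists at this commit, two pages claim the same old URLs and the list should stay on only one of them. How the site build resolves a self-referencing or duplicated redirect is not visible here, so confirm with a local build or the link checker before merging.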
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md index a24ef0ce6089..582c69e084ef 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md @@ -17,4 +17,10 @@ topics: - Alerts - Repositories shortTitle: Managing alerts ---- \ No newline at end of file +children: + - /about-alerts + - /viewing-alerts + - /evaluating-alerts + - /resolving-alerts + - /monitoring-alerts +--- diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md new file mode 100644 index 000000000000..e69de29bb2d1 From 2d86dea83ba5c61d8f157eca252e0448d05e20e4 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 22 Jul 2024 17:37:09 +0000 Subject: [PATCH 140/282] filling out articles --- .../evaluating-alerts.md | 101 ++++++++++++++++++ .../resolving-alerts.md | 50 +++++++++ .../viewing-alerts.md | 54 ++++++++++ 3 files changed, 205 insertions(+) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index e69de29bb2d1..f9b95cbea138 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md 
@@ -0,0 +1,101 @@ +--- +title: Evaluating alerts from secret scanning +intro: 'You can view alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: Evaluate alerts +--- + +## About evaluating alerts + +There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: + +* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} +* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} +* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} + +## Checking a secret's validity + +{% ifversion secret-scanning-validity-check-partner-patterns %} + +{% data reusables.secret-scanning.validity-check-partner-patterns-beta %} + +{% endif %} + +Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. 
An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. + +By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. + +{% ifversion fpt %} + +Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation. + +{% endif %} + +{% ifversion secret-scanning-validity-check-partner-patterns %} + +You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. + +{% data variables.product.company_short %} displays the validation status of the secret in the alert view. 
+ +{% endif %} + +{% data reusables.secret-scanning.validity-check-table %} + +{% ifversion secret-scanning-validity-check-partner-patterns %} + +{% data reusables.gated-features.partner-pattern-validity-check-ghas %} + +For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." + +{% endif %} + +You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)." + +{% ifversion secret-scanning-validity-check-partner-patterns %} + +## Performing an on-demand validity check + +Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view. + +![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. 
A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png) + +{% endif %} + +{% ifversion secret-scanning-github-token-metadata %} + +## Reviewing {% data variables.product.company_short %} token metadata + +> [!NOTE] +> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change. + +In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take. + +Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies). + + ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png) + + Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. 
The following metadata is available for active {% data variables.product.company_short %} tokens: + +|Metadata|Description| +|-------------------------|--------------------------------------------------------------------------------| +|Secret name| The name given to the {% data variables.product.company_short %} token by its creator| +|Secret owner| The {% data variables.product.company_short %} handle of the token's owner| +|Created on| Date the token was created| +|Expired on| Date the token expired| +|Last used on| Date the token was last used| +|Access| Whether the token has organization access| + +{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %} + +{% endif %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md index e69de29bb2d1..449ea0e96af3 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md 
@@ -0,0 +1,50 @@ +--- +title: Resolving alerts from secret scanning +intro: 'You can should fix and close alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: Evaluate alerts +--- + +## Fixing alerts + +Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets: + +* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." +{%- ifversion token-audit-log %} + * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)." +{%- endif %} +* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret. 
+ +{% ifversion fpt or ghec %} + +> [!NOTE] +> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." + +{% endif %} + +## Closing alerts + +> [!NOTE] +>{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. +1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. +1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert. + + ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png) + +1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. 
For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation. +1. Click **Close alert**. diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index e69de29bb2d1..f43a3de7348f 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
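Review bot: In "Fixing alerts", only the personal access token bullet tells the reader to look for activity by the compromised credential (the `token-audit-log` sub-bullet); the "For all other secrets" bullet stops at create, update and delete. The section opens by saying a committed secret should be considered compromised, so I would end that bullet with `Then review the service provider's access logs for any use of the old secret while it was exposed.` The "Closing alerts" steps could also say to close the alert only once the secret has been revoked or rotated, because the note above them says alerts are never closed automatically.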
@@ -0,0 +1,54 @@ +--- +title: Viewing and filtering alerts from secret scanning +intro: 'You can view alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: View alerts +--- + +## Viewing alerts + +Alerts for {% data variables.product.prodname_secret_scanning %} are displayed under the **Security** tab of the repository. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %} +1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %} +1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. + {% ifversion secret-scanning-user-owned-repos %} + + > [!NOTE] + > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} + + {% endif %} + +## Filtering alerts + +You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar. + +|Qualifier|Description| +|---------|-----------| +|`is:open`|Displays open alerts.| +|`is:closed`|Displays closed alerts.| +| {% ifversion secret-scanning-bypass-filter %} | +|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| +| {% endif %} | +|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."| +|`validity:inactive`| Displays alerts for secrets that are no longer active.| +|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| +|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | +|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| +| {% ifversion secret-scanning-non-provider-patterns %} | +|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | +|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." 
{% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| +| {% endif %} | From b340d5ddfb407621eb738be1c0775c5a6039738a Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 22 Jul 2024 20:15:31 +0000 Subject: [PATCH 141/282] more edits --- .../monitoring-alerts.md | 53 +++++++++++++++++++ .../resolving-alerts.md | 6 +-- 2 files changed, 56 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md index e69de29bb2d1..9884c11164df 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md 
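Review bot: Two links in the new "Filtering alerts" table look dangling. The `validity:active` row points at the in-page anchor `#checking-a-secrets-validity`, but this file as added has only the "Viewing alerts" and "Filtering alerts" headings, so the link should target whichever article in this series now holds that section. The `secret-type:SECRET-NAME` row uses `secret-scanning-patterns#supported-secret`, while the `provider:PROVIDER-NAME` row below it uses `#supported-secrets`; the first is presumably a typo and should read `#supported-secrets`.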
@@ -0,0 +1,53 @@ +--- +title: Monitoring alerts from secret scanning +intro: 'Learn how and when {% data variables.product.product_name %} will notify you about a secret scanning alert.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: Monitor alerts +--- + +## Configuring notifications for {% data variables.secret-scanning.alerts %} + +In addition to Notifications are different for incremental scans and historical scans. + +### Incremental scans + +{% data reusables.secret-scanning.secret-scanning-configure-notifications %} + +{% data reusables.repositories.navigate-to-repo %} +1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**. + + ![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png) + +1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**. +1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications). +1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown. +1. Select "Email" as a notification option, then click **Save**. + + ![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. 
A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png) + +{% data reusables.notifications.watch-settings %} + +### Historical scans + +For historical scans, {% data variables.product.product_name %} notifies the following users: + +* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found. +* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences. + +We do _not_ notify commit authors. + +{% data reusables.notifications.watch-settings %} + +## Auditing responses to secret scanning alerts + +{% data reusables.secret-scanning.audit-secret-scanning-events %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md index 449ea0e96af3..5635a4ecbfa5 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md @@ -1,7 +1,7 @@ --- title: Resolving alerts from secret scanning -intro: 'You can should fix and close alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' +intro: 'After reviewing the details of alert, you should fix and then close the alert.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can dismiss secret scanning alerts for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' 
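Review bot: The first paragraph under "Configuring notifications" is a broken fragment, `In addition to Notifications are different for incremental scans and historical scans.`, which reads as two drafts fused together. Unless the "In addition to" clause was meant to be completed, it should be `Notifications are different for incremental scans and historical scans.` The reusable `{% data reusables.notifications.watch-settings %}` is also included twice, once after the incremental-scan steps and again after "We do _not_ notify commit authors."; one include is probably enough. Since historical scans do not notify commit authors, it may be worth stating who is expected to tell the author that the secret needs rotating.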
@@ -13,7 +13,7 @@ topics: - Advanced Security - Alerts - Repositories -shortTitle: Evaluate alerts +shortTitle: Resolve alerts --- ## Fixing alerts From ce4e0da55e3025df3805812f85ed178dd2ca1773 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 23 Jul 2024 07:58:04 +0100 Subject: [PATCH 142/282] removing SS for your user-owned repos from new map topic and putting back --- ...g-secret-scanning-for-your-repositories.md | 18 +++++++++++ .../index.md | 1 - ...anning-for-your-user-owned-repositories.md | 32 ------------------- 3 files changed, 18 insertions(+), 33 deletions(-) delete mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index 212a38295006..630e10e96ae8 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md 
@@ -99,6 +99,24 @@ For more information about non-provider patterns, see "{% ifversion fpt or ghec {% endif %} +{% ifversion secret-scanning-enable-by-default-for-public-repos %} + +## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories + +You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. +{% note %} + +**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". + +{% endnote %} + +{% data reusables.user-settings.access_settings %} +{% data reusables.user-settings.security-analysis %} +1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. +{% data reusables.secret-scanning.push-protection-optional-enable %} + +{% endif %} + ## Excluding directories from {% data variables.secret-scanning.user_alerts %} You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)." 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index fea26a8e2b33..4a5ba486277b 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -13,7 +13,6 @@ topics: - Advanced Security - Repositories children: - - /secret-scanning-for-your-user-owned-repositories - /push-protection-for-users - /working-with-push-protection-from-the-command-line - /working-with-push-protection-in-the-github-ui diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md deleted file mode 100644 index c6c464c837da..000000000000 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: Enabling secret scanning alerts for your user-owned repositories -shortTitle: Secret scanning alerts for user-owned repositories -intro: 'You can protect yourself from accidentally leaking secrets from your {% ifversion ghec %}user-owned {% endif %}public repositories using {% data variables.product.prodname_secret_scanning %} and push protection.' -allowTitleToDifferFromFilename: true -versions: - feature: secret-scanning-enable-by-default-for-public-repos -type: how_to -topics: - - Secret scanning - - Advanced Security - - Troubleshooting -redirect_from: - - /TODO ---- - -## About {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories - -You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. - - -> [! NOTE] -> As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". - - - -## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories - -{% data reusables.user-settings.access_settings %} -{% data reusables.user-settings.security-analysis %} -1. 
Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. -{% data reusables.secret-scanning.push-protection-optional-enable %} From 9b72e9e9dc42f99add6bc571f22172632003e3a6 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 23 Jul 2024 08:18:42 +0100 Subject: [PATCH 143/282] correcting links --- .../working-with-push-protection-from-the-command-line.md | 8 ++++---- .../working-with-push-protection-in-the-github-ui.md | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index 0c6167175062..ba531a5aea0c 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -23,8 +23,8 @@ When you attempt to push a supported secret from the command line to a repositor You should either: -* **Remove** the secret from your branch. For more information, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." -* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line){% endif %}." +* **Remove** the secret from your branch. For more information, see "[Resolving a blocked push](#resolving-a-blocked-push)." +* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges](#requesting-bypass-privileges){% endif %}." Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. 
@@ -117,7 +117,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-allow-email %} -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges-when-working-from-the-command-line)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges)" in the {% data variables.product.prodname_ghe_cloud %} documentation. {% data reusables.secret-scanning.push-protection-visit-URL %} {% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} 
@@ -144,7 +144,7 @@ Requests expire after 7 days. If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. -If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." +If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push](#resolving-a-blocked-push)." {% endif %} diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index b96ffaec2185..247828019aee 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -29,8 +29,8 @@ When you are creating and editing files in the {% data variables.product.prodnam You should either: -* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI](#resolving-a-blocked-commit-in-the-github-ui)." -* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui){% endif %}." +* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit](#resolving-a-blocked-commit)." +* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges](#requesting-bypass-privileges){% endif %}." {% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. 
@@ -55,7 +55,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-public-repos-bypass %} 1. Click **Allow secret**. -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges-when-working-in-the-github-ui)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges)" in the {% data variables.product.prodname_ghe_cloud %} documentation. {% ifversion push-protection-delegated-bypass %} From a279583a43e8e8b5cd498427ea09da456910313a Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:48:55 +0100 Subject: [PATCH 144/282] try to fix merg conflict --- content/code-security/secret-scanning/index.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 4a89e1e35d5a..b76531a3c6ea 100644 
--- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -18,9 +18,7 @@ children: - /introduction - /configuring-secret-scanning-for-your-repositories - /managing-alerts-from-secret-scanning - - /push-protection-for-users - - /working-with-push-protection - - /pushing-a-branch-blocked-by-push-protection + - /working-with-secret-scanning-and-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program From 6a67a7fdaafa33691bedc9668c5e0a7f2f746e9f Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:17:48 +0100 Subject: [PATCH 145/282] trying to get file to render --- .../secret-scanning/introduction/about-push-protection.md | 6 ++++-- content/code-security/secret-scanning/introduction/index.md | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index faeaa0f556d9..9b41a1a65e1e 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -10,7 +10,7 @@ redirect_from: - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning - /code-security/secret-scanning/protecting-pushes-with-secret-scanning - /code-security/secret-scanning/push-protection-for-repositories-and-organizations -type: how_to +type: overview topics: - Secret scanning - Advanced Security 
@@ -60,7 +60,9 @@ For information on the secrets and service providers supported for push protecti {% ifversion secret-scanning-push-protection-for-users %} -## About push protection for users. +## About push protection for users + +Everyone across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within your individual settings. This ensures your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." {% endif %} diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md index 506adc128991..7c8fb7d1da8d 100644 --- a/content/code-security/secret-scanning/introduction/index.md +++ b/content/code-security/secret-scanning/introduction/index.md @@ -1,6 +1,6 @@ --- title: Introduction to secret scanning -shortTitle: Secret scanning +shortTitle: Introduction allowTitleToDifferFromFilename: true intro: 'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.' product: '{% data reusables.gated-features.secret-scanning %}' From 8e73eb5f3df699f2e6e6203a3af79fb75b06819c Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:18:34 +0100 Subject: [PATCH 146/282] trying to get file to render 2 --- .../secret-scanning/introduction/about-push-protection.md | 3 +-- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) 
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 9b41a1a65e1e..c75445fccdc8 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -56,7 +56,7 @@ By default, anyone with write access to the repository can choose to bypass push You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)." +For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." {% ifversion secret-scanning-push-protection-for-users %} @@ -75,5 +75,4 @@ Mention custom patterns at the end? ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index a225b8cafe4b..0f7770424000 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -1,5 +1,5 @@ --- -title: About secret scanning +title: Secret scanning intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.' product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: From ff95b54e1fe24d5ba25ab25e0452938a8b3c64f8 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:23:10 +0100 Subject: [PATCH 147/282] trying to get file to render 3 --- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 0f7770424000..a225b8cafe4b 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -1,5 +1,5 @@ --- -title: Secret scanning +title: About secret scanning intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.' product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: From e77112068c1c9c9872c48876ebe8059e7e7d887a Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 12:25:36 +0100 Subject: [PATCH 148/282] more work on push protection --- .../introduction/about-push-protection.md | 42 ++++++++++--------- .../introduction/about-secret-scanning.md | 1 + 2 files changed, 24 insertions(+), 19 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index c75445fccdc8..d34ce3a7d10b 100644 
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -1,6 +1,6 @@ --- title: About push protection -intro: 'TODO.' +intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: fpt: '*' 
@@ -38,41 +38,45 @@ If you are a repository administrator or an organization owner, you can enable p {% endif %} -{% ifversion security-overview-push-protection-metrics-page %} - -If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)." +{% ifversion secret-scanning-push-protection-for-users %} -{% endif %} +## About push protection for users -{% ifversion ghec or fpt %} -{% note %} +Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings. -**Note:** The github.dev web-based editor doesn't support push protection. For more information about the editor, see "[AUTOTITLE](/codespaces/the-githubdev-web-based-editor)." +Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." -{% endnote %} {% endif %} -By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. 
For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." +## What are the supported secrets -You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." +For information about the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +{% ifversion push-protection-delegated-bypass %} -{% ifversion secret-scanning-push-protection-for-users %} +## Delegated bypass -## About push protection for users +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -Everyone across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within your individual settings. This ensures your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." +When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." 
The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. + +If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. + +For information about delegated bypass for push protection, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." {% endif %} -TODO Add link to enabling article, which is new. +{% ifversion secret-scanning-push-protection-custom-patterns %} + +## Custom patterns -## Next steps +You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization. -Mention custom patterns at the end? -{% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} +{% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." + +{% endif %} ## Further reading +* TODO: add link to enabling push protection * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index a225b8cafe4b..92595aec494d 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -17,6 +17,7 @@ type: overview topics: - Secret scanning - Advanced Security +shortTitle: Secret scanning --- {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} From ed448d505663ec6ddcd9a84c9562acd0cf332a3b Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 13:34:59 +0100 Subject: [PATCH 149/282] version delegated bypass section --- .../secret-scanning/introduction/about-push-protection.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index d34ce3a7d10b..9bfd86ed1431 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -27,17 +27,15 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu You can enable push protection: -* At repository/organization level, if you are a repository administrator or an organization owner For more information, see +* At repository/organization level, if you are a repository administrator or an organization owner. * For your account on {% data variables.product.prodname_dotcom %}, as a user. ## About push protection for repositories and organizations -{% else %} +{% endif %} If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level. -{% endif %} - {% ifversion secret-scanning-push-protection-for-users %} ## About push protection for users 
@@ -62,7 +60,7 @@ When you enable push protection, by default, anyone with write access to the rep If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. -For information about delegated bypass for push protection, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." {% endif %} From 3de6c358755a44231a63fe2c905296df55bc29b6 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 17:33:45 +0100 Subject: [PATCH 150/282] and more work --- .../introduction/about-push-protection.md | 12 ++++++------ .../introduction/about-secret-scanning.md | 6 ++++++ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 9bfd86ed1431..2b6ea61119a5 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -1,6 +1,6 @@ --- title: About push protection -intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO' +intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO for users' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: fpt: '*' @@ -19,6 +19,8 @@ topics: shortTitle: Push protection --- +## What is push protection + Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository. {% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} @@ -48,7 +50,7 @@ Enabling push protection for your user account means that your pushes are protec ## What are the supported secrets -For information about the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." {% ifversion push-protection-delegated-bypass %} 
@@ -66,11 +68,9 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co {% ifversion secret-scanning-push-protection-custom-patterns %} -## Custom patterns - -You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization. +## Custom pattern support -{% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization. {% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." {% endif %} diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 92595aec494d..23f25e9ca5cb 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -20,6 +20,8 @@ topics: shortTitle: Secret scanning --- +## What is {% data variables.product.prodname_secret_scanning %} + {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} 
@@ -59,6 +61,10 @@ If your project communicates with an external service, you might use a token or {% endnote %} +## What are the supported secrets + +For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + {% ifversion fpt or ghec %} ## About {% data variables.secret-scanning.partner_alerts %} From f8d90dfb327fc59024f7638b3db469a5b82425b6 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 23 Jul 2024 21:14:17 +0000 Subject: [PATCH 151/282] working on about alerts --- .../managing-alerts-from-secret-scanning.md | 236 ------------------ .../about-alerts.md | 17 ++ .../viewing-alerts.md | 36 ++- 3 files changed, 51 insertions(+), 238 deletions(-) delete mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md deleted file mode 100644 index e66b2d79c5c4..000000000000 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md +++ /dev/null 
@@ -1,236 +0,0 @@ ---- -title: Managing alerts from secret scanning -intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view and dismiss secret scanning alerts for the repository.' -product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /github/administering-a-repository/managing-alerts-from-secret-scanning - - /code-security/secret-security/managing-alerts-from-secret-scanning -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Manage secret alerts ---- -## About the {% data variables.product.prodname_secret_scanning %} alerts page - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} - -{% ifversion secret-scanning-non-provider-patterns %} -To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists: -* **High confidence** alerts. -* **Other** alerts. - -![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png) - -### High confidence alerts list - -The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page. - -### Other alerts list - -The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives. 
- -In addition, alerts that fall into this category: -* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts). -* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. -* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. - -For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." - -{% endif %} - -## Viewing alerts - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %} -1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %} -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. 
- {% ifversion secret-scanning-user-owned-repos %} - - > [!NOTE] - > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} - - {% endif %} - -## Filtering alerts - -You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar. - -|Qualifier|Description| -|---------|-----------| -|`is:open`|Displays open alerts.| -|`is:closed`|Displays closed alerts.| -| {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| -| {% endif %} | -|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."| -|`validity:inactive`| Displays alerts for secrets that are no longer active.| -|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| -| {% ifversion secret-scanning-non-provider-patterns %} | -|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. 
For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| -| {% endif %} | - -## Evaluating alerts - -There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: - -* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} -* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. 
For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} - -### Checking a secret's validity - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -{% data reusables.secret-scanning.validity-check-partner-patterns-beta %} - -{% endif %} - -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. - -By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. - -{% ifversion fpt %} - -Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation. - -{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. - -{% data variables.product.company_short %} displays the validation status of the secret in the alert view. 
- -{% endif %} - -{% data reusables.secret-scanning.validity-check-table %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." - -{% endif %} - -You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)." - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Performing an on-demand validity check - -Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view. - -![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. 
A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png) - -{% endif %} - -{% ifversion secret-scanning-github-token-metadata %} - -### Reviewing {% data variables.product.company_short %} token metadata - -> [!NOTE] -> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change. - -In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take. - -Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies). - - ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png) - - Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. 
The following metadata is available for active {% data variables.product.company_short %} tokens: - -|Metadata|Description| -|-------------------------|--------------------------------------------------------------------------------| -|Secret name| The name given to the {% data variables.product.company_short %} token by its creator| -|Secret owner| The {% data variables.product.company_short %} handle of the token's owner| -|Created on| Date the token was created| -|Expired on| Date the token expired| -|Last used on| Date the token was last used| -|Access| Whether the token has organization access| - -{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %} - -{% endif %} - -## Fixing alerts - -Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets: - -* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." -{%- ifversion token-audit-log %} - * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. 
For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)." -{%- endif %} -* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret. - -{% ifversion fpt or ghec %} - -> [!NOTE] -> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -{% endif %} - -## Closing alerts - -> [!NOTE] ->{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. -1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert. - - ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png) - -1. Optionally, in the "Comment" field, add a dismissal comment. 
The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation. -1. Click **Close alert**. - -## Configuring notifications for {% data variables.secret-scanning.alerts %} - -Notifications are different for incremental scans and historical scans. - -### Incremental scans - -{% data reusables.secret-scanning.secret-scanning-configure-notifications %} - -{% data reusables.repositories.navigate-to-repo %} -1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**. - - ![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png) - -1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**. -1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications). -1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown. -1. Select "Email" as a notification option, then click **Save**. - - ![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. 
A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png) - -{% data reusables.notifications.watch-settings %} - -### Historical scans - -For historical scans, {% data variables.product.product_name %} notifies the following users: - -* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found. -* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences. - -We do _not_ notify commit authors. - -{% data reusables.notifications.watch-settings %} - -## Auditing responses to secret scanning alerts - -{% data reusables.secret-scanning.audit-secret-scanning-events %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index e69de29bb2d1..048108f998d0 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -0,0 +1,17 @@ +--- +title: About secret scanning alerts +intro: 'Learn about the different types of {% data variables.product.prodname_secret_scanning %} alerts for your repository.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage secret scanning alerts for the repository.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: About alerts +--- 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index f43a3de7348f..b28d4722c752 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -1,7 +1,7 @@
 ---
 title: Viewing and filtering alerts from secret scanning
-intro: 'You can view alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.'
-permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.'
+intro: 'Learn how to find and filter {% data variables.secret-scanning.user_alerts_caps %} alerts for your repository.'
+permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts_caps %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
@@ -16,6 +16,34 @@ topics: shortTitle: View alerts --- +## About the {% data variables.product.prodname_secret_scanning %} alerts page + +{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} + +{% ifversion secret-scanning-non-provider-patterns %} +To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists: +* **High confidence** alerts. +* **Other** alerts. + +![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png) + +### High confidence alerts list + +The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page. + +### Other alerts list + +The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives. + +In addition, alerts that fall into this category: +* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts). +* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. +* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. 
+ +For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." + +{% endif %} + ## Viewing alerts Alerts for {% data variables.product.prodname_secret_scanning %} are displayed under the **Security** tab of the repository. @@ -52,3 +80,7 @@ You can apply various filters to the alerts list to help you find the alerts you |`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | |`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| | {% endif %} | + +## Next steps + +* [AUTOTITLE](/TODO) From 3b120a8944308f4a649c6aa78f86b5c40d8b1ebc Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:32:32 +0000
Subject: [PATCH 152/282] new articles
---
 ...ing-push-protection-for-your-repository.md | 17 ++++++++++++++
 ...ing-secret-scanning-for-your-repository.md | 17 ++++++++++++++
 ...ing-validity-checks-for-your-repository.md | 19 ++++++++++++++++
 .../index.md | 22 +++++++++++++++++++
 4 files changed, 75 insertions(+)
 create mode 100644 content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
 create mode 100644 content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
 create mode 100644 content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
 create mode 100644 content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
new file mode 100644
index 000000000000..f70168531271
--- /dev/null
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -0,0 +1,17 @@
+---
+title: TODO
+shortTitle: TODO
+intro: 'TODO.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+---
+
+## About enabling push protection
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
new file mode 100644
index 000000000000..2e7f156350f0
--- /dev/null
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -0,0 +1,17 @@
+---
+title: TODO
+shortTitle: TODO
+intro: 'TODO.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+---
+
+## About enabling
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
new file mode 100644
index 000000000000..13c0416a8b66
--- /dev/null
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -0,0 +1,19 @@
+---
+title: TODO
+shortTitle: TODO
+intro: 'TODO.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+---
+
+## About validity checks
+
+## TODO
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
new file mode 100644
index 000000000000..203755a35bcc
--- /dev/null
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -0,0 +1,22 @@
+---
+title: Enabling secret scanning features
+shortTitle: Enable secret scanning
+allowTitleToDifferFromFilename: true
+intro: '{% data variables.product.prodname_secret_scanning_caps %} scans for and detects secrets that have been checked into a repository. Push protection proactively secures you against leaking secrets by blocking pushes containing secrets.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+children:
+ - /enabling-secret-scanning-for-your-repository
+ - /enabling-push-protection-for-your-repository
+ - /enabling-validity-checks-for-your-repository
+redirect_from:
+ - /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
+ - /code-security/secret-scanning/push-protection-for-repositories-and-organizations
+---
From 99a31f53602cdcd2645a7d9e53ad72596a12a603 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 24 Jul 2024 06:42:17 +0000
Subject: [PATCH 153/282] first draft validity checks
---
 ...ing-validity-checks-for-your-repository.md | 32 +++++++++++++++----
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 13c0416a8b66..adc659fae9c3 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -1,12 +1,10 @@
 ---
-title: TODO
-shortTitle: TODO
+title: Enabling validity checks for your repository
+shortTitle: Enable validity checks
 intro: 'TODO.'
-product: '{% data reusables.gated-features.secret-scanning %}'
+product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}'
 versions:
- fpt: '*'
- ghes: '*'
- ghec: '*'
+ feature: secret-scanning-validity-check-partner-patterns
 type: how_to
 topics:
 - Secret scanning
@@ -16,4 +14,24 @@ topics: ## About validity checks -## TODO +You can choose to enable validity checks for partner patterns for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. + +{% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view. + +You can also filter by validity status on the alerts page, to help you prioritize which alerts you need to take action on. + +> [!NOTE] +> {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. + +For more information on using validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)." + +## Enabling validity checks + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.secret-scanning.validity-check-auto-enable %} + +You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." + +Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. 
For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." From 0556b126e3854ee531278e1065503b7a43a57662 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 24 Jul 2024 06:54:09 +0000 Subject: [PATCH 154/282] more edits to validity checks --- .../enabling-validity-checks-for-your-repository.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index adc659fae9c3..deae5c4edc5b 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md @@ -1,7 +1,7 @@ --- title: Enabling validity checks for your repository shortTitle: Enable validity checks -intro: 'TODO.' +intro: 'Validity checks tell you if a secret is active or inactive, which can help you to prioritize remediation of alerts.' product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}' versions: feature: secret-scanning-validity-check-partner-patterns 
@@ -18,12 +18,12 @@ You can choose to enable validity checks for partner patterns for your repositor {% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view. -You can also filter by validity status on the alerts page, to help you prioritize which alerts you need to take action on. +You can also filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on. > [!NOTE] > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. -For more information on using validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)." +For more information on using validity checks, see "[AUTOTITLE](/TODO)." ## Enabling validity checks From 047b4c4c9504618889d0999ee8f3621d822f55ca Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 24 Jul 2024 07:33:35 +0000 Subject: [PATCH 155/282] first draft enable SS article --- ...ing-secret-scanning-for-your-repository.md | 36 ++++++++++++++++--- ...ing-validity-checks-for-your-repository.md | 2 +- 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 2e7f156350f0..4627dd805fb0 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md 
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -1,7 +1,7 @@
 ---
-title: TODO
-shortTitle: TODO
-intro: 'TODO.'
+title: Enabling secret scanning for your repository
+shortTitle: Enable secret scanning
+intro: '{% data variables.product.prodname_secret_scanning %} scans your repositories for leaked secrets and generates alerts.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
@@ -14,4 +14,32 @@ topics: - Alerts --- -## About enabling +## About enabling {% data variables.secret-scanning.user_alerts %} + +You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} + +You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see "[AUTOTITLE](/code-security/getting-started/securing-your-organization)." + +{% ifversion secret-scanning-enterprise-level %} +{% note %} + +**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." + +{% endnote %} +{% endif %} + +A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." 
+
+## Enabling {% data variables.secret-scanning.user_alerts %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes %}
+1. If {% data variables.product.prodname_advanced_security %} is not already enabled for the repository, to the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**.
+1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**.
+1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled.
+
+ ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %}
+1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository.
+
+ ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index deae5c4edc5b..913d275990e2 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling validity checks for your repository
 shortTitle: Enable validity checks
-intro: 'Validity checks tell you if a secret is active or inactive, which can help you to prioritize remediation of alerts.'
+intro: 'Validity checks tell you if a secret is active or inactive, which can help you to prioritize the remediation of alerts.'
 product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}'
 versions:
 feature: secret-scanning-validity-check-partner-patterns
From 92f11f8af6aca1957f392d3aa80d66eb9d33a243 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 24 Jul 2024 08:10:10 +0000
Subject: [PATCH 156/282] first edits
---
 ...ing-push-protection-for-your-repository.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index f70168531271..cd48da8e7faf 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md @@ -1,7 +1,7 @@ --- -title: TODO -shortTitle: TODO -intro: 'TODO.' +title: Enabling push protection for your repository +shortTitle: Enable push protection +intro: 'With push protection, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' @@ -12,6 +12,19 @@ topics: - Secret scanning - Advanced Security - Alerts +redirect_from: + - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning + - /code-security/secret-scanning/protecting-pushes-with-secret-scanning --- ## About enabling push protection + +TODO + +## Enabling push protection + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +{% data reusables.advanced-security.secret-scanning-push-protection-repo %} From 50e080613742db35d932385f83e68640f5939d7a Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 24 Jul 2024 10:36:05 +0000 Subject: [PATCH 157/282] edits to about alerts --- .../about-alerts.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 048108f998d0..e39294d2e1c0 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -15,3 +15,56 @@ topics: - Repositories shortTitle: About alerts --- + +## About the different types of {% data variables.product.prodname_secret_scanning %} alerts + +There are three types of {% data variables.product.prodname_secret_scanning %} alerts: + +* **{% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When [GitHub] detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. +* **Push protection alerts**: When a contributor pushes a supported secret to a repository that has push protection enabled, a push protection alert is generated and displayed in the **Security** tab of the repository. +* **Partner alerts**: Unlike other alerts, partner alerts are sent directly to the secret providers whenever a secret leak is reported for one of their secrets, as part of {% data variables.product.prodname_secret_scanning %}'s partner program. + +### About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts + +{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}. 
+ +{% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types: + +* High confidence alerts, which relate to supported patterns and specified custom patterns. +* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys. + +{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/TODO)." + +{% data reusables.secret-scanning.non-provider-patterns-beta %} + +{% endif %} + +You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %} + +{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} + +If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." + +{% ifversion ghes or ghec %} +{% note %} + +**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." + +{% endnote %} +{% endif %} + +### About push protection alerts + +Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers. 
+ +{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %} + +{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} + +{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." + +### About partner alerts + +Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." + +{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} From 4acf7f3fb71460eed3d69e95c7a9b7f21c657d45 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 24 Jul 2024 13:52:48 +0000 Subject: [PATCH 158/282] more edits --- .../managing-alerts-from-secret-scanning/about-alerts.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index e39294d2e1c0..4afa1ba039e0 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -18,11 +18,11 @@ shortTitle: About alerts ## About the different types of {% data variables.product.prodname_secret_scanning %} alerts -There are three types of {% data variables.product.prodname_secret_scanning %} alerts: +There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.product.prodname_secret_scanning %} alerts: * **{% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When [GitHub] detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. -* **Push protection alerts**: When a contributor pushes a supported secret to a repository that has push protection enabled, a push protection alert is generated and displayed in the **Security** tab of the repository. -* **Partner alerts**: Unlike other alerts, partner alerts are sent directly to the secret providers whenever a secret leak is reported for one of their secrets, as part of {% data variables.product.prodname_secret_scanning %}'s partner program. +* **Push protection alerts**: When a contributor bypasses push protection to push a secret to the repository that has {% data variables.product.prodname_secret_scanning %} and push protection enabled, an alert is generated and displayed in the **Security** tab of the repository.{% ifversion fpt or ghec %} +* **Partner alerts**: When [GitHub] detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider if they are part of GitHub's secret scanning partner program. Partner alerts are not displayed in the **Security** tab of the repository.{% endif %} ### About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts 
@@ -31,7 +31,7 @@ There are three types of {% data variables.product.prodname_secret_scanning %} a {% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types: * High confidence alerts, which relate to supported patterns and specified custom patterns. -* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys. +* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}or AI-detected generic secrets{% endif %}. {% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/TODO)." From cd28dbdff94221a4603dc4986d313651504f483d Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 25 Jul 2024 09:56:44 +0000 Subject: [PATCH 159/282] fixing links --- .../about-alerts.md | 23 ++++++++++--------- .../evaluating-alerts.md | 1 + .../index.md | 2 +- .../monitoring-alerts.md | 1 + .../resolving-alerts.md | 1 + .../viewing-alerts.md | 1 + 6 files changed, 17 insertions(+), 12 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 4afa1ba039e0..0100d00567a9 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning alerts
-intro: 'Learn about the different types of {% data variables.product.prodname_secret_scanning %} alerts for your repository.'
+intro: 'Learn about the different types of {% data variables.product.prodname_secret_scanning %} alerts.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage secret scanning alerts for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
@@ -14,15 +14,16 @@ topics: - Alerts - Repositories shortTitle: About alerts +allowTitleToDifferFromFilename: true --- -## About the different types of {% data variables.product.prodname_secret_scanning %} alerts +## About different types of {% data variables.product.prodname_secret_scanning %} alerts There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.product.prodname_secret_scanning %} alerts: -* **{% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When [GitHub] detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. -* **Push protection alerts**: When a contributor bypasses push protection to push a secret to the repository that has {% data variables.product.prodname_secret_scanning %} and push protection enabled, an alert is generated and displayed in the **Security** tab of the repository.{% ifversion fpt or ghec %} -* **Partner alerts**: When [GitHub] detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider if they are part of GitHub's secret scanning partner program. Partner alerts are not displayed in the **Security** tab of the repository.{% endif %} +* **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. 
+* **Push protection alerts**: When a contributor bypasses push protection to push a secret to the repository that has {% data variables.product.prodname_secret_scanning %} and push protection enabled, a push protection alert is generated and displayed in the **Security** tab of the repository.{% ifversion fpt or ghec %} +* **Partner alerts**: When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert.{% endif %} ### About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts 
@@ -33,13 +34,13 @@ There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% d * High confidence alerts, which relate to supported patterns and specified custom patterns. * Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}or AI-detected generic secrets{% endif %}. -{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/TODO)." +{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." {% data reusables.secret-scanning.non-provider-patterns-beta %} {% endif %} -You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %} +You can see these alerts on the **Security** tab of the repository. {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} 
@@ -48,7 +49,7 @@ If you use the REST API for secret scanning, you can use the `Secret type` to re {% ifversion ghes or ghec %} {% note %} -**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% endnote %} {% endif %} 
@@ -57,14 +58,14 @@ If you use the REST API for secret scanning, you can use the `Secret type` to re Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers. -{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %} +{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} -{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." +{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-limitations)." ### About partner alerts -Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. 
For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index f9b95cbea138..fad8d985541c 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md @@ -14,6 +14,7 @@ topics: - Alerts - Repositories shortTitle: Evaluate alerts +allowTitleToDifferFromFilename: true --- ## About evaluating alerts diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md index 582c69e084ef..3c805b618841 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md 
@@ -1,6 +1,6 @@ --- title: Managing alerts from secret scanning -intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.' +intro: 'Learn how to find, evaluate and resolve alerts for secrets checked in to your repository.' product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: - /github/administering-a-repository/managing-alerts-from-secret-scanning diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md index 9884c11164df..50214f73ce55 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md @@ -13,6 +13,7 @@ topics: - Alerts - Repositories shortTitle: Monitor alerts +allowTitleToDifferFromFilename: true --- ## Configuring notifications for {% data variables.secret-scanning.alerts %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md index 5635a4ecbfa5..98b339df9994 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md @@ -14,6 +14,7 @@ topics: - Alerts - Repositories shortTitle: Resolve alerts +allowTitleToDifferFromFilename: true --- ## Fixing alerts diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index b28d4722c752..c77715f4c514 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md @@ -14,6 +14,7 @@ topics: - Alerts - Repositories shortTitle: View alerts +allowTitleToDifferFromFilename: true --- ## About the {% data variables.product.prodname_secret_scanning %} alerts page From 4d9c74dd6ce0a712066704b62263ce38fc7f5a86 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 25 Jul 2024 12:15:38 +0100 Subject: [PATCH 160/282] and more work --- .../introduction/about-push-protection.md | 83 ++++++++++++++----- .../introduction/about-secret-scanning.md | 77 +++++++++++++++-- 2 files changed, 135 insertions(+), 25 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 2b6ea61119a5..13082cc567e0 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -21,26 +21,60 @@ shortTitle: Push protection ## What is push protection -Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository. +Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %} , which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected. -{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} +Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. + +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced feature are available: + +* Delegated bypass—allows repository administrators or designated users to temporarily bypass the push protection mechanism. This can be useful in situations where a developer needs to push a commit that contains strings or patterns that resemble secrets but are actually safe and necessary for the project.This allows gives users with administrative rights more control about what is committed. 
+* Custom patterns—allows you to define specific patterns or regular expressions that represent the types of secrets unique to your environment or organization. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. {% ifversion secret-scanning-push-protection-for-users %} You can enable push protection: -* At repository/organization level, if you are a repository administrator or an organization owner. -* For your account on {% data variables.product.prodname_dotcom %}, as a user. - -## About push protection for repositories and organizations +* At repository/organization level, if you are a repository administrator or an organization owner. This type of push protection is referred to as "push protection". +* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". {% endif %} -If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level. +## What are the benefits of push protection -{% ifversion secret-scanning-push-protection-for-users %} +* **Proactive Security**— +Push Protection acts as a front-line defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository. + +* **Immediate Feedback**— +Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. + +* **Reduced Risk of Data Leaks**— +By blocking commits that contain sensitive information, Push Protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. 
+ +* **Efficient Secret Management**— +Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. + +* **Integration with CI/CD Pipelines**— +Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. + +* **Customizable Rules**— +Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that Push Protection can effectively identify and block even non-standard secrets. -## About push protection for users +* **Delegated Bypass for Flexibility**— +For cases where false positives occur or when certain patterns are necessary, the Delegated Bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security. + +* **Audit and Monitoring**— +Push Protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability. + +* **Collaboration and Education**— +By frequently reminding developers of secure coding practices, Push Protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility. + +## Configuring push protection + +To use push protection, you need to have administrative access to the repository or organization you want to configure. Also, your repository or organization should be hosted on {% data variables.product.prodname_dotcom %}. + +Enabling and configuring push protection involves a few steps. For more information, see TODO: - link to enabling article. 
+ +{% ifversion secret-scanning-push-protection-for-users %} Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings. 
@@ -52,29 +86,40 @@ Enabling push protection for your user account means that your pushes are protec For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." -{% ifversion push-protection-delegated-bypass %} +## Customizing push protection -## Delegated bypass +Once push protection is enabled, you can customize it further, if needed: -{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} +### Integration with CI/CD Pipelines -When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. +You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. -If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. +### Handling false positives -For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. 
This may also involve adding specific rules or exceptions within your security settings. + +{% ifversion secret-scanning-push-protection-custom-patterns %} + +### Defining custom patterns + +If you have specific patterns or types of secrets that are unique to your environment, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." {% endif %} -{% ifversion secret-scanning-push-protection-custom-patterns %} +{% ifversion push-protection-delegated-bypass %} + +### Using delegated bypass + +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -## Custom pattern support +When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. + +If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. -You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization. {% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." 
+For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." {% endif %} ## Further reading -* TODO: add link to enabling push protection * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 23f25e9ca5cb..eeeb5fc24886 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -22,9 +22,78 @@ shortTitle: Secret scanning ## What is {% data variables.product.prodname_secret_scanning %} -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} +{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. + +For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. + +Below is a typical workflow: + +* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %}automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. + +* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. + +TODO: +* Review Alerts: When a secret is detected, review the alert details provided by GitHub. + +* *Remediation: Take appropriate actions to remediate the exposure. This might include: + * Rotating the affected credential to ensure it is no longer usable. + * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or GitHub's built-in features). +* Audit and Monitor: Regularly audit and monitor your repositories to ensure no other secrets are exposed. 
+ +{% ifversion fpt or ghec %} + +* Integration with partners: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." + +{% endif %} + +## What are the benefits of {% data variables.product.prodname_secret_scanning %} + +* **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors. + +* **Automated detection**—The feature automatically scans your codebase, including commits, issues, and pull requests, ensuring continuous protection without requiring manual intervention. This automation helps in maintaining security even as your repository evolves. + +* **Real-time alerts**—When a secret is detected, {% data variables.product.prodname_secret_scanning %} provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions. + +* **Historical scanning**—{% data variables.product.prodname_secret_scanning_caps %} can be configured to scan the entire commit history of your repository. This retrospective analysis helps in identifying and mitigating risks from previously committed secrets that may have gone unnoticed. + +{% ifversion fpt or ghec %} + +* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. 
When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. + +{% endif %} + +* **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment. - +* **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team. + +* **Remediation guidance**—Along with alerts, {% data variables.product.prodname_dotcom %}provides remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials. + +## Enabling {% data variables.product.prodname_secret_scanning %} + +{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on GitHub. +For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}. + +For more information, see TODO: - link to enabling article. + +## What are the supported secrets + +For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + +{% ifversion ghec or ghes %} + +## Custom patterns + +For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: + +* Tailored Security Detect secrets unique to your applications, APIs, or internal tools. 
+* Increased Coverage Capture additional types of sensitive data that default patterns might miss. +* Prevent Data Leaks Proactively identify and mitigate risks associated with exposed proprietary secrets. + +{% endif %} + +OLD + +{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project. @@ -61,10 +130,6 @@ If your project communicates with an external service, you might use a token or {% endnote %} -## What are the supported secrets - -For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." - {% ifversion fpt or ghec %} ## About {% data variables.secret-scanning.partner_alerts %} From 949e499d188e638cd98029265536c7a5ef94df13 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:23:02 +0000 Subject: [PATCH 161/282] fix links in veiwing alerts --- .../managing-alerts-from-secret-scanning/viewing-alerts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index c77715f4c514..f7f9d3ec9c63 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
@@ -41,7 +41,7 @@ In addition, alerts that fall into this category:
 * Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view.
 * Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}.
-For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}."
+For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection){% endif %}."
 {% endif %}
@@ -84,4 +84,4 @@ You can apply various filters to the alerts list to help you find the alerts you
 ## Next steps
-* [AUTOTITLE](/TODO)
+TODO

From 02fe49d571ae9f559d3fa26244c2458ac562c0b0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 25 Jul 2024 15:22:48 +0100
Subject: [PATCH 162/282] more work on secret scanning and push protection articles

---
 .../introduction/about-push-protection.md | 39 ++++-------
 .../about-secret-scanning-for-partners.md | 6 ++
 .../introduction/about-secret-scanning.md | 70 ++++++-------------
 3 files changed, 42 insertions(+), 73 deletions(-)

diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 13082cc567e0..490a99684016 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
 ---
 title: About push protection
-intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO for users'
+intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 fpt: '*'
@@ -25,10 +25,7 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu
 Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
-Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced feature are available:
-
-* Delegated bypass—allows repository administrators or designated users to temporarily bypass the push protection mechanism. This can be useful in situations where a developer needs to push a commit that contains strings or patterns that resemble secrets but are actually safe and necessary for the project.This allows gives users with administrative rights more control about what is committed.
-* Custom patterns—allows you to define specific patterns or regular expressions that represent the types of secrets unique to your environment or organization. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}.
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available:
 {% ifversion secret-scanning-push-protection-for-users %}
@@ -41,32 +38,24 @@ You can enable push protection: ## What are the benefits of push protection -* **Proactive Security**— -Push Protection acts as a front-line defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository. +* **Proactive security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository. -* **Immediate Feedback**— -Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. +* **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. -* **Reduced Risk of Data Leaks**— -By blocking commits that contain sensitive information, Push Protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. +* **Reduced risk of data leaks**—By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. -* **Efficient Secret Management**— -Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. +* **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. 
* **Integration with CI/CD Pipelines**— Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. -* **Customizable Rules**— -Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that Push Protection can effectively identify and block even non-standard secrets. +{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %} -* **Delegated Bypass for Flexibility**— -For cases where false positives occur or when certain patterns are necessary, the Delegated Bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security. +{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**—For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %} -* **Audit and Monitoring**— -Push Protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability. +* **Audit and monitoring**—Push protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability. 
-* **Collaboration and Education**— -By frequently reminding developers of secure coding practices, Push Protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility. +* **Collaboration and education**—By frequently reminding developers of secure coding practices, push protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility. ## Configuring push protection @@ -76,7 +65,7 @@ Enabling and configuring push protection involves a few steps. For more informat {% ifversion secret-scanning-push-protection-for-users %} -Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings. +Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." 
@@ -102,7 +91,7 @@ If push protection occasionally flags non-sensitive information, you can configu
 ### Defining custom patterns
-If you have specific patterns or types of secrets that are unique to your environment, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
 {% endif %}
@@ -122,4 +111,6 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co
 ## Further reading
-* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %}
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 610e2ddaa2de..966201b42846 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -13,6 +13,12 @@ shortTitle: Secret scanning for partners ## About {% data variables.secret-scanning.partner_alerts %} +When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." + +You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. + +## About {% data variables.secret-scanning.partner_alerts %} + {% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. {% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index eeeb5fc24886..28a4654766c7 100644 
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -24,6 +24,10 @@ shortTitle: Secret scanning
 {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection.
+{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}
+
+{% data reusables.secret-scanning.what-is-scanned %}
+
 For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection.
 Below is a typical workflow:
@@ -62,15 +66,19 @@ TODO: {% endif %} +{% ifversion ghec or ghes %} + * **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment. +{% endif %} + * **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team. -* **Remediation guidance**—Along with alerts, {% data variables.product.prodname_dotcom %}provides remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials. +* **Remediation guidance**—Along with alerts, we provide remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials. ## Enabling {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on GitHub. +{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}. For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}. For more information, see TODO: - link to enabling article. 
@@ -79,9 +87,19 @@ For more information, see TODO: - link to enabling article. For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +## Customizing {% data variables.product.prodname_secret_scanning %} + +Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed: + +### Detection of non-provider patterns + +### eneric secret detection + +### Validity checks + {% ifversion ghec or ghes %} -## Custom patterns +### Custom patterns For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: 
@@ -93,14 +111,6 @@ For advanced users, GitHub allows custom patterns to be added to Secret Scanning OLD -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - -If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project. - -{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} - -{% data reusables.secret-scanning.what-is-scanned %} - {% ifversion fpt or ghec %} {% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms: 
@@ -118,28 +128,6 @@ If your project communicates with an external service, you might use a token or {% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." -{% ifversion secret-scanning-push-protection-for-users %} - -{% data reusables.secret-scanning.push-protection-for-users %} - -{% endif %} - -{% note %} - -**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} or push protection enabled, these features are not enabled by default on the fork. You can enable {% data variables.product.prodname_secret_scanning %} or push protection on the fork the same way you enable them on a standalone repository. - -{% endnote %} - -{% ifversion fpt or ghec %} - -## About {% data variables.secret-scanning.partner_alerts %} - -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
- -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. - -{% endif %} - ## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} 
@@ -157,22 +145,6 @@ You can also define custom {% data variables.product.prodname_secret_scanning %} {% ifversion secret-scanning-store-tokens %} {% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} -### Accessing {% data variables.secret-scanning.alerts %} - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} - -* {% data variables.product.prodname_dotcom %} sends an email alert to the repository administrators and organization owners. You'll receive an alert if you are watching the repository{% ifversion secret-scanning-notification-settings %}, {% else %}, and {% endif %}if you have enabled notifications either for security alerts or for all the activity on the repository{% ifversion secret-scanning-notification-settings %}, and if, in your notification settings, you have selected to receive email notifications for the repositories that you are watching.{% else %}.{% endif %} -* If the person who introduced the secret isn't ignoring the repository, {% data variables.product.prodname_dotcom %} will also send them an email alert. The email contains a link to the related {% data variables.product.prodname_secret_scanning %} alert. The person who introduced the secret can then view the alert in the repository, and resolve the alert. -* {% data reusables.secret-scanning.repository-alert-location %} - -For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." 
- -{% ifversion secret-scanning-notification-settings %} -For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)." -{% endif %} - -Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." - {% ifversion ghec or ghes %} You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." {% endif %} From 03021332a63f35bd8a342d49490a0b3dad82672b Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 25 Jul 2024 15:50:43 +0100 Subject: [PATCH 163/282] fix failing linter test --- .../introduction/about-push-protection.md | 8 ++--- .../introduction/about-secret-scanning.md | 36 +++++++++++-------- 2 files changed, 25 insertions(+), 19 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 490a99684016..f5d332522b94 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -46,7 +46,7 @@ You can enable push protection: * **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. -* **Integration with CI/CD Pipelines**— +* **Integration with CI/CD pipelines**— Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. {% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %} 
@@ -65,9 +65,7 @@ Enabling and configuring push protection involves a few steps. For more informat {% ifversion secret-scanning-push-protection-for-users %} -Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. - -Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." +Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." {% endif %} @@ -79,7 +77,7 @@ For information about the secrets and service providers supported by push protec Once push protection is enabled, you can customize it further, if needed: -### Integration with CI/CD Pipelines +### Integration with CI/CD pipelines You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. 
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 28a4654766c7..75e636bdb9d1 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -30,19 +30,19 @@ shortTitle: Secret scanning For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. -Below is a typical workflow: +Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: -* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %}automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. +* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. -* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. +* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. -TODO: -* Review Alerts: When a secret is detected, review the alert details provided by GitHub. +* Review Alerts: When a secret is detected, you'll need to review the alert details provided. -* *Remediation: Take appropriate actions to remediate the exposure. 
This might include: +* *Remediation: You then need take appropriate actions to remediate the exposure. This might include: * Rotating the affected credential to ensure it is no longer usable. - * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or GitHub's built-in features). -* Audit and Monitor: Regularly audit and monitor your repositories to ensure no other secrets are exposed. + * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). + +* Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. {% ifversion fpt or ghec %} @@ -62,7 +62,7 @@ TODO: {% ifversion fpt or ghec %} -* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. +* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." {% endif %} 
@@ -91,17 +91,25 @@ For information about the secrets and service providers supported by {% data var Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed: +{% ifversion secret-scanning-non-provider-patterns %} + ### Detection of non-provider patterns -### eneric secret detection +{% endif %} + +{% ifversion secret-scanning-ai-generic-secret-detection %} + +### Generic secret detection + +{% endif %} -### Validity checks +### Performing validity checks {% ifversion ghec or ghes %} -### Custom patterns +### Defining custom patterns -For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: +You can define advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: * Tailored Security Detect secrets unique to your applications, APIs, or internal tools. * Increased Coverage Capture additional types of sensitive data that default patterns might miss. 
@@ -132,7 +140,7 @@ OLD {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} For more information about the repository content that is scanned, see the [beginning of this article](#about-secret-scanning). +When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. 
{% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." From dac79eeb7e15fadddc423b39cf5922a57adcf960 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 25 Jul 2024 16:56:46 +0100 Subject: [PATCH 164/282] add skeleton --- .../secret-scanning/introduction/about-secret-scanning.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 75e636bdb9d1..1af3654fd581 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -36,9 +36,9 @@ Below is a typical workflow that explains how {% data variables.product.prodname * Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. -* Review Alerts: When a secret is detected, you'll need to review the alert details provided. +* Review of alerts: When a secret is detected, you'll need to review the alert details provided. -* *Remediation: You then need take appropriate actions to remediate the exposure. This might include: +* Alert remediation: You then need take appropriate actions to remediate the exposure. This might include: * Rotating the affected credential to ensure it is no longer usable. * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). @@ -109,7 +109,8 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c ### Defining custom patterns -You can define advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: +You can scan custom patterns with {% data variables.product.prodname_secret_scanning %} +. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: * Tailored Security Detect secrets unique to your applications, APIs, or internal tools. * Increased Coverage Capture additional types of sensitive data that default patterns might miss. From 523f53267f6fe7acacdf180670cd4fc6b70c528d Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 25 Jul 2024 17:01:51 +0100
Subject: [PATCH 165/282] fix failing check
---
.../secret-scanning/introduction/about-secret-scanning.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 75e636bdb9d1..7c8440bc7ef8 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -122,7 +122,7 @@ OLD {% ifversion fpt or ghec %} {% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms: -1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see the "[About {% data variables.secret-scanning.partner_alerts %}](#about-secret-scanning-alerts-for-partners)" section below. +1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: 1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}. {% ifversion fpt %}The following users can enable and configure additional scanning: From 5c2b50dcfe1ee9cc2c7303fc83033752e2fe6e16 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:17:50 +0100 Subject: [PATCH 166/282] start work on non-provider patterns --- .../introduction/about-secret-scanning.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 81a7977a5721..81788fb1964c 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -95,16 +95,35 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c ### Detection of non-provider patterns +Non-provider patterns refer to patterns used to identify secrets that are not specific to any particular service provider. These patterns are general and can apply to a wide range of sensitive data types. Here are a few examples of non-provider patterns: + +* Generic API Keys: Identifiable by common structural attributes like specific lengths or character sets. For example, a string of 32 alphanumeric characters. +* Tokens: Generic patterns used to detect various types of tokens that might be common across different services. +* Private Keys: Patterns identifying sections of code that look like private keys, such as those used in SSH or GPG. + +For more information about + {% endif %} {% ifversion secret-scanning-ai-generic-secret-detection %} ### Generic secret detection +TODO: +or generic secrets detected using AI (such as passwords) + {% endif %} +{% ifversion secret-scanning-validity-check-partner-patterns %} + ### Performing validity checks +{% data reusables.secret-scanning.validity-check-partner-patterns-beta %} + +TODO: + +{% endif %} + {% ifversion ghec or ghes %} ### Defining custom patterns From 995561e3ad47c5b6e727eb793aa17c6e47bd87c7 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 09:13:23 +0100 Subject: [PATCH 167/282] work on advanced secret scanning features --- .../introduction/about-secret-scanning.md | 20 ++++++++++++++----- .../managing-alerts-from-secret-scanning.md | 4 +--- .../secret-scanning/validity-checks-intro.md | 3 +++ 3 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 data/reusables/secret-scanning/validity-checks-intro.md diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 81788fb1964c..5af2cc1eda1e 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -97,11 +97,13 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c Non-provider patterns refer to patterns used to identify secrets that are not specific to any particular service provider. These patterns are general and can apply to a wide range of sensitive data types. Here are a few examples of non-provider patterns: -* Generic API Keys: Identifiable by common structural attributes like specific lengths or character sets. For example, a string of 32 alphanumeric characters. +* Generic API Keys: Identifiable by common structural attributes like specific lengths or character sets (for example, a string of 32 alphanumeric characters). * Tokens: Generic patterns used to detect various types of tokens that might be common across different services. * Private Keys: Patterns identifying sections of code that look like private keys, such as those used in SSH or GPG. -For more information about +Non-provider pattern detection is not enabled by default because the feature can potentially generate a high ratio of false positives. + +For more information about non-provider pattern detection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." {% endif %} 
@@ -109,8 +111,11 @@ For more information about ### Generic secret detection -TODO: -or generic secrets detected using AI (such as passwords) +You can also enable generic secret detection to instruct {% data variables.product.prodname_secret_scanning %} to search your codebase for generic secrets. Generic secrets are unstructured secrets, such as passwords. + +{% data variables.product.prodname_secret_scanning_caps %} uses AI to detect unstructured passwords in git content and generate an alert. Alerts for passwords appear in a separated tab from regular {% data variables.product.prodname_secret_scanning %} alerts. + +For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection\about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." {% endif %} @@ -120,7 +125,11 @@ or generic secrets detected using AI (such as passwords) {% data reusables.secret-scanning.validity-check-partner-patterns-beta %} -TODO: +{% data reusables.secret-scanning.validity-checks-intro %} + +You can + +For more information, see TODO: article about validity checks. {% endif %} @@ -128,6 +137,7 @@ TODO: ### Defining custom patterns +TODO: You can scan custom patterns with {% data variables.product.prodname_secret_scanning %} . This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md index e66b2d79c5c4..c64e43a088b4 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md 
@@ -97,9 +97,7 @@ There are some additional features that can help you to evaluate alerts in order {% endif %} -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. - -By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. +{% data reusables.secret-scanning.validity-checks-intro %} {% ifversion fpt %} diff --git a/data/reusables/secret-scanning/validity-checks-intro.md b/data/reusables/secret-scanning/validity-checks-intro.md new file mode 100644 index 000000000000..506c7a0dad62 --- /dev/null +++ b/data/reusables/secret-scanning/validity-checks-intro.md @@ -0,0 +1,3 @@ +Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. + +By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. From f3655843b8ebb0c62c9490de356631de438e4427 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 10:40:54 +0100 Subject: [PATCH 168/282] more work on secret scanning article --- .../introduction/about-secret-scanning.md | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 5af2cc1eda1e..381e805acd0d 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -30,6 +30,8 @@ shortTitle: Secret scanning For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." + Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: * Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. 
@@ -119,31 +121,31 @@ For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-adva {% endif %} -{% ifversion secret-scanning-validity-check-partner-patterns %} - ### Performing validity checks {% data reusables.secret-scanning.validity-check-partner-patterns-beta %} {% data reusables.secret-scanning.validity-checks-intro %} -You can +{% ifversion secret-scanning-validity-check-partner-patterns %} -For more information, see TODO: article about validity checks. +Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for supported partner patterns in their repository, organization, or enterprise level code security settings. Wewill automatically check validation for patterns on a cadence by sending the pattern to our relevant partner provider. You can use the validation status on leaked secrets to help prioritize secrets needing remediation action. {% endif %} +For more information, see TODO: article about validity checks. + {% ifversion ghec or ghes %} ### Defining custom patterns -TODO: -You can scan custom patterns with {% data variables.product.prodname_secret_scanning %} -. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: +You can define custom patterns and ask {% data variables.product.prodname_secret_scanning %} to scan for these user-defined patterns. This is useful if you have unique types of secrets that don’t match default patterns. This tailored security feature allows for increased coverage as custom pattern detection captures additional types of sensitive data that default patterns might miss, and allows for detection of secrets unique to your applications, APIs, or internal tools. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." + +{% ifversion secret-scanning-custom-pattern-ai-generated %} -* Tailored Security Detect secrets unique to your applications, APIs, or internal tools. -* Increased Coverage Capture additional types of sensitive data that default patterns might miss. -* Prevent Data Leaks Proactively identify and mitigate risks associated with exposed proprietary secrets. +You can use AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)." + +{% endif %} {% endif %} 
@@ -164,22 +166,12 @@ OLD {% data reusables.secret-scanning.audit-secret-scanning-events %} -{% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." - ## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. 
{% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} - -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." - If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. 
For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." -{% data reusables.secret-scanning.secret-scanning-user-owned-enablement %} - -You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for a repository, organization, or enterprise. For more information, see "[AUTOTITLE]({% ifversion fpt %}/enterprise-cloud@latest{% endif %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %} - {% ifversion secret-scanning-store-tokens %} {% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} From d25d0cfcbb7bd40964e79b584cb8b39cfd5906b2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 12:57:41 +0100 Subject: [PATCH 169/282] fix link --- .../introduction/about-secret-scanning.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 381e805acd0d..8f8108cecd20 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -32,6 +32,12 @@ For private repositories, {% data variables.product.prodname_secret_scanning %} When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." +{% ifversion ghec or ghes %} +You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." +{% endif %} + +You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." + Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: * Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. 
It looks for patterns and heuristics that match known types of secrets. @@ -117,7 +123,7 @@ You can also enable generic secret detection to instruct {% data variables.produ {% data variables.product.prodname_secret_scanning_caps %} uses AI to detect unstructured passwords in git content and generate an alert. Alerts for passwords appear in a separated tab from regular {% data variables.product.prodname_secret_scanning %} alerts. -For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection\about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." +For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." {% endif %} 
@@ -175,18 +181,8 @@ If you're a repository administrator, you can enable {% data variables.secret-sc {% ifversion secret-scanning-store-tokens %} {% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} -{% ifversion ghec or ghes %} -You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." -{% endif %} - -You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." - ## Further reading * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" * "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" -{%- ifversion fpt or ghec %} -* "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)"{% endif %} -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)" -* "[AUTOTITLE](/actions/security-guides/encrypted-secrets)" From fcbcae22d8c6be67dc8d68853e74c4a82246b8c5 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 26 Jul 2024 12:31:15 +0000 Subject: [PATCH 170/282] working on conceptual info --- .../about-alerts.md | 43 ++++++++----------- 1 file changed, 17 insertions(+), 26 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 0100d00567a9..1cb2c7624bca 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -17,54 +17,45 @@ shortTitle: About alerts allowTitleToDifferFromFilename: true --- -## About different types of {% data variables.product.prodname_secret_scanning %} alerts +## About types of alerts There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.product.prodname_secret_scanning %} alerts: -* **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. -* **Push protection alerts**: When a contributor bypasses push protection to push a secret to the repository that has {% data variables.product.prodname_secret_scanning %} and push protection enabled, a push protection alert is generated and displayed in the **Security** tab of the repository.{% ifversion fpt or ghec %} -* **Partner alerts**: When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert.{% endif %} +* **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. +* **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. 
{% ifversion fpt or ghec %} +* **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} -### About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts +## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts -{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}. +When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. {% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types: * High confidence alerts, which relate to supported patterns and specified custom patterns. -* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}or AI-detected generic secrets{% endif %}. 
+* Other alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %} or AI-detected generic secrets{% endif %}. -{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." +{% data variables.product.prodname_dotcom %} displays these "other" alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." {% data reusables.secret-scanning.non-provider-patterns-beta %} {% endif %} -You can see these alerts on the **Security** tab of the repository. - {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} -If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." - -{% ifversion ghes or ghec %} -{% note %} - -**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." - -{% endnote %} -{% endif %} - -### About push protection alerts +## About push protection alerts -Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers. 
- -{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} +Push protection scans pushes from contributors for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} -{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-limitations)." +>[!NOTE] +> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, which prevents you from accidentally pushing supported secrets to _any_ public repository. Push protection alerts are _not_ created when you bypass this user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} +> +> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." 
+ +## About partner alerts -### About partner alerts +When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert. Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." From a96cfc5ba694aed335cd4ef77db2da4936747ad9 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 14:21:07 +0100 Subject: [PATCH 171/282] getting bored with this work --- .../secret-scanning/introduction/about-secret-scanning.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 8f8108cecd20..345e7ef5bcd8 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -28,7 +28,9 @@ shortTitle: Secret scanning {% data reusables.secret-scanning.what-is-scanned %} -For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. + {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} + +{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. 
{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." From eaf5934c24ed57b7a939a6b333b531d5c7b0fb50 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 14:25:26 +0100 Subject: [PATCH 172/282] first commit --- .../introduction/about-secret-scanning-for-partners.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 966201b42846..ec06e4d9b5c2 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
@@ -11,6 +11,8 @@ topics:
 shortTitle: Secret scanning for partners
 ---
 
+TODO:
+
 ## About {% data variables.secret-scanning.partner_alerts %}
 
 When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
From 464e39cda29c0ba6cda750e310a8d923dddc24e5 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 26 Jul 2024 14:53:33 +0000
Subject: [PATCH 173/282] more edits to map topic

---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 .../managing-alerts-from-secret-scanning/evaluating-alerts.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index 1cb2c7624bca..20391928f9ba 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -44,7 +44,7 @@ When {% data variables.product.company_short %} detects a supported secret in a ## About push protection alerts -Push protection scans pushes from contributors for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. +Push protection scans pushes for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. To see all push protection alerts for a repository, you must filter by `bypassed: true` on the alerts page. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts#filtering-alerts)." {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index fad8d985541c..679d66560621 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md 
@@ -1,6 +1,6 @@ --- title: Evaluating alerts from secret scanning -intro: 'You can view alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.' +intro: 'There are some additional features that can help you evaluate alerts and prioritize their remediation, such as checking the secret''s validity.' permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: @@ -22,7 +22,7 @@ allowTitleToDifferFromFilename: true There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: * Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} +* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} * Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} ## Checking a secret's validity 
From 363265f87c65554018a350ad59f02b8c80f936a0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 16:40:17 +0100
Subject: [PATCH 174/282] write new article

---
 .../about-secret-scanning-for-partners.md | 28 ++++++++-----------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index ec06e4d9b5c2..6abb34d4b08b 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning for partners
-intro: 'TODO'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when partner secrets are found in codebases. This allows partners to promtply take action to secure their systems.'
 versions:
 fpt: '*'
 ghec: '*'
@@ -11,27 +11,23 @@ topics: shortTitle: Secret scanning for partners --- -TODO: - ## About {% data variables.secret-scanning.partner_alerts %} -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. - -## About {% data variables.secret-scanning.partner_alerts %} +{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." -{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. 
+> [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. -{% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure prompt. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}. -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. +{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} -Partner alerts are not displayed on {% data variables.product.prodname_dotcom %}. Instead, partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets. +## What are the supported secrets -For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} +For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." 
-When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +## Further reading -TODO: apply scannability techniques +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" +* "[AUTOTITLE](/ccode-security/secret-scanning/introduction/supported-secret-scanning-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" +* TODO: add link to "About alerts" article From 055b1179498358cd7158ec01174a93231fea0d99 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 16:47:50 +0100 Subject: [PATCH 175/282] fix typo --- .../introduction/about-secret-scanning-for-partners.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 6abb34d4b08b..35dc111201bd 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
@@ -28,6 +28,6 @@ For information about the secrets and service providers supported by push protec ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" -* "[AUTOTITLE](/ccode-security/secret-scanning/introduction/supported-secret-scanning-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" * TODO: add link to "About alerts" article From 45833a029757880bc61fcbae061e3cab2ca1394d Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 16:59:25 +0100 Subject: [PATCH 176/282] improve --- .../introduction/about-secret-scanning-for-partners.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 35dc111201bd..ea592ecb1907 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -1,6 +1,6 @@ --- title: About secret scanning for partners -intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when partner secrets are found in codebases. This allows partners to promtply take action to secure their systems.' +intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when any of the partner secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promtply take action to secure their systems.' versions: fpt: '*' ghec: '*' 
@@ -17,7 +17,7 @@ shortTitle: Secret scanning for partners > [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. -The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure prompt. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}. +The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure promptly. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}. {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} From 4b7cf61c37960a3b86747806d2a186e44a7e5194 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 17:01:27 +0100 Subject: [PATCH 177/282] add TODO --- .../secret-scanning/introduction/about-secret-scanning.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 345e7ef5bcd8..f622344df245 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -30,6 +30,8 @@ shortTitle: Secret scanning {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} +TODO: mention alerts somewhere in this article, not necessarily here, and make the distinction between partner alerts and regular alerts. + {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. 
{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." From e45fe55e489258a6d1661a0a162b3e7a747351f6 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 17:02:06 +0100 Subject: [PATCH 178/282] add another TODO --- .../secret-scanning/introduction/about-secret-scanning.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index f622344df245..be6e5b2412a8 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -190,3 +190,4 @@ If you're a repository administrator, you can enable {% data variables.secret-sc * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" * "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" +TODO: review links From 725be04a34a61b5c531e44f75c506e1640e1f136 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 29 Jul 2024 08:43:19 +0100
Subject: [PATCH 179/282] address review comments
---
.../introduction/about-secret-scanning-for-partners.md | 4 ++--
data/reusables/secret-scanning/partner-program-link.md | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index ea592ecb1907..dc13a088856d 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -13,11 +13,11 @@ shortTitle: Secret scanning for partners ## About {% data variables.secret-scanning.partner_alerts %} -{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. {% data reusables.secret-scanning.partner-program-link %} > [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. -The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure promptly. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}. 
+The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this helps ensure that secrets are not inadvertently exposed in public or private repositories. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}. {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} diff --git a/data/reusables/secret-scanning/partner-program-link.md b/data/reusables/secret-scanning/partner-program-link.md index b91d5761706b..4d358da42e48 100644 --- a/data/reusables/secret-scanning/partner-program-link.md +++ b/data/reusables/secret-scanning/partner-program-link.md @@ -1,5 +1,5 @@ {% ifversion fpt or ghec %} -To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partner-program)." +To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." {% else %} -To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation. {% endif %} From 97fb82ebd6a95e8e14702e32f2ef02e5f1283013 Mon Sep 17 00:00:00 2001 
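Review bot: The rewritten sentence beginning `The reason partner alerts are directly sent` still says this keeps secrets from being exposed "in public or private repositories", while the first paragraph of the same hunk says partner scanning covers public repositories and public npm packages only. A reader could take this to mean that secrets found in private repositories are also reported to providers, so the scope should match the paragraph above, for example `Partner alerts are sent directly to the secret provider so that it can act quickly on a secret found in a public repository or public npm package.` The "The reason … is because" construction can be dropped in the same edit.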
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Mon, 29 Jul 2024 08:47:35 +0100 Subject: [PATCH 180/282] Update content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../introduction/about-secret-scanning-for-partners.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index ea592ecb1907..1945861321c3 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -1,6 +1,6 @@ --- title: About secret scanning for partners -intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when any of the partner secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promtply take action to secure their systems.' +intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner's secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.' versions: fpt: '*' ghec: '*' From 85caff80c54fe408f61d423183962a64ec9e0d80 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 29 Jul 2024 08:51:37 +0100 Subject: [PATCH 181/282] fix frontmatter issue --- .../introduction/about-secret-scanning-for-partners.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index fcaa95687ca0..10fbdb9873d6 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -1,6 +1,6 @@ --- title: About secret scanning for partners -intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner's secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.' +intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner''s secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.' versions: fpt: '*' ghec: '*' From 074e8b58386e72351cbf05b69d010e721b022406 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 08:40:48 +0100 Subject: [PATCH 182/282] fix stupid error --- .../introduction/about-secret-scanning.md | 63 ++++++++++--------- 1 file changed, 32 insertions(+), 31 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index be6e5b2412a8..4cb4a7161a38 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -24,23 +24,25 @@ shortTitle: Secret scanning {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. -{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} +{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} -{% data reusables.secret-scanning.what-is-scanned %} +{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} - {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} 
is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} +{% data reusables.secret-scanning.what-is-scanned %} -TODO: mention alerts somewhere in this article, not necessarily here, and make the distinction between partner alerts and regular alerts. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on {% data variables.product.prodname_dotcom_the_website %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. -{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. +{% ifversion fpt or ghec %} Additionally, we automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages. 
This is a partnership program that Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning{% endif %}{% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." +You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." {% ifversion ghec or ghes %} -You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." 
+You can also use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." {% endif %} -You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." +{% data reusables.secret-scanning.audit-secret-scanning-events %} + +## How {% data variables.product.prodname_secret_scanning %} works Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: @@ -51,8 +53,8 @@ Below is a typical workflow that explains how {% data variables.product.prodname * Review of alerts: When a secret is detected, you'll need to review the alert details provided. * Alert remediation: You then need take appropriate actions to remediate the exposure. This might include: - * Rotating the affected credential to ensure it is no longer usable. - * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). + *Rotating the affected credential to ensure it is no longer usable. + *Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). * Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. 
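Review bot: In the added paragraph starting `{% ifversion fpt or ghec %} Additionally,` the `{% endif %}` closes before the sentence's full stop, so the partner-program reusable and the sentence about matches being reported directly to the partner sit outside the condition and would presumably render on other versions without the text that introduces partner scanning. Moving `{% endif %}` to the end of the paragraph keeps the whole explanation under one condition. The middle sentence also needs rewording, for example `Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning.`, and `For more information, see TODO: link to Managing alerts.` is still a placeholder in reader-facing text.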
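Review bot: The two re-added sub-items `*Rotating the affected credential …` and `*Removing the secret from the repository's history …` have no space after the asterisk, so Markdown will not treat them as list items and they will run into the "Alert remediation" bullet. The same pattern appears in the `@@ -88,16 +90,27 @@` hunk of this commit (`*Owners of repositories …`, `*Organizations owning …`, `*Organizations using …`). The marker should be followed by a space, as in `* Rotating the affected credential to ensure it is no longer usable.`; the nesting indentation is not visible in this view and should be checked as well.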
@@ -88,16 +90,27 @@ Below is a typical workflow that explains how {% data variables.product.prodname * **Remediation guidance**—Along with alerts, we provide remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials. +## What are the supported secrets + +For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + ## Enabling {% data variables.product.prodname_secret_scanning %} +{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. + {% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}. For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}. -For more information, see TODO: - link to enabling article. 
+{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -## What are the supported secrets +If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." -For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." 
+{% ifversion fpt %}The following users can enable and configure additional scanning: + *Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own. + *Organizations owning _public_ repositories, on any of these repositories. + *Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %} + +For more information, see TODO: - link to enabling article. ## Customizing {% data variables.product.prodname_secret_scanning %} 
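Review bot: The availability paragraph beginning `{% data variables.secret-scanning.user_alerts_caps %} is available` is added twice in the "Enabling" section, once directly under the heading and again where `For more information, see TODO: - link to enabling article.` was removed. One copy should go, otherwise the licensing conditions are stated twice and can drift apart in later edits. The hunk also re-adds the `For more information, see TODO: - link to enabling article.` placeholder at the end of the section, which should be replaced by the real link before this is published.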
@@ -162,32 +175,20 @@ You can use AI to generate regular expressions that will capture all your custom OLD {% ifversion fpt or ghec %} -{% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms: -1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: +1. **{% data variables.secret-scanning.partner_alerts_caps %}** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: -1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}. - {% ifversion fpt %}The following users can enable and configure additional scanning: - * Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own. - * Organizations owning _public_ repositories, on any of these repositories. 
- * Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %} - - Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %} - -{% data reusables.secret-scanning.audit-secret-scanning-events %} +Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. 
For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %} -## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} - -{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} - -If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." 
+About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} {% ifversion secret-scanning-store-tokens %} {% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} ## Further reading +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection) +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection) +* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" -* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" -TODO: review links From ce5ac0daacbb2562a2486629f0d7f943477f366a Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 30 Jul 2024 10:56:39 +0000 Subject: [PATCH 183/282] more edits --- ...ing-push-protection-for-your-repository.md | 26 +++++++++++++++++-- ...ing-secret-scanning-for-your-repository.md | 7 +++-- .../code-security/secret-scanning/index.md | 1 + .../secret-scanning-custom-link-on-block.yml | 2 +- 4 files changed, 29 insertions(+), 7 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md index cd48da8e7faf..312c4f74a032 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md 
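Review bot: The first two entries added under "Further reading" are missing their closing quotation mark: `* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)` and the `working-with-secret-scanning-and-push-protection` entry. Both should end with `)"` like the other entries in the list. In the same hunk the `## About …` heading for user alerts is replaced by a plain-text line with the same words, which leaves the paragraph about how detected secrets are stored without a heading; if that section is meant to be dropped, the stray line should go too.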
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md 
@@ -19,12 +19,34 @@ redirect_from: ## About enabling push protection -TODO +To enable push protection for a repository, you must first enable {% data variables.product.prodname_secret_scanning %}. You can then enable push protection in the repository's "Code security and analysis" settings page following the steps outlined in this article. -## Enabling push protection +{% ifversion secret-scanning-push-protection-for-users %} + +You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on [GitHub]. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." + +{% endif %} + +If you're an organization owner, you can enable push protection for multiple repositories at a time{% ifversion security-configurations-ga %} using a security configuration{% endif %}. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization){% endif %}." + +Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. + +{% ifversion secret-scanning-enterprise-level %} + +>[!NOTE] +> If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. 
For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." + +{% endif %} + +## Enabling push protection for a repository {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-code-security-and-analysis %} {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} + +## Further reading + +* "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)" +* "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 4627dd805fb0..56c4c04cf1bc 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md 
@@ -18,14 +18,13 @@ topics: You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see "[AUTOTITLE](/code-security/getting-started/securing-your-organization)." +You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/getting-started/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." {% ifversion secret-scanning-enterprise-level %} -{% note %} -**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." 
+>[!NOTE] +> If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." -{% endnote %} {% endif %} A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index ca46b445c528..2a0fe5813b15 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -16,6 +16,7 @@ topics: - Repositories children: - /introduction + - /enabling-secret-scanning-features - /about-secret-scanning - /configuring-secret-scanning-for-your-repositories - /managing-alerts-from-secret-scanning diff --git a/data/features/secret-scanning-custom-link-on-block.yml b/data/features/secret-scanning-custom-link-on-block.yml index 7f0a595d72e1..323d4f94967b 100644 --- a/data/features/secret-scanning-custom-link-on-block.yml +++ b/data/features/secret-scanning-custom-link-on-block.yml @@ -1,5 +1,5 @@ # Reference: #8384. -# Documentation for secret scanning: custom link on block. +# Documentation for secret scanning: on block. versions: ghec: '*' ghes: '>=3.8' From 141b78276bd801ec2deea4c44e99298c094ddd1a Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 12:15:16 +0100 Subject: [PATCH 184/282] fix failing check --- .../introduction/supported-secret-scanning-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
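Review bot: The rewritten comment in data/features/secret-scanning-custom-link-on-block.yml now reads `# Documentation for secret scanning: on block.`, which no longer names the feature this flag file describes. The file name still says custom-link-on-block and nothing else in the hunk changes, so dropping "custom link" looks like an unintended side effect of the surrounding docs edits rather than a deliberate rename. I would restore `# Documentation for secret scanning: custom link on block.` so the description keeps matching the flag name and the `ghec`/`ghes` version gating below it.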
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index cfca6c8282a9..9f280300e1e0 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -60,7 +60,7 @@ Partner alerts are alerts that are sent to the secret providers whenever a secre {% endif %} -You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %} +You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see TODO: About secret scanning alerts for users{% endif %} {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} From 406706c8f6b3fa49536c42f7d7d93f3675e9b3e2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 12:26:32 +0100 Subject: [PATCH 185/282] fix failing check --- .../secret-scanning/introduction/about-secret-scanning.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 4cb4a7161a38..3c0e3fe5e35c 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -146,8 +146,6 @@ For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-adva ### Performing validity checks -{% data reusables.secret-scanning.validity-check-partner-patterns-beta %} - {% data reusables.secret-scanning.validity-checks-intro %} {% ifversion secret-scanning-validity-check-partner-patterns %} @@ -178,7 +176,7 @@ OLD 1. **{% data variables.secret-scanning.partner_alerts_caps %}** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: -Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %} +Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see TODO: the About secret scanning for users section below.{% endif %} About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} From bb246e681d8b6890c0973e206ff5f4b2fd9fe676 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 30 Jul 2024 11:29:40 +0000
Subject: [PATCH 186/282] more edits
---
.../enabling-secret-scanning-for-your-repository.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
index 56c4c04cf1bc..5fafa7358dfe 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -18,7 +18,7 @@ topics: You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/getting-started/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." +You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." {% ifversion secret-scanning-enterprise-level %} From 9d383d7348e0b792fe25570ee9c51e61639fb154 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 30 Jul 2024 11:48:08 +0000 Subject: [PATCH 187/282] more edits --- .../enabling-push-protection-for-your-repository.md | 3 +-- .../enabling-secret-scanning-for-your-repository.md | 9 ++++----- .../enabling-validity-checks-for-your-repository.md | 2 +- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md index 312c4f74a032..c829b5e6286d 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md @@ -33,8 +33,7 @@ Organization owners, security managers, and repository administrators can also e {% ifversion secret-scanning-enterprise-level %} ->[!NOTE] -> If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." {% endif %} 
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 5fafa7358dfe..9a3a2971928e 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -1,7 +1,7 @@ --- title: Enabling secret scanning for your repository shortTitle: Enable secret scanning -intro: '{% data variables.product.prodname_secret_scanning %} scans your repositories for leaked secrets and generates alerts.' +intro: '{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for leaked secrets and generates alerts.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' 
@@ -16,14 +16,13 @@ topics: ## About enabling {% data variables.secret-scanning.user_alerts %} -You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} +You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." +If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at the same time{% ifversion security-configurations-ga %} using a security configuration{% endif %}. 
For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." {% ifversion secret-scanning-enterprise-level %} ->[!NOTE] -> If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." {% endif %} diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index 913d275990e2..3f4c5375dbff 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md 
@@ -23,7 +23,7 @@ You can also filter by validation status on the alerts page, to help you priorit > [!NOTE] > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. -For more information on using validity checks, see "[AUTOTITLE](/TODO)." +For more information on using validity checks, see "TODO." ## Enabling validity checks From a8ef9d9c6df186433223c87f5bafeafcf1d6bb96 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 12:50:29 +0100 Subject: [PATCH 188/282] more work on partner patterns --- .../introduction/about-secret-scanning.md | 20 +++++++------------ 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 3c0e3fe5e35c..a10ca5004607 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -24,15 +24,15 @@ shortTitle: Secret scanning {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. -{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} - -{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} +{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} {% data 
reusables.secret-scanning.what-is-scanned %} -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on {% data variables.product.prodname_dotcom_the_website %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories in {% data variables.product.prodname_dotcom_the_website %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. + +{% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %} -{% ifversion fpt or ghec %} Additionally, we automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages. This is a partnership program that Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning{% endif %}{% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. +Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. 
For more information, see TODO: link to about secret scanning for partner alerts.{% endif %} You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." @@ -53,8 +53,8 @@ Below is a typical workflow that explains how {% data variables.product.prodname * Review of alerts: When a secret is detected, you'll need to review the alert details provided. * Alert remediation: You then need take appropriate actions to remediate the exposure. This might include: - *Rotating the affected credential to ensure it is no longer usable. - *Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). + * Rotating the affected credential to ensure it is no longer usable. + * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). * Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. 
@@ -172,12 +172,6 @@ You can use AI to generate regular expressions that will capture all your custom OLD -{% ifversion fpt or ghec %} - -1. **{% data variables.secret-scanning.partner_alerts_caps %}** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: - -Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see TODO: the About secret scanning for users section below.{% endif %} - About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} {% ifversion secret-scanning-store-tokens %} From e1a66f145410b05a598ac74aa9364257aaeb0f9f Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 14:23:48 +0100 Subject: [PATCH 189/282] more work on secret scanning conceptual article --- .../introduction/about-secret-scanning.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index a10ca5004607..cfabf3fa7330 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -28,7 +28,7 @@ shortTitle: Secret scanning {% data reusables.secret-scanning.what-is-scanned %} -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories in {% data variables.product.prodname_dotcom_the_website %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %} 
@@ -46,21 +46,21 @@ You can also use security overview to see an organization-level view of which re Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: -* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. +* **Detection of secrets**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. -* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. +* **Alerts and notifications**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. -* Review of alerts: When a secret is detected, you'll need to review the alert details provided. +* **Review of alerts**: When a secret is detected, you'll need to review the alert details provided. -* Alert remediation: You then need take appropriate actions to remediate the exposure. This might include: +* **Alert remediation**: You then need take appropriate actions to remediate the exposure. 
This might include: * Rotating the affected credential to ensure it is no longer usable. * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). -* Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. +* **Audit and monitor**: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. {% ifversion fpt or ghec %} -* Integration with partners: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +* **Integration with partners**: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." {% endif %} 
@@ -96,6 +96,8 @@ For information about the secrets and service providers supported by {% data var ## Enabling {% data variables.product.prodname_secret_scanning %} +TODO: PLEASE DO NOT REVIEW THIS SECTION AS I WANT TO MAKE IT CONCISE AND SEE WHAT IS IN THE ENABLING ARTICLE(S) + {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}. From 5694af7a208d18441f590d046754d8ccfc65fd62 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:28:12 +0000 Subject: [PATCH 190/282] add redirects, delete old article --- ...g-secret-scanning-for-your-repositories.md | 131 ------------------ ...ing-secret-scanning-for-your-repository.md | 4 + 2 files changed, 4 insertions(+), 131 deletions(-) delete mode 100644 content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md deleted file mode 100644 index 642b570f40b2..000000000000 
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ /dev/null
@@ -1,131 +0,0 @@ ---- -title: Configuring secret scanning for your repositories -intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans your repositories for leaked secrets and generates alerts.' -product: '{% data reusables.gated-features.secret-scanning %}' -permissions: 'People with admin permissions to a {% ifversion fpt %}public {% endif %}repository can enable {% data variables.product.prodname_secret_scanning %} for the repository.' -redirect_from: - - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories - - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories - - /code-security/secret-security/configuring-secret-scanning-for-your-repositories -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Repositories -shortTitle: Configure secret scans ---- - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - -## Enabling {% data variables.secret-scanning.user_alerts %} - -You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} - -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. 
For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization)."{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)."{% endif %} - -{% ifversion secret-scanning-enterprise-level %} -{% note %} - -**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." - -{% endnote %} -{% endif %} - -A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes %} -1. If {% data variables.product.prodname_advanced_security %} is not already enabled for the repository, to the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**. -1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**. -1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. 
If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled. - - ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %} -1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository. - - ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %} - -## Enabling additional features for {% data variables.secret-scanning.user_alerts %} - -You can enable the following additional {% data variables.product.prodname_secret_scanning %} feature{% ifversion ghec or ghes %}s{% endif %} through your repository's "Code security and analysis" settings: -* **Push protection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* **Validity checks for partner patterns**. For more infomation, see "[Enabling validity checks for partner patterns](#enabling-validity-checks-for-partner-patterns)."{% endif %}{% ifversion secret-scanning-non-provider-patterns %} -* **Scanning for non-provider patterns**. 
For more information, see "[Enabling scanning for non-provider patterns](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%} -* **AI-powered generic secret detection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection)."{% endif %}{% ifversion secret-scanning-push-protection-custom-patterns %} -* **Scanning for custom patterns**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Enabling validity checks for partner patterns - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)." - -{% note %} - -**Note:** When you enable automatic validity checks for a repository, you also allow on-demand validity checks to be performed for patterns detected in that repository. - -{% endnote %} - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.secret-scanning.validity-check-auto-enable %} - -You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." 
Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." - -{% endif %} - -{% ifversion secret-scanning-non-provider-patterns %} - -### Enabling scanning for non-provider patterns - -{% data reusables.secret-scanning.non-provider-patterns-beta %} - -You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". - -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." 
- -{% endif %} - -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories - -You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. -{% note %} - -**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". - -{% endnote %} - -{% data reusables.user-settings.access_settings %} -{% data reusables.user-settings.security-analysis %} -1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. -{% data reusables.secret-scanning.push-protection-optional-enable %} - -{% endif %} - -## Excluding directories from {% data variables.secret-scanning.user_alerts %} - -You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)." - -You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." - -{% ifversion not fpt %} - -## Further reading - -* "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)" -* "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)" -{% endif %} diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 9a3a2971928e..85b6dd795b79 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -12,6 +12,10 @@ topics: - Secret scanning - Advanced Security - Alerts +redirect_from: + - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories + - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories + - /code-security/secret-security/configuring-secret-scanning-for-your-repositories --- ## About enabling {% data variables.secret-scanning.user_alerts %} From 8ea8bfa01e77815f605a735ef249e6417db551c3 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 31 Jul 2024 11:20:30 +0000 Subject: [PATCH 191/282] removing deleted article from index frontmatter --- content/code-security/secret-scanning/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 2a0fe5813b15..f08832bf03a3 100644 --- a/content/code-security/secret-scanning/index.md 
+++ b/content/code-security/secret-scanning/index.md
@@ -18,7 +18,6 @@ children:
 - /introduction
 - /enabling-secret-scanning-features
 - /about-secret-scanning
- - /configuring-secret-scanning-for-your-repositories
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
 - /push-protection-for-repositories-and-organizations
From 825a24533ab07a6d9f80f20ae93faac810e79f72 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 31 Jul 2024 12:09:23 +0000
Subject: [PATCH 192/282] fix redirect duplication
---
 .../enabling-secret-scanning-for-your-repository.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
index 85b6dd795b79..8d16cdf243aa 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -15,7 +15,6 @@ topics:
 redirect_from:
 - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
 - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
- - /code-security/secret-security/configuring-secret-scanning-for-your-repositories
 ---

 ## About enabling {% data variables.secret-scanning.user_alerts %}
From 9e9497f5801da5191ad3023b5912531895d2e117 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 31 Jul 2024 12:27:08 +0000
Subject: [PATCH 193/282] run script to fix test
---
 data/learning-tracks/code-security.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index eaf1d1d53015..db3a1ed979a2 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -113,8 +113,7 @@ secret_scanning:
 passwords, and other secrets to your repository.
 guides:
 - /code-security/secret-scanning/about-secret-scanning
- - >-
- /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
+ - /code-security/secret-scanning/enabling-secret-scanning-features
 - >-
 /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning
 - >-
@@ -129,7 +128,8 @@ secret_scanning:
 endif %}
 - >-
 {% ifversion secret-scanning-push-protection-for-users
- %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users{% endif %}
+ %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users{%
+ endif %}
 - >-
 {% ifversion secret-scanning-push-protection
 %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line{%
@@ -138,7 +138,8 @@ secret_scanning:
 {% ifversion secret-scanning-push-protection
 %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui{%
 endif %}
- - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning
+ - >-
+ /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning
 security_alerts:
 title: Explore and manage security alerts
 description: Learn where to find and resolve security alerts.
From 9d9c0d96d7e277729c561269b82f7745ad8700a6 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 31 Jul 2024 13:49:49 +0000
Subject: [PATCH 194/282] trying to fix redirect errors
---
 .../enabling-push-protection-for-your-repository.md | 3 ---
 .../enabling-secret-scanning-for-your-repository.md | 3 ---
 .../secret-scanning/enabling-secret-scanning-features/index.md | 2 ++
 3 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index c829b5e6286d..efbd2647c506 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -12,9 +12,6 @@ topics:
 - Secret scanning
 - Advanced Security
 - Alerts
-redirect_from:
- - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
- - /code-security/secret-scanning/protecting-pushes-with-secret-scanning
 ---

 ## About enabling push protection
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
index 8d16cdf243aa..9a3a2971928e 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -12,9 +12,6 @@ topics:
 - Secret scanning
 - Advanced Security
 - Alerts
-redirect_from:
- - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
- - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
 ---

 ## About enabling {% data variables.secret-scanning.user_alerts %}
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index 203755a35bcc..d55126629f30 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -17,6 +17,8 @@ children:
 - /enabling-push-protection-for-your-repository
 - /enabling-validity-checks-for-your-repository
 redirect_from:
+ - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
+ - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
 - /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
 - /code-security/secret-scanning/push-protection-for-repositories-and-organizations
 ---
From 7ca9a7b602c71c459c634b139dea66c1f4057b3a Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 31 Jul 2024 13:58:08 +0000
Subject: [PATCH 195/282] removing redirect to try and fix failing test
---
 .../secret-scanning/enabling-secret-scanning-features/index.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index d55126629f30..f296220c5eb8 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -20,5 +20,4 @@ redirect_from:
 - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
 - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
 - /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
- - /code-security/secret-scanning/push-protection-for-repositories-and-organizations
 ---
From 3ef11bb923aecf05141cc337a055759512fc4994 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 08:17:42 +0100
Subject: [PATCH 196/282] linter errors
---
 content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md b/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md
index 18d74fc9c944..10a885f05a9b 100644
--- a/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md
+++ b/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md
@@ -23,7 +23,7 @@ These {% data variables.product.prodname_oauth_apps %} are :
 * GitHub Codespaces for JetBrains
 * GitHub Desktop
 * GitHub Education
-* github-importer-production
+* Github-importer-production
 * GitHub iOS
 * GitHub Support
 * JetBrains IDE Integration
From dd36012633c037966b4bbfd3e3ad4294d4677848 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 07:42:33 +0000
Subject: [PATCH 197/282] delete old article
---
 .../managing-alerts-from-secret-scanning.md | 230 ------------------
 1 file changed, 230 deletions(-)
 delete mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
deleted file mode 100644
index 4520fef86cb0..000000000000
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
+++ /dev/null
@@ -1,230 +0,0 @@ ---- -title: Managing alerts from secret scanning -intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view and dismiss secret scanning alerts for the repository.' -product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /github/administering-a-repository/managing-alerts-from-secret-scanning - - /code-security/secret-security/managing-alerts-from-secret-scanning -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Manage secret alerts ---- -## About the {% data variables.product.prodname_secret_scanning %} alerts page - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} - -{% ifversion secret-scanning-non-provider-patterns %} -To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists: -* **High confidence** alerts. -* **Other** alerts. - -![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png) - -### High confidence alerts list - -The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page. - -### Other alerts list - -The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives. 
- -In addition, alerts that fall into this category: -* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts). -* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. -* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. - -For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." - -{% endif %} - -## Viewing alerts - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %} -1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %} -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. 
- {% ifversion secret-scanning-user-owned-repos %} - - > [!NOTE] - > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} - - {% endif %} - -## Filtering alerts - -You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar. - -|Qualifier|Description| -|---------|-----------| -|`is:open`|Displays open alerts.| -|`is:closed`|Displays closed alerts.| -| {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| -| {% endif %} | -|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."| -|`validity:inactive`| Displays alerts for secrets that are no longer active.| -|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| -| {% ifversion secret-scanning-non-provider-patterns %} | -|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. 
For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| -| {% endif %} | - -## Evaluating alerts - -There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: - -* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} -* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} - -### Checking a secret's validity - -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. 
An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. - -By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. - -{% ifversion fpt %} - -Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation. - -{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. - -{% data variables.product.company_short %} displays the validation status of the secret in the alert view. 
- -{% endif %} - -{% data reusables.secret-scanning.validity-check-table %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." - -{% endif %} - -You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)." - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Performing an on-demand validity check - -Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view. - -![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. 
A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png) - -{% endif %} - -{% ifversion secret-scanning-github-token-metadata %} - -### Reviewing {% data variables.product.company_short %} token metadata - -> [!NOTE] -> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change. - -In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take. - -Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies). - - ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png) - - Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. 
The following metadata is available for active {% data variables.product.company_short %} tokens: - -|Metadata|Description| -|-------------------------|--------------------------------------------------------------------------------| -|Secret name| The name given to the {% data variables.product.company_short %} token by its creator| -|Secret owner| The {% data variables.product.company_short %} handle of the token's owner| -|Created on| Date the token was created| -|Expired on| Date the token expired| -|Last used on| Date the token was last used| -|Access| Whether the token has organization access| - -{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %} - -{% endif %} - -## Fixing alerts - -Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets: - -* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." -{%- ifversion token-audit-log %} - * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. 
For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)." -{%- endif %} -* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret. - -{% ifversion fpt or ghec %} - -> [!NOTE] -> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -{% endif %} - -## Closing alerts - -> [!NOTE] ->{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. -1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert. - - ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png) - -1. Optionally, in the "Comment" field, add a dismissal comment. 
The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation. -1. Click **Close alert**. - -## Configuring notifications for {% data variables.secret-scanning.alerts %} - -Notifications are different for incremental scans and historical scans. - -### Incremental scans - -{% data reusables.secret-scanning.secret-scanning-configure-notifications %} - -{% data reusables.repositories.navigate-to-repo %} -1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**. - - ![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png) - -1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**. -1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications). -1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown. -1. Select "Email" as a notification option, then click **Save**. - - ![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. 
A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png) - -{% data reusables.notifications.watch-settings %} - -### Historical scans - -For historical scans, {% data variables.product.product_name %} notifies the following users: - -* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found. -* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences. - -We do _not_ notify commit authors. - -{% data reusables.notifications.watch-settings %} - -## Auditing responses to secret scanning alerts - -{% data reusables.secret-scanning.audit-secret-scanning-events %}
From f75e710aba252b1a61b5b42b122c9d0bfd032fc9 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 08:00:24 +0000
Subject: [PATCH 198/282] removing leftover beta note
---
 .../evaluating-alerts.md | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index 679d66560621..6849593be118 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -27,15 +27,9 @@ There are some additional features that can help you to evaluate alerts in order
 ## Checking a secret's validity
-{% ifversion secret-scanning-validity-check-partner-patterns %}
-
-{% data reusables.secret-scanning.validity-check-partner-patterns-beta %}
-
-{% endif %}
-
 Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
-By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view.
+By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validation status of the token in the alert view.
 {% ifversion fpt %}
From 59b5347151e6cd2316ab92fa5b30acced38f0f7b Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 10:52:02 +0100
Subject: [PATCH 199/282] Update content/code-security/secret-scanning/introduction/about-secret-scanning.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../secret-scanning/introduction/about-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index cfabf3fa7330..1575cdc754a9 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -28,7 +28,7 @@ shortTitle: Secret scanning
 {% data reusables.secret-scanning.what-is-scanned %}
-When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts.
+When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see TODO: link to Managing alerts.
 {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %}
From 0f5daa397fa98b54713c549cb6ce54783ae349ed Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 11:03:51 +0100
Subject: [PATCH 200/282] start addressing comments
---
 .../introduction/about-secret-scanning.md | 35 +++++--------------
 1 file changed, 8 insertions(+), 27 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 1575cdc754a9..9700f6fcd2a6 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -20,7 +20,7 @@ topics:
 shortTitle: Secret scanning
 ---
-## What is {% data variables.product.prodname_secret_scanning %}
+## About {% data variables.product.prodname_secret_scanning %}
 {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection.
@@ -46,17 +46,17 @@ You can also use security overview to see an organization-level view of which re
 Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works:
-* **Detection of secrets**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
+* **Detection**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
-* **Alerts and notifications**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article.
+* **Alerts**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article.
-* **Review of alerts**: When a secret is detected, you'll need to review the alert details provided.
+* **Review**: When a secret is detected, you'll need to review the alert details provided.
-* **Alert remediation**: You then need take appropriate actions to remediate the exposure. This might include:
+* **Remediation**: You then need take appropriate actions to remediate the exposure. This might include:
 * Rotating the affected credential to ensure it is no longer usable.
 * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features).
-* **Audit and monitor**: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
+* **Monitoring**: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
 {% ifversion fpt or ghec %}
@@ -64,7 +64,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 {% endif %}
-## What are the benefits of {% data variables.product.prodname_secret_scanning %}
+## Benefits of using {% data variables.product.prodname_secret_scanning %}
 * **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
@@ -94,26 +94,6 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-## Enabling {% data variables.product.prodname_secret_scanning %}
-
-TODO: PLEASE DO NOT REVIEW THIS SECTION AS I WANT TO MAKE IT CONCISE AND SEE WHAT IS IN THE ENABLING ARTICLE(S)
-
-{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}.
-
-{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}.
-For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}.
-
-{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %}
-
-If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
-
-{% ifversion fpt %}The following users can enable and configure additional scanning:
- *Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own.
- *Organizations owning _public_ repositories, on any of these repositories.
- *Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %}
-
-For more information, see TODO: - link to enabling article.
-
 ## Customizing {% data variables.product.prodname_secret_scanning %}
 Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed:
@@ -181,6 +161,7 @@ About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {%
 ## Further reading
+* TODO: link to enabling secret scanning article
 * "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)
 * "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)
 * "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)"
From 738f2fbd078ecc7febaa3137dc4088e5f1bd8643 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 11:24:45 +0100
Subject: [PATCH 201/282] address more comments
---
 .../introduction/about-secret-scanning.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 9700f6fcd2a6..dd01f4011246 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -64,7 +64,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 {% endif %}
-## Benefits of using {% data variables.product.prodname_secret_scanning %}
+## Benefits of {% data variables.product.prodname_secret_scanning %}
 * **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
@@ -72,8 +72,6 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 * **Real-time alerts**—When a secret is detected, {% data variables.product.prodname_secret_scanning %} provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions.
-* **Historical scanning**—{% data variables.product.prodname_secret_scanning_caps %} can be configured to scan the entire commit history of your repository. This retrospective analysis helps in identifying and mitigating risks from previously committed secrets that may have gone unnoticed.
-
 {% ifversion fpt or ghec %}
 * **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
@@ -82,13 +80,15 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 {% ifversion ghec or ghes %}
-* **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
+* **Custom pattern support**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
 {% endif %}
-* **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team.
+{% ifversion secret-scanning-non-provider-patterns %}
+
+* **Ability to detect non-provider patterns**—You can expand the detection to include non-provider patterns such as connection strings, authentication headers, and private keys, for your repository or organization.
-* **Remediation guidance**—Along with alerts, we provide remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials.
+{% endif %}
 ## What are the supported secrets
From d7930cab792c598908d497007442bddfdfe8fbad Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:00:38 +0100
Subject: [PATCH 202/282] Update content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../secret-scanning/introduction/about-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index f5d332522b94..a93bd79a56f2 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -21,7 +21,7 @@ shortTitle: Push protection ## What is push protection -Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %} , which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected. +Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %}, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected. Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. From 7ef9bed381b0e4ec40d5102aa7bbbc821495c4f7 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 1 Aug 2024 12:04:36 +0100 Subject: [PATCH 203/282] Update content/code-security/secret-scanning/introduction/about-push-protection.md Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> --- .../secret-scanning/introduction/about-push-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index a93bd79a56f2..bd9c5b8f7e9f 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -31,8 +31,8 @@ Once enabled, if push protection detects a potential secret during a push attemp You can enable push protection: -* At repository/organization level, if you are a repository administrator or an organization owner. This type of push protection is referred to as "push protection". -* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". +* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection. +* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts. {% endif %} From 5e9045db7a4e5bd34e637df6c017b5e5f98aa954 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:05:11 +0100
Subject: [PATCH 204/282] Update content/code-security/secret-scanning/introduction/about-push-protection.md

Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../secret-scanning/introduction/about-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index bd9c5b8f7e9f..6cf2f9b279c9 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -25,7 +25,7 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. -Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available: +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available. {% ifversion secret-scanning-push-protection-for-users %} From 2640efb09e53d7826828058def2b31b2edbe7bc8 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 1 Aug 2024 12:06:02 +0100 Subject: [PATCH 205/282] Update content/code-security/secret-scanning/introduction/about-push-protection.md Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> --- .../secret-scanning/introduction/about-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 6cf2f9b279c9..f4b810f2e711 100644 
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -38,7 +38,7 @@ You can enable push protection: ## What are the benefits of push protection -* **Proactive security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository. +* **Preventative security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository. * **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. From 804e280359bcf6b5adc6ffee71cf14e5ab09a996 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 1 Aug 2024 12:08:33 +0100 Subject: [PATCH 206/282] what a mess --- .../secret-scanning/introduction/about-push-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index f4b810f2e711..4eb154eee410 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -19,19 +19,19 @@ topics: shortTitle: Push protection --- -## What is push protection +## About push protection Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %}, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected. Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. -Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available. +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available. {% ifversion secret-scanning-push-protection-for-users %} You can enable push protection: -* At repository/organization level, if you are a repository administrator or an organization owner. 
You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection. +* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection. * For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts. {% endif %} From 4cb9c8d8b52e36dd44debcdaea0b7c43c8bc33ce Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 1 Aug 2024 12:22:01 +0100 Subject: [PATCH 207/282] addressed more comments --- .../introduction/about-push-protection.md | 35 +++++++------------ 1 file changed, 12 insertions(+), 23 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 4eb154eee410..2bcae813612c 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -1,6 +1,6 @@
 ---
 title: About push protection
-intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
+intro: 'Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 fpt: '*'
@@ -25,43 +25,31 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. -Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available. +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as {% ifversion push-protection-delegated-bypass %}delegated bypass and {% endif %}the use of custom patterns are available. {% ifversion secret-scanning-push-protection-for-users %} You can enable push protection: * At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection. -* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts. - +* For your account on {% data variables.product.prodname_dotcom %}, as a user. 
This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated. {% endif %} -## What are the benefits of push protection - -* **Preventative security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository. - -* **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. - -* **Reduced risk of data leaks**—By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. - -* **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. - -* **Integration with CI/CD pipelines**— -Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. +## About the benefits of push protection -{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. 
This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %} +* **Preventative security**: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository. -{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**—For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %} +* **Immediate feedback**: Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. -* **Audit and monitoring**—Push protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability. +* **Reduced risk of data leaks**: By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. -* **Collaboration and education**—By frequently reminding developers of secure coding practices, push protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility. +* **Efficient secret management**: Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. 
-## Configuring push protection +* **Integration with CI/CD pipelines**: Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. -To use push protection, you need to have administrative access to the repository or organization you want to configure. Also, your repository or organization should be hosted on {% data variables.product.prodname_dotcom %}. +{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**: Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %} -Enabling and configuring push protection involves a few steps. For more information, see TODO: - link to enabling article. +{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**: For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %} {% ifversion secret-scanning-push-protection-for-users %} 
@@ -109,6 +97,7 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co ## Further reading +* TODO: add link to enabling push protection article * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %} From e876e65aaa7fce02d8301fa07fd1642bab687b4f Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 1 Aug 2024 12:23:55 +0100 Subject: [PATCH 208/282] follow content model --- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index dd01f4011246..4d3f9adeb6a0 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -64,7 +64,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname {% endif %} -## Benefits of {% data variables.product.prodname_secret_scanning %} +## About the benefits of {% data variables.product.prodname_secret_scanning %} * **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors. From 79a6261ac462aba69e7c8088e1e04e058d1f18d8 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 1 Aug 2024 11:43:03 +0000 Subject: [PATCH 209/282] final edits --- .../about-alerts.md | 10 ++++++---- .../evaluating-alerts.md | 6 +++++- .../monitoring-alerts.md | 2 +- .../resolving-alerts.md | 4 ++++ .../viewing-alerts.md | 4 ++-- 5 files changed, 18 insertions(+), 8 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 20391928f9ba..e5c5c94fad8c 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -49,14 +49,16 @@ Push protection scans pushes for supported secrets. If push protection detects a {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} >[!NOTE] -> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, which prevents you from accidentally pushing supported secrets to _any_ public repository. Push protection alerts are _not_ created when you bypass this user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} +> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to _any_ public repository. Alerts are _not_ created if you choose to bypass your user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} > > {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." ## About partner alerts -When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert. 
+When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." -Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert. -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} +## Next steps + +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)" diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index 6849593be118..ecf0cb8b0cab 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md 
@@ -1,6 +1,6 @@ --- title: Evaluating alerts from secret scanning -intro: 'There are some additional features that can help you evaluate alerts and prioritize their remediation, such as checking the secret''s validity.' +intro: 'Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret''s validity.' permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: @@ -94,3 +94,7 @@ Tokens, like {% data variables.product.pat_generic %} and other credentials, are {% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %} {% endif %} + +## Next steps + +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts)" diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md index 50214f73ce55..bef02a081885 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md 
@@ -18,7 +18,7 @@ allowTitleToDifferFromFilename: true
 ## Configuring notifications for {% data variables.secret-scanning.alerts %}
-In addition to Notifications are different for incremental scans and historical scans.
+In addition to displaying an alert in the **Security** tab of the repository, {% data variables.product.product_name %} also sends email notifications for alerts. These notifications are different for incremental scans and historical scans.
 ### Incremental scans
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 98b339df9994..c03941d584bf 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -49,3 +49,7 @@ Once a secret has been committed to a repository, you should consider the secret
 1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation.
 1. Click **Close alert**.
+
+## Next steps
+
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)"
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index f7f9d3ec9c63..dc1a59828d15 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -1,6 +1,6 @@
 ---
 title: Viewing and filtering alerts from secret scanning
-intro: 'Learn how to find and filter {% data variables.secret-scanning.user_alerts_caps %} alerts for your repository.'
+intro: 'Learn how to find and filter {% data variables.secret-scanning.user_alerts %} alerts for your repository.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts_caps %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
@@ -84,4 +84,4 @@ You can apply various filters to the alerts list to help you find the alerts you
 ## Next steps
-TODO
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts)"
From 92ecffd52e25c3426b0073e8e52702069b4ea571 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:50:36 +0100
Subject: [PATCH 210/282] streamline
---
 .../introduction/about-push-protection.md | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 2bcae813612c..1bf5ff2d18f0 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -77,7 +77,7 @@ If push protection occasionally flags non-sensitive information, you can configu
 ### Defining custom patterns
-If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
 {% endif %}
@@ -85,13 +85,7 @@ If you have specific patterns or types of secrets that are unique to your enviro
 ### Using delegated bypass
-{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
-
-When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
-
-If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
-
-For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
+{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
 {% endif %}
From 4ba251a3272b3eb3112093b51d91ca7e0e2f4daf Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 13:11:53 +0000
Subject: [PATCH 211/282] fixing link
---
 .../managing-alerts-from-secret-scanning/evaluating-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index ecf0cb8b0cab..2c70f79256ee 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -33,7 +33,7 @@ By default, {% data variables.product.company_short %} checks the validity of {%
 {% ifversion fpt %}
-Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
+Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
 {% endif %}
From e8c7024d00994998458af11ca13b8f29aeee6879 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 13:43:06 +0000
Subject: [PATCH 212/282] tryig to fix broken links
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index e5c5c94fad8c..5813dd93b6a5 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -55,7 +55,7 @@ Push protection scans pushes for supported secrets. If push protection detects a
 ## About partner alerts
-When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
+When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "TODO."
 Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert.
From 9df8602c4956302c272b7c31d2786ccf9cfb7155 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 15:56:55 +0000
Subject: [PATCH 213/282] trying again
---
 .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index dc1a59828d15..824bb98cd4d9 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -72,7 +72,7 @@ You can apply various filters to the alerts list to help you find the alerts you
 | {% ifversion secret-scanning-bypass-filter %} |
 |`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."|
 | {% endif %} |
-|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."|
+|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."|
 |`validity:inactive`| Displays alerts for secrets that are no longer active.|
 |`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.|
 |`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." |
From 0f691ee177782693379418930e8fd475c5403d38 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 16:22:56 +0000
Subject: [PATCH 214/282] updating links
---
 .../setting-up-notifications/configuring-notifications.md | 2 +-
 content/code-security/secret-scanning/about-secret-scanning.md | 2 +-
 .../configuring-secret-scanning-for-your-repositories.md | 2 +-
 .../push-protection-for-repositories-and-organizations.md | 2 +-
 .../code-security/secret-scanning/secret-scanning-patterns.md | 2 +-
 ...out-the-detection-of-generic-secrets-with-secret-scanning.md | 2 +-
 .../enabling-ai-powered-generic-secret-detection.md | 2 +-
 ...onfiguring-global-security-settings-for-your-organization.md | 2 +-
 .../creating-a-custom-security-configuration.md | 2 +-
 .../contributing/style-guide-and-content-model/style-guide.md | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md b/content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md
index a0a44014950d..64a52b4a745f 100644
--- a/content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md
+++ b/content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md
@@ -220,7 +220,7 @@ For more information about the notification delivery methods available to you, a
 {% data reusables.secret-scanning.secret-scanning-configure-notifications %}
-For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)."
+For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)."
 {% ifversion update-notification-settings-22 or ghes %}
diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/about-secret-scanning.md
index e16760f2f972..cf53f635c0c9 100644
--- a/content/code-security/secret-scanning/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/about-secret-scanning.md
@@ -95,7 +95,7 @@ You can also define custom {% data variables.product.prodname_secret_scanning %}
 For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
 {% ifversion secret-scanning-notification-settings %}
-For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)."
+For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)."
 {% endif %}
 Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
index 642b570f40b2..1ac1d22a589c 100644
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
@@ -64,7 +64,7 @@ You can enable the following additional {% data variables.product.prodname_secre
 {% data reusables.gated-features.partner-pattern-validity-check-ghas %}
-You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)."
+You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."
 {% note %}
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index e6080275e9a9..5515de0ebfb4 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -36,7 +36,7 @@ By default, anyone with write access to the repository can choose to bypass push
 {% ifversion secret-scanning-bypass-filter %}
-On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
+On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
 {% endif %}
diff --git a/content/code-security/secret-scanning/secret-scanning-patterns.md b/content/code-security/secret-scanning/secret-scanning-patterns.md
index 6caa786a3d1a..69196806db81 100644
--- a/content/code-security/secret-scanning/secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/secret-scanning-patterns.md
@@ -52,7 +52,7 @@ Partner alerts are alerts that are sent to the secret providers whenever a secre
 * High confidence alerts, which relate to supported patterns and specified custom patterns.
 * Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys.
-{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#other-alerts-list)."
+{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
 {% data reusables.secret-scanning.non-provider-patterns-beta %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
index 5ac0b3491190..9cf1aaffc015 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
@@ -38,7 +38,7 @@ The system scans for passwords using the LLM. No additional data is collected by
 The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input.
-These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."{% endif %}
+These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %}
 ## Improving the performance of generic secret detection
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
index 4f94b52b0220..3364959cecb6 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
@@ -38,7 +38,7 @@ You can then enable the feature in the security settings page of your organizati
 1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
 1. Under "Secret scanning", select the checkbox next to "Use AI detection to find additional secrets".
-For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
+For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
 ## Further reading
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
index 49a57068fd88..4056b2747b89 100644
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
@@ -103,7 +103,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
 ### Scanning for non-provider patterns
-You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user-alerts)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#other-alerts-list)."
+You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user-alerts)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
 {% data reusables.secret-scanning.non-provider-patterns-beta %}
diff --git a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md
index 38751267a1a6..c60ed6c0ae6d 100644
--- a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md
+++ b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md
@@ -48,7 +48,7 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c
 1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)."
 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
 * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %}
- * Validity check. To learn more about validity checks for partner patterns, see "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)".{% endif %}
+ * Validity check. To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %}
 * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." {% ifversion fpt or ghec %}
 1. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting.
To learn about private vulnerability reporting, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
diff --git a/content/contributing/style-guide-and-content-model/style-guide.md b/content/contributing/style-guide-and-content-model/style-guide.md
index 1e0dda5831f4..e2ef6039dc34 100644
--- a/content/contributing/style-guide-and-content-model/style-guide.md
+++ b/content/contributing/style-guide-and-content-model/style-guide.md
@@ -54,7 +54,7 @@ Notes are particularly useful for communicating parenthetical information that i
 * Caveats that might affect the outcome of a process, such as specific user settings.
 * Products and features that are subject to changes in availability, such as those in beta or being deprecated.
-For example, "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#reviewing-github-token-metadata)" uses a note to inform users that metadata for {% data variables.product.prodname_dotcom %} tokens is currently in beta.
+For example, "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#reviewing-github-token-metadata)" uses a note to inform users that metadata for {% data variables.product.prodname_dotcom %} tokens is currently in beta.
 > [!NOTE]
 > Metadata for {% data variables.product.prodname_dotcom %} tokens is currently in public beta and subject to change.
From 86c899fec4ec246232be6540332b54ed3038f516 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:02:53 +0100
Subject: [PATCH 215/282] Update content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../enabling-push-protection-for-your-repository.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index efbd2647c506..4c54d0042ee6 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -20,7 +20,7 @@ To enable push protection for a repository, you must first enable {% data variab
 {% ifversion secret-scanning-push-protection-for-users %}
-You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on [GitHub]. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
+You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
 {% endif %}
From 1765c02a06b05801371ae05ac611e4df779b87f1 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:08:16 +0100
Subject: [PATCH 216/282] Update content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../enabling-validity-checks-for-your-repository.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 3f4c5375dbff..26977f06e333 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling validity checks for your repository
 shortTitle: Enable validity checks
-intro: 'Validity checks tell you if a secret is active or inactive, which can help you to prioritize the remediation of alerts.'
+intro: 'Enabling validity checks on your repository helps you prioritize the remediation of alerts as it tells you if a secret is active or inactive.'
 product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}'
 versions:
 feature: secret-scanning-validity-check-partner-patterns
From 74ec009286b8f0a26d975843183042081931164e Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:08:36 +0100
Subject: [PATCH 217/282] Update content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../enabling-validity-checks-for-your-repository.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 26977f06e333..8e0307269776 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md @@ -14,7 +14,7 @@ topics: ## About validity checks -You can choose to enable validity checks for partner patterns for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. +You can choose to enable validity checks for partner patterns for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s secret scanning partnership program. {% data reusables.secret-scanning.partner-program-link %} {% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view. From 0bf0fb41e06a052c803d05fcc8f17eb15cea6220 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 07:09:11 +0100 Subject: [PATCH 218/282] Update content/code-security/secret-scanning/enabling-secret-scanning-features/index.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../secret-scanning/enabling-secret-scanning-features/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index f296220c5eb8..1dacb7d1134d 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -2,7 +2,7 @@
 title: Enabling secret scanning features
 shortTitle: Enable secret scanning
 allowTitleToDifferFromFilename: true
-intro: '{% data variables.product.prodname_secret_scanning_caps %} scans for and detects secrets that have been checked into a repository. Push protection proactively secures you against leaking secrets by blocking pushes containing secrets.'
+intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} that scans for and detects secrets that have been checked into a repository, as well as push protection that proactively secures you against leaking secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From f47a25b008cf265a7632bc4611657e6bc0a16a9b Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:09:30 +0100
Subject: [PATCH 219/282] Update content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../secret-scanning/enabling-secret-scanning-features/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index 1dacb7d1134d..76d8a4966174 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -1,6 +1,6 @@
 ---
 title: Enabling secret scanning features
-shortTitle: Enable secret scanning
+shortTitle: Enable secret scanning features
 allowTitleToDifferFromFilename: true
 intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} that scans for and detects secrets that have been checked into a repository, as well as push protection that proactively secures you against leaking secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
From b6e32166c2d929696bcd8fc1f2f8f2f90007bcbc Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 06:54:56 +0000
Subject: [PATCH 220/282] apply review feedback
---
 .../enabling-push-protection-for-your-repository.md | 1 +
 .../enabling-secret-scanning-for-your-repository.md | 7 ++++++-
 .../enabling-validity-checks-for-your-repository.md | 4 ++++
 data/learning-tracks/code-security.yml | 6 ++++--
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index efbd2647c506..64fbfe079b48 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -44,5 +44,6 @@ If your organization is owned by an enterprise account, an enterprise owner can ## Further reading +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" * "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)" * "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 9a3a2971928e..8e2698479c66 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -1,7 +1,7 @@ --- title: Enabling secret scanning for your repository shortTitle: Enable secret scanning -intro: '{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for leaked secrets and generates alerts.' +intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans your repositories for leaked secrets and generates alerts.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' 
@@ -41,3 +41,8 @@ A repository administrator can choose to disable {% data variables.product.prodn 1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository. ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %} + +## Next steps + +* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)"{% ifversion secret-scanning-validity-check-partner-patterns %} +* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)"{% endif %} diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index 3f4c5375dbff..7b937e97da83 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md 
@@ -35,3 +35,7 @@ For more information on using validity checks, see "TODO." You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." + +## Further reading + +* TODO - add link to Managing alerts diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index db3a1ed979a2..d87502d1e717 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml 
@@ -113,9 +113,11 @@ secret_scanning: passwords, and other secrets to your repository. guides: - /code-security/secret-scanning/about-secret-scanning - - /code-security/secret-scanning/enabling-secret-scanning-features + - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository + - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository - >- - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning + {% ifversion secret-scanning-validity-check-partner-patterns %} + /code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository{% endif %} - >- {% ifversion not fpt %}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{% From fe87fcbe77c32a65845aa342853008b7a216b0ef Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 2 Aug 2024 10:18:34 +0100 Subject: [PATCH 221/282] more work --- .../introduction/about-secret-scanning.md | 23 ++----------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 4d3f9adeb6a0..8b343629fe63 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
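Review bot: The new `>-` entry in the `secret_scanning` guides list puts the path on the line after the `{% ifversion secret-scanning-validity-check-partner-patterns %}` tag, so the scalar keeps whitespace between the tag and `/code-security/...` and the rendered guide path starts with a blank, whereas the following `{% ifversion not fpt %}` entry keeps its path directly after the tag. Unless the learning-track loader trims each entry (not visible in this hunk), that href may fail to resolve; writing it on one line as `{% ifversion secret-scanning-validity-check-partner-patterns %}/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository{% endif %}` avoids depending on that. The same entry replaces the `excluding-folders-and-files-from-secret-scanning` guide, so the track no longer leads readers to the page on path exclusions; worth confirming that removal is intended.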
@@ -102,15 +102,7 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c ### Detection of non-provider patterns -Non-provider patterns refer to patterns used to identify secrets that are not specific to any particular service provider. These patterns are general and can apply to a wide range of sensitive data types. Here are a few examples of non-provider patterns: - -* Generic API Keys: Identifiable by common structural attributes like specific lengths or character sets (for example, a string of 32 alphanumeric characters). -* Tokens: Generic patterns used to detect various types of tokens that might be common across different services. -* Private Keys: Patterns identifying sections of code that look like private keys, such as those used in SSH or GPG. - -Non-provider pattern detection is not enabled by default because the feature can potentially generate a high ratio of false positives. - -For more information about non-provider pattern detection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." +Non-provider pattern detection is not enabled by default because the feature can potentially generate a high ratio of false positives. However, you can choose to enable that detection for your repositories or organizations. For more information about non-provider pattern detection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." {% endif %} 
@@ -118,11 +110,7 @@ For more information about non-provider pattern detection, see "[AUTOTITLE](/cod ### Generic secret detection -You can also enable generic secret detection to instruct {% data variables.product.prodname_secret_scanning %} to search your codebase for generic secrets. Generic secrets are unstructured secrets, such as passwords. - -{% data variables.product.prodname_secret_scanning_caps %} uses AI to detect unstructured passwords in git content and generate an alert. Alerts for passwords appear in a separated tab from regular {% data variables.product.prodname_secret_scanning %} alerts. - -For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." +You can enable generic secret detection to instruct {% data variables.product.prodname_secret_scanning %} to search your codebase for generic secrets such as passwords. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." {% endif %} 
@@ -152,13 +140,6 @@ You can use AI to generate regular expressions that will capture all your custom {% endif %} -OLD - -About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} - -{% ifversion secret-scanning-store-tokens %} -{% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} - ## Further reading * TODO: link to enabling secret scanning article From 71ad597c595240c13ba7c673c71b6be3b8ec1861 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 10:49:20 +0000 Subject: [PATCH 222/282] fixing enabling after discussion --- .../enabling-secret-scanning-for-your-repository.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 8e2698479c66..459d8fb73dd2 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md 
@@ -16,7 +16,15 @@ topics: ## About enabling {% data variables.secret-scanning.user_alerts %} -You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. +{% ifversion fpt %} + +{% data variables.secret-scanning.user_alerts_caps %} can be enabled on any free public repository that you own. + +{% endif %}{% ifversion ghec or ghes %} + +{% data variables.secret-scanning.user_alerts_caps %} can be enabled for any repository that is owned by an organization{% ifversion secret-scanning-user-owned-repos %}, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}. + +{% endif %} If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at the same time{% ifversion security-configurations-ga %} using a security configuration{% endif %}. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." From 69448564fa025f3ec91ded914097d58349ea9fc8 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 11:26:55 +0000 Subject: [PATCH 223/282] updated what is scanned because of preview error in ghes 3.10, add li nk to supported secrets in conceptual article --- .../secret-scanning/introduction/about-secret-scanning.md | 6 +++--- data/reusables/secret-scanning/what-is-scanned.md | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 8b343629fe63..f5ce32e05ba6 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -24,7 +24,7 @@ shortTitle: Secret scanning {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. -{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} +{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} {% data 
reusables.secret-scanning.what-is-scanned %} @@ -34,6 +34,8 @@ When a supported secret is leaked, {% data variables.product.product_name %} gen Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information, see TODO: link to about secret scanning for partner alerts.{% endif %} +For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." {% ifversion ghec or ghes %} @@ -92,8 +94,6 @@ Below is a typical workflow that explains how {% data variables.product.prodname ## What are the supported secrets -For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." - ## Customizing {% data variables.product.prodname_secret_scanning %} Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed: diff --git a/data/reusables/secret-scanning/what-is-scanned.md b/data/reusables/secret-scanning/what-is-scanned.md index e0933e4f3cbf..57d883051026 100644 --- a/data/reusables/secret-scanning/what-is-scanned.md +++ b/data/reusables/secret-scanning/what-is-scanned.md 
@@ -1,3 +1,5 @@ +{% ifversion fpt or ghec or ghes > 3.10 %} + Additionally, {% data variables.product.prodname_secret_scanning %} scans:{% ifversion secret-scanning-issue-body-comments %} * Descriptions and comments in issues{% endif %}{% ifversion secret-scanning-backfills-historical-issues %} * Titles, descriptions, and comments, in open and closed _historical_ issues{% ifversion ghec %}. A notification is sent to the relevant partner when a historical partner pattern is detected.{% endif %}{% endif %}{% ifversion secret-scanning-enhancements-prs-discussions %} @@ -10,3 +12,5 @@ This additional scanning is free for public repositories. {% endif %} {% data reusables.secret-scanning.beta-prs-discussions-wikis-scanned %} + +{% endif %} From ffe1b2c79926b515f2fa74f47d7c1a4b80e80c0e Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 12:36:14 +0000 Subject: [PATCH 224/282] edits to customizing secret scanning section --- .../introduction/about-secret-scanning.md | 22 +++++-------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index f5ce32e05ba6..1accf8cd5be4 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -92,17 +92,15 @@ Below is a typical workflow that explains how {% data variables.product.prodname {% endif %} -## What are the supported secrets - ## Customizing {% data variables.product.prodname_secret_scanning %} -Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed: +Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further: {% ifversion secret-scanning-non-provider-patterns %} ### Detection of non-provider patterns -Non-provider pattern detection is not enabled by default because the feature can potentially generate a high ratio of false positives. However, you can choose to enable that detection for your repositories or organizations. For more information about non-provider pattern detection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." +Scan for and detect secrets that are not specific to a service provider, such as private keys and generic API keys. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." {% endif %} 
@@ -110,31 +108,23 @@ Non-provider pattern detection is not enabled by default because the feature can ### Generic secret detection -You can enable generic secret detection to instruct {% data variables.product.prodname_secret_scanning %} to search your codebase for generic secrets such as passwords. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." +Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)." {% endif %} ### Performing validity checks -{% data reusables.secret-scanning.validity-checks-intro %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for supported partner patterns in their repository, organization, or enterprise level code security settings. Wewill automatically check validation for patterns on a cadence by sending the pattern to our relevant partner provider. You can use the validation status on leaked secrets to help prioritize secrets needing remediation action. - -{% endif %} - -For more information, see TODO: article about validity checks. +Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. 
For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "TODO: link to Enable validity checks" and{% endif %} "TODO: Checking a secret's validity in Evaluating alerts." {% ifversion ghec or ghes %} ### Defining custom patterns -You can define custom patterns and ask {% data variables.product.prodname_secret_scanning %} to scan for these user-defined patterns. This is useful if you have unique types of secrets that don’t match default patterns. This tailored security feature allows for increased coverage as custom pattern detection captures additional types of sensitive data that default patterns might miss, and allows for detection of secrets unique to your applications, APIs, or internal tools. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +Define your own patterns for secrets used by your organization that {% data variables.product.prodname_secret_scanning %} can scan for and detect. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% ifversion secret-scanning-custom-pattern-ai-generated %} -You can use AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)." +You can also leverage AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)." {% endif %} From 00079016b285dcb49c3349654b4868818e037c73 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 13:06:22 +0000 Subject: [PATCH 225/282] add similar how it works section for missing content, update customizing section --- .../introduction/about-push-protection.md | 29 ++++++++++++------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 1bf5ff2d18f0..490e9222c86b 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -25,16 +25,27 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. -Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as {% ifversion push-protection-delegated-bypass %}delegated bypass and {% endif %}the use of custom patterns are available. - {% ifversion secret-scanning-push-protection-for-users %} You can enable push protection: * At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection. * For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated. + {% endif %} +For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + +## How push protection works + +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. 
+ +By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. {% data reusables.secret-scanning.push-protection-bypass %} + +{% data reusables.secret-scanning.bypass-reasons-and-alerts %} + +{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "TODO: link to delegated bypass."{% endif %} + ## About the benefits of push protection * **Preventative security**: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository. 
@@ -57,27 +68,23 @@ Every user across {% data variables.product.prodname_dotcom %} can also enable p {% endif %} -## What are the supported secrets - -For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." - ## Customizing push protection -Once push protection is enabled, you can customize it further, if needed: +Once push protection is enabled, you can customize it further: ### Integration with CI/CD pipelines -You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. +Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO - add link to something here?" ### Handling false positives -If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. This may also involve adding specific rules or exceptions within your security settings. +If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO - not sure what to link to here?" {% ifversion secret-scanning-push-protection-custom-patterns %} ### Defining custom patterns -If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." {% endif %} @@ -85,7 +92,7 @@ If you have specific patterns or types of secrets that are unique to your enviro ### Using delegated bypass -{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." {% endif %} From 01bdcd93586921aa8c090c016598eae9af9bc172 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 15:42:19 +0100 Subject: [PATCH 226/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 5813dd93b6a5..144833622672 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -1,6 +1,6 @@ --- title: About secret scanning alerts -intro: 'Learn about the different types of {% data variables.product.prodname_secret_scanning %} alerts.' +intro: 'Learn about the different types of {% data variables.secret-scanning.alerts %}.' permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage secret scanning alerts for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: From 85d30298e87bea0d7e52e087613aa920c52eaff5 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 15:42:32 +0100 Subject: [PATCH 227/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 144833622672..ed83c99c8f4f 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -1,7 +1,7 @@ --- title: About secret scanning alerts intro: 'Learn about the different types of {% data variables.secret-scanning.alerts %}.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage secret scanning alerts for the repository.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage {% data variables.secret-scanning.alerts %} for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 2ceda850a308793a006aed8809849412ece1b6e3 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 15:42:43 +0100 Subject: [PATCH 228/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index ed83c99c8f4f..5e671006535d 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -19,7 +19,7 @@ allowTitleToDifferFromFilename: true ## About types of alerts -There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.product.prodname_secret_scanning %} alerts: +There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}: * **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. * **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} From b5a0c01e60371f5bed22abb37bafce98665a2c61 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 15:43:12 +0100 Subject: [PATCH 229/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 5e671006535d..158f34ac9127 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -21,7 +21,7 @@ allowTitleToDifferFromFilename: true There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}: -* **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. +* **{% ifversion fpt or ghec %}User alerts {% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. * **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} * **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} From d72992de8f6ab7b24cb12c3566459bc419dc8bd7 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 2 Aug 2024 18:56:03 +0100 Subject: [PATCH 230/282] fix formatting --- data/learning-tracks/code-security.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 638eb7258a00..ab42d18f493a 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml 
@@ -116,6 +116,7 @@ secret_scanning: - /code-security/secret-scanning/about-secret-scanning - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository + - >- {% ifversion secret-scanning-validity-check-partner-patterns %} /code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository{% endif %} - >- From 721e0a7ba4b16b7acc46a3c0d2df0cb352b9e201 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 2 Aug 2024 19:18:05 +0100 Subject: [PATCH 231/282] remove duplicate entry --- data/learning-tracks/code-security.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index ab42d18f493a..1f5d26db59e5 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -113,7 +113,6 @@ secret_scanning: passwords, and other secrets to your repository. guides: - /code-security/secret-scanning/introduction/about-secret-scanning - - /code-security/secret-scanning/about-secret-scanning - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository - >- From 9cb4baf8c3df709cd24786927abd5df417ced0a2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 2 Aug 2024 19:23:35 +0100 Subject: [PATCH 232/282] fix 2nd test failure --- .../about-generating-regular-expressions-with-ai.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md index f40e85f4a19e..a4c4a26269f7 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md @@ -13,7 +13,7 @@ topics: - AI redirect_from: - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns - - /code-security/secret-scanning/about-generating-regular-expressions-with-ai.md + - /code-security/secret-scanning/about-generating-regular-expressions-with-ai --- From 15ceaebab10763bd07a66e325ede7d89ded30e6c Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Sun, 4 Aug 2024 15:58:33 +0100 Subject: [PATCH 233/282] made a start --- .../introduction/supported-secret-scanning-patterns.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 9f280300e1e0..36d59fc0f37e 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -17,6 +17,8 @@ layout: inline shortTitle: Supported patterns --- +TODO + {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} {% ifversion fpt or ghec %} From 8b10139690b1d0bbcba740f6bac44786a43b1775 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:07:20 +0100 Subject: [PATCH 234/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 158f34ac9127..dde4050e3377 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -25,7 +25,7 @@ There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% d * **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} * **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} -## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts +## About {% ifversion fpt or ghec %}user alerts {% else %}{% data variables.secret-scanning.alerts %}{% endif %} When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. From 2f0555c73a5d7ff6e41c43148ad1de133e8420c7 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:07:39 +0100 Subject: [PATCH 235/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index dde4050e3377..30fafce004ac 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -57,7 +57,7 @@ Push protection scans pushes for supported secrets. If push protection detects a When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "TODO." -Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert. +Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert. ## Next steps From 3074cd2258a91bcdfc620da174edbaa4a6fa37f2 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:08:28 +0100 Subject: [PATCH 236/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/evaluating-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index 2c70f79256ee..0abbda855084 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md @@ -1,7 +1,7 @@ --- title: Evaluating alerts from secret scanning intro: 'Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret''s validity.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.alerts %} for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From be284ce3045c9f61e5fcb83b1003ce5a3dddb994 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:08:55 +0100 Subject: [PATCH 237/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index 824bb98cd4d9..174b4bf08019 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md @@ -1,6 +1,6 @@ --- title: Viewing and filtering alerts from secret scanning -intro: 'Learn how to find and filter {% data variables.secret-scanning.user_alerts %} alerts for your repository.' +intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.' permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts_caps %} for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: From 92fd323ea76522bdac6e585c4be58239f1f6508c Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:09:48 +0100 Subject: [PATCH 238/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md index 3c805b618841..c76f60fbfa46 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md 
@@ -1,6 +1,6 @@ --- title: Managing alerts from secret scanning -intro: 'Learn how to find, evaluate and resolve alerts for secrets checked in to your repository.' +intro: 'Learn how to find, evaluate, and resolve alerts for secrets checked in to your repository.' product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: - /github/administering-a-repository/managing-alerts-from-secret-scanning From 81d42e87933ca6a159bb7f3ee966d5112d621fe1 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:10:10 +0100 Subject: [PATCH 239/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/monitoring-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md index bef02a081885..55d3f7954280 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md @@ -18,7 +18,7 @@ allowTitleToDifferFromFilename: true ## Configuring notifications for {% data variables.secret-scanning.alerts %} -In addition to displaying an alert in the **Security** tab of the repository, {% data variables.product.product_name %} also sends email notifications for alerts. These notifications are different for incremental scans and historical scans. +In addition to displaying an alert in the **Security** tab of the repository, {% data variables.product.product_name %} can also send email notifications for alerts. These notifications are different for incremental scans and historical scans. ### Incremental scans 
From 1049d4e82f44a1cb99ee284f7c9b9b12f131f0fa Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:10:28 +0100 Subject: [PATCH 240/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/resolving-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md index c03941d584bf..d91679ecacaf 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md @@ -1,6 +1,6 @@ --- title: Resolving alerts from secret scanning -intro: 'After reviewing the details of alert, you should fix and then close the alert.' +intro: 'After reviewing the details of a secret scanning alert, you should fix and then close the alert.' permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can dismiss secret scanning alerts for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: From fc9954f9446987ef48448d3978673078d6101be0 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:11:01 +0100 Subject: [PATCH 241/282] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index 174b4bf08019..b51a24bc33a2 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md @@ -1,7 +1,7 @@ --- title: Viewing and filtering alerts from secret scanning intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts_caps %} for the repository.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} alerts{% endif %} for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 49e4a4fbc7038568573f35540e9b02fb6ba98ee9 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 21:38:11 +0000 Subject: [PATCH 242/282] apply review feedback --- .../managing-alerts-from-secret-scanning/about-alerts.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 30fafce004ac..898b98b62bae 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -62,3 +62,10 @@ Partner alerts are not sent to repository administrators, so you do not need to ## Next steps * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)" + +## Further reading + +* TODO - link to supported patterns +* TODO - link to define custom patterns +* TODO - link to non-provider patterns +* TODO - link to generic secret detection From 8a7356fa84c412d05309ed81245edc9f6302ff0c Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 22:58:54 +0100 Subject: [PATCH 243/282] resolve conflicts --- .../managing-alerts-from-secret-scanning.md | 232 ------------------ 1 file changed, 232 deletions(-) delete mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md deleted file mode 100644 index ca3f384f1de0..000000000000 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md +++ /dev/null 
@@ -1,232 +0,0 @@ ---- -title: Managing alerts from secret scanning -intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view and dismiss secret scanning alerts for the repository.' -product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /github/administering-a-repository/managing-alerts-from-secret-scanning - - /code-security/secret-security/managing-alerts-from-secret-scanning -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Manage secret alerts ---- -## About the {% data variables.product.prodname_secret_scanning %} alerts page - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} - -{% ifversion secret-scanning-non-provider-patterns %} -To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists: -* **High confidence** alerts. -* **Other** alerts. - -![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png) - -### High confidence alerts list - -The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page. - -### Other alerts list - -The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives. 
- -In addition, alerts that fall into this category: -* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts). -* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. -* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. - -For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." - -{% endif %} - -## Viewing alerts - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %} -1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %} -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. 
- {% ifversion secret-scanning-user-owned-repos %} - - > [!NOTE] - > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} - - {% endif %} - -## Filtering alerts - -You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar. - -|Qualifier|Description| -|---------|-----------| -|`is:open`|Displays open alerts.| -|`is:closed`|Displays closed alerts.| -| {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| -| {% endif %} | -|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."| -|`validity:inactive`| Displays alerts for secrets that are no longer active.| -|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| -| {% ifversion secret-scanning-non-provider-patterns %} | -|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. 
For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| -| {% endif %} | - -## Evaluating alerts - -There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: - -* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} -* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. 
For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} - -### Checking a secret's validity - -{% data reusables.secret-scanning.validity-checks-intro %} - -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. - -By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. - -{% ifversion fpt %} - -Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation. - -{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. - -{% data variables.product.company_short %} displays the validation status of the secret in the alert view. 
- -{% endif %} - -{% data reusables.secret-scanning.validity-check-table %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." - -{% endif %} - -You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)." - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Performing an on-demand validity check - -Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view. - -![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. 
A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png) - -{% endif %} - -{% ifversion secret-scanning-github-token-metadata %} - -### Reviewing {% data variables.product.company_short %} token metadata - -> [!NOTE] -> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change. - -In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take. - -Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies). - - ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png) - - Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. 
The following metadata is available for active {% data variables.product.company_short %} tokens: - -|Metadata|Description| -|-------------------------|--------------------------------------------------------------------------------| -|Secret name| The name given to the {% data variables.product.company_short %} token by its creator| -|Secret owner| The {% data variables.product.company_short %} handle of the token's owner| -|Created on| Date the token was created| -|Expired on| Date the token expired| -|Last used on| Date the token was last used| -|Access| Whether the token has organization access| - -{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %} - -{% endif %} - -## Fixing alerts - -Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets: - -* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." -{%- ifversion token-audit-log %} - * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. 
For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)." -{%- endif %} -* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret. - -{% ifversion fpt or ghec %} - -> [!NOTE] -> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -{% endif %} - -## Closing alerts - -> [!NOTE] ->{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. -1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert. - - ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png) - -1. Optionally, in the "Comment" field, add a dismissal comment. 
The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation. -1. Click **Close alert**. - -## Configuring notifications for {% data variables.secret-scanning.alerts %} - -Notifications are different for incremental scans and historical scans. - -### Incremental scans - -{% data reusables.secret-scanning.secret-scanning-configure-notifications %} - -{% data reusables.repositories.navigate-to-repo %} -1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**. - - ![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png) - -1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**. -1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications). -1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown. -1. Select "Email" as a notification option, then click **Save**. - - ![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. 
A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png) - -{% data reusables.notifications.watch-settings %} - -### Historical scans - -For historical scans, {% data variables.product.product_name %} notifies the following users: - -* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found. -* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences. - -We do _not_ notify commit authors. - -{% data reusables.notifications.watch-settings %} - -## Auditing responses to secret scanning alerts - -{% data reusables.secret-scanning.audit-secret-scanning-events %} From e2811b01b8d5d8099b2ac1264f9b68a18220c459 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Sun, 4 Aug 2024 23:12:32 +0100 Subject: [PATCH 244/282] fix again merge problems --- .../secret-scanning/about-secret-scanning.md | 117 ---------------- ...g-secret-scanning-for-your-repositories.md | 131 ------------------ ...tion-for-repositories-and-organizations.md | 129 ----------------- 3 files changed, 377 deletions(-) delete mode 100644 content/code-security/secret-scanning/about-secret-scanning.md delete mode 100644 content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md delete mode 100644 content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/about-secret-scanning.md deleted file mode 100644 index cf53f635c0c9..000000000000 --- a/content/code-security/secret-scanning/about-secret-scanning.md +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -title: About secret scanning -intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.' -product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /github/administering-a-repository/about-token-scanning - - /articles/about-token-scanning - - /articles/about-token-scanning-for-private-repositories - - /github/administering-a-repository/about-secret-scanning - - /code-security/secret-security/about-secret-scanning -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: overview -topics: - - Secret scanning - - Advanced Security ---- - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - - - -If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project. - -{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} - -{% data reusables.secret-scanning.what-is-scanned %} - -{% ifversion fpt or ghec %} -{% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms: - -1. 
**{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see the "[About {% data variables.secret-scanning.partner_alerts %}](#about-secret-scanning-alerts-for-partners)" section below. - -1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}. - {% ifversion fpt %}The following users can enable and configure additional scanning: - * Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own. - * Organizations owning _public_ repositories, on any of these repositories. - * Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. 
Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %} - - Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %} - -{% data reusables.secret-scanning.audit-secret-scanning-events %} - -{% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." - -{% ifversion secret-scanning-push-protection-for-users %} - -{% data reusables.secret-scanning.push-protection-for-users %} - -{% endif %} - -{% note %} - -**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} or push protection enabled, these features are not enabled by default on the fork. You can enable {% data variables.product.prodname_secret_scanning %} or push protection on the fork the same way you enable them on a standalone repository. 
- -{% endnote %} - -{% ifversion fpt or ghec %} - -## About {% data variables.secret-scanning.partner_alerts %} - -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. - -{% endif %} - -## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} - -{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. 
{% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} - -When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} For more information about the repository content that is scanned, see the [beginning of this article](#about-secret-scanning). - -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." - -If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. 
Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." - -{% data reusables.secret-scanning.secret-scanning-user-owned-enablement %} - -You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for a repository, organization, or enterprise. For more information, see "[AUTOTITLE]({% ifversion fpt %}/enterprise-cloud@latest{% endif %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %} - -{% ifversion secret-scanning-store-tokens %} -{% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} - -### Accessing {% data variables.secret-scanning.alerts %} - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} - -* {% data variables.product.prodname_dotcom %} sends an email alert to the repository administrators and organization owners. 
You'll receive an alert if you are watching the repository{% ifversion secret-scanning-notification-settings %}, {% else %}, and {% endif %}if you have enabled notifications either for security alerts or for all the activity on the repository{% ifversion secret-scanning-notification-settings %}, and if, in your notification settings, you have selected to receive email notifications for the repositories that you are watching.{% else %}.{% endif %} -* If the person who introduced the secret isn't ignoring the repository, {% data variables.product.prodname_dotcom %} will also send them an email alert. The email contains a link to the related {% data variables.product.prodname_secret_scanning %} alert. The person who introduced the secret can then view the alert in the repository, and resolve the alert. -* {% data reusables.secret-scanning.repository-alert-location %} - -For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." - -{% ifversion secret-scanning-notification-settings %} -For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)." -{% endif %} - -Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." - -{% ifversion ghec or ghes %} -You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. 
For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." -{% endif %} - -You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." - -## Further reading - -* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" -* "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" -* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" -{%- ifversion fpt or ghec %} -* "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)"{% endif %} -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)" -* "[AUTOTITLE](/actions/security-guides/encrypted-secrets)" diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md deleted file mode 100644 index 1ac1d22a589c..000000000000 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ /dev/null 
@@ -1,131 +0,0 @@ ---- -title: Configuring secret scanning for your repositories -intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans your repositories for leaked secrets and generates alerts.' -product: '{% data reusables.gated-features.secret-scanning %}' -permissions: 'People with admin permissions to a {% ifversion fpt %}public {% endif %}repository can enable {% data variables.product.prodname_secret_scanning %} for the repository.' -redirect_from: - - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories - - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories - - /code-security/secret-security/configuring-secret-scanning-for-your-repositories -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Repositories -shortTitle: Configure secret scans ---- - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - -## Enabling {% data variables.secret-scanning.user_alerts %} - -You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} - -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. 
For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization)."{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)."{% endif %} - -{% ifversion secret-scanning-enterprise-level %} -{% note %} - -**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." - -{% endnote %} -{% endif %} - -A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes %} -1. If {% data variables.product.prodname_advanced_security %} is not already enabled for the repository, to the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**. -1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**. -1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. 
If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled. - - ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %} -1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository. - - ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %} - -## Enabling additional features for {% data variables.secret-scanning.user_alerts %} - -You can enable the following additional {% data variables.product.prodname_secret_scanning %} feature{% ifversion ghec or ghes %}s{% endif %} through your repository's "Code security and analysis" settings: -* **Push protection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* **Validity checks for partner patterns**. For more infomation, see "[Enabling validity checks for partner patterns](#enabling-validity-checks-for-partner-patterns)."{% endif %}{% ifversion secret-scanning-non-provider-patterns %} -* **Scanning for non-provider patterns**. 
For more information, see "[Enabling scanning for non-provider patterns](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%} -* **AI-powered generic secret detection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection)."{% endif %}{% ifversion secret-scanning-push-protection-custom-patterns %} -* **Scanning for custom patterns**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Enabling validity checks for partner patterns - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)." - -{% note %} - -**Note:** When you enable automatic validity checks for a repository, you also allow on-demand validity checks to be performed for patterns detected in that repository. - -{% endnote %} - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.secret-scanning.validity-check-auto-enable %} - -You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." 
Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." - -{% endif %} - -{% ifversion secret-scanning-non-provider-patterns %} - -### Enabling scanning for non-provider patterns - -{% data reusables.secret-scanning.non-provider-patterns-beta %} - -You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". - -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." 
- -{% endif %} - -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories - -You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. -{% note %} - -**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". - -{% endnote %} - -{% data reusables.user-settings.access_settings %} -{% data reusables.user-settings.security-analysis %} -1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. -{% data reusables.secret-scanning.push-protection-optional-enable %} - -{% endif %} - -## Excluding directories from {% data variables.secret-scanning.user_alerts %} - -You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)." - -You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." - -{% ifversion not fpt %} - -## Further reading - -* "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)" -* "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)" -{% endif %} diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md deleted file mode 100644 index 5515de0ebfb4..000000000000 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -title: Push protection for repositories and organizations -intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.' -product: '{% data reusables.gated-features.push-protection-for-repos %}' -versions: - fpt: '*' - ghes: '*' - ghec: '*' -redirect_from: - - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning - - /code-security/secret-scanning/protecting-pushes-with-secret-scanning -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Push protection for repositories ---- - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - -## About push protection for repositories and organizations - -{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} - -{% data reusables.secret-scanning.push-protection-bypass %} - -{% data reusables.secret-scanning.bypass-reasons-and-alerts %} - -{% ifversion push-protection-delegated-bypass %} - -By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. 
For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." - -{% endif %} - -{% ifversion secret-scanning-bypass-filter %} - -On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." - -{% endif %} - -You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." - -{% ifversion security-overview-push-protection-metrics-page %} - -If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)." - -{% endif %} - -{% ifversion ghec or fpt %} -{% note %} - -**Note:** The github.dev web-based editor doesn't support push protection. For more information about the editor, see "[AUTOTITLE](/codespaces/the-githubdev-web-based-editor)." - -{% endnote %} -{% endif %} - -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
- -## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection - -For you to use {% data variables.product.prodname_secret_scanning %} as a push protection in public repositories, the {% ifversion secret-scanning-enterprise-level %}enterprise,{% endif %} organization{% ifversion secret-scanning-enterprise-level %},{% endif %} or repository needs to have {% data variables.product.prodname_secret_scanning %} enabled.{% ifversion secret-scanning-push-protection-private-internal %} To use {% data variables.product.prodname_secret_scanning %} as a push protection in private or internal repositories,{% ifversion secret-scanning-user-owned-repos %} or in user-owned repositories{% ifversion ghec %} for {% data variables.product.prodname_emus %}{% endif %},{% endif %} the enterprise or organization also needs to have {% data variables.product.prodname_GH_advanced_security %} enabled.{% endif %} For more information, see {% ifversion secret-scanning-enterprise-level %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise),"{% endif %} "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)," "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)," and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." - -Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. 
- -Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret. - -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)." - -{% endif %} - -{% ifversion secret-scanning-enterprise-level-api %} -Enterprise administrators can also enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for the enterprise via the API. For more information, see "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis)."{% endif %} - -{% note %} - -**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, this is not enabled by default on the fork. You can enable it on the fork the same way you enable it on a standalone repository. - -{% endnote %} - -{% ifversion secret-scanning-enterprise-level %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for your enterprise - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -1. In the left sidebar, click **Code security and analysis**. 
-{% data reusables.advanced-security.secret-scanning-push-protection-enterprise %} -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization - -{% ifversion security-configurations-ga %} -You can find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." - -{% elsif security-configurations-beta-and-pre-beta %} - -You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization. - -{% data reusables.organizations.navigate-to-org %} -{% data reusables.organizations.org_settings %} -{% data reusables.organizations.security-and-analysis %} - -{% ifversion security-configurations-beta-only %} - {% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling push protection and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." 
-{% endif %} - -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-push-protection-org %} - -{% data reusables.security.note-securing-your-org %} -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for a repository - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-push-protection-repo %} - -## Further reading - -* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %} From 8d4543a0fb049789aad24e08361a245bb1a7456e Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 09:11:00 +0100 Subject: [PATCH 245/282] more work --- .../introduction/supported-secret-scanning-patterns.md | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 36d59fc0f37e..1fdbad602514 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md 
@@ -17,11 +17,7 @@ layout: inline
 shortTitle: Supported patterns
 ---
-TODO
-
-{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
-
-{% ifversion fpt or ghec %}
+TODO:
 ## About {% data variables.product.prodname_secret_scanning %} patterns
@@ -45,8 +41,6 @@ Partner alerts are alerts that are sent to the secret providers whenever a secre
 {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
-{% endif %}
-
 ## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts
 {% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}.
@@ -89,6 +83,7 @@ Push protection alerts are user alerts that are reported by push protection. {%
 ## Supported secrets
 This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.
+
 * **Provider**—name of the token provider.{% ifversion fpt or ghec %}
 * **Partner**—token for which leaks are reported to the relevant token partner. Applies to public repositories only.
 * **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}
From b44d9b5f82e4dd8923f2b87e62c3bc869e79650b Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 5 Aug 2024 09:20:39 +0100
Subject: [PATCH 246/282] fix redirect
---
 .../managing-alerts-from-secret-scanning/index.md | 1 +
 .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
index c76f60fbfa46..71d5ea890624 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
@@ -6,6 +6,7 @@ redirect_from:
 - /github/administering-a-repository/managing-alerts-from-secret-scanning
 - /code-security/secret-security/managing-alerts-from-secret-scanning
 - /code-security/secret-scanning/managing-alerts-from-secret-scanning
+
 versions:
 fpt: '*'
 ghes: '*'
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index b51a24bc33a2..51f60991d138 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -3,6 +3,8 @@ title: Viewing and filtering alerts from secret scanning
 intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} alerts{% endif %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
+redirect_from:
+ - /code-security/secret-scanning/managing-alerts-from-secret-scanning
 versions:
 fpt: '*'
 ghes: '*'
From 81019de9f3bf21c1589fcda6484fdd9b61e97fc0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 5 Aug 2024 09:30:30 +0100
Subject: [PATCH 247/282] delete redirect
---
 .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index 51f60991d138..b51a24bc33a2 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -3,8 +3,6 @@ title: Viewing and filtering alerts from secret scanning
 intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} alerts{% endif %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
-redirect_from:
- - /code-security/secret-scanning/managing-alerts-from-secret-scanning
 versions:
 fpt: '*'
 ghes: '*'
From eb855fdb30176299f3483375cca6cd6664733b1e Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 5 Aug 2024 10:04:36 +0100
Subject: [PATCH 248/282] fixing some TODOs
---
 .../enabling-validity-checks-for-your-repository.md | 4 ++--
 .../introduction/about-push-protection.md | 8 ++++----
 .../about-secret-scanning-for-partners.md | 2 +-
 .../introduction/about-secret-scanning.md | 12 ++++++------
 .../about-alerts.md | 10 +++++-----
 5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 33cb3d5dce13..751334209bd5 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -23,7 +23,7 @@ You can also filter by validation status on the alerts page, to help you priorit
 > [!NOTE]
 > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.
-For more information on using validity checks, see "TODO."
+For more information on using validity checks, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."
 ## Enabling validity checks
@@ -38,4 +38,4 @@ Alternatively, organization owners and enterprise administrators can enable the
 ## Further reading
-* TODO - add link to Managing alerts
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)"
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 490e9222c86b..8a90dc60f38c 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -44,7 +44,7 @@ By default, anyone with write access to the repository can choose to bypass push
 {% data reusables.secret-scanning.bypass-reasons-and-alerts %}
-{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "TODO: link to delegated bypass."{% endif %}
+{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."{% endif %}
 ## About the benefits of push protection
@@ -74,11 +74,11 @@ Once push protection is enabled, you can customize it further:
 ### Integration with CI/CD pipelines
-Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO - add link to something here?"
+Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO: - add link to something here?"
 ### Handling false positives
-If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO - not sure what to link to here?"
+If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO: - not sure what to link to here?"
 {% ifversion secret-scanning-push-protection-custom-patterns %}
@@ -98,7 +98,7 @@ Define contributors who can bypass push protection and add an approval process f ## Further reading -* TODO: add link to enabling push protection article +* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %} diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 10fbdb9873d6..f9117cb5e111 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -30,4 +30,4 @@ For information about the secrets and service providers supported by push protec * "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" * "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" -* TODO: add link to "About alerts" article +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)" 
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 1accf8cd5be4..c1c9fd50d615 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -28,11 +28,11 @@ shortTitle: Secret scanning {% data reusables.secret-scanning.what-is-scanned %} -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see TODO: link to Managing alerts. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %} -Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information, see TODO: link to about secret scanning for partner alerts.{% endif %} +Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. 
For more information, see "Not sure which article to link to TODO:"{% endif %} For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." @@ -50,7 +50,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname * **Detection**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. -* **Alerts**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. +* **Alerts**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." * **Review**: When a secret is detected, you'll need to review the alert details provided. 
@@ -132,9 +132,9 @@ You can also leverage AI to generate regular expressions that will capture all y ## Further reading -* TODO: link to enabling secret scanning article -* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection) -* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection) +* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)" +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)" +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" * "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 898b98b62bae..4a401621a3e5 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -55,7 +55,7 @@ Push protection scans pushes for supported secrets. If push protection detects a ## About partner alerts -When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "TODO." +When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see TODO:. Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert. 
@@ -65,7 +65,7 @@ Partner alerts are not sent to repository administrators, so you do not need to ## Further reading -* TODO - link to supported patterns -* TODO - link to define custom patterns -* TODO - link to non-provider patterns -* TODO - link to generic secret detection +* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %} +* "[AUTOTITLE](/code-security/secret-scanning/ using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %} +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)"{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %} +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)"{% endif %} From 416bb97b8cbf5e599153bfc20ff9c9e7ce1a46d1 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:16:07 +0100 Subject: [PATCH 249/282] fixing more TODOs --- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- .../managing-alerts-from-secret-scanning/index.md | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index c1c9fd50d615..c311aaa39268 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -114,7 +114,7 @@ Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities ### Performing validity checks -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "TODO: link to Enable validity checks" and{% endif %} "TODO: Checking a secret's validity in Evaluating alerts." +Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)" and{% endif %} "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)." {% ifversion ghec or ghes %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 4a401621a3e5..06d24e4c0965 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -55,7 +55,7 @@ Push protection scans pushes for supported secrets. If push protection detects a ## About partner alerts -When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see TODO:. +When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert. diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md index 71d5ea890624..2060fa9ffeb0 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md @@ -5,7 +5,6 @@ product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: - /github/administering-a-repository/managing-alerts-from-secret-scanning - /code-security/secret-security/managing-alerts-from-secret-scanning - - /code-security/secret-scanning/managing-alerts-from-secret-scanning versions: fpt: '*' From 8ca05b7307615b0be51a19524c57b73ba55972d4 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:49:10 +0100 Subject: [PATCH 250/282] add versioning to fix broken links in GHES --- .../managing-alerts-from-secret-scanning/about-alerts.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 06d24e4c0965..074f77a3b135 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -53,12 +53,16 @@ Push protection scans pushes for supported secrets. If push protection detects a > > {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." +{% ifversion fpt or ghec %} + ## About partner alerts When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert. +{% endif %} + ## Next steps * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)" From cd5b040321c309b8879097f4f07e8346a4b47d45 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 12:16:07 +0100 Subject: [PATCH 251/282] more work on the supported pattern articles --- .../supported-secret-scanning-patterns.md | 56 +++---------------- .../about-alerts.md | 6 +- 2 files changed, 8 insertions(+), 54 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index d3e643d64623..5243e1ba6554 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md 
@@ -17,48 +17,17 @@ layout: inline shortTitle: Supported patterns --- -TODO: - ## About {% data variables.product.prodname_secret_scanning %} patterns -{% data variables.product.product_name %} maintains these different sets of default {% data variables.product.prodname_secret_scanning %} patterns: - -1. **Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages.{% data reusables.secret-scanning.partner-program-link %} -1. **User alert patterns.** Used to detect potential secrets in {% ifversion fpt %}public{% endif %} repositories with {% data variables.secret-scanning.user_alerts %} enabled. -1. **Push protection patterns.** Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} as a push protection enabled. +{% data reusables.secret-scanning.alert-types %} -{% ifversion fpt %} -Owners of public repositories, as well as organizations using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_advanced_security %}, can enable {% data variables.secret-scanning.user_alerts %} on their repositories. -{% endif %} +For in-depth information about each alert type, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." For details about all the supported patterns, see the "[Supported secrets](#supported-secrets)" section below. If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." 
-## About partner alerts - -Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." - -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} - -## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts - -{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}. - -{% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types: - -* High confidence alerts, which relate to supported patterns and specified custom patterns. -* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys. - -{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." 
- -{% data reusables.secret-scanning.non-provider-patterns-beta %} - -{% endif %} - -You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see TODO: About secret scanning alerts for users{% endif %} - -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} +From here but not in about alerts If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." @@ -70,16 +39,6 @@ If you use the REST API for secret scanning, you can use the `Secret type` to re {% endnote %} {% endif %} -## About push protection alerts - -Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers. - -{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %} - -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} - -{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." - ## Supported secrets This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token. 
@@ -160,10 +119,9 @@ Push protection and validity checks are not supported for non-provider patterns. ## Further reading +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)" +{%- ifversion fpt or ghec %} +* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" +{%- endif %} * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" -{%- ifversion fpt or ghec %} -* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partner-program)" -{%- else %} -* "[AUTOTITLE](/free-pro-team@latest/code-security/secret-scanning/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation -{% endif %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 074f77a3b135..ab01aeb7d61d 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -19,11 +19,7 @@ allowTitleToDifferFromFilename: true ## About types of alerts -There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}: - -* **{% ifversion fpt or ghec %}User alerts {% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. -* **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} -* **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} +{% data reusables.secret-scanning.alert-types %} ## About {% ifversion fpt or ghec %}user alerts {% else %}{% data variables.secret-scanning.alerts %}{% endif %} From 6eb39fe0353a17853b1dec791e5f82f457ab80b9 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 12:22:28 +0100 Subject: [PATCH 252/282] add reusable --- data/reusables/secret-scanning/alert-types.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 data/reusables/secret-scanning/alert-types.md diff --git a/data/reusables/secret-scanning/alert-types.md b/data/reusables/secret-scanning/alert-types.md new file mode 100644 index 000000000000..23ec30827caf --- /dev/null +++ b/data/reusables/secret-scanning/alert-types.md 
@@ -0,0 +1,5 @@ +There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}: + +* **{% ifversion fpt or ghec %}User alerts {% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. +* **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} +* **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} From 024d18a75946875a44371ea0a51e254eb717ce0d Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 13:23:51 +0100 Subject: [PATCH 253/282] polishing --- .../supported-secret-scanning-patterns.md | 14 ++------------ data/reusables/secret-scanning/alert-types.md | 2 +- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 5243e1ba6554..8c4183b6382b 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md 
@@ -25,19 +25,9 @@ For in-depth information about each alert type, see "[AUTOTITLE](/code-security/ For details about all the supported patterns, see the "[Supported secrets](#supported-secrets)" section below. -If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." - -From here but not in about alerts - If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." -{% ifversion ghes or ghec %} -{% note %} - -**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." - -{% endnote %} -{% endif %} +If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." ## Supported secrets 
@@ -78,7 +68,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec | Generic | postgres_connection_string | | Generic | rsa_private_key | -Push protection and validity checks are not supported for non-provider patterns. +>[!NOTE] Push protection and validity checks are not supported for non-provider patterns. ### High confidence patterns diff --git a/data/reusables/secret-scanning/alert-types.md b/data/reusables/secret-scanning/alert-types.md index 23ec30827caf..9a7b0cdbceef 100644 --- a/data/reusables/secret-scanning/alert-types.md +++ b/data/reusables/secret-scanning/alert-types.md @@ -1,5 +1,5 @@ There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}: -* **{% ifversion fpt or ghec %}User alerts {% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. +* **{% ifversion fpt or ghec %}User alerts{% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. * **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} * **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} From 232c0810718701735052143d01e9e51fa907e860 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 13:28:30 +0100 Subject: [PATCH 254/282] use variable --- .../introduction/supported-secret-scanning-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 8c4183b6382b..f40bae7eb617 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -25,7 +25,7 @@ For in-depth information about each alert type, see "[AUTOTITLE](/code-security/ For details about all the supported patterns, see the "[Supported secrets](#supported-secrets)" section below. -If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." +If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." From 441090756a9aed81e9dea5afdc6348d891477f31 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 16:45:47 +0100 Subject: [PATCH 255/282] Update content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../introduction/supported-secret-scanning-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index f40bae7eb617..143d329037d8 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -27,7 +27,7 @@ For details about all the supported patterns, see the "[Supported secrets](#supp If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." -If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." +If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." ## Supported secrets From c86895525ec0f1edbd517343f2c361b0b86425c5 Mon Sep 17 00:00:00 2001 From: Rachael Sewell Date: Mon, 5 Aug 2024 12:45:40 -0700 Subject: [PATCH 256/282] update path to patterns file --- src/secret-scanning/middleware/secret-scanning.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/src/secret-scanning/middleware/secret-scanning.ts b/src/secret-scanning/middleware/secret-scanning.ts index ebc33523fb5d..d98f1eacb3ec 100644 --- a/src/secret-scanning/middleware/secret-scanning.ts +++ b/src/secret-scanning/middleware/secret-scanning.ts @@ -14,7 +14,11 @@ export default async function secretScanning( res: Response, next: NextFunction, ) { - if (!req.pagePath!.endsWith('code-security/secret-scanning/secret-scanning-patterns')) + if ( + !req.pagePath!.endsWith( + 'code-security/secret-scanning/introduction/supported-secret-scanning-patterns', + ) + ) return next() const secretScanningData = yaml.load( From 7de9003d783ca9f3a9dc6c54be6d9e8c47e3359a Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 6 Aug 2024 08:05:28 +0100 Subject: [PATCH 257/282] another TODO --- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index c311aaa39268..340a0ea5c614 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
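Review bot: The page path passed to `endsWith` in `secretScanning` is a bare string literal that has to be kept in step with the content tree by hand, and the value on the removed line suggests it already went stale once when the article moved under `introduction/`. When the path does not match, the guard just calls `next()`, so the supported-patterns page presumably renders without its pattern data and nothing fails loudly. I would lift the literal into a named constant with a comment pointing at the article, e.g. `const SUPPORTED_PATTERNS_PAGE = 'code-security/secret-scanning/introduction/supported-secret-scanning-patterns'`, and add a test asserting that a content file exists at that path, so a future move breaks CI instead of the page. The function body continues past the end of the hunk.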
@@ -32,7 +32,7 @@ When a supported secret is leaked, {% data variables.product.product_name %} gen
 {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %}
-Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "Not sure which article to link to TODO:"{% endif %}
+Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information about partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)."{% endif %}
 For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
From 230fb8bdd41a09a9eede9200b9cd270ddddf72d5 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 6 Aug 2024 12:32:19 +0100
Subject: [PATCH 258/282] add notes linking to each of the 2 articles
---
 .../working-with-push-protection-from-the-command-line.md | 2 ++
 .../working-with-push-protection-in-the-github-ui.md | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index ba531a5aea0c..742267de805a 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -38,6 +38,8 @@ To resolve a blocked push, you must remove the secret from all of the commits it
 * If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)."
 * If the secret appears in earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)."
+>[!NOTE] To learn how to resolved a blocked commit in the {% data variables.product.prodname_dotcom %} UI, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit)."
+
 ### Removing a secret introduced by the latest commit on your branch
 If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below.
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index 247828019aee..b5c5c6f1ad41 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -42,6 +42,8 @@ Organization owners can provide a custom link that will be displayed when a push
 To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes.
+>[!NOTE] To learn how to resolved a blocked push on the command line, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#resolving-a-blocked-push)."
+
 ## Bypassing push protection
 If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret.
From 412ece77e6881ef69c161072cc4e409821f71908 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 8 Aug 2024 08:48:10 +0100
Subject: [PATCH 259/282] remove last TODOs
---
 .../secret-scanning/introduction/about-push-protection.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 8a90dc60f38c..dbdd096f6aec 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -74,11 +74,7 @@ Once push protection is enabled, you can customize it further: ### Integration with CI/CD pipelines -Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO: - add link to something here?" - -### Handling false positives - -If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO: - not sure what to link to here?" +Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. {% ifversion secret-scanning-push-protection-custom-patterns %} From 04955e51868b57a494a1c1c014918e95fe047a49 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 8 Aug 2024 09:00:02 +0100
Subject: [PATCH 260/282] Apply suggestions from code review
Co-authored-by: Felicity Chapman
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
---
 .../enabling-push-protection-for-your-repository.md | 1 +
 .../enabling-secret-scanning-for-your-repository.md | 4 ++--
 .../enabling-validity-checks-for-your-repository.md | 2 +-
 .../enabling-secret-scanning-features/index.md | 2 +-
 .../introduction/about-secret-scanning-for-partners.md | 7 +++----
 .../secret-scanning/introduction/about-secret-scanning.md | 2 +-
 .../code-security/secret-scanning/introduction/index.md | 2 +-
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 .../managing-alerts-from-secret-scanning/index.md | 2 +-
 .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 +-
 .../custom-patterns/metrics-for-custom-patterns.md | 2 +-
 .../excluding-folders-and-files-from-secret-scanning.md | 2 +-
 12 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index cdc9dd9d8ce4..98552b0809dd 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -45,5 +45,6 @@ If your organization is owned by an enterprise account, an enterprise owner can
 ## Further reading
 * "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)"
 * "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)"
 * "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)"
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
index 459d8fb73dd2..2ddcbd894698 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -52,5 +52,5 @@ A repository administrator can choose to disable {% data variables.product.prodn
 ## Next steps
-* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)"{% ifversion secret-scanning-validity-check-partner-patterns %}
-* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)"{% endif %}
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)"
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)"
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 751334209bd5..9f4aee2a30ca 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -14,7 +14,7 @@ topics:
 ## About validity checks
-You can choose to enable validity checks for partner patterns for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s secret scanning partnership program. {% data reusables.secret-scanning.partner-program-link %}
+You can enable validity checks for secrets identified as service provider tokens for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s secret scanning partnership program. {% data reusables.secret-scanning.partner-program-link %}
 {% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view.
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index 76d8a4966174..8041ca6b4529 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -2,7 +2,7 @@
 title: Enabling secret scanning features
 shortTitle: Enable secret scanning features
 allowTitleToDifferFromFilename: true
-intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} that scans for and detects secrets that have been checked into a repository, as well as push protection that proactively secures you against leaking secrets by blocking pushes containing secrets.'
+intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} to detect secrets that are already visible in a repository, as well as push protection to proactively secure you against leaking additional secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index f9117cb5e111..276124021dcd 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning for partners
-intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner''s secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.'
+intro: 'When {% data variables.product.prodname_secret_scanning %} detects authentication details for a service provider in a public repository on {% data variables.product.prodname_dotcom %}, an alert is sent directly to the provider. This allows service providers who are {% data variables.product.prodname_dotcom %} partners to promptly take action to secure their systems.'
 versions:
 fpt: '*'
 ghec: '*'
@@ -17,7 +17,7 @@ shortTitle: Secret scanning for partners
 > [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this helps ensure that secrets are not inadvertently exposed in public or private repositories. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
+The reason partner alerts are directly sent to the secret providers whenever a leak is detected for one of their secrets is that this enables the provider to take immediate action to protect you and protect their resources. The notification process for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %} for you to resolve.
 {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
@@ -29,5 +29,4 @@ For information about the secrets and service providers supported by push protec
 * "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"
 * "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)"
-* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
-* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)"
+* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)"
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 340a0ea5c614..e68d53e023f9 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -24,7 +24,7 @@ shortTitle: Secret scanning
 {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection.
-{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %}
+{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full Git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %}
 {% data
reusables.secret-scanning.what-is-scanned %}
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index 7c8fb7d1da8d..5edda345e110 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -2,7 +2,7 @@
 title: Introduction to secret scanning
 shortTitle: Introduction
 allowTitleToDifferFromFilename: true
-intro: 'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
+intro: 'Learn how {% data variables.product.prodname_secret_scanning %} detects secrets in existing content and new commits, helping you to avoid exposing sensitive data that could be exploited.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index ab01aeb7d61d..def754ce0705 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -66,6 +66,6 @@ Partner alerts are not sent to repository administrators, so you do not need to
 ## Further reading
 * "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %}
-* "[AUTOTITLE](/code-security/secret-scanning/ using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %}
 * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)"{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
 * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)"{% endif %}
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
index 2060fa9ffeb0..6dd0553b9b8c 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
@@ -1,6 +1,6 @@
 ---
 title: Managing alerts from secret scanning
-intro: 'Learn how to find, evaluate, and resolve alerts for secrets checked in to your repository.'
+intro: 'Learn how to find, evaluate, and resolve alerts for secrets stored in your repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
 - /github/administering-a-repository/managing-alerts-from-secret-scanning
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index b51a24bc33a2..88a71f5b37b4 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -72,7 +72,7 @@ You can apply various filters to the alerts list to help you find the alerts you
 | {% ifversion secret-scanning-bypass-filter %} |
 |`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."|
 | {% endif %} |
-|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."|
+|`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."|
 |`validity:inactive`| Displays alerts for secrets that are no longer active.|
 |`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.|
 |`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." |
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
index 619db12b1b08..a9e3e99c420e 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
@@ -13,7 +13,7 @@ topics:
 ## Metrics for custom patterns
-Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days.
+Organization owners and people with admin permission for a repository can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days.
 > [!NOTE] Metrics for custom patterns are in public beta and subject to change.
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
index 615d45ac73ab..59adb340ffed 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
@@ -66,6 +66,6 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da
 Best practices include:
 * Minimizing the number of directories excluded and being as precise as possible when defining exclusions. This ensures that the instructions are as clear as possible, and that exclusions work as intended.
-* Explaining why a particular file or folder is excluded in a comment in the `secret_scanning.yml` file. As with regular code, using comments clarifies your intend, making it easier for others to understand the desired behavior.
+* Explaining why a particular file or folder is excluded in a comment in the `secret_scanning.yml` file. As with regular code, using comments clarifies your intention, making it easier for others to understand the desired behavior.
 * Reviewing the `secret_scanning.yml` file on a regular basis. Some exclusions may no longer apply with time, and it is good practice to keep the file clean and current. The use of comments, as advised above, can help with this.
 * Informing the security team what files and folders you've excluded, and why. Good communication is vital in ensuring that everyone is on the same page, and understands why specific folders or files are excluded.
From 0bed702eca735681abe9392207eb7e49cdbb9604 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 8 Aug 2024 10:37:48 +0100
Subject: [PATCH 261/282] address more comments
---
 .../enabling-secret-scanning-for-your-repository.md | 4 ++--
 .../secret-scanning/introduction/about-push-protection.md | 6 +++---
 .../secret-scanning/introduction/about-secret-scanning.md | 2 +-
 .../introduction/supported-secret-scanning-patterns.md | 2 +-
 .../enabling-delegated-bypass-for-push-protection.md | 4 ++--
 .../index.md | 2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
index 2ddcbd894698..cb6f9297d380 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -34,8 +34,6 @@ If your organization is owned by an enterprise account, an enterprise owner can
 {% endif %}
-A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)."
-
 ## Enabling {% data variables.secret-scanning.user_alerts %}
 {% data reusables.repositories.navigate-to-repo %}
@@ -50,6 +48,8 @@ A repository administrator can choose to disable {% data variables.product.prodn
 ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}
+A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)."
+
 ## Next steps
 * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)"
 * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)"
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index dbdd096f6aec..4708f5bf133e 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -72,13 +72,13 @@ Every user across {% data variables.product.prodname_dotcom %} can also enable p
 Once push protection is enabled, you can customize it further:
-### Integration with CI/CD pipelines
+### Integrate with CI/CD pipelines
 Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}.
 {% ifversion secret-scanning-push-protection-custom-patterns %}
-### Defining custom patterns
+### Define custom patterns
 Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
@@ -86,7 +86,7 @@ Define custom patterns that push protection can use to identify secrets and bloc
 {% ifversion push-protection-delegated-bypass %}
-### Using delegated bypass
+### Configure delegated bypass
 Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index e68d53e023f9..2844ccefc30b 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -22,7 +22,7 @@ shortTitle: Secret scanning ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. +{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in repositories for known types of secrets and alerts repository administrators upon detection. {% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full Git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 143d329037d8..bd8864ef963b 100644 
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -36,7 +36,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec * **Provider**—name of the token provider.{% ifversion fpt or ghec %} * **Partner**—token for which leaks are reported to the relevant token partner. Applies to public repositories only. * **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} - * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %}, {% data variables.product.prodname_secret_scanning %}. + * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled. * Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives. * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes %} 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 20c95220e062..fd6088da367e 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -24,7 +24,7 @@ When you enable this feature, you will create a bypass list of roles and teams w >[!NOTE] You can't add secret teams to the bypass list. -### Configuring delegated bypass for an organization +## Configuring delegated bypass for an organization {% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.org_settings %} @@ -37,7 +37,7 @@ When you enable this feature, you will create a bypass list of roles and teams w 1. Under "Bypass list", click **Add role or team**. 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. -### Configuring delegated bypass for a repository +## Configuring delegated bypass for a repository >[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index f1c5f02d05d2..6ed5a0921dda 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md @@ -2,7 +2,7 @@ title: Using advanced secret scanning and push protection features shortTitle: Advanced features allowTitleToDifferFromFilename: true -intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company.' +intro: 'Learn how you can customize {% data variables.product.prodname_secret_scanning %} to meet the needs of your company.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 308851bbbd9f288ae65c99f4e62e41c555568563 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 10:40:13 +0100 Subject: [PATCH 262/282] Update content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md --- content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md b/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md index 10a885f05a9b..18d74fc9c944 100644 --- a/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md +++ b/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md @@ -23,7 +23,7 @@ These {% data variables.product.prodname_oauth_apps %} are : * GitHub Codespaces for JetBrains * GitHub Desktop * GitHub Education -* Github-importer-production +* github-importer-production * GitHub iOS * GitHub Support * JetBrains IDE Integration From a6d2bf36ca3f5dde1fc81cc1aeebe7be2fd47185 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 10:41:48 +0100 Subject: [PATCH 263/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../managing-requests-to-bypass-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 8dbb251678ac..bd54906659f1 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -24,7 +24,7 @@ An organization owner or repository administrator defines which roles and teams > [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. -### Managing requests to bypass push protection at the repository-level +### Managing requests to bypass push protection at the repository level {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} From 967783c7c9c2efb53efb973570b19adb6e2b91aa Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 10:42:53 +0100 Subject: [PATCH 264/282] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index 59adb340ffed..797bc59e36db 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
@@ -28,7 +28,7 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da {% data reusables.repositories.navigate-to-repo %} {% data reusables.files.add-file %} -1. In the file name field, type _.github/secret_scanning.yml_. +1. In the file name field, enter ".github/secret_scanning.yml". 1. Under **Edit new file**, type `paths-ignore:` followed by the paths you want to exclude from {% data variables.product.prodname_secret_scanning %}. ``` yaml copy From 28a8ae087e490f6c63c089f693f46cfd4216315c Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 11:20:15 +0100 Subject: [PATCH 265/282] address another comment --- .../enabling-validity-checks-for-your-repository.md | 10 +++++++++- .../evaluating-alerts.md | 8 -------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index 9f4aee2a30ca..28781292d4f7 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md 
@@ -18,7 +18,15 @@ You can enable validity checks for secrets identified as service provider tokens {% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view. -You can also filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on. +{% ifversion secret-scanning-validity-check-partner-patterns %} + +You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. + +{% data variables.product.company_short %} displays the validation status of the secret in the alert view. + +{% endif %} + +You can filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on. > [!NOTE] > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index 0abbda855084..e810be90052e 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md @@ -37,14 +37,6 @@ Organizations using {% data variables.product.prodname_ghe_cloud %} with a licen {% endif %} -{% ifversion secret-scanning-validity-check-partner-patterns %} - -You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. - -{% data variables.product.company_short %} displays the validation status of the secret in the alert view. - -{% endif %} - {% data reusables.secret-scanning.validity-check-table %} {% ifversion secret-scanning-validity-check-partner-patterns %} From b1027b97a4edd94bf11603052cb70c0234f1cb78 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 11:36:41 +0100 Subject: [PATCH 266/282] removing versioning to simplify --- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index 797bc59e36db..a32dbca4091e 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md @@ -16,7 +16,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." ## About excluding directories from {% data variables.secret-scanning.user_alerts %} From 6465fac273d6b8bcf86eea5891ccc289d608ab05 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 11:41:58 +0100 Subject: [PATCH 267/282] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-in-the-github-ui.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index b5c5c6f1ad41..1a334dc55f3b 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -57,7 +57,11 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-public-repos-bypass %} 1. Click **Allow secret**. -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +{% ifversion push-protection-delegated-bypass %} + +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges)." + +{% endif %} {% ifversion push-protection-delegated-bypass %} From db5bb6f83bea3032695b6786ea1ea09fd2a5f4a3 Mon Sep 17 00:00:00 2001 
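Review bot: The new `{% ifversion push-protection-delegated-bypass %}` … `{% endif %}` wrapper around the "If you don't see the option to bypass the block" paragraph is immediately followed by a second `{% ifversion push-protection-delegated-bypass %}`, so the same condition is closed and reopened back to back. Dropping the added `{% endif %}` and the `{% ifversion push-protection-delegated-bypass %}` that follows it would keep the paragraph and the section it links to under a single conditional, so the two cannot end up gated differently after a later versioning edit. The second conditional's body continues outside this hunk, so confirm nothing in it relies on being a separate block before merging them.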
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 12:45:25 +0100 Subject: [PATCH 268/282] update anchor links for supported patterns --- .../phase-2-preparing-to-enable-at-scale.md | 6 +++--- .../getting-started/github-security-features.md | 2 +- .../introduction/about-secret-scanning-for-partners.md | 2 +- .../introduction/supported-secret-scanning-patterns.md | 4 ++-- .../evaluating-alerts.md | 2 +- .../resolving-alerts.md | 2 +- .../viewing-alerts.md | 8 ++++---- .../troubleshooting-secret-scanning.md | 4 ++-- .../defining-custom-patterns-for-secret-scanning.md | 2 +- .../enabling-secret-scanning-for-non-provider-patterns.md | 2 +- .../push-protection-for-users.md | 2 +- ...ring-global-security-settings-for-your-organization.md | 2 +- .../end-to-end-supply-chain/securing-code.md | 2 +- .../github-terms-for-additional-products-and-features.md | 2 +- data/reusables/security-overview/settings-limitations.md | 2 +- 15 files changed, 22 insertions(+), 22 deletions(-) diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md index a2ca0eec3f70..15584b48a1a8 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md 
@@ -132,7 +132,7 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro **Note:** When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %} -Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."{% endif %} +Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."{% endif %} {% endnote %} 
@@ -158,13 +158,13 @@ If you are enabling {% data variables.product.prodname_secret_scanning %} on a l ### Custom patterns for {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)." +{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." ### Push protection for {% data variables.product.prodname_secret_scanning %} -Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
+Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." If a secret is detected in a push, that push is blocked. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. {% data reusables.secret-scanning.push-protection-custom-pattern %} diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index 55fbc5a9f543..550889a7be75 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md @@ -89,7 +89,7 @@ Push protection for users automatically protects you from accidentally committin ### {% data variables.secret-scanning.partner_alerts_caps %} -Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." {% endif %} 
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 276124021dcd..d99200b63eb7 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -23,7 +23,7 @@ The reason partner alerts are directly sent to the secret providers whenever a l ## What are the supported secrets -For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." ## Further reading diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index bd8864ef963b..6707ff85fcdf 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -12,7 +12,7 @@ topics: - Advanced Security redirect_from: - /code-security/secret-scanning/secret-scanning-partners - - /code-security/secret-scanning/secret-scanning-patterns + - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns layout: inline shortTitle: Supported patterns --- 
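Review bot: In the `redirect_from` hunk of supported-secret-scanning-patterns.md, the new entry `/code-security/secret-scanning/introduction/supported-secret-scanning-patterns` is this file's own path (see the diff header), and it replaces the old entry `/code-security/secret-scanning/secret-scanning-patterns`. This looks like the link search-and-replace also hit the front matter: the page now lists itself as a redirect source, and the previous URL presumably stops redirecting for existing bookmarks and external links. I would restore the removed line, `  - /code-security/secret-scanning/secret-scanning-patterns`, and not add the new path. The front matter starts above the hunk, so check that no other `redirect_from` entry was rewritten the same way.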
@@ -49,7 +49,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec **Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." {% endnote %} -* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %} +* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. 
For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %} {% ifversion secret-scanning-non-provider-patterns %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index e810be90052e..074f03a498a2 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md 
@@ -43,7 +43,7 @@ Organizations using {% data variables.product.prodname_ghe_cloud %} with a licen {% data reusables.gated-features.partner-pattern-validity-check-ghas %} -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." +For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." {% endif %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md index d91679ecacaf..196c2ed5e334 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md 
@@ -30,7 +30,7 @@ Once a secret has been committed to a repository, you should consider the secret
 {% ifversion fpt or ghec %}
 > [!NOTE]
-> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 {% endif %}
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index 88a71f5b37b4..0863d1e56abd 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -75,11 +75,11 @@ You can apply various filters to the alerts list to help you find the alerts you |`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."| |`validity:inactive`| Displays alerts for secrets that are no longer active.| |`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| +|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secret)." | +|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."| | {% ifversion secret-scanning-non-provider-patterns %} | -|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." 
| -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| +|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." | +|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| | {% endif %} | ## Next steps diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md index 9572785a2cdf..aa572adac2df 100644 --- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md 
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md @@ -22,7 +22,7 @@ redirect_from: {% data variables.product.prodname_secret_scanning_caps %} will only detect pattern pairs, such as AWS Access Keys and Secrets, if the ID and the secret are found in the same file, and both are pushed to the repository. Pair matching helps reduce false positives since both elements of a pair (the ID and the secret) must be used together to access the provider's resource. -Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)." +Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." {% ifversion secret-scanning-validity-check %} @@ -34,7 +34,7 @@ For {% data variables.product.prodname_dotcom %} tokens, we check the validity o ## Push protection limitations -If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." If your secret is in the supported list, there are various reasons why push protection may not detect it. 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
index 3c75151d3650..2fc60381c39a 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
@@ -17,7 +17,7 @@ topics:
 ## About custom patterns for {% data variables.product.prodname_secret_scanning %}
-You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
+You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
 You can define custom patterns for your enterprise, organization, or repository. {% data variables.product.prodname_secret_scanning_caps %} supports up to 500 custom patterns for each organization or enterprise account, and up to 100 custom patterns per repository.
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index f34762c6bff5..5a10b2fa9958 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -20,7 +20,7 @@ shortTitle: Enable for non-provider patterns
 You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives.
-For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}."
+For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#about-secret-scanning-alerts){% endif %}."
 {% ifversion security-configurations %}
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
index c15343611c02..0cca4955ce4a 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
@@ -26,7 +26,7 @@ Push protection for users is different from _push protection for repositories an
 With push protection for users, {% data variables.product.prodname_dotcom %} won't create an alert when you bypass the protection and push a secret to a public repository, unless the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. However, if the bypassed secret is a {% data variables.product.prodname_dotcom %} token, the token will be revoked and you will be notified by email.
-For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 ## Disabling push protection for users
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
index 4056b2747b89..214c6ef2b514 100644
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
@@ -103,7 +103,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
 ### Scanning for non-provider patterns
-You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user-alerts)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
+You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts#other-alerts-list)."
 {% data reusables.secret-scanning.non-provider-patterns-beta %}
diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
index 4050c6dab3a0..bbcb51730d26 100644
--- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
+++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
@@ -87,7 +87,7 @@ If your organization uses {% data variables.product.prodname_GH_advanced_securit
 You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."
 {% else %}
-You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
+You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
 {% endif %}
 ### Secure storage of secrets you use in {% data variables.product.product_name %}
diff --git a/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md b/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md
index 6cfdcd331338..1c439bf750de 100644
--- a/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md
+++ b/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md
@@ -60,7 +60,7 @@ GitHub makes extra security features available to customers under an Advanced Se
 Advanced Security is licensed on a "Unique Committer" basis. A "Unique Committer" is a licensed user of GitHub Enterprise, GitHub Enterprise Cloud, or GitHub Enterprise Server, who has made a commit in the last 90 days to any repository with any GitHub Advanced Security functionality activated. You must acquire a GitHub Advanced Security User license for each of your Unique Committers. You may only use GitHub Advanced Security on codebases that are developed by or for you. For GitHub Enterprise Cloud users, some Advanced Security features also require the use of GitHub Actions.
-For secret scanning with GitHub Advanced Security, when you opt-in to automatic validity checks for partner patterns, exposed third-party tokens may be shared with the relevant partner, in order to provide you with more information about the validity of the token. Not all partners are based in the United States. The [Secret scanning patterns documentation](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns) provides more details on which partners support the validity check.
+For secret scanning with GitHub Advanced Security, when you opt-in to automatic validity checks for partner patterns, exposed third-party tokens may be shared with the relevant partner, in order to provide you with more information about the validity of the token. Not all partners are based in the United States. The [Secret scanning patterns documentation](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns) provides more details on which partners support the validity check.
 ## Advisory Database
diff --git a/data/reusables/security-overview/settings-limitations.md b/data/reusables/security-overview/settings-limitations.md
index f993c80bfe4b..6dc3ca95fe90 100644
--- a/data/reusables/security-overview/settings-limitations.md
+++ b/data/reusables/security-overview/settings-limitations.md @@ -4,7 +4,7 @@ **Notes:** * Enabling {% data variables.product.prodname_code_scanning %} default setup _will not_ override any existing configurations of advanced setup for the selected repositories, but it _will_ override any existing configurations of default setup. -* Enabling "Alerts" for {% data variables.product.prodname_secret_scanning %} enables high-confidence alerts. If you want to enable non-provider alerts, you need to edit the repository, organization, or enterprise settings. For more information about alert types, see "[Supported secrets](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +* Enabling "Alerts" for {% data variables.product.prodname_secret_scanning %} enables high-confidence alerts. If you want to enable non-provider alerts, you need to edit the repository, organization, or enterprise settings. For more information about alert types, see "[Supported secrets](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." {% endnote %} From 76bc8de19a96a8049f070a99c1e32ef572a4a1f7 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 13:18:31 +0100 Subject: [PATCH 269/282] its getting boring --- .../phase-2-preparing-to-enable-at-scale.md | 6 +++--- .../phase-3-pilot-programs.md | 2 +- .../phase-6-rollout-and-scale-secret-scanning.md | 2 +- ...s-for-preventing-data-leaks-in-your-organization.md | 2 +- .../getting-started/github-security-features.md | 2 +- .../introduction/about-push-protection.md | 2 +- .../introduction/about-secret-scanning-for-partners.md | 2 +- .../introduction/supported-secret-scanning-patterns.md | 4 ++-- .../evaluating-alerts.md | 2 +- .../defining-custom-patterns-for-secret-scanning.md | 4 ++-- ...g-global-security-settings-for-your-organization.md | 2 +- .../reviewing-the-audit-log-for-your-organization.md | 8 ++++---- .../reusables/audit_log/audit-log-action-categories.md | 10 +++++----- .../validity-check-partner-patterns-enabled.md | 2 +- src/fixtures/fixtures/versionless-redirects.txt | 2 +- 15 files changed, 26 insertions(+), 26 deletions(-) diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md index 15584b48a1a8..c0e6bcd46123 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md 
@@ -132,7 +132,7 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro **Note:** When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %} -Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."{% endif %} +Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."{% endif %} {% endnote %} 
@@ -154,13 +154,13 @@ Enabling {% data variables.product.prodname_secret_scanning %} for all repositor If you are enabling {% data variables.product.prodname_secret_scanning %} on a large organization, be prepared to see a high number of secrets found. Sometimes this comes as a shock to organizations and the alarm is raised. If you would like to turn on {% data variables.product.prodname_secret_scanning %} across all repositories at once, plan for how you will respond to multiple alerts across the organization. -{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." +{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." 
### Custom patterns for {% data variables.product.prodname_secret_scanning %} {% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." -As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." ### Push protection for {% data variables.product.prodname_secret_scanning %} diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md index ab7e0fe4c608..2762d9a094e3 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md 
@@ -102,7 +102,7 @@ Start to review activity using the push protection metrics page in security over
 {%- endif %}
-If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 To learn how to view and close alerts for secrets checked into your repository, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md
index e7c4fe486101..0be7b7612f68 100644
--- a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md
+++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md
@@ -107,7 +107,7 @@ Once you have decided on the secret types, you can do the following:
 You can now expand beyond the five most critical secret types into a more comprehensive list, with an additional focus on education. You can repeat the previous step, remediating previously committed secrets, for the different secret types you have targeted.
-You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 As you continue to build your remediation processes for other secret types, start to create proactive training material that can be shared with all developers of GitHub in your organization. Until this point, a lot of the focus has been reactive. It is an excellent idea to shift focus to being proactive and encourage developers not to push credentials to GitHub in the first place. This can be achieved in multiple ways but creating a short document explaining the risks and reasons would be a great place to start.
diff --git a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md
index ef129e252fa1..a31d159d2f50 100644
--- a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md
+++ b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md
@@ -84,7 +84,7 @@ There are two forms of {% data variables.product.prodname_secret_scanning %} ava
 For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
-{% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
+{% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."{% endif %}
 ### Review the audit log for your organization
diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md
index 550889a7be75..2e375eac3db6 100644
--- a/content/code-security/getting-started/github-security-features.md
+++ b/content/code-security/getting-started/github-security-features.md
@@ -89,7 +89,7 @@ Push protection for users automatically protects you from accidentally committin ### {% data variables.secret-scanning.partner_alerts_caps %} -Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." {% endif %} diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 4708f5bf133e..b47948085baf 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -80,7 +80,7 @@ Integrate push protection with your Continuous Integration/Continuous Deployment ### Define custom patterns -Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% endif %} 
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index d99200b63eb7..276124021dcd 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -23,7 +23,7 @@ The reason partner alerts are directly sent to the secret providers whenever a l ## What are the supported secrets -For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." ## Further reading diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 6707ff85fcdf..835df227d718 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -12,7 +12,7 @@ topics: - Advanced Security redirect_from: - /code-security/secret-scanning/secret-scanning-partners - - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns + - /code-security/secret-scanning/secret-scanning-patterns layout: inline shortTitle: Supported patterns --- 
@@ -38,7 +38,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec * **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled. * Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives. - * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." + * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes %} * **{% data variables.product.prodname_secret_scanning_caps %} alert**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} * Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled. 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index 074f03a498a2..6652cf1273dd 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md @@ -43,7 +43,7 @@ Organizations using {% data variables.product.prodname_ghe_cloud %} with a licen {% data reusables.gated-features.partner-pattern-validity-check-ghas %} -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." +For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." {% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 2fc60381c39a..8e11d146fb97 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md @@ -5,7 +5,7 @@ intro: 'You can define your own custom patterns to extend the capabilities of {% product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: - /code-security/secret-security/defining-custom-patterns-for-secret-scanning - - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning + - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning versions: ghes: '*' ghec: '*' @@ -52,7 +52,7 @@ For simple tokens you will usually only need to specify a secret format. The oth ## Defining a custom pattern for a repository -Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." +Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index 214c6ef2b514..b840e3c33638 100644 
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md @@ -126,7 +126,7 @@ To provide context for developers when {% data variables.product.prodname_secret ### Defining custom patterns -You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% endif %} diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md index 94529e94b8b0..1624176b33d7 100644 
--- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md +++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md @@ -86,7 +86,7 @@ To search for specific events, use the `action` qualifier in your query. Actions | `org_secret_scanning_automatic_validity_checks` | Contains organization-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization)." | {% endif %} | | {% ifversion secret-scanning-audit-log-custom-patterns %} | -| `org_secret_scanning_custom_pattern` | Contains organization-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +| `org_secret_scanning_custom_pattern` | Contains organization-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." | {% endif %} | | `organization_default_label` | Contains all activities related to default labels for repositories in your organization. | `oauth_application` | Contains all activities related to {% data variables.product.prodname_oauth_apps %}. 
@@ -110,13 +110,13 @@ To search for specific events, use the `action` qualifier in your query. Actions | `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." | {% endif %} | | {% ifversion secret-scanning-validity-check-audit-log %} | -| `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." +| `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." | {% endif %} | | {% ifversion secret-scanning-audit-log-custom-patterns %} | -| `repository_secret_scanning_custom_pattern` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." | +| `repository_secret_scanning_custom_pattern` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." 
| | {% endif %} | | {% ifversion secret-scanning-custom-pattern-push-protection-audit %} | -| `repository_secret_scanning_custom_pattern_push_protection`| Contains repository-level activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." +| `repository_secret_scanning_custom_pattern_push_protection`| Contains repository-level activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." | {% endif %} | | {% ifversion secret-scanning-audit-log-custom-patterns %} | | `repository_secret_scanning_push_protection` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." diff --git a/data/reusables/audit_log/audit-log-action-categories.md b/data/reusables/audit_log/audit-log-action-categories.md index 3190d2441fee..58c39d08cbae 100644 --- a/data/reusables/audit_log/audit-log-action-categories.md +++ b/data/reusables/audit_log/audit-log-action-categories.md 
@@ -25,7 +25,7 @@ | `business_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an enterprise. {%- endif %} {%- ifversion secret-scanning-custom-pattern-push-protection-audit %} -| `business_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)." +| `business_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)." {%- endif %} {%- ifversion code-security-audit-log-events %} | `business_secret_scanning_push_protection` | Contains activities related to the push protection feature of {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." 
@@ -95,7 +95,7 @@ | `org_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization)." {%- endif %} {%- ifversion secret-scanning-audit-log-custom-patterns %} -| `org_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +| `org_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {%- endif %} | `organization_default_label` | Contains activities related to default labels for repositories in an organization. | `organization_domain` | Contains activities related to verified organization domains. 
@@ -137,13 +137,13 @@ | `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." {%- endif %} {%- ifversion secret-scanning-validity-check-audit-log %} -| `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." +| `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." {%- endif %} {%- ifversion secret-scanning-audit-log-custom-patterns %} -| `repository_secret_scanning_custom_pattern` | Contains activities related to {% data variables.product.prodname_secret_scanning %} custom patterns in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +| `repository_secret_scanning_custom_pattern` | Contains activities related to {% data variables.product.prodname_secret_scanning %} custom patterns in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." 
{%- endif %} {%- ifversion secret-scanning-custom-pattern-push-protection-audit %} -| `repository_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." +| `repository_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." {%- endif %} {%- ifversion secret-scanning-audit-log-custom-patterns %} | `repository_secret_scanning_push_protection` | Contains activities related to the push protection feature of {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." diff --git a/data/reusables/secret-scanning/validity-check-partner-patterns-enabled.md b/data/reusables/secret-scanning/validity-check-partner-patterns-enabled.md index bdbd7fbc852a..229a0e3fc2b3 100644 --- a/data/reusables/secret-scanning/validity-check-partner-patterns-enabled.md +++ b/data/reusables/secret-scanning/validity-check-partner-patterns-enabled.md 
@@ -1 +1 @@ -To be able to filter by validity status, you need to have validity checks for partner patterns enabled at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)," and "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features)." +To be able to filter by validity status, you need to have validity checks for partner patterns enabled at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)," "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)," and "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features)." diff --git a/src/fixtures/fixtures/versionless-redirects.txt b/src/fixtures/fixtures/versionless-redirects.txt index a16e709b967f..924ce1320c4a 100644 --- a/src/fixtures/fixtures/versionless-redirects.txt +++ b/src/fixtures/fixtures/versionless-redirects.txt 
@@ -380,7 +380,7 @@ /enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning - /code-security/secret-security/defining-custom-patterns-for-secret-scanning -- /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning +- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning /enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators - /articles/restricting-the-ability-to-add-outside-collaborators-to-organization-repositories From 55d00fd8f63658f316c3af48e3200403fee2bddb Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 13:22:06 +0100 Subject: [PATCH 270/282] reinstate --- .../defining-custom-patterns-for-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 8e11d146fb97..c9ff88542f3a 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md 
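Review bot: The rewritten entry under `/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning` now lists the page's own path as a redirect source, which looks like a side effect of the bulk link replacement rather than an intended change. The old URL `/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning` is no longer listed, so the fixture stops checking that existing inbound links to this page still resolve. I would keep the previous line, `- /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning`. The following "reinstate" patch restores the same entry in the page's `redirect_from`, but it changes only that one file, so this fixture presumably still needs the matching revert (or regeneration, if it is generated).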
@@ -5,7 +5,7 @@ intro: 'You can define your own custom patterns to extend the capabilities of {%
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
 - /code-security/secret-security/defining-custom-patterns-for-secret-scanning
- - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning
+ - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
 versions:
 ghes: '*'
 ghec: '*'
From 7d45834d7b94ca711f5db0a82419e5e2f9537fc6 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 13:52:25 +0100 Subject: [PATCH 271/282] more link updates --- .../configuring-secret-scanning-for-your-appliance.md | 2 +- .../removing-sensitive-data-from-a-repository.md | 4 ++-- .../phase-2-preparing-to-enable-at-scale.md | 4 ++-- .../phase-6-rollout-and-scale-secret-scanning.md | 4 ++-- ...ctices-for-preventing-data-leaks-in-your-organization.md | 4 ++-- .../getting-started/github-security-features.md | 6 +++--- .../introduction/supported-secret-scanning-patterns.md | 4 ++-- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- .../managing-alerts-from-secret-scanning/viewing-alerts.md | 4 ++-- .../about-generating-regular-expressions-with-ai.md | 4 ++-- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- ...the-detection-of-generic-secrets-with-secret-scanning.md | 2 +- .../enabling-ai-powered-generic-secret-detection.md | 2 +- .../push-protection-for-users.md | 2 +- ...guring-global-security-settings-for-your-organization.md | 2 +- .../interpreting-security-findings-on-a-repository.md | 2 +- .../creating-a-custom-security-configuration.md | 4 ++-- .../security-overview/about-security-overview.md | 2 +- .../end-to-end-supply-chain/securing-code.md | 6 +++--- .../learning-about-github/about-github-advanced-security.md | 2 +- ...-security-and-analysis-settings-for-your-organization.md | 2 +- .../reviewing-the-audit-log-for-your-organization.md | 4 ++-- .../archiving-a-github-repository/archiving-repositories.md | 2 +- .../authentication/keeping-your-api-credentials-secure.md | 2 +- content/rest/secret-scanning/secret-scanning.md | 2 +- .../advanced-security/more-info-ghas-secret-scanning.md | 2 +- data/reusables/apps/app-scans.md | 2 +- data/reusables/audit_log/audit-log-action-categories.md | 4 ++-- .../gated-features/push-protection-users-and-repos.md | 2 +- data/reusables/secret-scanning/push-protection-for-users.md | 2 +- 
.../secret-scanning/push-protection-public-repos-bypass.md | 2 +- 31 files changed, 45 insertions(+), 45 deletions(-) diff --git a/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md b/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md index 2b491d7ce0ed..804106a27377 100644 --- a/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md +++ b/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md @@ -19,7 +19,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -If someone checks a secret with a known pattern into a repository, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the **Security** tab for the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +If someone checks a secret with a known pattern into a repository, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the **Security** tab for the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." ## Checking whether your license includes {% data variables.product.prodname_GH_advanced_security %} 
diff --git a/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md b/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md index be9dfb77275b..241c1ce56ce4 100644 --- a/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md +++ b/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md 
@@ -214,10 +214,10 @@ There are a few simple tricks to avoid committing things you don't want committe * Avoid the catch-all commands `git add .` and `git commit -a` on the command line—use `git add filename` and `git rm filename` to individually stage files, instead. * Use `git add --interactive` to individually review and stage changes within each file. * Use `git diff --cached` to review the changes that you have staged for commit. This is the exact diff that `git commit` will produce as long as you don't use the `-a` flag. -* Enable push protection for your repository to detect and prevent pushes which contain hardcoded secrets from being committed to your codebase. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#about-push-protection-for-repositories-and-organizations)." +* Enable push protection for your repository to detect and prevent pushes which contain hardcoded secrets from being committed to your codebase. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." ## Further reading * [`git filter-repo` man page](https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html) * [Pro Git: Git Tools - Rewriting History](https://git-scm.com/book/en/Git-Tools-Rewriting-History) -* "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md index c0e6bcd46123..d90585d9282b 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md 
+++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md @@ -136,7 +136,7 @@ Secrets found in public repositories using {% data variables.secret-scanning.par {% endnote %} -If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." {% ifversion ghec %}{% data variables.secret-scanning.partner_alerts_caps %} runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on {% data variables.product.prodname_dotcom_the_website %}. 
@@ -176,7 +176,7 @@ Before enabling push protection, consider whether you need to create guidance fo Next, familiarize yourself with the different options for managing and monitoring alerts that are the result of a contributor bypassing push protection. -For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." +For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." {% note %} diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md index 0be7b7612f68..e91d27f773b4 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md 
@@ -53,11 +53,11 @@ Repeat the last two steps for any new secrets leaked. This process encourages de ## 2. Enable push protection -Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection)." +Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)." Once enabled, you can do the following: -1. **Provide guidance**: Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection)." +1. **Provide guidance**: Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)." 1. **Notify**: Define a webhook that specifically tracks {% data variables.secret-scanning.alerts %} created when someone bypasses push protection by using the alert property `"push_protection_bypassed": true`. Or, use the API to get updates on which {% data variables.secret-scanning.alerts %} were the result of a push protection bypass by filtering the list of results for `"push_protection_bypassed": true`. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." diff --git a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md index a31d159d2f50..7fdf778fa825 100644 --- a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md +++ b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md 
@@ -36,7 +36,7 @@ Protect your organization's repositories and settings by implementing security b * Encouraging your users to create strong passwords and secure them appropriately, by following {% data variables.product.prodname_dotcom %}’s recommended password guidelines. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-strong-password)."{% ifversion secret-scanning-push-protection-for-users %} -* Encouraging your users to keep push protection for users enabled in their personal account settings, so that no matter which public repository they push to, they are protected. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %} +* Encouraging your users to keep push protection for users enabled in their personal account settings, so that no matter which public repository they push to, they are protected. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} * Establishing an internal security policy in {% data variables.product.prodname_dotcom %}, so users know the appropriate steps to take and who to contact if an incident is suspected. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)." 
@@ -82,7 +82,7 @@ There are two forms of {% data variables.product.prodname_secret_scanning %} ava {% ifversion ghes %}Your site administrator must enable {% data variables.product.prodname_secret_scanning %} for {% data variables.location.product_location %} before you can use this feature. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance)."{% endif %} -For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." {% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."{% endif %} diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index 2e375eac3db6..4c40a23c94c4 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md 
@@ -77,13 +77,13 @@ Privately discuss and fix security vulnerabilities in your repository's code. Yo ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." {% ifversion secret-scanning-push-protection-for-users %} ### Push protection for users -Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)." +Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. 
Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." {% endif %} @@ -114,7 +114,7 @@ Automatically detect security vulnerabilities and coding errors in new or modifi ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-on-github-enterprise-server){% endif %}." +Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-on-github-enterprise-server){% endif %}." {% ifversion dependabot-auto-triage-rules %} diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 835df227d718..fe5552fc1fbd 100644 
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -27,7 +27,7 @@ For details about all the supported patterns, see the "[Supported secrets](#supp If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." -If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." +If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning)." ## Supported secrets 
@@ -46,7 +46,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec * **Push protection**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled. {% note %} - **Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." + **Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." {% endnote %} * **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %} 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index def754ce0705..b166bb541bbe 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -47,7 +47,7 @@ Push protection scans pushes for supported secrets. If push protection detects a >[!NOTE] > {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to _any_ public repository. Alerts are _not_ created if you choose to bypass your user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} > -> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." +> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." {% ifversion fpt or ghec %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index 0863d1e56abd..8c044d59d82d 100644 
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md @@ -70,7 +70,7 @@ You can apply various filters to the alerts list to help you find the alerts you |`is:open`|Displays open alerts.| |`is:closed`|Displays closed alerts.| | {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| +|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."| | {% endif %} | |`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."| |`validity:inactive`| Displays alerts for secrets that are no longer active.| 
@@ -79,7 +79,7 @@ You can apply various filters to the alerts list to help you find the alerts you |`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."| | {% ifversion secret-scanning-non-provider-patterns %} | |`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." | -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| +|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." 
{% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| | {% endif %} | ## Next steps diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md index a4c4a26269f7..e087bdaf2ed7 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md @@ -65,11 +65,11 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio ## Further reading {% ifversion fpt %} -* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) {% endif %} {% ifversion secret-scanning-custom-pattern-ai-generated %} * [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning) -* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) {% endif %} 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
index a32dbca4091e..5d67eb6d7319 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
@@ -16,7 +16,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." ## About excluding directories from {% data variables.secret-scanning.user_alerts %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md index 9cf1aaffc015..4738306efde1 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md @@ -83,5 +83,5 @@ Generic secret detection has been subject to Responsible AI Red Teaming and {% d ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) * [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md index 3364959cecb6..7fb698011111 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md @@ -43,4 +43,4 @@ For information on how to view alerts for generic secrets that have been detecte ## Further reading * [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning) -* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
index 0cca4955ce4a..bcf91feff3d4 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
@@ -22,7 +22,7 @@ When you try to push a secret to a public repository, {% data variables.product. Push protection for users is always on by default. You can disable the feature at any time through your personal account settings. This may cause secrets to be accidentally leaked. For more information, see "[Disabling push protection for users](#disabling-push-protection-for-users)." -Push protection for users is different from _push protection for repositories and organizations_, which is a {% data variables.product.prodname_secret_scanning %} feature that must be enabled by a repository administrator or organization owner. With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." +Push protection for users is different from _push protection for repositories and organizations_, which is a {% data variables.product.prodname_secret_scanning %} feature that must be enabled by a repository administrator or organization owner. With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." With push protection for users, {% data variables.product.prodname_dotcom %} won't create an alert when you bypass the protection and push a secret to a public repository, unless the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. 
However, if the bypassed secret is a {% data variables.product.prodname_dotcom %} token, the token will be revoked and you will be notified by email. diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index b840e3c33638..a8a06c7cc7d6 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md 
@@ -113,7 +113,7 @@ You can choose to scan for non-provider patterns, such as private keys, to detec ### Generic secret detection -Generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Use AI detection to find additional secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)." +Generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Use AI detection to find additional secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)." {% data reusables.secret-scanning.generic-secret-detection-ai %} diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md index a8b8fd728cf7..fbc704b5c62a 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md 
@@ -39,7 +39,7 @@ After you apply a {% data variables.product.prodname_security_configuration %} t {% endif %} You can view {% data variables.product.prodname_secret_scanning %} alerts for a repository by navigating to the main page of that repository, clicking the {% octicon "shield" aria-hidden="true" %} **Security** tab, then clicking {% octicon "key" aria-hidden="true" %} **{% data variables.product.prodname_secret_scanning_caps %}**. -For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." To learn how to interpret and resolve {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." diff --git a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md index c60ed6c0ae6d..96c434b3a641 100644 --- a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md +++ b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md 
@@ -47,9 +47,9 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c 1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)." 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features: - * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %} + * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %} * Validity check. To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %} - * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." + * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." {% ifversion fpt or ghec %} 1. 
In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)." {% endif %} diff --git a/content/code-security/security-overview/about-security-overview.md b/content/code-security/security-overview/about-security-overview.md index d4665a415b1c..b7cde053ba69 100644 --- a/content/code-security/security-overview/about-security-overview.md +++ b/content/code-security/security-overview/about-security-overview.md 
@@ -89,7 +89,7 @@ Each repository is shown in security overview with an indicator for each type of | Indicator | Meaning | | -------- | -------- | | {% octicon "code-square" aria-label="Code scanning alerts" %} | {% data variables.product.prodname_code_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." | -| {% octicon "key" aria-label="Secret scanning alerts" %} | {% data variables.product.prodname_secret_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." | +| {% octicon "key" aria-label="Secret scanning alerts" %} | {% data variables.product.prodname_secret_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." | | {% octicon "hubot" aria-label="Dependabot alerts" %} | {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." | | {% octicon "check" aria-label="Enabled" %} | The security feature is enabled, but does not raise alerts in this repository. | | {% octicon "x" aria-label="Not supported" %} | The security feature is not supported in this repository. | diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md index bbcb51730d26..2009666b8448 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md 
@@ -74,7 +74,7 @@ Code often needs to communicate with other systems over a network, and requires {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} {% ifversion fpt or ghec %} -{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-partners)." {% endif %} {% ifversion fpt %} 
@@ -85,9 +85,9 @@ You can enable and configure additional scanning that will alert you about accid {% elsif secret-scanning-user-owned-repos %} If your organization uses {% data variables.product.prodname_GH_advanced_security %}, you can enable {% data variables.secret-scanning.user_alerts %} on any repository owned by the organization, including private repositories. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." {% else %} -You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." 
{% endif %} ### Secure storage of secrets you use in {% data variables.product.product_name %} diff --git a/content/get-started/learning-about-github/about-github-advanced-security.md b/content/get-started/learning-about-github/about-github-advanced-security.md index 145914bf6c16..6aeed745e55d 100644 --- a/content/get-started/learning-about-github/about-github-advanced-security.md +++ b/content/get-started/learning-about-github/about-github-advanced-security.md 
@@ -38,7 +38,7 @@ A {% data variables.product.prodname_GH_advanced_security %} license provides th * **{% data variables.product.prodname_codeql_cli %}** - Run {% data variables.product.prodname_codeql %} processes locally on software projects or to generate {% data variables.product.prodname_code_scanning %} results for upload to {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli)." -* **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %}private repositories{% else %} the repository{% endif %}. If push protection is enabled, {% data variables.product.prodname_dotcom %} also detects secrets when they are pushed to your repository. {% ifversion secret-scanning-enable-by-default-for-public-repos %}{% data variables.secret-scanning.user_alerts_caps %} and push protection are available and free of charge for all {% ifversion ghec %}user-owned {% endif %}public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." +* **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %}private repositories{% else %} the repository{% endif %}. If push protection is enabled, {% data variables.product.prodname_dotcom %} also detects secrets when they are pushed to your repository. 
{% ifversion secret-scanning-enable-by-default-for-public-repos %}{% data variables.secret-scanning.user_alerts_caps %} and push protection are available and free of charge for all {% ifversion ghec %}user-owned {% endif %}public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." {% ifversion dependabot-auto-triage-rules %} diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md index ee3c1ca94441..43f88b03c434 100644 --- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md +++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md @@ -184,6 +184,6 @@ You can manage access to {% data variables.product.prodname_GH_advanced_security ## Further reading * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)"{% ifversion not fpt %} -* "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)"{% endif %} +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"{% endif %} * "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)" * "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)" 
diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
index 1624176b33d7..51be21c9ad68 100644
--- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
+++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
@@ -107,7 +107,7 @@ To search for specific events, use the `action` qualifier in your query. Actions | `repository_dependency_graph` | Contains repository-level activities related to enabling or disabling the dependency graph for a {% ifversion fpt or ghec %}private {% endif %}repository. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." | {% endif %} | | {% ifversion ghes or ghec %} | -| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." | {% endif %} | | {% ifversion secret-scanning-validity-check-audit-log %} | | `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." 
@@ -129,7 +129,7 @@ To search for specific events, use the `action` qualifier in your query. Actions | `role` | Contains all activities related to [custom repository roles](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization). | {% endif %} | | {% ifversion ghes or ghec %} | -| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." | `secret_scanning_new_repos` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} for new repositories created in the organization. | {% endif %} | | {% ifversion fpt or ghec %} | diff --git a/content/repositories/archiving-a-github-repository/archiving-repositories.md b/content/repositories/archiving-a-github-repository/archiving-repositories.md index e2abd4ef2ccb..1fe3d66f529f 100644 --- a/content/repositories/archiving-a-github-repository/archiving-repositories.md +++ b/content/repositories/archiving-a-github-repository/archiving-repositories.md 
@@ -29,7 +29,7 @@ topics: {% ifversion ghec or ghes %} {% note %} -**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-for-private-repositories)." +**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-for-private-repositories)." {% endnote %} {% endif %} diff --git a/content/rest/authentication/keeping-your-api-credentials-secure.md b/content/rest/authentication/keeping-your-api-credentials-secure.md index a1753dab1b05..b9a14e6f2aab 100644 --- a/content/rest/authentication/keeping-your-api-credentials-secure.md +++ b/content/rest/authentication/keeping-your-api-credentials-secure.md 
@@ -47,7 +47,7 @@ Treat authentication credentials the same way you would treat your passwords or * Don't share authentication credentials using an unencrypted messaging or email system. * Don't pass your {% data variables.product.pat_generic %} as plain text in the command line. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#keeping-your-personal-access-tokens-secure)." * Don't push unencrypted authentication credentials like tokens or keys to any repository, even if the repository is private. Instead consider using a {% data variables.product.prodname_actions %} secret{% ifversion fpt or ghec %} or Codespaces secret{% endif %}. For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets)"{% ifversion fpt or ghec %} and "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)"{% endif %}. -* You can use secret scanning to discover tokens, private keys, and other secrets that were pushed to a repository, or to block future pushes that contain secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +* You can use secret scanning to discover tokens, private keys, and other secrets that were pushed to a repository, or to block future pushes that contain secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." ## Limit who can access your authentication credentials diff --git a/content/rest/secret-scanning/secret-scanning.md b/content/rest/secret-scanning/secret-scanning.md index 072eaa66d406..fd37126d14bc 100644 --- a/content/rest/secret-scanning/secret-scanning.md +++ b/content/rest/secret-scanning/secret-scanning.md 
@@ -23,6 +23,6 @@ You can use the API to: * Enable or disable {% data variables.product.prodname_secret_scanning %} and push protection for a repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. * Retrieve and update {% data variables.secret-scanning.alerts %} from a repository. For further details, see the sections below. -For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." diff --git a/data/reusables/advanced-security/more-info-ghas-secret-scanning.md b/data/reusables/advanced-security/more-info-ghas-secret-scanning.md index f7f7fdece963..250ebca01bf9 100644 --- a/data/reusables/advanced-security/more-info-ghas-secret-scanning.md +++ b/data/reusables/advanced-security/more-info-ghas-secret-scanning.md @@ -1 +1 @@ -For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-on-github-enterprise-server)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-on-github-enterprise-server)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." 
diff --git a/data/reusables/apps/app-scans.md b/data/reusables/apps/app-scans.md
index b7b74e71f2c7..4cb14320734a 100644
--- a/data/reusables/apps/app-scans.md
+++ b/data/reusables/apps/app-scans.md
@@ -1 +1 @@
-You should conduct regular vulnerability scans for your app. For example, you might set up code scanning and secret scanning for the repository that hosts your app's code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
+You should conduct regular vulnerability scans for your app. For example, you might set up code scanning and secret scanning for the repository that hosts your app's code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
diff --git a/data/reusables/audit_log/audit-log-action-categories.md b/data/reusables/audit_log/audit-log-action-categories.md
index 58c39d08cbae..067145eef9c0 100644
--- a/data/reusables/audit_log/audit-log-action-categories.md
+++ b/data/reusables/audit_log/audit-log-action-categories.md
@@ -134,7 +134,7 @@ | `repository_invitation` | Contains activities related to invitations to join a repository. | `repository_projects_change` | Contains activities related to enabling projects for a repository or for all repositories in an organization. {%- ifversion ghec or ghes %} -| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." {%- endif %} {%- ifversion secret-scanning-validity-check-audit-log %} | `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." 
@@ -163,7 +163,7 @@ | `role` | Contains activities related to [custom repository roles](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization). {%- endif %} {%- ifversion ghec or ghes %} -| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." | `secret_scanning_new_repos` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} for new repositories created in the organization. {%- endif %} {%- ifversion ghec or ghes %} diff --git a/data/reusables/gated-features/push-protection-users-and-repos.md b/data/reusables/gated-features/push-protection-users-and-repos.md index 1ad4a05bdc9c..d3cb5795c740 100644 --- a/data/reusables/gated-features/push-protection-users-and-repos.md +++ b/data/reusables/gated-features/push-protection-users-and-repos.md 
@@ -10,4 +10,4 @@ Push protection for repositories and organizations is available for {% ifversion {%- elsif ghes %} Push protection is available for organization-owned repositories in {% data variables.product.product_name %} if your enterprise has a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %} -For more information, see {% ifversion secret-scanning-push-protection-for-users %}"[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)" and {% endif %}"[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." +For more information, see {% ifversion secret-scanning-push-protection-for-users %}"[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)" and {% endif %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." diff --git a/data/reusables/secret-scanning/push-protection-for-users.md b/data/reusables/secret-scanning/push-protection-for-users.md index e9b8d79ef0c5..24e1b6ec94ac 100644 --- a/data/reusables/secret-scanning/push-protection-for-users.md +++ b/data/reusables/secret-scanning/push-protection-for-users.md 
@@ -1 +1 @@ -Additionally, push protection _for users_ automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)." +Additionally, push protection _for users_ automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." diff --git a/data/reusables/secret-scanning/push-protection-public-repos-bypass.md b/data/reusables/secret-scanning/push-protection-public-repos-bypass.md index c44f50bed0ae..f30147f861dc 100644 --- a/data/reusables/secret-scanning/push-protection-public-repos-bypass.md +++ b/data/reusables/secret-scanning/push-protection-public-repos-bypass.md 
@@ -6,7 +6,7 @@ When pushing to a _public_ repository that doesn't have secret scanning enabled, you are still protected from accidentally pushing secrets thanks to _push protection for users_, which is on by default for your user account. - With push protection for users, GitHub will automatically block pushes to public repositories if these pushes contain supported secrets, but you won't need to specify a reason for allowing the secret, and {% data variables.product.prodname_dotcom %} won't generate an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)." + With push protection for users, GitHub will automatically block pushes to public repositories if these pushes contain supported secrets, but you won't need to specify a reason for allowing the secret, and {% data variables.product.prodname_dotcom %} won't generate an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." {% endnote %} From 4fca80687b9e5913c10c87e929a9c70c9c5e3466 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 14:04:36 +0100 Subject: [PATCH 272/282] more link updates --- .../secret-scanning/introduction/about-push-protection.md | 3 ++- .../push-protection-for-users.md | 2 +- .../managing-files/adding-a-file-to-a-repository.md | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index b47948085baf..2f286004a3a9 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -95,6 +95,7 @@ Define contributors who can bypass push protection and add an approval process f ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %} +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)" +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)"{% ifversion secret-scanning-push-protection-custom-patterns %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %} diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md index bcf91feff3d4..4884500b35c0 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md 
@@ -18,7 +18,7 @@ redirect_from: Push protection for users automatically protects you from accidentally committing secrets to public repositories across {% data variables.product.product_name %}. -When you try to push a secret to a public repository, {% data variables.product.prodname_dotcom %} blocks the push. If you believe it's safe to allow the secret, you have the option to bypass the block. Otherwise, you must remove the secret from the commit before pushing again. For more information on how to resolve a blocked push, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)." +When you try to push a secret to a public repository, {% data variables.product.prodname_dotcom %} blocks the push. If you believe it's safe to allow the secret, you have the option to bypass the block. Otherwise, you must remove the secret from the commit before pushing again. For more information on how to resolve a blocked push, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)" or "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)", depending on whether you use the {% data variables.product.product_name %} UI or the command line. Push protection for users is always on by default. You can disable the feature at any time through your personal account settings. This may cause secrets to be accidentally leaked. For more information, see "[Disabling push protection for users](#disabling-push-protection-for-users)." diff --git a/content/repositories/working-with-files/managing-files/adding-a-file-to-a-repository.md b/content/repositories/working-with-files/managing-files/adding-a-file-to-a-repository.md index fa8eaa8d5711..e390619202f9 100644 --- a/content/repositories/working-with-files/managing-files/adding-a-file-to-a-repository.md 
+++ b/content/repositories/working-with-files/managing-files/adding-a-file-to-a-repository.md @@ -35,7 +35,7 @@ You can upload multiple files to {% data variables.product.product_name %} at th {% ifversion push-protection-block-uploads %} -Your repository may be secured by push protection. With push protection, {% data variables.product.prodname_dotcom %} will block uploading a file to the repository if the file contains a supported secret, such as a token. You should remove the secret from the file before attempting to upload the file again. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection#using-push-protection-from-the-web-ui)" and "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-commit-in-the-web-ui)." +Your repository may be secured by push protection. With push protection, {% data variables.product.prodname_dotcom %} will block uploading a file to the repository if the file contains a supported secret, such as a token. You should remove the secret from the file before attempting to upload the file again. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)" and "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit)." {% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %} From ac943529d6ba156630dc028dd3ce2891b1829d75 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 14:54:31 +0100 Subject: [PATCH 273/282] and more link updates --- .../code-security/getting-started/github-security-features.md | 4 ++-- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- .../interpreting-security-findings-on-a-repository.md | 2 +- .../end-to-end-supply-chain/securing-code.md | 4 ++-- .../archiving-a-github-repository/archiving-repositories.md | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index 4c40a23c94c4..d6c6bb7a59d4 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md 
@@ -77,7 +77,7 @@ Privately discuss and fix security vulnerabilities in your repository's code. Yo ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." +Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts)." {% ifversion secret-scanning-push-protection-for-users %} 
@@ -114,7 +114,7 @@ Automatically detect security vulnerabilities and coding errors in new or modifi ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-on-github-enterprise-server){% endif %}." +Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %} {% ifversion dependabot-auto-triage-rules %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index 5d67eb6d7319..aece61ea3581 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
@@ -16,7 +16,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." +{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %} ## About excluding directories from {% data variables.secret-scanning.user_alerts %} diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md index fbc704b5c62a..caad619b9387 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md 
@@ -39,7 +39,7 @@ After you apply a {% data variables.product.prodname_security_configuration %} t {% endif %} You can view {% data variables.product.prodname_secret_scanning %} alerts for a repository by navigating to the main page of that repository, clicking the {% octicon "shield" aria-hidden="true" %} **Security** tab, then clicking {% octicon "key" aria-hidden="true" %} **{% data variables.product.prodname_secret_scanning_caps %}**. -For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." +For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." To learn how to interpret and resolve {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md index 2009666b8448..45f2af8dd539 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md 
@@ -74,7 +74,7 @@ Code often needs to communicate with other systems over a network, and requires {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} {% ifversion fpt or ghec %} -{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts##about-partner-alerts)." {% endif %} {% ifversion fpt %} 
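Review bot: The new link target in the `{% ifversion fpt or ghec %}` paragraph has a doubled fragment marker, `about-alerts##about-partner-alerts`, so the anchor is unlikely to resolve to the partner-alerts heading. The target should read `/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-partner-alerts`. This paragraph explains that secrets found in public repositories are reported to the issuing provider, so a dead anchor here sends readers away from the guidance they need after a leak. Since this series rewrites many anchors by hand, a link-check run over the moved pages before merge would confirm the others.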
@@ -85,7 +85,7 @@ You can enable and configure additional scanning that will alert you about accid {% elsif secret-scanning-user-owned-repos %} If your organization uses {% data variables.product.prodname_GH_advanced_security %}, you can enable {% data variables.secret-scanning.user_alerts %} on any repository owned by the organization, including private repositories. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." +You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts)." {% else %} You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." {% endif %} diff --git a/content/repositories/archiving-a-github-repository/archiving-repositories.md b/content/repositories/archiving-a-github-repository/archiving-repositories.md index 1fe3d66f529f..cb3bbc108cd9 100644 --- a/content/repositories/archiving-a-github-repository/archiving-repositories.md +++ b/content/repositories/archiving-a-github-repository/archiving-repositories.md 
@@ -29,7 +29,7 @@ topics: {% ifversion ghec or ghes %} {% note %} -**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-for-private-repositories)." +**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." {% endnote %} {% endif %} From fee208b114e4394d3d0cb4724d18f04f90bc7a7e Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 15:27:23 +0100 Subject: [PATCH 274/282] add reusable --- .../advanced-security/more-info-ghas-secret-scanning.md | 2 +- data/reusables/secret-scanning/alert-type-links.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 data/reusables/secret-scanning/alert-type-links.md diff --git a/data/reusables/advanced-security/more-info-ghas-secret-scanning.md b/data/reusables/advanced-security/more-info-ghas-secret-scanning.md index 250ebca01bf9..4b9b230a89ac 100644 --- a/data/reusables/advanced-security/more-info-ghas-secret-scanning.md +++ b/data/reusables/advanced-security/more-info-ghas-secret-scanning.md 
@@ -1 +1 @@ -For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-on-github-enterprise-server)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." diff --git a/data/reusables/secret-scanning/alert-type-links.md b/data/reusables/secret-scanning/alert-type-links.md new file mode 100644 index 000000000000..d7c998acc2e2 --- /dev/null +++ b/data/reusables/secret-scanning/alert-type-links.md @@ -0,0 +1 @@ +For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts){% endif %}." From 2875e271b11ffd12e91140bd2043a51ccaea52e8 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 15:29:53 +0100 Subject: [PATCH 275/282] space or no space --- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index aece61ea3581..82e7f4b586e3 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md @@ -16,7 +16,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %} +{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised.{% data reusables.secret-scanning.alert-type-links %} ## About excluding directories from {% data variables.secret-scanning.user_alerts %} From 6084552e76213f9263135805e8f56858b6a560d7 Mon Sep 17 00:00:00 2001 
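Review bot: Dropping the space before `{% data reusables.secret-scanning.alert-type-links %}` makes this page inconsistent with `github-security-features.md`, where patch 273 added the same reusable as `compromised. {% data reusables.secret-scanning.alert-type-links %}` with the space kept. The reusable added in patch 274 starts directly with `For more information`, so this line will presumably render as `compromised.For more information` unless the renderer inserts whitespace itself. Either restore the space here or make the same change at the other call site so both agree.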
From: Hao Jiang <45571951+jianghao0718@users.noreply.github.com> Date: Thu, 8 Aug 2024 09:22:23 -0600 Subject: [PATCH 276/282] Update replacing-a-cluster-node-modify-cluster-conf.md (#51962) --- .../replacing-a-cluster-node-modify-cluster-conf.md | 1 + 1 file changed, 1 insertion(+) diff --git a/data/reusables/enterprise_clustering/replacing-a-cluster-node-modify-cluster-conf.md b/data/reusables/enterprise_clustering/replacing-a-cluster-node-modify-cluster-conf.md index 51659fafec18..bf3b5d52cd5b 100644 --- a/data/reusables/enterprise_clustering/replacing-a-cluster-node-modify-cluster-conf.md +++ b/data/reusables/enterprise_clustering/replacing-a-cluster-node-modify-cluster-conf.md @@ -5,6 +5,7 @@ hostname = ghe-replacement-data-node-3 ipv4 = 192.168.0.7 # ipv6 = fd12:3456:789a:1::7 + consul-datacenter = PRIMARY-DATACENTER git-server = true pages-server = true mysql-server = true From ca1c2d6fbcefa9d1d69ba0bdb3bc4cae672ab8a1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Aug 2024 09:33:07 -0700 Subject: [PATCH 277/282] Bump docker/build-push-action from 6.5.0 to 6.6.1 (#51958) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/azure-preview-env-deploy-public.yml | 2 +- .github/workflows/azure-preview-env-deploy.yml | 2 +- .github/workflows/azure-prod-build-deploy.yml | 2 +- .github/workflows/azure-staging-build-deploy.yml | 2 +- .github/workflows/main-preview-docker-cache.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/azure-preview-env-deploy-public.yml b/.github/workflows/azure-preview-env-deploy-public.yml index c3ddf272bcdd..1be9f7664868 100644 --- a/.github/workflows/azure-preview-env-deploy-public.yml +++ b/.github/workflows/azure-preview-env-deploy-public.yml 
@@ -112,7 +112,7 @@ jobs: run: src/workflows/prune-for-preview-env.sh - name: 'Build and push image' - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 + uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 with: context: . push: true diff --git a/.github/workflows/azure-preview-env-deploy.yml b/.github/workflows/azure-preview-env-deploy.yml index 1948aebe61e9..2b9c192d8d90 100644 --- a/.github/workflows/azure-preview-env-deploy.yml +++ b/.github/workflows/azure-preview-env-deploy.yml @@ -171,7 +171,7 @@ jobs: run: src/workflows/prune-for-preview-env.sh - name: 'Build and push image' - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 + uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 with: context: . push: true diff --git a/.github/workflows/azure-prod-build-deploy.yml b/.github/workflows/azure-prod-build-deploy.yml index 2aef0da75af8..254ca141255b 100644 --- a/.github/workflows/azure-prod-build-deploy.yml +++ b/.github/workflows/azure-prod-build-deploy.yml @@ -92,7 +92,7 @@ jobs: token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} - name: 'Build and push image' - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 + uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 with: context: . push: true diff --git a/.github/workflows/azure-staging-build-deploy.yml b/.github/workflows/azure-staging-build-deploy.yml index f9dc84fbbe91..c02e8a864c48 100644 --- a/.github/workflows/azure-staging-build-deploy.yml +++ b/.github/workflows/azure-staging-build-deploy.yml @@ -91,7 +91,7 @@ jobs: run: src/early-access/scripts/merge-early-access.sh - name: 'Build and push image' - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 + uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 with: context: . push: true 
diff --git a/.github/workflows/main-preview-docker-cache.yml b/.github/workflows/main-preview-docker-cache.yml index 87e149aea564..db137ac78113 100644 --- a/.github/workflows/main-preview-docker-cache.yml +++ b/.github/workflows/main-preview-docker-cache.yml @@ -68,7 +68,7 @@ jobs: run: src/workflows/prune-for-preview-env.sh - name: 'Build and push image' - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 + uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 with: context: . push: true From 78ef9319d46c348d82399e309bb9150a4560cf4e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Aug 2024 16:33:25 +0000 Subject: [PATCH 278/282] Bump github/codeql-action from 3.25.5 to 3.26.0 (#51959) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a27be1874a02..67fdbd0d6702 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,13 +36,13 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 + - uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 with: languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp, ruby} config: | paths-ignore: - 'src/open-source/scripts/add-pr-links.js' - - uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 + - uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 continue-on-error: true - uses: ./.github/actions/slack-alert From 8a0c53a5195d33c1fd838dc7cff568ef51ee271d Mon Sep 17 00:00:00 2001 
From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Thu, 8 Aug 2024 09:34:26 -0700 Subject: [PATCH 279/282] Update audit log event data (#51969) --- src/audit-logs/lib/config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/audit-logs/lib/config.json b/src/audit-logs/lib/config.json index f0e868e150f0..0d6dfaab7c96 100644 --- a/src/audit-logs/lib/config.json +++ b/src/audit-logs/lib/config.json @@ -3,5 +3,5 @@ "apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "apiRequestEvent": "This event is only available via audit log streaming." }, - "sha": "003ef1c021b4d4a90e7e505cb8eeb7c47d30e26e" + "sha": "c010d21e15f2da163a244cc320587e577d4eae0a" } \ No newline at end of file From d806b00e952fd3cd3c7fa0da7185db593e998bdf Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Thu, 8 Aug 2024 09:35:13 -0700 Subject: [PATCH 280/282] GraphQL schema update (#51970) Co-authored-by: rachmari <9831992+rachmari@users.noreply.github.com> --- src/graphql/data/ghes-3.14/previews.json | 149 +- .../ghes-3.14/schema.docs-enterprise.graphql | 703 ++++++- src/graphql/data/ghes-3.14/schema.json | 1837 +++++++++-------- 3 files changed, 1589 insertions(+), 1100 deletions(-) diff --git a/src/graphql/data/ghes-3.14/previews.json b/src/graphql/data/ghes-3.14/previews.json index 9b97f4399294..0637a088a01e 100644 --- a/src/graphql/data/ghes-3.14/previews.json +++ b/src/graphql/data/ghes-3.14/previews.json 
@@ -1,148 +1 @@ -[ - { - "title": "Access to package version deletion preview", - "description": "This preview adds support for the DeletePackageVersion mutation which enables deletion of private package versions.", - "toggled_by": "package-deletes-preview", - "toggled_on": [ - "Mutation.deletePackageVersion" - ], - "owning_teams": [ - "@github/pe-package-registry" - ], - "accept_header": "application/vnd.github.package-deletes-preview+json", - "href": "/graphql/overview/schema-previews#access-to-package-version-deletion-preview" - }, - { - "title": "Deployments preview", - "description": "This preview adds support for deployments mutations and new deployments features.", - "toggled_by": "flash-preview", - "toggled_on": [ - "DeploymentStatus.environment", - "Mutation.createDeploymentStatus", - "Mutation.createDeployment" - ], - "owning_teams": [ - "@github/pages" - ], - "accept_header": "application/vnd.github.flash-preview+json", - "href": "/graphql/overview/schema-previews#deployments-preview" - }, - { - "title": "Merge info preview more detailed information about a pull request's merge state preview", - "description": "This preview adds support for accessing fields that provide more detailed information about a pull request's merge state.", - "toggled_by": "merge-info-preview", - "toggled_on": [ - "PullRequest.canBeRebased", - "PullRequest.mergeStateStatus" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.merge-info-preview+json", - "href": "/graphql/overview/schema-previews#merge-info-preview-more-detailed-information-about-a-pull-requests-merge-state-preview" - }, - { - "title": "Update refs preview update multiple refs in a single operation preview", - "description": "This preview adds support for updating multiple refs in a single operation.", - "toggled_by": "update-refs-preview", - "toggled_on": [ - "Mutation.updateRefs", - "GitRefname", - "RefUpdate" - ], - "owning_teams": [ - "@github/repos" - ], - 
"accept_header": "application/vnd.github.update-refs-preview+json", - "href": "/graphql/overview/schema-previews#update-refs-preview-update-multiple-refs-in-a-single-operation-preview" - }, - { - "title": "Access to a repository's dependency graph preview", - "description": "This preview adds support for reading a dependency graph for a repository.", - "toggled_by": "hawkgirl-preview", - "toggled_on": [ - "DependencyGraphManifest", - "Repository.dependencyGraphManifests", - "DependencyGraphManifestEdge", - "DependencyGraphManifestConnection", - "DependencyGraphDependency", - "DependencyGraphDependencyEdge", - "DependencyGraphDependencyConnection" - ], - "owning_teams": [ - "@github/dependency-graph" - ], - "accept_header": "application/vnd.github.hawkgirl-preview+json", - "href": "/graphql/overview/schema-previews#access-to-a-repositorys-dependency-graph-preview" - }, - { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - }, - { - "title": "Labels preview", - "description": "This preview adds support for adding, updating, creating and deleting labels.", - "toggled_by": "bane-preview", - 
"toggled_on": [ - "Mutation.createLabel", - "Mutation.deleteLabel", - "Mutation.updateLabel" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.bane-preview+json", - "href": "/graphql/overview/schema-previews#labels-preview" - }, - { - "title": "Import project preview", - "description": "This preview adds support for importing projects.", - "toggled_by": "slothette-preview", - "toggled_on": [ - "Mutation.importProject" - ], - "owning_teams": [ - "@github/pe-issues-projects" - ], - "accept_header": "application/vnd.github.slothette-preview+json", - "href": "/graphql/overview/schema-previews#import-project-preview" - }, - { - "title": "Team review assignments preview", - "description": "This preview adds support for updating the settings for team review assignment.", - "toggled_by": "stone-crop-preview", - "toggled_on": [ - "Mutation.updateTeamReviewAssignment", - "TeamReviewAssignmentAlgorithm", - "Team.reviewRequestDelegationEnabled", - "Team.reviewRequestDelegationAlgorithm", - "Team.reviewRequestDelegationMemberCount", - "Team.reviewRequestDelegationNotifyTeam" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.stone-crop-preview+json", - "href": "/graphql/overview/schema-previews#team-review-assignments-preview" - } -] \ No newline at end of file +[] \ No newline at end of file diff --git a/src/graphql/data/ghes-3.14/schema.docs-enterprise.graphql b/src/graphql/data/ghes-3.14/schema.docs-enterprise.graphql index 35abd31e77db..0092e3c5bbd7 100644 --- a/src/graphql/data/ghes-3.14/schema.docs-enterprise.graphql +++ b/src/graphql/data/ghes-3.14/schema.docs-enterprise.graphql 
@@ -1097,17 +1097,17 @@ type AddedToProjectEvent implements Node { """ Project referenced by event. """ - project: Project @preview(toggledBy: "starfox-preview") + project: Project """ Project card referenced by this project event. """ - projectCard: ProjectCard @preview(toggledBy: "starfox-preview") + projectCard: ProjectCard """ Column name referenced by this project event. """ - projectColumnName: String! @preview(toggledBy: "starfox-preview") + projectColumnName: String! } """ @@ -1119,6 +1119,11 @@ interface AnnouncementBanner { """ announcement: String + """ + The date the announcement was created + """ + announcementCreatedAt: DateTime + """ The expiration date of the announcement, if any """ @@ -4123,7 +4128,7 @@ type ClosedEvent implements Node & UniformResourceLocatable { """ The object which triggered a `ClosedEvent`. """ -union Closer = Commit | PullRequest +union Closer = Commit | ProjectV2 | PullRequest """ The Code of Conduct for a repository 
@@ -4160,6 +4165,76 @@ type CodeOfConduct implements Node { url: URI } +""" +Choose which tools must provide code scanning results before the reference is +updated. When configured, code scanning must be enabled and have results for +both the commit and the reference being updated. +""" +type CodeScanningParameters { + """ + Tools that must provide code scanning results for this rule to pass. + """ + codeScanningTools: [CodeScanningTool!]! +} + +""" +Choose which tools must provide code scanning results before the reference is +updated. When configured, code scanning must be enabled and have results for +both the commit and the reference being updated. +""" +input CodeScanningParametersInput { + """ + Tools that must provide code scanning results for this rule to pass. + """ + codeScanningTools: [CodeScanningToolInput!]! +} + +""" +A tool that must provide code scanning results for this rule to pass. +""" +type CodeScanningTool { + """ + The severity level at which code scanning results that raise alerts block a + reference update. For more information on alert severity levels, see "[About code scanning alerts](${externalDocsUrl}/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels)." + """ + alertsThreshold: String! + + """ + The severity level at which code scanning results that raise security alerts + block a reference update. For more information on security severity levels, + see "[About code scanning alerts](${externalDocsUrl}/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels)." + """ + securityAlertsThreshold: String! + + """ + The name of a code scanning tool + """ + tool: String! +} + +""" +A tool that must provide code scanning results for this rule to pass. 
+""" +input CodeScanningToolInput { + """ + The severity level at which code scanning results that raise alerts block a + reference update. For more information on alert severity levels, see "[About code scanning alerts](${externalDocsUrl}/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels)." + """ + alertsThreshold: String! + + """ + The severity level at which code scanning results that raise security alerts + block a reference update. For more information on security severity levels, + see "[About code scanning alerts](${externalDocsUrl}/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels)." + """ + securityAlertsThreshold: String! + + """ + The name of a code scanning tool + """ + tool: String! +} + """ Collaborators affiliation level with a subject. """ @@ -6425,17 +6500,17 @@ type ConvertedNoteToIssueEvent implements Node { """ Project referenced by event. """ - project: Project @preview(toggledBy: "starfox-preview") + project: Project """ Project card referenced by this project event. """ - projectCard: ProjectCard @preview(toggledBy: "starfox-preview") + projectCard: ProjectCard """ Column name referenced by this project event. """ - projectColumnName: String! @preview(toggledBy: "starfox-preview") + projectColumnName: String! } """ @@ -6463,6 +6538,31 @@ type ConvertedToDiscussionEvent implements Node { id: ID! } +""" +Copilot endpoint information +""" +type CopilotEndpoints { + """ + Copilot API endpoint + """ + api: String! + + """ + Copilot origin tracker endpoint + """ + originTracker: String! + + """ + Copilot proxy endpoint + """ + proxy: String! + + """ + Copilot telemetry endpoint + """ + telemetry: String! +} + """ Autogenerated input type of CopyProjectV2 """ 
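Review bot: `alertsThreshold` and `securityAlertsThreshold` on the new `CodeScanningTool` type and `CodeScanningToolInput` input are typed `String!`, and neither description names the accepted values. These thresholds decide which code scanning results block a reference update, so a reader setting up the `code_scanning` rule cannot tell from this reference which string to send or what an unrecognised one does. Each description should gain a sentence listing the permitted values, or the fields should use an enum so the schema itself documents and constrains them. If this file is synced from an upstream schema, the wording needs to change there.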
@@ -6895,7 +6995,7 @@ type CreateCommitOnBranchPayload { """ Autogenerated input type of CreateDeployment """ -input CreateDeploymentInput @preview(toggledBy: "flash-preview") { +input CreateDeploymentInput { """ Attempt to automatically merge the default branch into the requested ref, defaults to true. """ @@ -6946,7 +7046,7 @@ input CreateDeploymentInput @preview(toggledBy: "flash-preview") { """ Autogenerated return type of CreateDeployment """ -type CreateDeploymentPayload @preview(toggledBy: "flash-preview") { +type CreateDeploymentPayload { """ True if the default branch has been auto-merged into the deployment ref. """ @@ -6966,7 +7066,7 @@ type CreateDeploymentPayload @preview(toggledBy: "flash-preview") { """ Autogenerated input type of CreateDeploymentStatus """ -input CreateDeploymentStatusInput @preview(toggledBy: "flash-preview") { +input CreateDeploymentStatusInput { """ Adds a new inactive status to all non-transient, non-production environment deployments with the same repository and environment name as the created @@ -7015,7 +7115,7 @@ input CreateDeploymentStatusInput @preview(toggledBy: "flash-preview") { """ Autogenerated return type of CreateDeploymentStatus """ -type CreateDeploymentStatusPayload @preview(toggledBy: "flash-preview") { +type CreateDeploymentStatusPayload { """ A unique identifier for the client performing the mutation. """ @@ -7275,7 +7375,7 @@ type CreateIssuePayload { """ Autogenerated input type of CreateLabel """ -input CreateLabelInput @preview(toggledBy: "bane-preview") { +input CreateLabelInput { """ A unique identifier for the client performing the mutation. """ @@ -7305,7 +7405,7 @@ input CreateLabelInput @preview(toggledBy: "bane-preview") { """ Autogenerated return type of CreateLabel """ -type CreateLabelPayload @preview(toggledBy: "bane-preview") { +type CreateLabelPayload { """ A unique identifier for the client performing the mutation. """ 
@@ -8709,7 +8809,7 @@ type DeleteIssuePayload { """ Autogenerated input type of DeleteLabel """ -input DeleteLabelInput @preview(toggledBy: "bane-preview") { +input DeleteLabelInput { """ A unique identifier for the client performing the mutation. """ @@ -8724,7 +8824,7 @@ input DeleteLabelInput @preview(toggledBy: "bane-preview") { """ Autogenerated return type of DeleteLabel """ -type DeleteLabelPayload @preview(toggledBy: "bane-preview") { +type DeleteLabelPayload { """ A unique identifier for the client performing the mutation. """ @@ -9323,7 +9423,7 @@ type DependabotUpdateError { """ A dependency manifest entry """ -type DependencyGraphDependency @preview(toggledBy: "hawkgirl-preview") { +type DependencyGraphDependency { """ Does the dependency itself have dependencies? """ @@ -9361,7 +9461,7 @@ type DependencyGraphDependency @preview(toggledBy: "hawkgirl-preview") { """ The connection type for DependencyGraphDependency. """ -type DependencyGraphDependencyConnection @preview(toggledBy: "hawkgirl-preview") { +type DependencyGraphDependencyConnection { """ A list of edges. """ @@ -9386,7 +9486,7 @@ type DependencyGraphDependencyConnection @preview(toggledBy: "hawkgirl-preview") """ An edge in a connection. """ -type DependencyGraphDependencyEdge @preview(toggledBy: "hawkgirl-preview") { +type DependencyGraphDependencyEdge { """ A cursor for use in pagination. """ @@ -9401,7 +9501,7 @@ type DependencyGraphDependencyEdge @preview(toggledBy: "hawkgirl-preview") { """ Dependency manifest for a repository """ -type DependencyGraphManifest implements Node @preview(toggledBy: "hawkgirl-preview") { +type DependencyGraphManifest implements Node { """ Path to view the manifest file blob """ 
@@ -9466,7 +9566,7 @@ type DependencyGraphManifest implements Node @preview(toggledBy: "hawkgirl-previ """ The connection type for DependencyGraphManifest. """ -type DependencyGraphManifestConnection @preview(toggledBy: "hawkgirl-preview") { +type DependencyGraphManifestConnection { """ A list of edges. """ @@ -9491,7 +9591,7 @@ type DependencyGraphManifestConnection @preview(toggledBy: "hawkgirl-preview") { """ An edge in a connection. """ -type DependencyGraphManifestEdge @preview(toggledBy: "hawkgirl-preview") { +type DependencyGraphManifestEdge { """ A cursor for use in pagination. """ @@ -9922,6 +10022,11 @@ type DeploymentProtectionRuleEdge { The possible protection rule types. """ enum DeploymentProtectionRuleType { + """ + Branch policy + """ + BRANCH_POLICY + """ Required reviewers """ @@ -10265,7 +10370,7 @@ type DeploymentStatus implements Node { """ Identifies the environment of the deployment at the time of this deployment status """ - environment: String @preview(toggledBy: "flash-preview") + environment: String """ Identifies the environment URL of the deployment. @@ -11904,6 +12009,11 @@ type Enterprise implements AnnouncementBanner & Node { """ announcement: String + """ + The date the announcement was created + """ + announcementCreatedAt: DateTime + """ The expiration date of the announcement, if any """ @@ -14708,11 +14818,26 @@ type Environment implements Node { """ id: ID! + """ + Indicates whether or not this environment is currently pinned to the repository + """ + isPinned: Boolean + + """ + The latest completed deployment with status success, failure, or error if it exists + """ + latestCompletedDeployment: Deployment + """ The name of the environment """ name: String! + """ + The position of the environment if it is pinned, null if it is not pinned + """ + pinnedPosition: Int + """ The protection rules defined for this environment """ 
@@ -14789,6 +14914,26 @@ enum EnvironmentOrderField { NAME } +""" +Properties by which environments connections can be ordered +""" +enum EnvironmentPinnedFilterField { + """ + All environments will be returned. + """ + ALL + + """ + Environments exclude pinned will be returned + """ + NONE + + """ + Only pinned environment will be returned + """ + ONLY +} + """ Ordering options for environments """ @@ -15128,6 +15273,50 @@ input FileDeletion { path: String! } +""" +Prevent commits that include files with specified file extensions from being +pushed to the commit graph. NOTE: This rule is in beta and subject to change +""" +type FileExtensionRestrictionParameters { + """ + The file extensions that are restricted from being pushed to the commit graph. + """ + restrictedFileExtensions: [String!]! +} + +""" +Prevent commits that include files with specified file extensions from being +pushed to the commit graph. NOTE: This rule is in beta and subject to change +""" +input FileExtensionRestrictionParametersInput { + """ + The file extensions that are restricted from being pushed to the commit graph. + """ + restrictedFileExtensions: [String!]! +} + +""" +Prevent commits that include changes in specified file paths from being pushed +to the commit graph. NOTE: This rule is in beta and subject to change +""" +type FilePathRestrictionParameters { + """ + The file paths that are restricted from being pushed to the commit graph. + """ + restrictedFilePaths: [String!]! +} + +""" +Prevent commits that include changes in specified file paths from being pushed +to the commit graph. NOTE: This rule is in beta and subject to change +""" +input FilePathRestrictionParametersInput { + """ + The file paths that are restricted from being pushed to the commit graph. + """ + restrictedFilePaths: [String!]! +} + """ The possible viewed states of a file . """ 
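Review bot: The description on the new `EnvironmentPinnedFilterField` enum, `Properties by which environments connections can be ordered`, describes an ordering enum, but its values `ALL`, `NONE` and `ONLY` select which environments are returned. A later hunk uses it as the `pinnedEnvironmentFilter` argument, which confirms it is a filter. Something like `Filters environments by whether they are pinned to the repository.` would match the behaviour. The `NONE` text `Environments exclude pinned will be returned` would read better as `Only environments that are not pinned will be returned.`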
@@ -15908,7 +16097,7 @@ scalar GitObjectID """ A fully qualified reference name (e.g. `refs/heads/master`). """ -scalar GitRefname @preview(toggledBy: "update-refs-preview") +scalar GitRefname """ Git SSH string @@ -19123,12 +19312,56 @@ type MarkedAsDuplicateEvent implements Node { isCrossRepository: Boolean! } +""" +Prevent commits that include file paths that exceed a specified character limit +from being pushed to the commit graph. NOTE: This rule is in beta and subject to change +""" +type MaxFilePathLengthParameters { + """ + The maximum amount of characters allowed in file paths + """ + maxFilePathLength: Int! +} + +""" +Prevent commits that include file paths that exceed a specified character limit +from being pushed to the commit graph. NOTE: This rule is in beta and subject to change +""" +input MaxFilePathLengthParametersInput { + """ + The maximum amount of characters allowed in file paths + """ + maxFilePathLength: Int! +} + +""" +Prevent commits that exceed a specified file size limit from being pushed to the +commit. NOTE: This rule is in beta and subject to change +""" +type MaxFileSizeParameters { + """ + The maximum file size allowed in megabytes. This limit does not apply to Git Large File Storage (Git LFS). + """ + maxFileSize: Int! +} + +""" +Prevent commits that exceed a specified file size limit from being pushed to the +commit. NOTE: This rule is in beta and subject to change +""" +input MaxFileSizeParametersInput { + """ + The maximum file size allowed in megabytes. This limit does not apply to Git Large File Storage (Git LFS). + """ + maxFileSize: Int! +} + """ Represents a member feature request notification """ type MemberFeatureRequestNotification implements Node { """ - Represents member feature request body containing organization name and the number of feature requests + Represents member feature request body containing entity name and the number of feature requests """ body: String! 
@@ -20678,22 +20911,22 @@ type MovedColumnsInProjectEvent implements Node { """ Column name the issue or pull request was moved from. """ - previousProjectColumnName: String! @preview(toggledBy: "starfox-preview") + previousProjectColumnName: String! """ Project referenced by event. """ - project: Project @preview(toggledBy: "starfox-preview") + project: Project """ Project card referenced by this project event. """ - projectCard: ProjectCard @preview(toggledBy: "starfox-preview") + projectCard: ProjectCard """ Column name the issue or pull request was moved to. """ - projectColumnName: String! @preview(toggledBy: "starfox-preview") + projectColumnName: String! } """ @@ -21161,7 +21394,7 @@ type Mutation { Parameters for CreateDeployment """ input: CreateDeploymentInput! - ): CreateDeploymentPayload @preview(toggledBy: "flash-preview") + ): CreateDeploymentPayload """ Create a deployment status. @@ -21171,7 +21404,7 @@ type Mutation { Parameters for CreateDeploymentStatus """ input: CreateDeploymentStatusInput! - ): CreateDeploymentStatusPayload @preview(toggledBy: "flash-preview") + ): CreateDeploymentStatusPayload """ Create a discussion. @@ -21236,7 +21469,7 @@ type Mutation { Parameters for CreateLabel """ input: CreateLabelInput! - ): CreateLabelPayload @preview(toggledBy: "bane-preview") + ): CreateLabelPayload """ Create a branch linked to an issue. @@ -21446,7 +21679,7 @@ type Mutation { Parameters for DeleteLabel """ input: DeleteLabelInput! - ): DeleteLabelPayload @preview(toggledBy: "bane-preview") + ): DeleteLabelPayload """ Unlink a branch from an issue. @@ -21466,7 +21699,7 @@ type Mutation { Parameters for DeletePackageVersion """ input: DeletePackageVersionInput! - ): DeletePackageVersionPayload @preview(toggledBy: "package-deletes-preview") + ): DeletePackageVersionPayload """ Deletes a project. 
@@ -21726,7 +21959,7 @@ type Mutation { Parameters for ImportProject """ input: ImportProjectInput! - ): ImportProjectPayload @preview(toggledBy: "slothette-preview") + ): ImportProjectPayload """ Links a project to a repository. @@ -21868,6 +22101,16 @@ type Mutation { input: MoveProjectColumnInput! ): MoveProjectColumnPayload + """ + Pin an environment to a repository + """ + pinEnvironment( + """ + Parameters for PinEnvironment + """ + input: PinEnvironmentInput! + ): PinEnvironmentPayload + """ Pin an issue to a repository """ @@ -21998,6 +22241,16 @@ type Mutation { input: ReopenPullRequestInput! ): ReopenPullRequestPayload + """ + Reorder a pinned repository environment + """ + reorderEnvironment( + """ + Parameters for ReorderEnvironment + """ + input: ReorderEnvironmentInput! + ): ReorderEnvironmentPayload + """ Set review requests on a pull request. """ @@ -22536,7 +22789,7 @@ type Mutation { Parameters for UpdateLabel """ input: UpdateLabelInput! - ): UpdateLabelPayload @preview(toggledBy: "bane-preview") + ): UpdateLabelPayload """ Update the setting to restrict notifications to only verified or approved domains available to an owner. @@ -22724,7 +22977,7 @@ type Mutation { Parameters for UpdateRefs """ input: UpdateRefsInput! - ): UpdateRefsPayload @preview(toggledBy: "update-refs-preview") + ): UpdateRefsPayload """ Update information about a repository. @@ -22794,7 +23047,7 @@ type Mutation { Parameters for UpdateTeamReviewAssignment """ input: UpdateTeamReviewAssignmentInput! - ): UpdateTeamReviewAssignmentPayload @preview(toggledBy: "stone-crop-preview") + ): UpdateTeamReviewAssignmentPayload """ Update team repository. @@ -26423,6 +26676,11 @@ type Organization implements Actor & AnnouncementBanner & MemberStatusable & Nod """ announcement: String + """ + The date the announcement was created + """ + announcementCreatedAt: DateTime + """ The expiration date of the announcement, if any """ 
@@ -28903,6 +29161,46 @@ type PermissionSource { source: PermissionGranter! } +""" +Autogenerated input type of PinEnvironment +""" +input PinEnvironmentInput { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The ID of the environment to modify + """ + environmentId: ID! @possibleTypes(concreteTypes: ["Environment"]) + + """ + The desired state of the environment. If true, environment will be pinned. If false, it will be unpinned. + """ + pinned: Boolean! +} + +""" +Autogenerated return type of PinEnvironment +""" +type PinEnvironmentPayload { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The environment that was pinned + """ + environment: Environment + + """ + The pinned environment if we pinned + """ + pinnedEnvironment: PinnedEnvironment +} + """ Autogenerated input type of PinIssue """ 
@@ -29183,6 +29481,106 @@ enum PinnedDiscussionPattern { ZAP } +""" +Represents a pinned environment on a given repository +""" +type PinnedEnvironment implements Node { + """ + Identifies the date and time when the pinned environment was created + """ + createdAt: DateTime! + + """ + Identifies the primary key from the database. + """ + databaseId: Int + + """ + Identifies the environment associated. + """ + environment: Environment! + + """ + The Node ID of the PinnedEnvironment object + """ + id: ID! + + """ + Identifies the position of the pinned environment. + """ + position: Int! + + """ + The repository that this environment was pinned to. + """ + repository: Repository! +} + +""" +The connection type for PinnedEnvironment. +""" +type PinnedEnvironmentConnection { + """ + A list of edges. + """ + edges: [PinnedEnvironmentEdge] + + """ + A list of nodes. + """ + nodes: [PinnedEnvironment] + + """ + Information to aid in pagination. + """ + pageInfo: PageInfo! + + """ + Identifies the total count of items in the connection. + """ + totalCount: Int! +} + +""" +An edge in a connection. +""" +type PinnedEnvironmentEdge { + """ + A cursor for use in pagination. + """ + cursor: String! + + """ + The item at the end of the edge. + """ + node: PinnedEnvironment +} + +""" +Ordering options for pinned environments +""" +input PinnedEnvironmentOrder { + """ + The direction in which to order pinned environments by the specified field. + """ + direction: OrderDirection! + + """ + The field to order pinned environments by. + """ + field: PinnedEnvironmentOrderField! +} + +""" +Properties by which pinned environments connections can be ordered +""" +enum PinnedEnvironmentOrderField { + """ + Order pinned environments by position + """ + POSITION +} + """ Represents a 'pinned' event on a given issue or pull request. """ 
@@ -33148,7 +33546,7 @@ type PullRequest implements Assignable & Closable & Comment & Labelable & Lockab """ Whether or not the pull request is rebaseable. """ - canBeRebased: Boolean! @preview(toggledBy: "merge-info-preview") + canBeRebased: Boolean! """ The number of changed files in this pull request. @@ -33511,7 +33909,7 @@ type PullRequest implements Assignable & Closable & Comment & Labelable & Lockab """ Detailed information about the current pull request merge state status. """ - mergeStateStatus: MergeStateStatus! @preview(toggledBy: "merge-info-preview") + mergeStateStatus: MergeStateStatus! """ Whether or not the pull request can be merged based on the existence of merge conflicts. @@ -33816,6 +34214,11 @@ type PullRequest implements Assignable & Closable & Comment & Labelable & Lockab """ state: PullRequestState! + """ + Check and Status rollup information for the PR's head ref. + """ + statusCheckRollup: StatusCheckRollup + """ A list of reviewer suggestions based on commit history and past review comments. """ @@ -37240,7 +37643,7 @@ enum RefOrderField { """ A ref update """ -input RefUpdate @preview(toggledBy: "update-refs-preview") { +input RefUpdate { """ The value this ref should be updated to. """ @@ -38170,12 +38573,12 @@ type RemovedFromProjectEvent implements Node { """ Project referenced by event. """ - project: Project @preview(toggledBy: "starfox-preview") + project: Project """ Column name referenced by this project event. """ - projectColumnName: String! @preview(toggledBy: "starfox-preview") + projectColumnName: String! } """ 
@@ -38338,6 +38741,41 @@ type ReopenedEvent implements Node { stateReason: IssueStateReason } +""" +Autogenerated input type of ReorderEnvironment +""" +input ReorderEnvironmentInput { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The ID of the environment to modify + """ + environmentId: ID! @possibleTypes(concreteTypes: ["Environment"]) + + """ + The desired position of the environment + """ + position: Int! +} + +""" +Autogenerated return type of ReorderEnvironment +""" +type ReorderEnvironmentPayload { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The environment that was reordered + """ + environment: Environment +} + """ Audit log entry for a repo.access event. """ @@ -40981,7 +41419,7 @@ type Repository implements Node & PackageOwner & ProjectOwner & ProjectV2Recent Flag to scope to only manifests with dependencies """ withDependencies: Boolean - ): DependencyGraphManifestConnection @preview(toggledBy: "hawkgirl-preview") + ): DependencyGraphManifestConnection """ A list of deploy keys that are on this repository. @@ -41196,6 +41634,11 @@ type Repository implements Node & PackageOwner & ProjectOwner & ProjectV2Recent Ordering options for the environments """ orderBy: Environments = {field: NAME, direction: ASC} + + """ + Filter to control pinned environments return + """ + pinnedEnvironmentFilter: EnvironmentPinnedFilterField = ALL ): EnvironmentConnection! """ 
@@ -41755,6 +42198,36 @@ type Repository implements Node & PackageOwner & ProjectOwner & ProjectV2Recent last: Int ): PinnedDiscussionConnection! + """ + A list of pinned environments for this repository. + """ + pinnedEnvironments( + """ + Returns the elements in the list that come after the specified cursor. + """ + after: String + + """ + Returns the elements in the list that come before the specified cursor. + """ + before: String + + """ + Returns the first _n_ elements from the list. + """ + first: Int + + """ + Returns the last _n_ elements from the list. + """ + last: Int + + """ + Ordering options for the environments + """ + orderBy: PinnedEnvironmentOrder = {field: POSITION, direction: ASC} + ): PinnedEnvironmentConnection + """ A list of pinned issues for this repository. """ @@ -41780,6 +42253,11 @@ type Repository implements Node & PackageOwner & ProjectOwner & ProjectV2Recent last: Int ): PinnedIssueConnection + """ + Returns information about the availability of certain features and limits based on the repository's billing plan. + """ + planFeatures: RepositoryPlanFeatures! + """ The primary language of the repository's code. """ @@ -43431,6 +43909,36 @@ enum RepositoryPermission { WRITE } +""" +Information about the availability of features and limits for a repository based on its billing plan. +""" +type RepositoryPlanFeatures { + """ + Whether reviews can be automatically requested and enforced with a CODEOWNERS file + """ + codeowners: Boolean! + + """ + Whether pull requests can be created as or converted to draft + """ + draftPullRequests: Boolean! + + """ + Maximum number of users that can be assigned to an issue or pull request + """ + maximumAssignees: Int! + + """ + Maximum number of manually-requested reviews on a pull request + """ + maximumManualReviewRequests: Int! + + """ + Whether teams can be requested to review pull requests + """ + teamReviewRequests: Boolean! +} + """ The privacy of a repository """ 
@@ -43660,6 +44168,13 @@ enum RepositoryRuleType { """ BRANCH_NAME_PATTERN + """ + Choose which tools must provide code scanning results before the reference is + updated. When configured, code scanning must be enabled and have results for + both the commit and the reference being updated. + """ + CODE_SCANNING + """ Committer email pattern """ @@ -43685,11 +44200,36 @@ enum RepositoryRuleType { """ DELETION + """ + Prevent commits that include files with specified file extensions from being + pushed to the commit graph. NOTE: Thie rule is in beta and subject to change + """ + FILE_EXTENSION_RESTRICTION + + """ + Prevent commits that include changes in specified file paths from being pushed + to the commit graph. NOTE: Thie rule is in beta and subject to change + """ + FILE_PATH_RESTRICTION + """ Branch is read-only. Users cannot push to the branch. """ LOCK_BRANCH + """ + Prevent commits that include file paths that exceed a specified character + limit from being pushed to the commit graph. NOTE: Thie rule is in beta and + subject to change + """ + MAX_FILE_PATH_LENGTH + + """ + Prevent commits that exceed a specified file size limit from being pushed to + the commit. NOTE: Thie rule is in beta and subject to change + """ + MAX_FILE_SIZE + """ Max ref updates """ @@ -43898,6 +44438,11 @@ type RepositoryRulesetBypassActor implements Node { """ bypassMode: RepositoryRulesetBypassActorBypassMode + """ + This actor represents the ability for a deploy key to bypass + """ + deployKey: Boolean! + """ The Node ID of the RepositoryRulesetBypassActor object """ @@ -43981,7 +44526,8 @@ type RepositoryRulesetBypassActorEdge { """ Specifies the attributes for a new or updated ruleset bypass actor. Only one of -`actor_id`, `repository_role_database_id`, or `organization_admin` should be specified. +`actor_id`, `repository_role_database_id`, `organization_admin`, or `deploy_key` +should be specified. """ input RepositoryRulesetBypassActorInput { """ 
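Review bot: The four enum values added to `RepositoryRuleType` in the second hunk on this line (`FILE_EXTENSION_RESTRICTION`, `FILE_PATH_RESTRICTION`, `MAX_FILE_PATH_LENGTH`, `MAX_FILE_SIZE`) all carry the typo `NOTE: Thie rule is in beta and subject to change`. The matching `*Parameters` types added earlier in this diff spell it `NOTE: This rule is in beta and subject to change`, so the enum descriptions should use the same sentence. These strings are presumably rendered into the published reference, where the typo would be visible on a page describing push restrictions. If the schema is generated from an upstream source, the correction belongs there rather than in this file.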
@@ -43994,6 +44540,11 @@ input RepositoryRulesetBypassActorInput { """ bypassMode: RepositoryRulesetBypassActorBypassMode! + """ + For deploy key bypasses, true. Can only use ALWAYS as the bypass mode + """ + deployKey: Boolean + """ For organization owner bypasses, true """ @@ -44046,7 +44597,7 @@ type RepositoryRulesetEdge { } """ -The targets supported for rulesets +The targets supported for rulesets. NOTE: The push target is in beta and subject to change. """ enum RepositoryRulesetTarget { """ @@ -44054,6 +44605,11 @@ enum RepositoryRulesetTarget { """ BRANCH + """ + Push + """ + PUSH + """ Tag """ @@ -45347,9 +45903,14 @@ Types which can be parameters for `RepositoryRule` objects. """ union RuleParameters = BranchNamePatternParameters + | CodeScanningParameters | CommitAuthorEmailPatternParameters | CommitMessagePatternParameters | CommitterEmailPatternParameters + | FileExtensionRestrictionParameters + | FilePathRestrictionParameters + | MaxFilePathLengthParameters + | MaxFileSizeParameters | PullRequestParameters | RequiredDeploymentsParameters | RequiredStatusChecksParameters @@ -45366,6 +45927,11 @@ input RuleParametersInput { """ branchNamePattern: BranchNamePatternParametersInput + """ + Parameters used for the `code_scanning` rule type + """ + codeScanning: CodeScanningParametersInput + """ Parameters used for the `commit_author_email_pattern` rule type """ 
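Review bot: The new `deployKey: Boolean` field on `RepositoryRulesetBypassActorInput` states its constraint, `Can only use ALWAYS as the bypass mode`, only in prose, while `bypassMode` keeps the general `RepositoryRulesetBypassActorBypassMode!` type. The reference therefore does not say what happens when another mode is supplied. The matching output field added to `RepositoryRulesetBypassActor` in an earlier hunk ends mid-sentence (`This actor represents the ability for a deploy key to bypass`) and should be completed, e.g. `This actor represents the ability for a deploy key to bypass the ruleset.` Because the flag is a Boolean rather than a reference to one key, it presumably applies to every deploy key on the repository; once confirmed, that scope is worth one sentence, since it affects how far a ruleset can be relied on. The input's definition starts and continues outside this hunk.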
@@ -45381,6 +45947,26 @@ input RuleParametersInput { """ committerEmailPattern: CommitterEmailPatternParametersInput + """ + Parameters used for the `file_extension_restriction` rule type + """ + fileExtensionRestriction: FileExtensionRestrictionParametersInput + + """ + Parameters used for the `file_path_restriction` rule type + """ + filePathRestriction: FilePathRestrictionParametersInput + + """ + Parameters used for the `max_file_path_length` rule type + """ + maxFilePathLength: MaxFilePathLengthParametersInput + + """ + Parameters used for the `max_file_size` rule type + """ + maxFileSize: MaxFileSizeParametersInput + """ Parameters used for the `pull_request` rule type """ @@ -46621,7 +47207,7 @@ input StartRepositoryMigrationInput { """ The URL of the source repository. """ - sourceRepositoryUrl: URI + sourceRepositoryUrl: URI! """ The visibility of the imported repository. @@ -47661,22 +48247,22 @@ type Team implements MemberStatusable & Node & Subscribable { """ What algorithm is used for review assignment for this team """ - reviewRequestDelegationAlgorithm: TeamReviewAssignmentAlgorithm @preview(toggledBy: "stone-crop-preview") + reviewRequestDelegationAlgorithm: TeamReviewAssignmentAlgorithm """ True if review assignment is enabled for this team """ - reviewRequestDelegationEnabled: Boolean! @preview(toggledBy: "stone-crop-preview") + reviewRequestDelegationEnabled: Boolean! """ How many team members are required for review assignment for this team """ - reviewRequestDelegationMemberCount: Int @preview(toggledBy: "stone-crop-preview") + reviewRequestDelegationMemberCount: Int """ When assigning team members via delegation, whether the entire team should be notified as well. """ - reviewRequestDelegationNotifyTeam: Boolean! @preview(toggledBy: "stone-crop-preview") + reviewRequestDelegationNotifyTeam: Boolean! """ The slug corresponding to the team. 
@@ -49371,7 +49957,7 @@ enum TeamRepositoryOrderField { """ The possible team review assignment algorithms """ -enum TeamReviewAssignmentAlgorithm @preview(toggledBy: "stone-crop-preview") { +enum TeamReviewAssignmentAlgorithm { """ Balance review load across the entire team """ @@ -51950,7 +52536,7 @@ type UpdateIssuePayload { """ Autogenerated input type of UpdateLabel """ -input UpdateLabelInput @preview(toggledBy: "bane-preview") { +input UpdateLabelInput { """ A unique identifier for the client performing the mutation. """ @@ -51980,7 +52566,7 @@ input UpdateLabelInput @preview(toggledBy: "bane-preview") { """ Autogenerated return type of UpdateLabel """ -type UpdateLabelPayload @preview(toggledBy: "bane-preview") { +type UpdateLabelPayload { """ A unique identifier for the client performing the mutation. """ @@ -52750,7 +53336,7 @@ type UpdateRefPayload { """ Autogenerated input type of UpdateRefs """ -input UpdateRefsInput @preview(toggledBy: "update-refs-preview") { +input UpdateRefsInput { """ A unique identifier for the client performing the mutation. """ @@ -52770,7 +53356,7 @@ input UpdateRefsInput @preview(toggledBy: "update-refs-preview") { """ Autogenerated return type of UpdateRefs """ -type UpdateRefsPayload @preview(toggledBy: "update-refs-preview") { +type UpdateRefsPayload { """ A unique identifier for the client performing the mutation. """ @@ -53081,7 +53667,7 @@ type UpdateTeamDiscussionPayload { """ Autogenerated input type of UpdateTeamReviewAssignment """ -input UpdateTeamReviewAssignmentInput @preview(toggledBy: "stone-crop-preview") { +input UpdateTeamReviewAssignmentInput { """ The algorithm to use for review assignment """ @@ -53429,6 +54015,11 @@ type User implements Actor & Node & PackageOwner & ProfileOwner & ProjectOwner & to: DateTime ): ContributionsCollection! + """ + The user's Copilot endpoint information + """ + copilotEndpoints: CopilotEndpoints + """ Identifies the date and time when the object was created. """ 
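Review bot: The added `copilotEndpoints` field on `User` is nullable, but its description `The user's Copilot endpoint information` does not say when it is null or which viewers can read it. For a field that returns service endpoints tied to an account (`api`, `proxy`, `telemetry` and `originTracker` in the matching `CopilotEndpoints` object), the doc string should state the visibility rule, for example `The user's Copilot endpoint information. Null when [condition to be confirmed with the schema owners].` The `User` type starts and ends outside this hunk, so any existing convention for viewer-only fields is not visible here.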
diff --git a/src/graphql/data/ghes-3.14/schema.json b/src/graphql/data/ghes-3.14/schema.json index efdaf5d47910..6d6bc4cc725a 100644 --- a/src/graphql/data/ghes-3.14/schema.json +++ b/src/graphql/data/ghes-3.14/schema.json @@ -2117,22 +2117,6 @@ "id": "createdeployment", "href": "/graphql/reference/mutations#createdeployment", "description": "

Creates a new deployment event.

", - "isDeprecated": false, - "preview": { - "title": "Deployments preview", - "description": "This preview adds support for deployments mutations and new deployments features.", - "toggled_by": "flash-preview", - "toggled_on": [ - "DeploymentStatus.environment", - "Mutation.createDeploymentStatus", - "Mutation.createDeployment" - ], - "owning_teams": [ - "@github/pages" - ], - "accept_header": "application/vnd.github.flash-preview+json", - "href": "/graphql/overview/schema-previews#deployments-preview" - }, "inputFields": [ { "name": "input", @@ -2175,22 +2159,6 @@ "id": "createdeploymentstatus", "href": "/graphql/reference/mutations#createdeploymentstatus", "description": "

Create a deployment status.

", - "isDeprecated": false, - "preview": { - "title": "Deployments preview", - "description": "This preview adds support for deployments mutations and new deployments features.", - "toggled_by": "flash-preview", - "toggled_on": [ - "DeploymentStatus.environment", - "Mutation.createDeploymentStatus", - "Mutation.createDeployment" - ], - "owning_teams": [ - "@github/pages" - ], - "accept_header": "application/vnd.github.flash-preview+json", - "href": "/graphql/overview/schema-previews#deployments-preview" - }, "inputFields": [ { "name": "input", @@ -2403,22 +2371,6 @@ "id": "createlabel", "href": "/graphql/reference/mutations#createlabel", "description": "

Creates a new label.

", - "isDeprecated": false, - "preview": { - "title": "Labels preview", - "description": "This preview adds support for adding, updating, creating and deleting labels.", - "toggled_by": "bane-preview", - "toggled_on": [ - "Mutation.createLabel", - "Mutation.deleteLabel", - "Mutation.updateLabel" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.bane-preview+json", - "href": "/graphql/overview/schema-previews#labels-preview" - }, "inputFields": [ { "name": "input", @@ -3121,22 +3073,6 @@ "id": "deletelabel", "href": "/graphql/reference/mutations#deletelabel", "description": "

Deletes a label.

", - "isDeprecated": false, - "preview": { - "title": "Labels preview", - "description": "This preview adds support for adding, updating, creating and deleting labels.", - "toggled_by": "bane-preview", - "toggled_on": [ - "Mutation.createLabel", - "Mutation.deleteLabel", - "Mutation.updateLabel" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.bane-preview+json", - "href": "/graphql/overview/schema-previews#labels-preview" - }, "inputFields": [ { "name": "input", @@ -3197,20 +3133,6 @@ "id": "deletepackageversion", "href": "/graphql/reference/mutations#deletepackageversion", "description": "

Delete a package version.

", - "isDeprecated": false, - "preview": { - "title": "Access to package version deletion preview", - "description": "This preview adds support for the DeletePackageVersion mutation which enables deletion of private package versions.", - "toggled_by": "package-deletes-preview", - "toggled_on": [ - "Mutation.deletePackageVersion" - ], - "owning_teams": [ - "@github/pe-package-registry" - ], - "accept_header": "application/vnd.github.package-deletes-preview+json", - "href": "/graphql/overview/schema-previews#access-to-package-version-deletion-preview" - }, "inputFields": [ { "name": "input", @@ -4111,20 +4033,6 @@ "id": "importproject", "href": "/graphql/reference/mutations#importproject", "description": "

Creates a new project by importing columns and a list of issues/PRs.

", - "isDeprecated": false, - "preview": { - "title": "Import project preview", - "description": "This preview adds support for importing projects.", - "toggled_by": "slothette-preview", - "toggled_on": [ - "Mutation.importProject" - ], - "owning_teams": [ - "@github/pe-issues-projects" - ], - "accept_header": "application/vnd.github.slothette-preview+json", - "href": "/graphql/overview/schema-previews#import-project-preview" - }, "inputFields": [ { "name": "input", @@ -4661,6 +4569,48 @@ } ] }, + { + "name": "pinEnvironment", + "kind": "mutations", + "id": "pinenvironment", + "href": "/graphql/reference/mutations#pinenvironment", + "description": "

Pin an environment to a repository.

", + "inputFields": [ + { + "name": "input", + "type": "PinEnvironmentInput!", + "id": "pinenvironmentinput", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#pinenvironmentinput" + } + ], + "returnFields": [ + { + "name": "clientMutationId", + "type": "String", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string", + "description": "

A unique identifier for the client performing the mutation.

" + }, + { + "name": "environment", + "type": "Environment", + "id": "environment", + "kind": "objects", + "href": "/graphql/reference/objects#environment", + "description": "

The environment that was pinned.

" + }, + { + "name": "pinnedEnvironment", + "type": "PinnedEnvironment", + "id": "pinnedenvironment", + "kind": "objects", + "href": "/graphql/reference/objects#pinnedenvironment", + "description": "

The pinned environment if we pinned.

" + } + ] + }, { "name": "pinIssue", "kind": "mutations", @@ -5143,6 +5093,40 @@ } ] }, + { + "name": "reorderEnvironment", + "kind": "mutations", + "id": "reorderenvironment", + "href": "/graphql/reference/mutations#reorderenvironment", + "description": "

Reorder a pinned repository environment.

", + "inputFields": [ + { + "name": "input", + "type": "ReorderEnvironmentInput!", + "id": "reorderenvironmentinput", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#reorderenvironmentinput" + } + ], + "returnFields": [ + { + "name": "clientMutationId", + "type": "String", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string", + "description": "

A unique identifier for the client performing the mutation.

" + }, + { + "name": "environment", + "type": "Environment", + "id": "environment", + "kind": "objects", + "href": "/graphql/reference/objects#environment", + "description": "

The environment that was reordered.

" + } + ] + }, { "name": "requestReviews", "kind": "mutations", @@ -7119,22 +7103,6 @@ "id": "updatelabel", "href": "/graphql/reference/mutations#updatelabel", "description": "

Updates an existing label.

", - "isDeprecated": false, - "preview": { - "title": "Labels preview", - "description": "This preview adds support for adding, updating, creating and deleting labels.", - "toggled_by": "bane-preview", - "toggled_on": [ - "Mutation.createLabel", - "Mutation.deleteLabel", - "Mutation.updateLabel" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.bane-preview+json", - "href": "/graphql/overview/schema-previews#labels-preview" - }, "inputFields": [ { "name": "input", @@ -7737,22 +7705,6 @@ "id": "updaterefs", "href": "/graphql/reference/mutations#updaterefs", "description": "

Creates, updates and/or deletes multiple refs in a repository.

\n

This mutation takes a list of RefUpdates and performs these updates\non the repository. All updates are performed atomically, meaning that\nif one of them is rejected, no other ref will be modified.

\n

RefUpdate.beforeOid specifies that the given reference needs to point\nto the given value before performing any updates. A value of\n0000000000000000000000000000000000000000 can be used to verify that\nthe references should not exist.

\n

RefUpdate.afterOid specifies the value that the given reference\nwill point to after performing all updates. A value of\n0000000000000000000000000000000000000000 can be used to delete a\nreference.

\n

If RefUpdate.force is set to true, a non-fast-forward updates\nfor the given reference will be allowed.

", - "isDeprecated": false, - "preview": { - "title": "Update refs preview update multiple refs in a single operation preview", - "description": "This preview adds support for updating multiple refs in a single operation.", - "toggled_by": "update-refs-preview", - "toggled_on": [ - "Mutation.updateRefs", - "GitRefname", - "RefUpdate" - ], - "owning_teams": [ - "@github/repos" - ], - "accept_header": "application/vnd.github.update-refs-preview+json", - "href": "/graphql/overview/schema-previews#update-refs-preview-update-multiple-refs-in-a-single-operation-preview" - }, "inputFields": [ { "name": "input", @@ -7991,25 +7943,6 @@ "id": "updateteamreviewassignment", "href": "/graphql/reference/mutations#updateteamreviewassignment", "description": "

Updates team review assignment.

", - "isDeprecated": false, - "preview": { - "title": "Team review assignments preview", - "description": "This preview adds support for updating the settings for team review assignment.", - "toggled_by": "stone-crop-preview", - "toggled_on": [ - "Mutation.updateTeamReviewAssignment", - "TeamReviewAssignmentAlgorithm", - "Team.reviewRequestDelegationEnabled", - "Team.reviewRequestDelegationAlgorithm", - "Team.reviewRequestDelegationMemberCount", - "Team.reviewRequestDelegationNotifyTeam" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.stone-crop-preview+json", - "href": "/graphql/overview/schema-previews#team-review-assignments-preview" - }, "inputFields": [ { "name": "input", @@ -8407,32 +8340,7 @@ "type": "Project", "id": "project", "kind": "objects", - "href": "/graphql/reference/objects#project", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/objects#project" }, { "name": "projectCard", 
@@ -8440,32 +8348,7 @@ "type": "ProjectCard", "id": "projectcard", "kind": "objects", - "href": "/graphql/reference/objects#projectcard", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/objects#projectcard" }, { "name": "projectColumnName", 
@@ -8473,32 +8356,7 @@ "type": "String!", "id": "string", "kind": "scalars", - "href": "/graphql/reference/scalars#string", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/scalars#string" } ] }, @@ -11977,6 +11835,56 @@ } ] }, + { + "name": "CodeScanningParameters", + "kind": "objects", + "id": "codescanningparameters", + "href": "/graphql/reference/objects#codescanningparameters", + "description": "

Choose which tools must provide code scanning results before the reference is\nupdated. When configured, code scanning must be enabled and have results for\nboth the commit and the reference being updated.

", + "fields": [ + { + "name": "codeScanningTools", + "description": "

Tools that must provide code scanning results for this rule to pass.

", + "type": "[CodeScanningTool!]!", + "id": "codescanningtool", + "kind": "objects", + "href": "/graphql/reference/objects#codescanningtool" + } + ] + }, + { + "name": "CodeScanningTool", + "kind": "objects", + "id": "codescanningtool", + "href": "/graphql/reference/objects#codescanningtool", + "description": "

A tool that must provide code scanning results for this rule to pass.

", + "fields": [ + { + "name": "alertsThreshold", + "description": "

The severity level at which code scanning results that raise alerts block a\nreference update. For more information on alert severity levels, see \"About code scanning alerts.\".

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "securityAlertsThreshold", + "description": "

The severity level at which code scanning results that raise security alerts\nblock a reference update. For more information on security severity levels,\nsee \"About code scanning alerts.\".

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "tool", + "description": "

The name of a code scanning tool.

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + ] + }, { "name": "CommentDeletedEvent", "kind": "objects", @@ -15097,32 +15005,7 @@ "type": "Project", "id": "project", "kind": "objects", - "href": "/graphql/reference/objects#project", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/objects#project" }, { "name": "projectCard", 
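Review bot: In the new `CodeScanningTool` entry, `alertsThreshold` and `securityAlertsThreshold` are typed `String!` and their descriptions name no accepted values. Someone configuring this rule as a merge gate cannot tell from the reference which strings are valid or how an unrecognized one is handled. I would extend both descriptions with the value list, e.g. `Accepted values: [list from the schema owners].` The `alertsThreshold` text also ends in `\"About code scanning alerts.\".`, where the full stop is doubled. If this JSON is produced from the schema's description strings, the wording has to be corrected there.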
@@ -15130,32 +15013,7 @@ "type": "ProjectCard", "id": "projectcard", "kind": "objects", - "href": "/graphql/reference/objects#projectcard", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/objects#projectcard" }, { "name": "projectColumnName", 
@@ -15163,32 +15021,7 @@ "type": "String!", "id": "string", "kind": "scalars", - "href": "/graphql/reference/scalars#string", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/scalars#string" } ] }, @@ -15240,6 +15073,47 @@ } ] }, + { + "name": "CopilotEndpoints", + "kind": "objects", + "id": "copilotendpoints", + "href": "/graphql/reference/objects#copilotendpoints", + "description": "

Copilot endpoint information.

", + "fields": [ + { + "name": "api", + "description": "

Copilot API endpoint.

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "originTracker", + "description": "

Copilot origin tracker endpoint.

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "proxy", + "description": "

Copilot proxy endpoint.

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "telemetry", + "description": "

Copilot telemetry endpoint.

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + ] + }, { "name": "CreatedCommitContribution", "kind": "objects", @@ -16150,26 +16024,6 @@ "id": "dependencygraphdependency", "href": "/graphql/reference/objects#dependencygraphdependency", "description": "

A dependency manifest entry.

", - "isDeprecated": false, - "preview": { - "title": "Access to a repository's dependency graph preview", - "description": "This preview adds support for reading a dependency graph for a repository.", - "toggled_by": "hawkgirl-preview", - "toggled_on": [ - "DependencyGraphManifest", - "Repository.dependencyGraphManifests", - "DependencyGraphManifestEdge", - "DependencyGraphManifestConnection", - "DependencyGraphDependency", - "DependencyGraphDependencyEdge", - "DependencyGraphDependencyConnection" - ], - "owning_teams": [ - "@github/dependency-graph" - ], - "accept_header": "application/vnd.github.hawkgirl-preview+json", - "href": "/graphql/overview/schema-previews#access-to-a-repositorys-dependency-graph-preview" - }, "fields": [ { "name": "hasDependencies", @@ -16229,26 +16083,6 @@ "id": "dependencygraphdependencyconnection", "href": "/graphql/reference/objects#dependencygraphdependencyconnection", "description": "

The connection type for DependencyGraphDependency.

", - "isDeprecated": false, - "preview": { - "title": "Access to a repository's dependency graph preview", - "description": "This preview adds support for reading a dependency graph for a repository.", - "toggled_by": "hawkgirl-preview", - "toggled_on": [ - "DependencyGraphManifest", - "Repository.dependencyGraphManifests", - "DependencyGraphManifestEdge", - "DependencyGraphManifestConnection", - "DependencyGraphDependency", - "DependencyGraphDependencyEdge", - "DependencyGraphDependencyConnection" - ], - "owning_teams": [ - "@github/dependency-graph" - ], - "accept_header": "application/vnd.github.hawkgirl-preview+json", - "href": "/graphql/overview/schema-previews#access-to-a-repositorys-dependency-graph-preview" - }, "fields": [ { "name": "edges", @@ -16290,26 +16124,6 @@ "id": "dependencygraphdependencyedge", "href": "/graphql/reference/objects#dependencygraphdependencyedge", "description": "

An edge in a connection.

", - "isDeprecated": false, - "preview": { - "title": "Access to a repository's dependency graph preview", - "description": "This preview adds support for reading a dependency graph for a repository.", - "toggled_by": "hawkgirl-preview", - "toggled_on": [ - "DependencyGraphManifest", - "Repository.dependencyGraphManifests", - "DependencyGraphManifestEdge", - "DependencyGraphManifestConnection", - "DependencyGraphDependency", - "DependencyGraphDependencyEdge", - "DependencyGraphDependencyConnection" - ], - "owning_teams": [ - "@github/dependency-graph" - ], - "accept_header": "application/vnd.github.hawkgirl-preview+json", - "href": "/graphql/overview/schema-previews#access-to-a-repositorys-dependency-graph-preview" - }, "fields": [ { "name": "cursor", @@ -16335,26 +16149,6 @@ "id": "dependencygraphmanifest", "href": "/graphql/reference/objects#dependencygraphmanifest", "description": "

Dependency manifest for a repository.

", - "isDeprecated": false, - "preview": { - "title": "Access to a repository's dependency graph preview", - "description": "This preview adds support for reading a dependency graph for a repository.", - "toggled_by": "hawkgirl-preview", - "toggled_on": [ - "DependencyGraphManifest", - "Repository.dependencyGraphManifests", - "DependencyGraphManifestEdge", - "DependencyGraphManifestConnection", - "DependencyGraphDependency", - "DependencyGraphDependencyEdge", - "DependencyGraphDependencyConnection" - ], - "owning_teams": [ - "@github/dependency-graph" - ], - "accept_header": "application/vnd.github.hawkgirl-preview+json", - "href": "/graphql/overview/schema-previews#access-to-a-repositorys-dependency-graph-preview" - }, "implements": [ { "name": "Node", @@ -16477,26 +16271,6 @@ "id": "dependencygraphmanifestconnection", "href": "/graphql/reference/objects#dependencygraphmanifestconnection", "description": "

The connection type for DependencyGraphManifest.

", - "isDeprecated": false, - "preview": { - "title": "Access to a repository's dependency graph preview", - "description": "This preview adds support for reading a dependency graph for a repository.", - "toggled_by": "hawkgirl-preview", - "toggled_on": [ - "DependencyGraphManifest", - "Repository.dependencyGraphManifests", - "DependencyGraphManifestEdge", - "DependencyGraphManifestConnection", - "DependencyGraphDependency", - "DependencyGraphDependencyEdge", - "DependencyGraphDependencyConnection" - ], - "owning_teams": [ - "@github/dependency-graph" - ], - "accept_header": "application/vnd.github.hawkgirl-preview+json", - "href": "/graphql/overview/schema-previews#access-to-a-repositorys-dependency-graph-preview" - }, "fields": [ { "name": "edges", @@ -16538,26 +16312,6 @@ "id": "dependencygraphmanifestedge", "href": "/graphql/reference/objects#dependencygraphmanifestedge", "description": "

An edge in a connection.

", - "isDeprecated": false, - "preview": { - "title": "Access to a repository's dependency graph preview", - "description": "This preview adds support for reading a dependency graph for a repository.", - "toggled_by": "hawkgirl-preview", - "toggled_on": [ - "DependencyGraphManifest", - "Repository.dependencyGraphManifests", - "DependencyGraphManifestEdge", - "DependencyGraphManifestConnection", - "DependencyGraphDependency", - "DependencyGraphDependencyEdge", - "DependencyGraphDependencyConnection" - ], - "owning_teams": [ - "@github/dependency-graph" - ], - "accept_header": "application/vnd.github.hawkgirl-preview+json", - "href": "/graphql/overview/schema-previews#access-to-a-repositorys-dependency-graph-preview" - }, "fields": [ { "name": "cursor", @@ -17707,23 +17461,7 @@ "type": "String", "id": "string", "kind": "scalars", - "href": "/graphql/reference/scalars#string", - "isDeprecated": false, - "preview": { - "title": "Deployments preview", - "description": "This preview adds support for deployments mutations and new deployments features.", - "toggled_by": "flash-preview", - "toggled_on": [ - "DeploymentStatus.environment", - "Mutation.createDeploymentStatus", - "Mutation.createDeployment" - ], - "owning_teams": [ - "@github/pages" - ], - "accept_header": "application/vnd.github.flash-preview+json", - "href": "/graphql/overview/schema-previews#deployments-preview" - } + "href": "/graphql/reference/scalars#string" }, { "name": "environmentUrl", @@ -19824,6 +19562,14 @@ "kind": "scalars", "href": "/graphql/reference/scalars#string" }, + { + "name": "announcementCreatedAt", + "description": "

The date the announcement was created.

", + "type": "DateTime", + "id": "datetime", + "kind": "scalars", + "href": "/graphql/reference/scalars#datetime" + }, { "name": "announcementExpiresAt", "description": "

The expiration date of the announcement, if any.

", @@ -24149,6 +23895,22 @@ "kind": "scalars", "href": "/graphql/reference/scalars#id" }, + { + "name": "isPinned", + "description": "

Indicates whether or not this environment is currently pinned to the repository.

", + "type": "Boolean", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + }, + { + "name": "latestCompletedDeployment", + "description": "

The latest completed deployment with status success, failure, or error if it exists.

", + "type": "Deployment", + "id": "deployment", + "kind": "objects", + "href": "/graphql/reference/objects#deployment" + }, { "name": "name", "description": "

The name of the environment.

", @@ -24157,6 +23919,14 @@ "kind": "scalars", "href": "/graphql/reference/scalars#string" }, + { + "name": "pinnedPosition", + "description": "

The position of the environment if it is pinned, null if it is not pinned.

", + "type": "Int", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + }, { "name": "protectionRules", "description": "

The protection rules defined for this environment.

", @@ -24552,6 +24322,40 @@ } ] }, + { + "name": "FileExtensionRestrictionParameters", + "kind": "objects", + "id": "fileextensionrestrictionparameters", + "href": "/graphql/reference/objects#fileextensionrestrictionparameters", + "description": "

Prevent commits that include files with specified file extensions from being\npushed to the commit graph. NOTE: This rule is in beta and subject to change.

", + "fields": [ + { + "name": "restrictedFileExtensions", + "description": "

The file extensions that are restricted from being pushed to the commit graph.

", + "type": "[String!]!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + ] + }, + { + "name": "FilePathRestrictionParameters", + "kind": "objects", + "id": "filepathrestrictionparameters", + "href": "/graphql/reference/objects#filepathrestrictionparameters", + "description": "

Prevent commits that include changes in specified file paths from being pushed\nto the commit graph. NOTE: This rule is in beta and subject to change.

", + "fields": [ + { + "name": "restrictedFilePaths", + "description": "

The file paths that are restricted from being pushed to the commit graph.

", + "type": "[String!]!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + ] + }, { "name": "FollowerConnection", "kind": "objects", @@ -29285,6 +29089,40 @@ } ] }, + { + "name": "MaxFilePathLengthParameters", + "kind": "objects", + "id": "maxfilepathlengthparameters", + "href": "/graphql/reference/objects#maxfilepathlengthparameters", + "description": "

Prevent commits that include file paths that exceed a specified character limit\nfrom being pushed to the commit graph. NOTE: This rule is in beta and subject to change.

", + "fields": [ + { + "name": "maxFilePathLength", + "description": "

The maximum amount of characters allowed in file paths.

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + } + ] + }, + { + "name": "MaxFileSizeParameters", + "kind": "objects", + "id": "maxfilesizeparameters", + "href": "/graphql/reference/objects#maxfilesizeparameters", + "description": "

Prevent commits that exceed a specified file size limit from being pushed to the\ncommit. NOTE: This rule is in beta and subject to change.

", + "fields": [ + { + "name": "maxFileSize", + "description": "

The maximum file size allowed in megabytes. This limit does not apply to Git Large File Storage (Git LFS).

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + } + ] + }, { "name": "MemberFeatureRequestNotification", "kind": "objects", @@ -29301,7 +29139,7 @@ "fields": [ { "name": "body", - "description": "

Represents member feature request body containing organization name and the number of feature requests.

", + "description": "

Represents member feature request body containing entity name and the number of feature requests.

", "type": "String!", "id": "string", "kind": "scalars", @@ -31002,32 +30840,7 @@ "type": "String!", "id": "string", "kind": "scalars", - "href": "/graphql/reference/scalars#string", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/scalars#string" }, { "name": "project", 
@@ -31035,32 +30848,7 @@ "type": "Project", "id": "project", "kind": "objects", - "href": "/graphql/reference/objects#project", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/objects#project" }, { "name": "projectCard", 
@@ -31068,32 +30856,7 @@ "type": "ProjectCard", "id": "projectcard", "kind": "objects", - "href": "/graphql/reference/objects#projectcard", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/objects#projectcard" }, { "name": "projectColumnName", 
@@ -31101,32 +30864,7 @@ "type": "String!", "id": "string", "kind": "scalars", - "href": "/graphql/reference/scalars#string", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/scalars#string" } ] }, @@ -36841,6 +36579,14 @@ "kind": "scalars", "href": "/graphql/reference/scalars#string" }, + { + "name": "announcementCreatedAt", + "description": "

The date the announcement was created.

", + "type": "DateTime", + "id": "datetime", + "kind": "scalars", + "href": "/graphql/reference/scalars#datetime" + }, { "name": "announcementExpiresAt", "description": "

The expiration date of the announcement, if any.

", @@ -40698,6 +40444,136 @@ } ] }, + { + "name": "PinnedEnvironment", + "kind": "objects", + "id": "pinnedenvironment", + "href": "/graphql/reference/objects#pinnedenvironment", + "description": "

Represents a pinned environment on a given repository.

", + "implements": [ + { + "name": "Node", + "id": "node", + "href": "/graphql/reference/interfaces#node" + } + ], + "fields": [ + { + "name": "createdAt", + "description": "

Identifies the date and time when the pinned environment was created.

", + "type": "DateTime!", + "id": "datetime", + "kind": "scalars", + "href": "/graphql/reference/scalars#datetime" + }, + { + "name": "databaseId", + "description": "

Identifies the primary key from the database.

", + "type": "Int", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + }, + { + "name": "environment", + "description": "

Identifies the environment associated.

", + "type": "Environment!", + "id": "environment", + "kind": "objects", + "href": "/graphql/reference/objects#environment" + }, + { + "name": "id", + "description": "

The Node ID of the PinnedEnvironment object.

", + "type": "ID!", + "id": "id", + "kind": "scalars", + "href": "/graphql/reference/scalars#id" + }, + { + "name": "position", + "description": "

Identifies the position of the pinned environment.

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + }, + { + "name": "repository", + "description": "

The repository that this environment was pinned to.

", + "type": "Repository!", + "id": "repository", + "kind": "objects", + "href": "/graphql/reference/objects#repository" + } + ] + }, + { + "name": "PinnedEnvironmentConnection", + "kind": "objects", + "id": "pinnedenvironmentconnection", + "href": "/graphql/reference/objects#pinnedenvironmentconnection", + "description": "

The connection type for PinnedEnvironment.

", + "fields": [ + { + "name": "edges", + "description": "

A list of edges.

", + "type": "[PinnedEnvironmentEdge]", + "id": "pinnedenvironmentedge", + "kind": "objects", + "href": "/graphql/reference/objects#pinnedenvironmentedge" + }, + { + "name": "nodes", + "description": "

A list of nodes.

", + "type": "[PinnedEnvironment]", + "id": "pinnedenvironment", + "kind": "objects", + "href": "/graphql/reference/objects#pinnedenvironment" + }, + { + "name": "pageInfo", + "description": "

Information to aid in pagination.

", + "type": "PageInfo!", + "id": "pageinfo", + "kind": "objects", + "href": "/graphql/reference/objects#pageinfo" + }, + { + "name": "totalCount", + "description": "

Identifies the total count of items in the connection.

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + } + ] + }, + { + "name": "PinnedEnvironmentEdge", + "kind": "objects", + "id": "pinnedenvironmentedge", + "href": "/graphql/reference/objects#pinnedenvironmentedge", + "description": "

An edge in a connection.

", + "fields": [ + { + "name": "cursor", + "description": "

A cursor for use in pagination.

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "node", + "description": "

The item at the end of the edge.

", + "type": "PinnedEnvironment", + "id": "pinnedenvironment", + "kind": "objects", + "href": "/graphql/reference/objects#pinnedenvironment" + } + ] + }, { "name": "PinnedEvent", "kind": "objects", @@ -45974,22 +45850,7 @@ "type": "Boolean!", "id": "boolean", "kind": "scalars", - "href": "/graphql/reference/scalars#boolean", - "isDeprecated": false, - "preview": { - "title": "Merge info preview more detailed information about a pull request's merge state preview", - "description": "This preview adds support for accessing fields that provide more detailed information about a pull request's merge state.", - "toggled_by": "merge-info-preview", - "toggled_on": [ - "PullRequest.canBeRebased", - "PullRequest.mergeStateStatus" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.merge-info-preview+json", - "href": "/graphql/overview/schema-previews#merge-info-preview-more-detailed-information-about-a-pull-requests-merge-state-preview" - } + "href": "/graphql/reference/scalars#boolean" }, { "name": "changedFiles", @@ -46654,22 +46515,7 @@ "type": "MergeStateStatus!", "id": "mergestatestatus", "kind": "enums", - "href": "/graphql/reference/enums#mergestatestatus", - "isDeprecated": false, - "preview": { - "title": "Merge info preview more detailed information about a pull request's merge state preview", - "description": "This preview adds support for accessing fields that provide more detailed information about a pull request's merge state.", - "toggled_by": "merge-info-preview", - "toggled_on": [ - "PullRequest.canBeRebased", - "PullRequest.mergeStateStatus" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.merge-info-preview+json", - "href": "/graphql/overview/schema-previews#merge-info-preview-more-detailed-information-about-a-pull-requests-merge-state-preview" - } + "href": "/graphql/reference/enums#mergestatestatus" }, { "name": "mergeable", 
@@ -47239,6 +47085,14 @@ "kind": "enums", "href": "/graphql/reference/enums#pullrequeststate" }, + { + "name": "statusCheckRollup", + "description": "

Check and Status rollup information for the PR's head ref.

", + "type": "StatusCheckRollup", + "id": "statuscheckrollup", + "kind": "objects", + "href": "/graphql/reference/objects#statuscheckrollup" + }, { "name": "suggestedReviewers", "description": "

A list of reviewer suggestions based on commit history and past review comments.

", @@ -52197,32 +52051,7 @@ "type": "Project", "id": "project", "kind": "objects", - "href": "/graphql/reference/objects#project", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/objects#project" }, { "name": "projectColumnName", 
@@ -52230,32 +52059,7 @@ "type": "String!", "id": "string", "kind": "scalars", - "href": "/graphql/reference/scalars#string", - "isDeprecated": false, - "preview": { - "title": "Project event details preview", - "description": "This preview adds project, project card, and project column details to project-related issue events.", - "toggled_by": "starfox-preview", - "toggled_on": [ - "AddedToProjectEvent.project", - "AddedToProjectEvent.projectCard", - "AddedToProjectEvent.projectColumnName", - "ConvertedNoteToIssueEvent.project", - "ConvertedNoteToIssueEvent.projectCard", - "ConvertedNoteToIssueEvent.projectColumnName", - "MovedColumnsInProjectEvent.project", - "MovedColumnsInProjectEvent.projectCard", - "MovedColumnsInProjectEvent.projectColumnName", - "MovedColumnsInProjectEvent.previousProjectColumnName", - "RemovedFromProjectEvent.project", - "RemovedFromProjectEvent.projectColumnName" - ], - "owning_teams": [ - "@github/github-projects" - ], - "accept_header": "application/vnd.github.starfox-preview+json", - "href": "/graphql/overview/schema-previews#project-event-details-preview" - } + "href": "/graphql/reference/scalars#string" } ] }, @@ -56901,27 +56705,7 @@ "href": "/graphql/reference/scalars#boolean" } } - ], - "isDeprecated": false, - "preview": { - "title": "Access to a repository's dependency graph preview", - "description": "This preview adds support for reading a dependency graph for a repository.", - "toggled_by": "hawkgirl-preview", - "toggled_on": [ - "DependencyGraphManifest", - "Repository.dependencyGraphManifests", - "DependencyGraphManifestEdge", - "DependencyGraphManifestConnection", - "DependencyGraphDependency", - "DependencyGraphDependencyEdge", - "DependencyGraphDependencyConnection" - ], - "owning_teams": [ - "@github/dependency-graph" - ], - "accept_header": "application/vnd.github.hawkgirl-preview+json", - "href": "/graphql/overview/schema-previews#access-to-a-repositorys-dependency-graph-preview" - } + ] }, { "name": "deployKeys", 
@@ -57345,6 +57129,17 @@ "kind": "input-objects", "href": "/graphql/reference/input-objects#environments" } + }, + { + "name": "pinnedEnvironmentFilter", + "defaultValue": "ALL", + "description": "

Filter to control pinned environments return.

", + "type": { + "name": "EnvironmentPinnedFilterField", + "id": "environmentpinnedfilterfield", + "kind": "enums", + "href": "/graphql/reference/enums#environmentpinnedfilterfield" + } } ] }, @@ -58378,6 +58173,66 @@ } ] }, + { + "name": "pinnedEnvironments", + "description": "

A list of pinned environments for this repository.

", + "type": "PinnedEnvironmentConnection", + "id": "pinnedenvironmentconnection", + "kind": "objects", + "href": "/graphql/reference/objects#pinnedenvironmentconnection", + "arguments": [ + { + "name": "after", + "description": "

Returns the elements in the list that come after the specified cursor.

", + "type": { + "name": "String", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + }, + { + "name": "before", + "description": "

Returns the elements in the list that come before the specified cursor.

", + "type": { + "name": "String", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + }, + { + "name": "first", + "description": "

Returns the first n elements from the list.

", + "type": { + "name": "Int", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + } + }, + { + "name": "last", + "description": "

Returns the last n elements from the list.

", + "type": { + "name": "Int", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + } + }, + { + "name": "orderBy", + "description": "

Ordering options for the environments.

", + "type": { + "name": "PinnedEnvironmentOrder", + "id": "pinnedenvironmentorder", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#pinnedenvironmentorder" + } + } + ] + }, { "name": "pinnedIssues", "description": "

A list of pinned issues for this repository.

", @@ -58428,6 +58283,14 @@ } ] }, + { + "name": "planFeatures", + "description": "

Returns information about the availability of certain features and limits based on the repository's billing plan.

", + "type": "RepositoryPlanFeatures!", + "id": "repositoryplanfeatures", + "kind": "objects", + "href": "/graphql/reference/objects#repositoryplanfeatures" + }, { "name": "primaryLanguage", "description": "

The primary language of the repository's code.

", @@ -60187,6 +60050,55 @@ } ] }, + { + "name": "RepositoryPlanFeatures", + "kind": "objects", + "id": "repositoryplanfeatures", + "href": "/graphql/reference/objects#repositoryplanfeatures", + "description": "

Information about the availability of features and limits for a repository based on its billing plan.

", + "fields": [ + { + "name": "codeowners", + "description": "

Whether reviews can be automatically requested and enforced with a CODEOWNERS file.

", + "type": "Boolean!", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + }, + { + "name": "draftPullRequests", + "description": "

Whether pull requests can be created as or converted to draft.

", + "type": "Boolean!", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + }, + { + "name": "maximumAssignees", + "description": "

Maximum number of users that can be assigned to an issue or pull request.

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + }, + { + "name": "maximumManualReviewRequests", + "description": "

Maximum number of manually-requested reviews on a pull request.

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + }, + { + "name": "teamReviewRequests", + "description": "

Whether teams can be requested to review pull requests.

", + "type": "Boolean!", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + } + ] + }, { "name": "RepositoryPropertyConditionTarget", "kind": "objects", @@ -60595,6 +60507,14 @@ "kind": "enums", "href": "/graphql/reference/enums#repositoryrulesetbypassactorbypassmode" }, + { + "name": "deployKey", + "description": "

This actor represents the ability for a deploy key to bypass.

", + "type": "Boolean!", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + }, { "name": "id", "description": "

The Node ID of the RepositoryRulesetBypassActor object.

", @@ -64968,26 +64888,7 @@ "type": "TeamReviewAssignmentAlgorithm", "id": "teamreviewassignmentalgorithm", "kind": "enums", - "href": "/graphql/reference/enums#teamreviewassignmentalgorithm", - "isDeprecated": false, - "preview": { - "title": "Team review assignments preview", - "description": "This preview adds support for updating the settings for team review assignment.", - "toggled_by": "stone-crop-preview", - "toggled_on": [ - "Mutation.updateTeamReviewAssignment", - "TeamReviewAssignmentAlgorithm", - "Team.reviewRequestDelegationEnabled", - "Team.reviewRequestDelegationAlgorithm", - "Team.reviewRequestDelegationMemberCount", - "Team.reviewRequestDelegationNotifyTeam" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.stone-crop-preview+json", - "href": "/graphql/overview/schema-previews#team-review-assignments-preview" - } + "href": "/graphql/reference/enums#teamreviewassignmentalgorithm" }, { "name": "reviewRequestDelegationEnabled", @@ -64995,26 +64896,7 @@ "type": "Boolean!", "id": "boolean", "kind": "scalars", - "href": "/graphql/reference/scalars#boolean", - "isDeprecated": false, - "preview": { - "title": "Team review assignments preview", - "description": "This preview adds support for updating the settings for team review assignment.", - "toggled_by": "stone-crop-preview", - "toggled_on": [ - "Mutation.updateTeamReviewAssignment", - "TeamReviewAssignmentAlgorithm", - "Team.reviewRequestDelegationEnabled", - "Team.reviewRequestDelegationAlgorithm", - "Team.reviewRequestDelegationMemberCount", - "Team.reviewRequestDelegationNotifyTeam" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.stone-crop-preview+json", - "href": "/graphql/overview/schema-previews#team-review-assignments-preview" - } + "href": "/graphql/reference/scalars#boolean" }, { "name": "reviewRequestDelegationMemberCount", 
@@ -65022,26 +64904,7 @@ "type": "Int", "id": "int", "kind": "scalars", - "href": "/graphql/reference/scalars#int", - "isDeprecated": false, - "preview": { - "title": "Team review assignments preview", - "description": "This preview adds support for updating the settings for team review assignment.", - "toggled_by": "stone-crop-preview", - "toggled_on": [ - "Mutation.updateTeamReviewAssignment", - "TeamReviewAssignmentAlgorithm", - "Team.reviewRequestDelegationEnabled", - "Team.reviewRequestDelegationAlgorithm", - "Team.reviewRequestDelegationMemberCount", - "Team.reviewRequestDelegationNotifyTeam" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.stone-crop-preview+json", - "href": "/graphql/overview/schema-previews#team-review-assignments-preview" - } + "href": "/graphql/reference/scalars#int" }, { "name": "reviewRequestDelegationNotifyTeam", @@ -65049,26 +64912,7 @@ "type": "Boolean!", "id": "boolean", "kind": "scalars", - "href": "/graphql/reference/scalars#boolean", - "isDeprecated": false, - "preview": { - "title": "Team review assignments preview", - "description": "This preview adds support for updating the settings for team review assignment.", - "toggled_by": "stone-crop-preview", - "toggled_on": [ - "Mutation.updateTeamReviewAssignment", - "TeamReviewAssignmentAlgorithm", - "Team.reviewRequestDelegationEnabled", - "Team.reviewRequestDelegationAlgorithm", - "Team.reviewRequestDelegationMemberCount", - "Team.reviewRequestDelegationNotifyTeam" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.stone-crop-preview+json", - "href": "/graphql/overview/schema-previews#team-review-assignments-preview" - } + "href": "/graphql/reference/scalars#boolean" }, { "name": "slug", @@ -68867,6 +68711,14 @@ } ] }, + { + "name": "copilotEndpoints", + "description": "

The user's Copilot endpoint information.

", + "type": "CopilotEndpoints", + "id": "copilotendpoints", + "kind": "objects", + "href": "/graphql/reference/objects#copilotendpoints" + }, { "name": "createdAt", "description": "

Identifies the date and time when the object was created.

", @@ -72817,6 +72669,14 @@ "kind": "scalars", "href": "/graphql/reference/scalars#string" }, + { + "name": "announcementCreatedAt", + "description": "

The date the announcement was created.

", + "type": "DateTime", + "id": "datetime", + "kind": "scalars", + "href": "/graphql/reference/scalars#datetime" + }, { "name": "announcementExpiresAt", "description": "

The expiration date of the announcement, if any.

", @@ -76256,6 +76116,10 @@ "href": "/graphql/reference/enums#deploymentprotectionruletype", "description": "

The possible protection rule types.

", "values": [ + { + "name": "BRANCH_POLICY", + "description": "

Branch policy.

" + }, { "name": "REQUIRED_REVIEWERS", "description": "

Required reviewers.

" @@ -76883,6 +76747,27 @@ } ] }, + { + "name": "EnvironmentPinnedFilterField", + "kind": "enums", + "id": "environmentpinnedfilterfield", + "href": "/graphql/reference/enums#environmentpinnedfilterfield", + "description": "

Properties by which environments connections can be ordered.

", + "values": [ + { + "name": "ALL", + "description": "

All environments will be returned.

" + }, + { + "name": "NONE", + "description": "

Environments exclude pinned will be returned.

" + }, + { + "name": "ONLY", + "description": "

Only pinned environment will be returned.

" + } + ] + }, { "name": "FileViewedState", "kind": "enums", @@ -78373,6 +78258,19 @@ } ] }, + { + "name": "PinnedEnvironmentOrderField", + "kind": "enums", + "id": "pinnedenvironmentorderfield", + "href": "/graphql/reference/enums#pinnedenvironmentorderfield", + "description": "

Properties by which pinned environments connections can be ordered.

", + "values": [ + { + "name": "POSITION", + "description": "

Order pinned environments by position.

" + } + ] + }, { "name": "ProjectCardArchivedState", "kind": "enums", @@ -79755,6 +79653,10 @@ "name": "BRANCH_NAME_PATTERN", "description": "

Branch name pattern.

" }, + { + "name": "CODE_SCANNING", + "description": "

Choose which tools must provide code scanning results before the reference is\nupdated. When configured, code scanning must be enabled and have results for\nboth the commit and the reference being updated.

" + }, { "name": "COMMITTER_EMAIL_PATTERN", "description": "

Committer email pattern.

" @@ -79775,10 +79677,26 @@ "name": "DELETION", "description": "

Only allow users with bypass permissions to delete matching refs.

" }, + { + "name": "FILE_EXTENSION_RESTRICTION", + "description": "

Prevent commits that include files with specified file extensions from being\npushed to the commit graph. NOTE: Thie rule is in beta and subject to change.

" + }, + { + "name": "FILE_PATH_RESTRICTION", + "description": "

Prevent commits that include changes in specified file paths from being pushed\nto the commit graph. NOTE: Thie rule is in beta and subject to change.

" + }, { "name": "LOCK_BRANCH", "description": "

Branch is read-only. Users cannot push to the branch.

" }, + { + "name": "MAX_FILE_PATH_LENGTH", + "description": "

Prevent commits that include file paths that exceed a specified character\nlimit from being pushed to the commit graph. NOTE: Thie rule is in beta and\nsubject to change.

" + }, + { + "name": "MAX_FILE_SIZE", + "description": "

Prevent commits that exceed a specified file size limit from being pushed to\nthe commit. NOTE: Thie rule is in beta and subject to change.

" + }, { "name": "MAX_REF_UPDATES", "description": "

Max ref updates.

" @@ -79871,12 +79789,16 @@ "kind": "enums", "id": "repositoryrulesettarget", "href": "/graphql/reference/enums#repositoryrulesettarget", - "description": "

The targets supported for rulesets.

", + "description": "

The targets supported for rulesets. NOTE: The push target is in beta and subject to change.

", "values": [ { "name": "BRANCH", "description": "

Branch.

" }, + { + "name": "PUSH", + "description": "

Push.

" + }, { "name": "TAG", "description": "

Tag.

" @@ -80525,25 +80447,6 @@ "id": "teamreviewassignmentalgorithm", "href": "/graphql/reference/enums#teamreviewassignmentalgorithm", "description": "

The possible team review assignment algorithms.

", - "isDeprecated": false, - "preview": { - "title": "Team review assignments preview", - "description": "This preview adds support for updating the settings for team review assignment.", - "toggled_by": "stone-crop-preview", - "toggled_on": [ - "Mutation.updateTeamReviewAssignment", - "TeamReviewAssignmentAlgorithm", - "Team.reviewRequestDelegationEnabled", - "Team.reviewRequestDelegationAlgorithm", - "Team.reviewRequestDelegationMemberCount", - "Team.reviewRequestDelegationNotifyTeam" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.stone-crop-preview+json", - "href": "/graphql/overview/schema-previews#team-review-assignments-preview" - }, "values": [ { "name": "LOAD_BALANCE", @@ -80868,6 +80771,11 @@ "id": "commit", "href": "/graphql/reference/objects#commit" }, + { + "name": "ProjectV2", + "id": "projectv2", + "href": "/graphql/reference/objects#projectv2" + }, { "name": "PullRequest", "id": "pullrequest", @@ -82474,6 +82382,11 @@ "id": "branchnamepatternparameters", "href": "/graphql/reference/objects#branchnamepatternparameters" }, + { + "name": "CodeScanningParameters", + "id": "codescanningparameters", + "href": "/graphql/reference/objects#codescanningparameters" + }, { "name": "CommitAuthorEmailPatternParameters", "id": "commitauthoremailpatternparameters", 
@@ -82489,6 +82402,26 @@ "id": "committeremailpatternparameters", "href": "/graphql/reference/objects#committeremailpatternparameters" }, + { + "name": "FileExtensionRestrictionParameters", + "id": "fileextensionrestrictionparameters", + "href": "/graphql/reference/objects#fileextensionrestrictionparameters" + }, + { + "name": "FilePathRestrictionParameters", + "id": "filepathrestrictionparameters", + "href": "/graphql/reference/objects#filepathrestrictionparameters" + }, + { + "name": "MaxFilePathLengthParameters", + "id": "maxfilepathlengthparameters", + "href": "/graphql/reference/objects#maxfilepathlengthparameters" + }, + { + "name": "MaxFileSizeParameters", + "id": "maxfilesizeparameters", + "href": "/graphql/reference/objects#maxfilesizeparameters" + }, { "name": "PullRequestParameters", "id": "pullrequestparameters", @@ -84378,6 +84311,56 @@ } ] }, + { + "name": "CodeScanningParametersInput", + "kind": "inputObjects", + "id": "codescanningparametersinput", + "href": "/graphql/reference/input-objects#codescanningparametersinput", + "description": "

Choose which tools must provide code scanning results before the reference is\nupdated. When configured, code scanning must be enabled and have results for\nboth the commit and the reference being updated.

", + "inputFields": [ + { + "name": "codeScanningTools", + "description": "

Tools that must provide code scanning results for this rule to pass.

", + "type": "[CodeScanningToolInput!]!", + "id": "codescanningtoolinput", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#codescanningtoolinput" + } + ] + }, + { + "name": "CodeScanningToolInput", + "kind": "inputObjects", + "id": "codescanningtoolinput", + "href": "/graphql/reference/input-objects#codescanningtoolinput", + "description": "

A tool that must provide code scanning results for this rule to pass.

", + "inputFields": [ + { + "name": "alertsThreshold", + "description": "

The severity level at which code scanning results that raise alerts block a\nreference update. For more information on alert severity levels, see \"About code scanning alerts.\".

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "securityAlertsThreshold", + "description": "

The severity level at which code scanning results that raise security alerts\nblock a reference update. For more information on security severity levels,\nsee \"About code scanning alerts.\".

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "tool", + "description": "

The name of a code scanning tool.

", + "type": "String!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + ] + }, { "name": "CommitAuthor", "kind": "inputObjects", @@ -85235,22 +85218,6 @@ "id": "createdeploymentinput", "href": "/graphql/reference/input-objects#createdeploymentinput", "description": "

Autogenerated input type of CreateDeployment.

", - "isDeprecated": false, - "preview": { - "title": "Deployments preview", - "description": "This preview adds support for deployments mutations and new deployments features.", - "toggled_by": "flash-preview", - "toggled_on": [ - "DeploymentStatus.environment", - "Mutation.createDeploymentStatus", - "Mutation.createDeployment" - ], - "owning_teams": [ - "@github/pages" - ], - "accept_header": "application/vnd.github.flash-preview+json", - "href": "/graphql/overview/schema-previews#deployments-preview" - }, "inputFields": [ { "name": "autoMerge", @@ -85334,22 +85301,6 @@ "id": "createdeploymentstatusinput", "href": "/graphql/reference/input-objects#createdeploymentstatusinput", "description": "

Autogenerated input type of CreateDeploymentStatus.

", - "isDeprecated": false, - "preview": { - "title": "Deployments preview", - "description": "This preview adds support for deployments mutations and new deployments features.", - "toggled_by": "flash-preview", - "toggled_on": [ - "DeploymentStatus.environment", - "Mutation.createDeploymentStatus", - "Mutation.createDeployment" - ], - "owning_teams": [ - "@github/pages" - ], - "accept_header": "application/vnd.github.flash-preview+json", - "href": "/graphql/overview/schema-previews#deployments-preview" - }, "inputFields": [ { "name": "autoInactive", @@ -85703,22 +85654,6 @@ "id": "createlabelinput", "href": "/graphql/reference/input-objects#createlabelinput", "description": "

Autogenerated input type of CreateLabel.

", - "isDeprecated": false, - "preview": { - "title": "Labels preview", - "description": "This preview adds support for adding, updating, creating and deleting labels.", - "toggled_by": "bane-preview", - "toggled_on": [ - "Mutation.createLabel", - "Mutation.deleteLabel", - "Mutation.updateLabel" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.bane-preview+json", - "href": "/graphql/overview/schema-previews#labels-preview" - }, "inputFields": [ { "name": "clientMutationId", @@ -86670,22 +86605,6 @@ "id": "deletelabelinput", "href": "/graphql/reference/input-objects#deletelabelinput", "description": "

Autogenerated input type of DeleteLabel.

", - "isDeprecated": false, - "preview": { - "title": "Labels preview", - "description": "This preview adds support for adding, updating, creating and deleting labels.", - "toggled_by": "bane-preview", - "toggled_on": [ - "Mutation.createLabel", - "Mutation.deleteLabel", - "Mutation.updateLabel" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.bane-preview+json", - "href": "/graphql/overview/schema-previews#labels-preview" - }, "inputFields": [ { "name": "clientMutationId", @@ -87817,6 +87736,40 @@ } ] }, + { + "name": "FileExtensionRestrictionParametersInput", + "kind": "inputObjects", + "id": "fileextensionrestrictionparametersinput", + "href": "/graphql/reference/input-objects#fileextensionrestrictionparametersinput", + "description": "

Prevent commits that include files with specified file extensions from being\npushed to the commit graph. NOTE: This rule is in beta and subject to change.

", + "inputFields": [ + { + "name": "restrictedFileExtensions", + "description": "

The file extensions that are restricted from being pushed to the commit graph.

", + "type": "[String!]!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + ] + }, + { + "name": "FilePathRestrictionParametersInput", + "kind": "inputObjects", + "id": "filepathrestrictionparametersinput", + "href": "/graphql/reference/input-objects#filepathrestrictionparametersinput", + "description": "

Prevent commits that include changes in specified file paths from being pushed\nto the commit graph. NOTE: This rule is in beta and subject to change.

", + "inputFields": [ + { + "name": "restrictedFilePaths", + "description": "

The file paths that are restricted from being pushed to the commit graph.

", + "type": "[String!]!", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + } + ] + }, { "name": "FollowOrganizationInput", "kind": "inputObjects", @@ -88535,6 +88488,40 @@ } ] }, + { + "name": "MaxFilePathLengthParametersInput", + "kind": "inputObjects", + "id": "maxfilepathlengthparametersinput", + "href": "/graphql/reference/input-objects#maxfilepathlengthparametersinput", + "description": "

Prevent commits that include file paths that exceed a specified character limit\nfrom being pushed to the commit graph. NOTE: This rule is in beta and subject to change.

", + "inputFields": [ + { + "name": "maxFilePathLength", + "description": "

The maximum amount of characters allowed in file paths.

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + } + ] + }, + { + "name": "MaxFileSizeParametersInput", + "kind": "inputObjects", + "id": "maxfilesizeparametersinput", + "href": "/graphql/reference/input-objects#maxfilesizeparametersinput", + "description": "

Prevent commits that exceed a specified file size limit from being pushed to the\ncommit. NOTE: This rule is in beta and subject to change.

", + "inputFields": [ + { + "name": "maxFileSize", + "description": "

The maximum file size allowed in megabytes. This limit does not apply to Git Large File Storage (Git LFS).

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + } + ] + }, { "name": "MergeBranchInput", "kind": "inputObjects", @@ -88914,6 +88901,40 @@ } ] }, + { + "name": "PinEnvironmentInput", + "kind": "inputObjects", + "id": "pinenvironmentinput", + "href": "/graphql/reference/input-objects#pinenvironmentinput", + "description": "

Autogenerated input type of PinEnvironment.

", + "inputFields": [ + { + "name": "clientMutationId", + "description": "

A unique identifier for the client performing the mutation.

", + "type": "String", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "environmentId", + "description": "

The ID of the environment to modify.

", + "type": "ID!", + "id": "id", + "kind": "scalars", + "href": "/graphql/reference/scalars#id", + "isDeprecated": false + }, + { + "name": "pinned", + "description": "

The desired state of the environment. If true, environment will be pinned. If false, it will be unpinned.

", + "type": "Boolean!", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + } + ] + }, { "name": "PinIssueInput", "kind": "inputObjects", @@ -88940,6 +88961,31 @@ } ] }, + { + "name": "PinnedEnvironmentOrder", + "kind": "inputObjects", + "id": "pinnedenvironmentorder", + "href": "/graphql/reference/input-objects#pinnedenvironmentorder", + "description": "

Ordering options for pinned environments.

", + "inputFields": [ + { + "name": "direction", + "description": "

The direction in which to order pinned environments by the specified field.

", + "type": "OrderDirection!", + "id": "orderdirection", + "kind": "enums", + "href": "/graphql/reference/enums#orderdirection" + }, + { + "name": "field", + "description": "

The field to order pinned environments by.

", + "type": "PinnedEnvironmentOrderField!", + "id": "pinnedenvironmentorderfield", + "kind": "enums", + "href": "/graphql/reference/enums#pinnedenvironmentorderfield" + } + ] + }, { "name": "ProjectCardImport", "kind": "inputObjects", @@ -89470,22 +89516,6 @@ "id": "refupdate", "href": "/graphql/reference/input-objects#refupdate", "description": "

A ref update.

", - "isDeprecated": false, - "preview": { - "title": "Update refs preview update multiple refs in a single operation preview", - "description": "This preview adds support for updating multiple refs in a single operation.", - "toggled_by": "update-refs-preview", - "toggled_on": [ - "Mutation.updateRefs", - "GitRefname", - "RefUpdate" - ], - "owning_teams": [ - "@github/repos" - ], - "accept_header": "application/vnd.github.update-refs-preview+json", - "href": "/graphql/overview/schema-previews#update-refs-preview-update-multiple-refs-in-a-single-operation-preview" - }, "inputFields": [ { "name": "afterOid", @@ -89917,6 +89947,40 @@ } ] }, + { + "name": "ReorderEnvironmentInput", + "kind": "inputObjects", + "id": "reorderenvironmentinput", + "href": "/graphql/reference/input-objects#reorderenvironmentinput", + "description": "

Autogenerated input type of ReorderEnvironment.

", + "inputFields": [ + { + "name": "clientMutationId", + "description": "

A unique identifier for the client performing the mutation.

", + "type": "String", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, + { + "name": "environmentId", + "description": "

The ID of the environment to modify.

", + "type": "ID!", + "id": "id", + "kind": "scalars", + "href": "/graphql/reference/scalars#id", + "isDeprecated": false + }, + { + "name": "position", + "description": "

The desired position of the environment.

", + "type": "Int!", + "id": "int", + "kind": "scalars", + "href": "/graphql/reference/scalars#int" + } + ] + }, { "name": "RepositoryIdConditionTargetInput", "kind": "inputObjects", @@ -90172,7 +90236,7 @@ "kind": "inputObjects", "id": "repositoryrulesetbypassactorinput", "href": "/graphql/reference/input-objects#repositoryrulesetbypassactorinput", - "description": "

Specifies the attributes for a new or updated ruleset bypass actor. Only one of\nactor_id, repository_role_database_id, or organization_admin should be specified.

", + "description": "

Specifies the attributes for a new or updated ruleset bypass actor. Only one of\nactor_id, repository_role_database_id, organization_admin, or deploy_key\nshould be specified.

", "inputFields": [ { "name": "actorId", @@ -90190,6 +90254,14 @@ "kind": "enums", "href": "/graphql/reference/enums#repositoryrulesetbypassactorbypassmode" }, + { + "name": "deployKey", + "description": "

For deploy key bypasses, true. Can only use ALWAYS as the bypass mode.

", + "type": "Boolean", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + }, { "name": "organizationAdmin", "description": "

For organization owner bypasses, true.

", @@ -90529,6 +90601,14 @@ "kind": "input-objects", "href": "/graphql/reference/input-objects#branchnamepatternparametersinput" }, + { + "name": "codeScanning", + "description": "

Parameters used for the code_scanning rule type.

", + "type": "CodeScanningParametersInput", + "id": "codescanningparametersinput", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#codescanningparametersinput" + }, { "name": "commitAuthorEmailPattern", "description": "

Parameters used for the commit_author_email_pattern rule type.

", @@ -90553,6 +90633,38 @@ "kind": "input-objects", "href": "/graphql/reference/input-objects#committeremailpatternparametersinput" }, + { + "name": "fileExtensionRestriction", + "description": "

Parameters used for the file_extension_restriction rule type.

", + "type": "FileExtensionRestrictionParametersInput", + "id": "fileextensionrestrictionparametersinput", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#fileextensionrestrictionparametersinput" + }, + { + "name": "filePathRestriction", + "description": "

Parameters used for the file_path_restriction rule type.

", + "type": "FilePathRestrictionParametersInput", + "id": "filepathrestrictionparametersinput", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#filepathrestrictionparametersinput" + }, + { + "name": "maxFilePathLength", + "description": "

Parameters used for the max_file_path_length rule type.

", + "type": "MaxFilePathLengthParametersInput", + "id": "maxfilepathlengthparametersinput", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#maxfilepathlengthparametersinput" + }, + { + "name": "maxFileSize", + "description": "

Parameters used for the max_file_size rule type.

", + "type": "MaxFileSizeParametersInput", + "id": "maxfilesizeparametersinput", + "kind": "input-objects", + "href": "/graphql/reference/input-objects#maxfilesizeparametersinput" + }, { "name": "pullRequest", "description": "

Parameters used for the pull_request rule type.

", @@ -90803,7 +90915,7 @@ { "name": "sourceRepositoryUrl", "description": "

The URL of the source repository.

", - "type": "URI", + "type": "URI!", "id": "uri", "kind": "scalars", "href": "/graphql/reference/scalars#uri" @@ -92951,22 +93063,6 @@ "id": "updatelabelinput", "href": "/graphql/reference/input-objects#updatelabelinput", "description": "

Autogenerated input type of UpdateLabel.

", - "isDeprecated": false, - "preview": { - "title": "Labels preview", - "description": "This preview adds support for adding, updating, creating and deleting labels.", - "toggled_by": "bane-preview", - "toggled_on": [ - "Mutation.createLabel", - "Mutation.deleteLabel", - "Mutation.updateLabel" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.bane-preview+json", - "href": "/graphql/overview/schema-previews#labels-preview" - }, "inputFields": [ { "name": "clientMutationId", @@ -93770,22 +93866,6 @@ "id": "updaterefsinput", "href": "/graphql/reference/input-objects#updaterefsinput", "description": "

Autogenerated input type of UpdateRefs.

", - "isDeprecated": false, - "preview": { - "title": "Update refs preview update multiple refs in a single operation preview", - "description": "This preview adds support for updating multiple refs in a single operation.", - "toggled_by": "update-refs-preview", - "toggled_on": [ - "Mutation.updateRefs", - "GitRefname", - "RefUpdate" - ], - "owning_teams": [ - "@github/repos" - ], - "accept_header": "application/vnd.github.update-refs-preview+json", - "href": "/graphql/overview/schema-previews#update-refs-preview-update-multiple-refs-in-a-single-operation-preview" - }, "inputFields": [ { "name": "clientMutationId", @@ -94152,25 +94232,6 @@ "id": "updateteamreviewassignmentinput", "href": "/graphql/reference/input-objects#updateteamreviewassignmentinput", "description": "

Autogenerated input type of UpdateTeamReviewAssignment.

", - "isDeprecated": false, - "preview": { - "title": "Team review assignments preview", - "description": "This preview adds support for updating the settings for team review assignment.", - "toggled_by": "stone-crop-preview", - "toggled_on": [ - "Mutation.updateTeamReviewAssignment", - "TeamReviewAssignmentAlgorithm", - "Team.reviewRequestDelegationEnabled", - "Team.reviewRequestDelegationAlgorithm", - "Team.reviewRequestDelegationMemberCount", - "Team.reviewRequestDelegationNotifyTeam" - ], - "owning_teams": [ - "@github/pe-pull-requests" - ], - "accept_header": "application/vnd.github.stone-crop-preview+json", - "href": "/graphql/overview/schema-previews#team-review-assignments-preview" - }, "inputFields": [ { "name": "algorithm", @@ -94640,23 +94701,7 @@ "kind": "scalars", "id": "gitrefname", "href": "/graphql/reference/scalars#gitrefname", - "description": "

A fully qualified reference name (e.g. refs/heads/master).

", - "isDeprecated": false, - "preview": { - "title": "Update refs preview update multiple refs in a single operation preview", - "description": "This preview adds support for updating multiple refs in a single operation.", - "toggled_by": "update-refs-preview", - "toggled_on": [ - "Mutation.updateRefs", - "GitRefname", - "RefUpdate" - ], - "owning_teams": [ - "@github/repos" - ], - "accept_header": "application/vnd.github.update-refs-preview+json", - "href": "/graphql/overview/schema-previews#update-refs-preview-update-multiple-refs-in-a-single-operation-preview" - } + "description": "

A fully qualified reference name (e.g. refs/heads/master).

" }, { "name": "GitSSHRemote", From 9c9b5b73766693698ea49655ded707a468eb9b4b Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Thu, 8 Aug 2024 13:10:13 -0400 Subject: [PATCH 281/282] Rework article on exporting CSVs to include overview dashboard (#51905) Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../about-security-overview.md | 2 +- .../assessing-adoption-code-security.md | 2 +- .../assessing-code-security-risk.md | 2 +- ... exporting-data-from-security-overview.md} | 20 +++++++++++-------- .../code-security/security-overview/index.md | 2 +- .../viewing-security-insights.md | 4 ++++ ...ecurity-overview-export-dashboard-data.yml | 4 ++++ .../security-overview/download-csv-files.md | 2 +- 8 files changed, 25 insertions(+), 13 deletions(-) rename content/code-security/security-overview/{exporting-data-from-the-risk-and-coverage-pages.md => exporting-data-from-security-overview.md} (57%) create mode 100644 data/features/security-overview-export-dashboard-data.yml diff --git a/content/code-security/security-overview/about-security-overview.md b/content/code-security/security-overview/about-security-overview.md index b7cde053ba69..78eb6aaff519 100644 --- a/content/code-security/security-overview/about-security-overview.md +++ b/content/code-security/security-overview/about-security-overview.md 
@@ -43,7 +43,7 @@ Security overview shows which security features are enabled for repositories and
 For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies)" and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
 {% ifversion security-overview-export-data %}
-{% data reusables.security-overview.download-csv-files %} For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-the-risk-and-coverage-pages)."
+{% data reusables.security-overview.download-csv-files %} For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)."
 {% endif %}
 The views are interactive with filters that allow you to look at the aggregated data in detail and identify sources of high risk or low feature coverage. As you apply multiple filters to focus on narrower areas of interest, all data and metrics across the view change to reflect your current selection. For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)."
diff --git a/content/code-security/security-overview/assessing-adoption-code-security.md b/content/code-security/security-overview/assessing-adoption-code-security.md
index 61891c2ccf1c..663009aa3122 100644
--- a/content/code-security/security-overview/assessing-adoption-code-security.md
+++ b/content/code-security/security-overview/assessing-adoption-code-security.md
@@ -27,7 +27,7 @@ You can use security overview to see which repositories and teams have already e
 >[!NOTE] "Pull request alerts" are reported as enabled only when {% data variables.product.prodname_code_scanning %} has analyzed at least one pull request since alerts were enabled for the repository.
 {% ifversion security-overview-export-data %}
-You can download a CSV file of the data displayed on the "Security coverage" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-the-risk-and-coverage-pages)."
+You can download a CSV file of the data displayed on the "Security coverage" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)."
 {% endif %}
 {% ifversion security-overview-tool-adoption %}
diff --git a/content/code-security/security-overview/assessing-code-security-risk.md b/content/code-security/security-overview/assessing-code-security-risk.md
index e335e70d66d6..e722aad442fa 100644
--- a/content/code-security/security-overview/assessing-code-security-risk.md
+++ b/content/code-security/security-overview/assessing-code-security-risk.md
@@ -28,7 +28,7 @@ You can use security overview to see which repositories and teams are free from
 ![Screenshot of the header section of the "Security risk" view on the "Security" tab for an organization.](/assets/images/help/security-overview/security-risk-view-summary.png)
 {% ifversion security-overview-export-data %}
-You can download a CSV file of the data displayed on the "Security risk" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-the-risk-and-coverage-pages)."
+You can download a CSV file of the data displayed on the "Security risk" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)."
 {% endif %}
 {% note %}
diff --git a/content/code-security/security-overview/exporting-data-from-the-risk-and-coverage-pages.md b/content/code-security/security-overview/exporting-data-from-security-overview.md
similarity index 57%
rename from content/code-security/security-overview/exporting-data-from-the-risk-and-coverage-pages.md
rename to content/code-security/security-overview/exporting-data-from-security-overview.md
index 7e4b4dbdf829..d30dd00691d3 100644
--- a/content/code-security/security-overview/exporting-data-from-the-risk-and-coverage-pages.md
+++ b/content/code-security/security-overview/exporting-data-from-security-overview.md
@@ -1,7 +1,7 @@ --- -title: Exporting data from the risk and coverage pages +title: Exporting data from security overview shortTitle: Export data -intro: You can export CSV files of your risk and coverage data from security overview. +intro: You can export CSV files of your organization's{% ifversion security-overview-export-dashboard-data %} overview,{% endif %} risk and coverage data from security overview. permissions: '{% data reusables.security-overview.permissions %}' product: '{% data reusables.gated-features.security-overview %}' versions: @@ -13,12 +13,16 @@ topics: - Alerts - Organizations - Teams +redirect_from: + - /code-security/security-overview/exporting-data-from-the-risk-and-coverage-pages --- -## About exporting your risk and coverage data +## About exporting your security overview data {% data reusables.security-overview.download-csv-files %} +{% ifversion security-overview-export-dashboard-data %}The overview page contains data about security alerts across your organization, while the risk and coverage pages contain data about repositories and how they are affected by security alerts or covered by security features.{% endif %} + The CSV file you download will contain data corresponding to the filters you have applied to security overview. For example, if you add the filter `dependabot-alerts:enabled`, your file will only contain data for repositories that have enabled {% data variables.product.prodname_dependabot_alerts %}. {% note %} 
@@ -27,15 +31,15 @@ The CSV file you download will contain data corresponding to the filters you hav {% endnote %} -## Exporting risk or coverage data from your organization's security overview +## Exporting data from your organization's security overview {% data reusables.profile.access_org %} -1. In the "Organizations" section, select the organization for which you would like to download risk and/or coverage data. -{% data reusables.organizations.security-overview %} By default, you will see the risk page of your organization's security overview. -1. If you would instead like to download coverage data for your organization, in the "Security" sidebar, click {% octicon "meter" aria-hidden="true" %} **Coverage**. +1. In the "Organizations" section, select the organization for which you would like to download security overview data. +{% data reusables.organizations.security-overview %} +1. In the "Security" sidebar, choose the page that you want to export data from by clicking on {% ifversion security-overview-export-dashboard-data %}**{% octicon "graph" aria-hidden="true" %}Overview**, {% endif %}**{% octicon "meter" aria-hidden="true" %} Coverage** or **{% octicon "shield" aria-hidden="true" %} Risk**. 1. Next to the search bar, click {% octicon "download" aria-hidden="true" %} **Export CSV**. - It may take a moment for {% data variables.product.product_name %} to generate the CSV file of your data. Once the CSV file generates, the file will automatically start downloading, and a banner will appear confirming your report is ready. + It may take a moment for {% data variables.product.product_name %} to generate the CSV file of your data. Once the CSV file generates, the file will automatically start downloading, and a banner will appear confirming your report is ready. 
{% ifversion security-overview-export-dashboard-data %}If you are downloading the CSV from the overview page, you will also receive an email when your report is ready, containing a link to download the CSV.{% endif %} {% ifversion secret-scanning-non-provider-patterns %} diff --git a/content/code-security/security-overview/index.md b/content/code-security/security-overview/index.md index 3835b2efaaad..cf60511dbe95 100644 --- a/content/code-security/security-overview/index.md +++ b/content/code-security/security-overview/index.md @@ -18,6 +18,6 @@ children: - /assessing-code-security-risk - /filtering-alerts-in-security-overview - /enabling-security-features-for-multiple-repositories - - /exporting-data-from-the-risk-and-coverage-pages + - /exporting-data-from-security-overview - /viewing-metrics-for-secret-scanning-push-protection --- diff --git a/content/code-security/security-overview/viewing-security-insights.md b/content/code-security/security-overview/viewing-security-insights.md index e957a3e3e731..d92b73a2cd7e 100644 --- a/content/code-security/security-overview/viewing-security-insights.md +++ b/content/code-security/security-overview/viewing-security-insights.md 
@@ -39,6 +39,10 @@ You can view a variety of metrics about the security alerts in your organization
 You can filter the overview dashboard by selecting a specific time period, and apply additional filters to focus on narrower areas of interest. All data and metrics across the dashboard will change as you apply filters. {% ifversion security-overview-additional-tools %}By default, the dashboard displays all alerts from {% data variables.product.prodname_dotcom %} tools, but you can use the tool filter to show alerts from a specific tool ({% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, a specific third-party tool) or all third-party {% data variables.product.prodname_code_scanning %} tools.{% endif %} For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)."
+{% ifversion security-overview-export-dashboard-data %}
+You can download a CSV file of the overview dashboard data for your organization. This data file can integrate easily with external datasets, so you may find it useful for security research, data analysis, and more. For more information, see "[AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview)."
+{% endif %}
+
 {% ifversion security-overview-dashboard-enterprise %}Enterprise members can access the overview page for organizations in their enterprise. {% endif %}The metrics you see will depend on your role and repository permissions. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview#permission-to-view-data-in-security-overview)."
 ### Limitations
diff --git a/data/features/security-overview-export-dashboard-data.yml b/data/features/security-overview-export-dashboard-data.yml
new file mode 100644
index 000000000000..01775162e26c
--- /dev/null
+++ b/data/features/security-overview-export-dashboard-data.yml
@@ -0,0 +1,4 @@
+# Reference: #13511
+# Documentation for the ability to download CSV files of data from the overview dashboard page of security overview.
+versions:
+ ghec: '*'
diff --git a/data/reusables/security-overview/download-csv-files.md b/data/reusables/security-overview/download-csv-files.md
index 918cdd7a77f7..ef40b639fd8d 100644
--- a/data/reusables/security-overview/download-csv-files.md
+++ b/data/reusables/security-overview/download-csv-files.md
@@ -1 +1 @@
-You can download comma-separated values (CSV) files containing data from the risk and coverage pages of security overview. These files can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets.
+You can download comma-separated values (CSV) files containing data from the {% ifversion security-overview-export-dashboard-data %} overview, {% endif %}risk and coverage pages of your organization's security overview. These files can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets.
From a4b90633e94913579d49fa2137a7a9775ff605d5 Mon Sep 17 00:00:00 2001
From: Jess Bees
Date: Thu, 8 Aug 2024 14:05:05 -0400
Subject: [PATCH 282/282] Update pages domain verification to clarify that release is immediate (#51934)
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
---
 .../verifying-your-custom-domain-for-github-pages.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages.md b/content/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages.md
index a4388413f7cb..46da08ad9416 100644
--- a/content/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages.md
+++ b/content/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages.md
@@ -24,7 +24,7 @@ It's also possible to verify a domain for your organization{% ifversion ghec %}
 ### Verifying a domain that is already taken
-If you are verifying a domain you own, which is currently in use by another user or organization, to make it available for your {% data variables.product.prodname_pages %} website; note that the process to release the domain from its current location will take 7 days to complete. If you are attempting to verify an already verified domain (verified by another user or organization), the release process will not be successful.
+You may be verifying a domain you own, which is currently in use by another user or organization, to make it available for your {% data variables.product.prodname_pages %} website. In this case, the domain will be immediately released from {% data variables.product.prodname_pages %} websites which are owned by other users or organizations. If you are attempting to verify an already verified domain (verified by another user or organization), the release process will not be successful.
 ## Verifying a domain for your user site