
Merge pull request #33998 from github/repo-sync

Repo sync
This commit is contained in:
docs-bot
2024-07-16 14:29:46 -07:00
committed by GitHub
34 changed files with 939 additions and 145 deletions


@@ -17,14 +17,73 @@ permissions:
pull-requests: write
jobs:
repo-sync:
test-for-equality:
if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
name: Test for equality
runs-on: ubuntu-latest
outputs:
is-different: ${{ steps.set-is-different.outputs.result }}
steps:
- name: Check out docs
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: main
repository: github/docs
token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
path: docs
- name: Check out docs-internal
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: main
repository: github/docs-internal
token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
path: docs-internal
- name: Diff the two repos
id: set-is-different
run: |
# Order doesn't matter because we only care if they're different or not
# First a test to print the differences, if there is any.
# The '|| true' is just to avoid failing the job just because there is a difference.
diff -qr -x .git docs docs-internal || true
# The output means, for example, `true` means there
# *are* differences.
diff -qr -x .git docs docs-internal && echo "result=false" >> $GITHUB_OUTPUT || echo "result=true" >> $GITHUB_OUTPUT
# Doesn't matter which repo we use
- uses: ./docs-internal/.github/actions/slack-alert
if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
with:
slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
repo-sync:
# This is deliberately commented out like this.
# The job before this, `test-for-equality`, will set the output which
# will conclude if the files in github/docs and github/docs-internal
# are NOT identical.
# But as as of June 2024, let's be careful and let this logic just
# print until we're confident that the comparison is working correctly.
# Once we're confident, we can uncomment this.
# if: (github.repository == 'github/docs-internal' || github.repository == 'github/docs') && needs.test-for-equality.outputs.is-different == 'true'
if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
needs: test-for-equality
name: Repo Sync
runs-on: ubuntu-latest
steps:
- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Test for equality (different)
if: ${{ needs.test-for-equality.outputs.is-different == 'true' }}
run: echo "github/docs and github/docs-internal are different."
- name: Test for equality (same)
if: ${{ needs.test-for-equality.outputs.is-different == 'false' }}
run: echo "You'll find that github/docs and github/docs-internal are identical."
- name: Sync repo to branch
uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88
with:
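Review bot: The two `actions/checkout` steps in the new `test-for-equality` job pass `DOCS_BOT_PAT_WORKFLOW` as `token` but leave `persist-credentials` at its default, so the PAT is written into the `.git/config` of both the `docs` and `docs-internal` checkouts and stays on the runner for every later step of the job (including the local `slack-alert` action loaded from `docs-internal`), even though the job only reads the two trees to run `diff`; add `persist-credentials: false` under each of those `with:` blocks. In the "Diff the two repos" step, `$GITHUB_OUTPUT` is unquoted in both redirections, and a `diff` exit status of 2 (an error such as an unreadable file, rather than a difference) is recorded as `result=true`, which downstream reads as a genuine difference; capturing the status explicitly, e.g. `diff -qr -x .git docs docs-internal; rc=$?` followed by `[ "$rc" -eq 0 ] && echo "result=false" >> "$GITHUB_OUTPUT" || echo "result=true" >> "$GITHUB_OUTPUT"`, and failing the step when `rc` is 2 would keep an infrastructure error from being mistaken for drift. The `repo-sync` job's `with:` block is the last line of this hunk, so its remaining inputs and steps are outside the view.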


@@ -7,7 +7,7 @@ name: Validate github/github docs URLs
on:
workflow_dispatch:
schedule:
- cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:20 PST
- cron: '20 16 * * 1' # Run every Monday at 16:20 UTC / 8:20 PST
pull_request:
paths:
- 'content/**'


@@ -27,6 +27,12 @@ You can use {% data variables.product.prodname_code_scanning %} to find, triage,
If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
{% ifversion code-scanning-autofix %}
Autofix will suggest fixes for alerts from {% data variables.product.prodname_codeql %} analysis in private repositories, allowing developers to prevent and reduce vulnerabilities with less effort. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
{% endif %}
To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see
"[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert)." For information about API endpoints, see "[AUTOTITLE](/rest/code-scanning)."


@@ -1,7 +1,7 @@
---
title: About autofix for CodeQL code scanning
shortTitle: Autofix for code scanning
intro: Learn how GitHub uses AI to suggest potential fixes for {% data variables.product.prodname_code_scanning %} alerts found by {% data variables.product.prodname_codeql %} in your pull request.
intro: Learn how GitHub uses AI to suggest potential fixes for {% data variables.product.prodname_code_scanning %} alerts found by {% data variables.product.prodname_codeql %}.
product: '{% data reusables.rai.code-scanning.gated-feature-autofix %}'
versions:
feature: code-scanning-autofix
@@ -15,20 +15,20 @@ topics:
---
<!--Note on the versioning above ^. This article is visible to free, pro, team users for transparency. They cannot use the feature so `fpt` is not included in the feature definition.-->
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
## About autofix for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}
{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts in pull requests so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from {% data variables.product.prodname_codeql %} analysis.
{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase and from {% data variables.product.prodname_codeql %} analysis.
> [!NOTE]
> While {% data variables.product.prodname_code_scanning %} autofix is powered by {% data variables.product.prodname_copilot %}, your enterprise does not need a subscription to {% data variables.product.prodname_copilot %} to use autofix. As long as your enterprise has {% data variables.product.prodname_GH_advanced_security %}, you will have access to autofix.
{% data variables.product.prodname_code_scanning_caps %} autofix generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. Autofix uses internal {% data variables.product.prodname_copilot %} APIs and private instances of OpenAI large language models such as GPT-4, which have sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
{% data variables.product.prodname_code_scanning_caps %} autofix generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. Autofix uses internal {% data variables.product.prodname_copilot %} APIs interfacing with the large language model GPT-4o from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
{% ifversion code-scanning-autofix %}While {% data variables.product.prodname_code_scanning %} autofix is allowed by default in an enterprise and enabled for every repository using {% data variables.product.prodname_codeql %}, you can choose to opt out and disable autofix. To learn how to disable autofix at the enterprise, organization and repository levels, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning)."{% endif %}
In an organization's security overview dashboard, you can view the total number of autofix suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#autofix-suggestions)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
In an organization's security overview dashboard, you can view the total number of code suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#autofix-suggestions)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
## Developer experience
@@ -40,35 +40,35 @@ After committing a suggested fix or modified fix, the developer should always ve
## Supported languages
{% data variables.product.prodname_code_scanning_caps %} autofix supports fix generation for a subset of queries included in the default and security-extended query suites for C#, C/C++, Go, Java/Kotlin, JavaScript/TypeScript, Python, and Ruby. For more information on these query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites)."
{% data variables.product.prodname_code_scanning_caps %} autofix supports fix generation for a subset of queries included in the default and security-extended query suites for {% data variables.code-scanning.code_scanning_autofix_languages %}. For more information on these query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites)."
## Autofix generation process
## Suggestion generation process
When autofix is enabled for a repository, {% data variables.product.prodname_code_scanning %} alerts that are identified in a pull request by supported {% data variables.product.prodname_codeql %} queries send input to the LLM. If the LLM can generate a potential fix, the fix is shown in the pull request as a suggestion comment.
When autofix is enabled for a repository, {% data variables.product.prodname_code_scanning %} alerts that are identified by supported {% data variables.product.prodname_codeql %} queries send input to the LLM. If the LLM can generate a potential fix, the fix is shown as a suggestion.
{% data variables.product.prodname_dotcom %} sends the LLM a variety of data from the pull request and from {% data variables.product.prodname_codeql %} analysis.
{% data variables.product.prodname_dotcom %} sends the LLM a variety of data from the {% data variables.product.prodname_codeql %} analysis.
* {% data variables.product.prodname_codeql %} alert data in SARIF format. For more information, see “[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning).”
* Code from the current version of the pull request branch.
* Code from the current version of the branch.
* Short snippets of code around each source location, sink location, and any location referenced in the alert message or included on the flow path.
* First ~10 lines from each file involved in any of those locations.
* Help text for the {% data variables.product.prodname_codeql %} query that identified the problem. For examples, see “[{% data variables.product.prodname_codeql %} query help](https://codeql.github.com/codeql-query-help/).”
Any autofix suggestions are generated and stored within the {% data variables.product.prodname_code_scanning %} backend. They are displayed as suggestion comments in the pull request. No user interaction is needed beyond enabling {% data variables.product.prodname_code_scanning %} on the codebase and creating the pull request.
Any autofix suggestions are generated and stored within the {% data variables.product.prodname_code_scanning %} backend. They are displayed as suggestions. No user interaction is needed beyond enabling {% data variables.product.prodname_code_scanning %} on the codebase and creating a pull request.
The process of generating fixes does not gather or utilize any customer data beyond the scope outlined above. Therefore, the use of this feature is governed by the existing terms and conditions associated with {% data variables.product.prodname_GH_advanced_security %}. Moreover, data handled by {% data variables.product.prodname_code_scanning %} autofix is strictly not employed for LLM training purposes. For more information on {% data variables.product.prodname_GH_advanced_security %} terms and conditions, see "[AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security){% ifversion fpt %}."{% else %} in the Free, Pro, & Team documentation.{% endif %}
## Quality of autofix suggestions
## Quality of suggestions
{% data variables.product.prodname_dotcom %} uses an automated test harness to continuously monitor the quality of autofix suggestions. This allows us to understand how the autofix suggestions generated by the LLM change as the model develops.
{% data variables.product.prodname_dotcom %} uses an automated test harness to continuously monitor the quality of suggestions from autofix. This allows us to understand how the suggestions generated by the LLM change as the model develops.
The test harness includes a set of over 2,300 alerts from a diverse set of public repositories where the highlighted code has test coverage. Autofix suggestions for these alerts are tested to see how good they are, that is, how much a developer would need to edit them before committing them to the codebase. For many of the test alerts, autofixes generated by the LLM could be committed as-is to fix the alert while continuing to successfully pass all the existing CI tests.
The test harness includes a set of over 2,300 alerts from a diverse set of public repositories where the highlighted code has test coverage. Suggestions for these alerts are tested to see how good they are, that is, how much a developer would need to edit them before committing them to the codebase. For many of the test alerts, suggestions generated by the LLM could be committed as-is to fix the alert while continuing to successfully pass all the existing CI tests.
In addition, the system is stress-tested to check for any potential harm (often referred to as red teaming), and a filtering system on the LLM helps prevent potentially harmful suggestions being displayed to users.
### How GitHub tests autofix suggestions
### How GitHub tests suggestions
We test the effectiveness of autofix suggestions by merging all suggested changes, unedited, before running {% data variables.product.prodname_code_scanning %} and the repository's unit tests on the resulting code.
We test the effectiveness of suggestions by merging all suggested changes, unedited, before running {% data variables.product.prodname_code_scanning %} and the repository's unit tests on the resulting code.
1. Was the {% data variables.product.prodname_code_scanning %} alert fixed by the suggestion?
1. Did the fix introduce any new {% data variables.product.prodname_code_scanning %} alerts?
@@ -79,24 +79,23 @@ In addition, we spot check many of the successful suggestions and verify that th
### Effectiveness on other projects
The test set contains a broad range of different types of projects and alerts. We predict that autofixes for other projects using languages supported by autofix should follow a similar pattern.
The test set contains a broad range of different types of projects and alerts. We predict that suggestions for other projects using languages supported by autofix should follow a similar pattern.
* Autofix is likely to add a code suggestion to the majority of alerts.
* When developers evaluate the autofix suggestions we expect that the majority of fixes can be committed without editing or with minor updates to reflect the wider context of the code.
* When developers evaluate the suggestions we expect that the majority of fixes can be committed without editing or with minor updates to reflect the wider context of the code.
* A small percentage of suggested fixes will reflect a significant misunderstanding of the codebase or the vulnerability.
However, each project and codebase is unique, so developers may need to edit a larger percentage of suggested fixes before committing them. Autofix provides valuable information to help you resolve {% data variables.product.prodname_code_scanning %} alerts, but ultimately it remains your responsibility to evaluate the proposed change and ensure the security and accuracy of your code.
> [!NOTE]
> Fix generation for supported languages is subject to LLM operational capacity. In addition, each suggested fix is tested before it is added to a pull request. If no suggestion is available, or if the suggested fix fails internal testing, then no autofix suggestion is displayed.
> Fix generation for supported languages is subject to LLM operational capacity. In addition, each suggested fix is tested before it is added to a pull request. If no suggestion is available, or if the suggested fix fails internal testing, then no suggestion is displayed.
## Limitations of autofix suggestions
## Limitations of suggestions
When you review an autofix suggestion, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling autofix for {% data variables.product.prodname_code_scanning %}. For more information, see "[Mitigating the limitations of autofix suggestions](#mitigating-the-limitations-of-autofix-suggestions)."
When you review a suggestion from autofix, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling autofix for {% data variables.product.prodname_code_scanning %}. For more information, see "[Mitigating the limitations of suggestions](#mitigating-the-limitations-of-suggestions)."
### Limitations of autofix code suggestions
### Limitations of code suggestions
* _Programming languages:_ A subset of programming languages is supported. Support for additional languages will be added, but there is no intention to provide support for all {% data variables.product.prodname_codeql %} languages.
* _Human languages:_ The system primarily uses English data, including the prompts sent to the system, the code seen by the LLMs in their datasets, and the test cases used for internal evaluation. Suggestions generated by the LLM may have a lower success rate for source code and comments written in other languages and using other character sets.
* _Syntax errors:_ The system may suggest fixes that are not syntactically correct code changes, so it is important to run syntax checks on pull requests.
* _Location errors:_ The system may suggest fixes that are syntactically correct code but are suggested at the incorrect location, which means that if a user accepts a fix without editing the location they will introduce a syntax error.
@@ -104,7 +103,7 @@ When you review an autofix suggestion, you must always consider the limitations
* _Security vulnerabilities and misleading fixes:_ The system may suggest fixes that fail to remediate the underlying security vulnerability and/or introduce new security vulnerabilities.
* _Partial fixes:_ The system may suggest fixes that only partially address the security vulnerability, or only partially preserve the intended code functionality. The system sees only a small subset of the code in the codebase and does not always produce globally optimal or correct solutions.
### Limitations of autofix dependency suggestions
### Limitations of dependency suggestions
Sometimes a suggested fix includes a change in the dependencies of the codebase. If you use a dependency management system, any changes will be highlighted automatically for the developer to review. Before merging a pull request always verify that any dependency changes are secure and maintain the intended behavior of the codebase.
@@ -112,9 +111,9 @@ Sometimes a suggested fix includes a change in the dependencies of the codebase.
* _Unsupported or insecure dependencies:_ The system does not know which versions of an existing dependency are supported or secure.
* _Fabricated dependencies:_ The system has incomplete knowledge of the dependencies published in the wider ecosystem. This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.
## Mitigating the limitations of autofix suggestions
## Mitigating the limitations of suggestions
The best way to mitigate the limitations of autofix suggestions is to follow best practices. For example, using CI testing of pull requests to verify functional requirements are unaffected and using dependency management solutions, such as the dependency review API and action. For more information, see “[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).”
The best way to mitigate the limitations of suggestions from autofix is to follow best practices. For example, using CI testing of pull requests to verify functional requirements are unaffected and using dependency management solutions, such as the dependency review API and action. For more information, see “[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).”
It is important to remember that the author of a pull request retains responsibility for how they respond to review comments and suggested code changes, whether proposed by colleagues or automated tools. Developers should always look at suggestions for code changes critically. If needed, they should edit the suggested changes to ensure that the resulting code and application are correct, secure, meet performance criteria, and satisfy all other functional and non-functional requirements for the application.
@@ -123,12 +122,13 @@ It is important to remember that the author of a pull request retains responsibi
{% ifversion code-scanning-autofix %}
* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)"
* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts)"
* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request)"
* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#generating-suggested-fixes-for-code-scanning-alerts)
* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning)"
{% elsif fpt %}
* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)"
* [AUTOTITLE](/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts) in the {% data variables.product.prodname_ghe_cloud %} documentation
* [AUTOTITLE](/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request) in the {% data variables.product.prodname_ghe_cloud %} documentation
{% endif %}


@@ -23,6 +23,12 @@ You can configure {% data variables.product.prodname_code_scanning %} to check t
By default, {% data variables.product.prodname_code_scanning %} analyzes your code periodically on the default branch and during pull requests. For information about managing alerts on a pull request, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)."
{% ifversion code-scanning-autofix %}
You can use autofix to generate fixes automatically for {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#generating-suggested-fixes-for-code-scanning-alerts)."
{% endif %}
{% data reusables.code-scanning.audit-code-scanning-events %}
## About alert details


@@ -13,15 +13,15 @@ topics:
- AI
---
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
## About disabling autofix for {% data variables.product.prodname_code_scanning %}
{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts in pull requests so they can avoid introducing new security vulnerabilities. To learn more about autofix for code scanning, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered is an expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts so they can avoid introducing new security vulnerabilities. To learn more about autofix for {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
{% data variables.product.prodname_code_scanning_caps %} autofix is allowed by default in an enterprise and enabled for every repository that uses {% data variables.product.prodname_codeql %}, regardless of whether it uses default or advanced setup for {% data variables.product.prodname_code_scanning %}. Administrators at the enterprise, organization and repository levels can choose to opt-out and disable autofix.
Note that disabling autofix at any level will close all open autofix comments from all open pull requests at the level that was disabled. If autofix is disabled and then subsequently enabled, autofix won't automatically suggest any fixes for pull requests that are already open. The suggestions will only be generated for pull requests that are opened after autofix is enabled, or after re-running {% data variables.product.prodname_codeql %} analysis on existing pull requests.
Note that disabling autofix at any level will close all open autofix comments. If autofix is disabled and then subsequently enabled, autofix won't automatically suggest fixes for any pull requests that are already open. The suggestions will only be generated for any pull requests that are opened after autofix is enabled, or after re-running {% data variables.product.prodname_codeql %} analysis on existing pull requests.
## Blocking use of autofix for an enterprise
@@ -29,7 +29,7 @@ Enterprise administrators can disallow autofix for their enterprise. If you disa
Note that allowing autofix for an enterprise does not enforce enablement of autofix, but means that organization and repository administrators will have the option to enable or disable autofix.
Disallowing autofix at the enterprise level will remove all open autofix comments from open pull requests across all repositories of all organizations within the enterprise.
Disallowing autofix at the enterprise level will remove all open autofix comments across all repositories of all organizations within the enterprise.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
@@ -40,20 +40,18 @@ Disallowing autofix at the enterprise level will remove all open autofix comment
If autofix is allowed at the enterprise level, organization administrators have the option to disable autofix for an organization. If you disable autofix for an organization, autofix cannot be enabled for any repositories within the organization.
Note that disabling autofix at the organization level will remove all open autofix comments from open pull requests across all repositories in the organization.
Note that disabling autofix at the organization level will remove all open autofix comments across all repositories in the organization.
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
1. Under the "{% data variables.product.prodname_code_scanning_caps %}" section, deselect **Autofix for {% data variables.product.prodname_codeql %}**.
For more information about configuring global {% data variables.product.prodname_code_scanning %} settings, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-code-scanning-settings)."
## Disabling autofix for a repository
If autofix is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable autofix for a repository. Disabling autofix at the repository level will remove all open autofix comments from all open pull requests across the repository.
If autofix is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable autofix for a repository. Disabling autofix at the repository level will remove all open autofix comments across the repository.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}


@@ -116,7 +116,24 @@ Alternatively, to track a {% data variables.product.prodname_code_scanning %} al
{% endif %}
## Fixing an alert
{% ifversion code-scanning-autofix %}
## Generating suggested fixes for {% data variables.product.prodname_code_scanning %} alerts
{% data reusables.rai.code-scanning.autofix-note %}
{% data variables.product.prodname_code_scanning_caps %} autofix can generate fixes for alerts from {% data variables.product.prodname_codeql %} analysis in private repositories. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-code-scanning-alerts %}
1. Click the name of an alert.
1. If autofix can suggest a fix, at the top of the page, click **{% octicon "shield-check" aria-label="Generate fix"%} Generate fix**.
1. Once the suggested fix has been generated, at the bottom of the page, you can click **Create PR with fix** to automatically generate a pull request with the suggested fix.
{% endif %}
## Fixing an alert {% ifversion code-scanning-autofix %}manually{% endif %}
Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)."


@@ -42,6 +42,12 @@ In repositories where {% data variables.product.prodname_code_scanning %} is con
{% endnote %}
{% endif %}
{% ifversion code-scanning-autofix %}
{% data variables.product.prodname_code_scanning_caps %} autofix will suggest fixes for alerts from {% data variables.product.prodname_codeql %} analysis in private repositories. For more information on working with suggestions from autofix in pull requests, see "[Working with autofix suggestions for alerts on a pull request](#working-with-autofix-suggestions-for-alerts-on-a-pull-request)."
{% endif %}
If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
In repositories where {% data variables.product.prodname_code_scanning %} is configured to scan each time code is pushed, {% data variables.product.prodname_code_scanning %} will also map the results to any open pull requests and add the alerts as annotations in the same places as other pull request checks. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push)."
@@ -118,9 +124,9 @@ Anyone with push access to a pull request can fix a {% data variables.product.pr
{% ifversion code-scanning-autofix %}
## Working with autofix suggestions for alerts
## Working with autofix suggestions for alerts on a pull request
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
Autofix, powered by {% data variables.product.prodname_copilot %}, is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts in pull requests. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from {% data variables.product.prodname_codeql %} analysis.
@@ -135,6 +141,7 @@ When autofix is enabled for a repository, alerts are displayed in pull requests
**Notes:**
* Autofix supports a subset of {% data variables.product.prodname_codeql %} queries. For information about the availability of autofix, see the query tables linked from "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites)."
* When analysis is complete, all relevant results are published to the pull request at once. If at least one alert in your pull request has an autofix suggestion, you should assume that the LLM has finished identifying potential fixes for your code.
* On alerts generated from queries that are not supported by autofix, you will see a note telling you that the query is not supported. If an autofix suggestion for a supported query fails to generate, you will see a note on the alert prompting you to try pushing another commit or to contact support.
{% endnote %}
@@ -144,11 +151,14 @@ Usually, when you suggest changes to a pull request, your comment contains chang
### Assessing and committing an autofix suggestion
Each autofix suggestion demonstrates a potential solution for a {% data variables.product.prodname_code_scanning %} alert in your codebase. You must assess the suggested changes to determine whether they are a good solution for your codebase and to ensure that they maintain the intended behavior. For information about the limitations of autofix suggestions, see "[Limitations of autofix suggestions](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning/#limitations-of-autofix-suggestions)" and "[Mitigating the limitations of autofix suggestions](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#mitigating-the-limitations-of-autofix-suggestions)" in "About autofix for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}."
Each autofix suggestion demonstrates a potential solution for a {% data variables.product.prodname_code_scanning %} alert in your codebase. You must assess the suggested changes to determine whether they are a good solution for your codebase and to ensure that they maintain the intended behavior. For information about the limitations of autofix suggestions, see "[Limitations of suggestions](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#limitations-of-suggestions)" and "[Mitigating the limitations of suggestions](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#mitigating-the-limitations-of-suggestions)" in "About autofix for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}."
1. Click **Edit** to display the editing options and select your preferred method.
* Select **Edit with codespaces** to open a codespace showing your branch with the suggested fix applied.
* Select **Edit locally with {% data variables.product.prodname_cli %}** to display instructions for applying the suggested fix to any local repository or branch.
* Under **Edit with {% data variables.product.prodname_cli %}**, follow the instructions for checking out the pull request locally and applying the suggested fix.
* Select **Edit FILENAME** to edit the file directly on {% data variables.product.prodname_dotcom %} with the suggested fix applied.
1. Optionally, if you prefer to apply the fix on a local repository or branch, select the {% octicon "copy" aria-hidden="true" %} dropdown menu on the suggestion.
* Select **View autofix patch** to display instructions for applying the suggested fix to any local repository or branch.
* Select **Copy modified line LINE_NUMBER** to copy a specific line of the suggestion.
1. Test and modify the suggested fix as needed.
1. When you have finished testing your changes, commit the changes, and push them to your branch.
1. Pushing the changes to your branch will trigger all the usual tests for your pull request. Confirm that your unit tests still pass and that the {% data variables.product.prodname_code_scanning %} alert is now fixed.


@@ -20,6 +20,6 @@ topics:
{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
{% data reusables.code-scanning.codeql-query-tables.cpp %}


@@ -20,6 +20,6 @@ topics:
{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
{% data reusables.code-scanning.codeql-query-tables.csharp %}


@@ -20,6 +20,6 @@ topics:
{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
{% data reusables.code-scanning.codeql-query-tables.go %}


@@ -22,6 +22,6 @@ topics:
{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
{% data reusables.code-scanning.codeql-query-tables.java %}


@@ -20,6 +20,6 @@ topics:
{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
{% data reusables.code-scanning.codeql-query-tables.javascript %}


@@ -20,6 +20,6 @@ topics:
{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
{% data reusables.code-scanning.codeql-query-tables.python %}


@@ -20,6 +20,6 @@ topics:
{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
{% data reusables.code-scanning.codeql-query-tables.ruby %}


@@ -22,6 +22,6 @@ topics:
{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
{% data reusables.code-scanning.codeql-query-tables.swift %}


@@ -71,11 +71,16 @@ You can specify additional options depending on the location of your source file
| Option | Required | Usage |
|--------|:--------:|-----|
| `<database>` | {% octicon "check" aria-label="Required" %} | Specify the name and location of a directory to create for the {% data variables.product.prodname_codeql %} database. The command will fail if you try to overwrite an existing directory. If you also specify `--db-cluster`, this is the parent directory and a subdirectory is created for each language analyzed. | {% ifversion codeql-language-identifiers-311 %}
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %}. When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. | {% else %}
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %} (use `javascript` to analyze TypeScript code {% ifversion codeql-kotlin-beta %} and `java` to analyze Kotlin code{% endif %}). When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. | {% endif %}
| <code><span style="white-space: nowrap;">--command</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to specify the build command or script that invokes the build process for the codebase. Commands are run from the current folder or, where it is defined, from <code><span style="white-space: nowrap;">--source-root</span></code>. Not needed for Python and JavaScript/TypeScript analysis. |{% ifversion codeql-no-build %}
| <code><span style="white-space: nowrap;">--build-mode</span></code> | {% octicon "x" aria-label="Optional" %} | **Beta.** Use for {% data variables.code-scanning.no_build_support %} when not providing a `--command` to specify whether to create a CodeQL database without a build (`none`) or by attempting to automatically detect a build command (`autobuild`). By default, autobuild detection is used. For a comparison of build modes, see "[CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)." |{% endif %}
| `<database>` | {% octicon "check" aria-label="Required" %} | Specify the name and location of a directory to create for the {% data variables.product.prodname_codeql %} database. The command will fail if you try to overwrite an existing directory. If you also specify `--db-cluster`, this is the parent directory and a subdirectory is created for each language analyzed. |
| {% ifversion codeql-language-identifiers-311 %} |
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %}. When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. |
| {% else %} |
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %} (use `javascript` to analyze TypeScript code {% ifversion codeql-kotlin-beta %} and `java` to analyze Kotlin code{% endif %}). When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. |
| {% endif %} |
| <code><span style="white-space: nowrap;">--command</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to specify the build command or script that invokes the build process for the codebase. Commands are run from the current folder or, where it is defined, from <code><span style="white-space: nowrap;">--source-root</span></code>. Not needed for Python and JavaScript/TypeScript analysis. |
| {% ifversion codeql-no-build %} |
| <code><span style="white-space: nowrap;">--build-mode</span></code> | {% octicon "x" aria-label="Optional" %} | **Beta.** Use for {% data variables.code-scanning.no_build_support %} when not providing a `--command` to specify whether to create a CodeQL database without a build (`none`) or by attempting to automatically detect a build command (`autobuild`). By default, autobuild detection is used. For a comparison of build modes, see "[CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)." |
| {% endif %} |
| <code><span style="white-space: nowrap;">--db-cluster</span></code> | {% octicon "x" aria-label="Optional" %} | Use in multi-language codebases to generate one database for each language specified by <code><span style="white-space: nowrap;">--language</span></code>. |
| <code><span style="white-space: nowrap;">--no-run-unnecessary-builds</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to suppress the build command for languages where the {% data variables.product.prodname_codeql_cli %} does not need to monitor the build (for example, Python and JavaScript/TypeScript). |
| <code><span style="white-space: nowrap;">--source-root</span></code> | {% octicon "x" aria-label="Optional" %} | Use if you run the CLI outside the checkout root of the repository. By default, the `database create` command assumes that the current directory is the root directory for the source files, use this option to specify a different location. |


@@ -67,17 +67,19 @@ You can apply various filters to the alerts list to help you find the alerts you
|Qualifier|Description|
|---------|-----------|
|`is:open`|Displays open alerts.|
|`is:closed`|Displays closed alerts.|{% ifversion secret-scanning-bypass-filter %}
|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."|{% endif %}{% ifversion secret-scanning-validity-check %}
|`is:closed`|Displays closed alerts.|
| {% ifversion secret-scanning-bypass-filter %} |
|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."|
| {% endif %} |
|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."|
|`validity:inactive`| Displays alerts for secrets that are no longer active.|
|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.|{% endif %}
|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.|
|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." |
|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."|{% ifversion secret-scanning-non-provider-patterns %}
|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."|
| {% ifversion secret-scanning-non-provider-patterns %} |
|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." |
|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}|{% endif %}
{% ifversion secret-scanning-validity-check %}
|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}|
| {% endif %} |
## Evaluating alerts
@@ -135,8 +137,6 @@ Once you have enabled validity checks for partner patterns for your repository,
{% endif %}
{% endif %}
{% ifversion secret-scanning-github-token-metadata %}
### Reviewing {% data variables.product.company_short %} token metadata
@@ -190,30 +190,22 @@ Once a secret has been committed to a repository, you should consider the secret
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. {% ifversion secret-scanning-partner-documentation-link-UI %}
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.
1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert.
![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png)
{% else %}
1. To dismiss an alert, select the "Mark as" dropdown menu and click a reason for resolving an alert.
{% endif %}{% ifversion secret-scanning-dismissal-comment %}
1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation.
1. Click **Close alert**.
{% endif %}
## Configuring notifications for {% data variables.secret-scanning.alerts %}
{% ifversion secret-scanning-backfills %}
Notifications are different for incremental scans and historical scans.
### Incremental scans
{% endif %}
{% data reusables.secret-scanning.secret-scanning-configure-notifications %}
{% ifversion secret-scanning-notification-settings %}
{% data reusables.repositories.navigate-to-repo %}
1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**.
@@ -225,12 +217,9 @@ Notifications are different for incremental scans and historical scans.
1. Select "Email" as a notification option, then click **Save**.
![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png)
{% endif %}
{% data reusables.notifications.watch-settings %}
{% ifversion secret-scanning-backfills %}
### Historical scans
For historical scans, {% data variables.product.product_name %} notifies the following users:
@@ -242,8 +231,6 @@ We do _not_ notify commit authors.
{% data reusables.notifications.watch-settings %}
{% endif %}
## Auditing responses to secret scanning alerts
{% data reusables.secret-scanning.audit-secret-scanning-events %}


@@ -84,7 +84,7 @@ Push protection alerts are user alerts that are reported by push protection. {%
## Supported secrets
This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token{% ifversion secret-scanning-validity-check %}, as well as whether a validity check is performed on the token{% endif %}.
This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.
* **Provider**—name of the token provider.{% ifversion fpt or ghec %}
* **Partner**—token for which leaks are reported to the relevant token partner. Applies to public repositories only.
* **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}
@@ -100,8 +100,8 @@ This table lists the secrets supported by {% data variables.product.prodname_sec
**Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)."
{% endnote %}{% ifversion secret-scanning-validity-check %}
* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}{% endif %}
{% endnote %}
* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}
{% ifversion secret-scanning-non-provider-patterns %}
@@ -145,6 +145,7 @@ Push protection and validity checks are not supported for non-provider patterns.
{%- for entry in secretScanningData %}
| {{ entry.provider }} | {{ entry.secretType }} | {% if entry.isPublic %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} |
{%- endfor %}
{% endif %}
<!-- GHES 3.9+ table -->


@@ -79,7 +79,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
### Enabling autofix for {% data variables.product.prodname_codeql %}
You can select **Autofix for {% data variables.product.prodname_codeql %}** to enable autofix for all the repositories in your organization that use {% data variables.product.prodname_codeql %} default setup or {% data variables.product.prodname_codeql %} advanced setup. Autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts in pull requests. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
You can select **Autofix for {% data variables.product.prodname_codeql %}** to enable autofix for all the repositories in your organization that use {% data variables.product.prodname_codeql %} default setup or {% data variables.product.prodname_codeql %} advanced setup. Autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
{% endif %}


@@ -152,11 +152,11 @@ Alerts that are reopened and re-closed during the chosen time period are ignored
### Autofix suggestions
{% data reusables.rai.code-scanning.beta-autofix %}
{% data reusables.rai.code-scanning.autofix-note %}
Autofix, powered by {% data variables.product.prodname_copilot %}, is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts in pull requests. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
Autofix, powered by {% data variables.product.prodname_copilot %}, is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
The "Autofix suggestions" metric is the total number of Autofix suggestions generated in open and closed pull requests during the chosen time period.
The "Autofix suggestions" metric is the total number of autofix suggestions generated in open and closed pull requests during the chosen time period.
{% endif %}


@@ -16,13 +16,13 @@ topics:
Before you can start using {% data variables.product.prodname_copilot_for_individuals %}, you will need to set up a free trial or subscription.
{% data reusables.copilot.copilot-individual-emus %}
{% data reusables.copilot.tp-users-trial-eligibility %}
>[!NOTE]
>
> * _If you are a member of an organization or enterprise_ that has a subscription to {% data variables.product.prodname_copilot %}, you can request access to {% data variables.product.prodname_copilot_short %} by going to [https://github.com/settings/copilot](https://github.com/settings/copilot) and requesting access under "Get Copilot from an organization."{% ifversion ghec %} If you have a {% data variables.enterprise.prodname_managed_user %} account instead of a personal account, you cannot get a {% data variables.product.prodname_copilot_for_individuals %} subscription.{% endif %}
> * _If you are a verified student, teacher, or maintainer of a popular open source project_, {% data variables.product.prodname_copilot %} is free to use. See "[AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/getting-free-access-to-copilot-as-a-student-teacher-or-maintainer)."
{% data reusables.copilot.signup-procedure %}
## Further reading
## Next steps
* "[AUTOTITLE](/copilot/about-github-copilot/what-is-github-copilot)"
* "[AUTOTITLE](/copilot/using-github-copilot/getting-started-with-github-copilot)"
To start using {% data variables.product.prodname_copilot_short %}, see "[AUTOTITLE](/copilot/setting-up-github-copilot/setting-up-github-copilot-for-yourself)."


@@ -32,13 +32,7 @@ If you connect through an HTTP proxy server or firewall, ensure that [these URLs
You may also need to install a custom SSL certificate on your machine. See "[AUTOTITLE](/copilot/managing-copilot/configure-personal-settings/configuring-network-settings-for-github-copilot)."
## 5. Start using {% data variables.product.prodname_copilot_short %}
Start using {% data variables.product.prodname_copilot_short %} to help you write code faster and more efficiently. For all the ways you can use {% data variables.product.prodname_copilot_short %}, see "[AUTOTITLE](/copilot/using-github-copilot)." {% data variables.product.prodname_copilot_short %} code suggestions and {% data variables.product.prodname_copilot_chat_short %} in your IDE is a great place to start.
To improve your {% data variables.product.prodname_copilot_short %} results, follow these prompt engineering strategies: "[AUTOTITLE](/copilot/using-github-copilot/prompt-engineering-for-github-copilot)."
## 6. Configure settings (optional)
## 5. Configure settings (optional)
All users can configure {% data variables.product.prodname_copilot_short %} settings in their IDE or in the CLI. See "[AUTOTITLE](/copilot/managing-copilot/configure-personal-settings/configuring-github-copilot-in-your-environment)" and "[AUTOTITLE](/copilot/managing-copilot/configure-personal-settings/configuring-github-copilot-in-the-cli)."
@@ -46,3 +40,9 @@ If you have your own subscription to {% data variables.product.prodname_copilot_
* **Install {% data variables.product.prodname_copilot_extensions_short %}** to integrate other tools with {% data variables.product.prodname_copilot_chat_short %}. See "[AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/installing-github-copilot-extensions-for-your-personal-account)."
* **Manage policies**. See "[AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/managing-copilot-policies-as-an-individual-subscriber)."
## 6. Start using {% data variables.product.prodname_copilot_short %}
Start using {% data variables.product.prodname_copilot_short %} to help you write code faster and more efficiently. For all the ways you can use {% data variables.product.prodname_copilot_short %}, see "[AUTOTITLE](/copilot/using-github-copilot)." {% data variables.product.prodname_copilot_short %} code suggestions and {% data variables.product.prodname_copilot_chat_short %} in your IDE is a great place to start.
To improve your {% data variables.product.prodname_copilot_short %} results, follow these prompt engineering strategies: "[AUTOTITLE](/copilot/using-github-copilot/prompt-engineering-for-github-copilot)."


@@ -0,0 +1,134 @@
date: '2024-07-10'
intro: |
{% warning %}
**Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.10.14-known-issues)" section of these release notes.
{% endwarning %}
sections:
security_fixes:
- |
**HIGH**: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of "have" and "want" lines for Git read operations. GitHub has requested CVE ID [CVE-2024-5795](https://www.cve.org/cverecord?id=CVE-2024-5795) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related {% data variables.product.pat_generic %}. GitHub has requested CVE ID [CVE-2024-5566](https://www.cve.org/cverecord?id=CVE-2024-5566) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID [CVE-2024-5816](https://www.cve.org/cverecord?id=CVE-2024-5816) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker's fork of their own repository. GitHub has requested CVE ID [CVE-2024-5815](https://nvd.nist.gov/vuln/detail/CVE-2024-5815) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could disclose the name of a private repository on the GitHub Enterprise Server appliance when the private repository has a deploy key associated to it. GitHub has requested CVE ID [CVE-2024-6395](https://www.cve.org/cverecord?id=CVE-2024-6395) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**LOW:** Instance administrators could see fine-grained {% data variables.product.pat_generic_plural %} in plaintext in the babeld and gitauth logs.
- |
**LOW:** An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**LOW:** An attacker could include MathJax syntax in Markdown to bypass GitHubs normal restrictions on CSS properties in Markdown. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**MEDIUM:** An attacker could disclose sensitive information from a private repository exploiting organization ruleset features. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. GitHub has requested CVE ID [CVE-2024-6336](https://www.cve.org/cverecord?id=CVE-2024-6336) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID [CVE-2024-5817](https://nvd.nist.gov/vuln/detail/CVE-2024-5817) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Firewall port 9199, which linked to a static maintenance page used when enabling maintenance mode with an IP exception list, was opened unnecessarily.
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
- |
In some cases, commands run in an administrative SSH shell were not written to the audit log.
- |
When an administrator submitted support data to GitHub Support, spokesd keys were incorrectly sanitized.
- |
When log forwarding was enabled, some specific service logs, including babeld, gitauth, unicorn, and resqued, were duplicated.
- |
During the initial boot of an instance, a data disk attached as `/dev/sdb` may not have been recognized as an available disk.
- |
In some cases, the HAProxy `kill_timeout` setting caused service outages during upgrades or large transactions.
- |
The `ssh-audit-log.sh` script did not effectively log SSH commands, and the `ghe-sanitize-log.psed` script inadequately sanitized password-related logs.
- |
The default MSSQL timeout of 8 seconds sometimes caused issues during administrator activities. The default timeout has been increased to 30 seconds.
- |
For an instance running on Microsoft Azure, the user disk service failed to start because the attached volume could not be found.
- |
Establishing a new GitHub Connect connection could fail with a 500 error.
- |
When using `ghe-migrator` to migrate a repository, the links for pull requests merge commits were not imported.
- |
In some cases, reading data from repositories with a large number of objects would result in timeout or error.
- |
When a user used the REST API endpoints that returned secret scanning alerts at the repository or organization level with non-cursor-based pagination (for example, without `before` or `after` query parameters), the REST API endpoints for secret scanning returned incorrect `Link` headers.
- |
On instances with SAML authentication configured, users were unable to sign out and became stuck in an infinite SAML SSO loop.
- |
Deleting a branch that was targeted by many pull requests could result in delayed job processing and increased system memory usage.
- |
On an instance that restricts emails to verified domains, secret scanning emails would sometimes be sent to an unverified domain.
- |
In some cases, on the "Files" tab of a pull request, a comment on the first line did not render.
- |
Some organizations were not recognized as part of an instance's enterprise account.
- |
Some users would encounter an error when navigating to their personal security settings page at `https://HOSTNAME/settings/security`.
- |
On the "Code scanning" page of a repository, the branch filter did not correctly display all branches.
- |
Users viewing the alerts index page experienced inconsistencies in rendering the closed alert state.
- |
Organizations named "C" were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
- |
When servers responded with unsupported characters, webhook deliveries were not displayed in the UI.
- |
Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.
- |
On an instance in a cluster configuration, the `ghe-spokesctl ssh` command did not select the correct Nomad container when running a command within a git repository.
- |
On an instance with a GitHub Advanced Security license, disabling and re-enabling GitHub Advanced Security for an organization resulted in redundant scans of some repositories.
changes:
- |
The timeout for requests made to the REST API endpoints for secret scanning has been extended.
- |
When a user changes a repository's visibility to public, the user is now warned that previous Actions history and logs will become public as well.
- |
When using the `ghe-webhook-logs` utility, webhook delivery logs can be filtered by event and action. Users can use `ghe-webhook-logs --event issues` to filter by event, or `ghe-webhook-logs --event issues.opened` to filter by event and action.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %}
- |
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %}
- |
{% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
- |
{% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %}
- |
After an administrator enables maintenance mode from the instance's Management Console UI using Firefox, the administrator is redirected to the Settings page, but maintenance mode is not enabled. To work around this issue, use a different browser.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.2023-10-actions-upgrade-bug %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**.
- |
_Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised._
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.


@@ -0,0 +1,156 @@
date: '2024-07-10'
sections:
security_fixes:
- |
**HIGH**: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of "have" and "want" lines for Git read operations. GitHub has requested CVE ID [CVE-2024-5795](https://www.cve.org/cverecord?id=CVE-2024-5795) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related {% data variables.product.pat_generic %}. GitHub has requested CVE ID [CVE-2024-5566](https://www.cve.org/cverecord?id=CVE-2024-5566) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID [CVE-2024-5816](https://www.cve.org/cverecord?id=CVE-2024-5816) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker's fork of their own repository. GitHub has requested CVE ID [CVE-2024-5815](https://nvd.nist.gov/vuln/detail/CVE-2024-5815) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could disclose the name of a private repository on the GitHub Enterprise Server appliance when the private repository has a deploy key associated to it. GitHub has requested CVE ID [CVE-2024-6395](https://www.cve.org/cverecord?id=CVE-2024-6395) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**LOW:** Instance administrators could see fine-grained {% data variables.product.pat_generic_plural %} in plaintext in the babeld and gitauth logs.
- |
**LOW:** An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**LOW:** An attacker could include MathJax syntax in Markdown to bypass GitHubs normal restrictions on CSS properties in Markdown. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**MEDIUM:** An attacker could disclose sensitive information from a private repository exploiting organization ruleset features. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. GitHub has requested CVE ID [CVE-2024-6336](https://www.cve.org/cverecord?id=CVE-2024-6336) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID [CVE-2024-5817](https://nvd.nist.gov/vuln/detail/CVE-2024-5817) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
- |
The threshold set by `server_rejoin_age_max` for single-node GHES deployments was too low.
- |
In some cases, commands run in an administrative SSH shell were not written to the audit log.
- |
When an administrator submitted support data to GitHub Support, spokesd keys were incorrectly sanitized.
- |
When log forwarding was enabled, some specific service logs, including babeld, gitauth, unicorn, and resqued, were duplicated.
- |
During the initial boot of an instance, a data disk attached as `/dev/sdb` may not have been recognized as an available disk.
- |
In a high availablity configuration, running `ghe-repl-node` multiple times from a node that did not have replication running had the potential to overwrite the configuration on the primary node.
- |
Configuration history is only generated for instances in a cluster, high availability (HA) cluster, or standalone HA configuration. The current node must be a primary or replica node with replication running.
- |
In some cases, the HAProxy `kill_timeout` setting caused service outages during upgrades or large transactions.
- |
The `ssh-audit-log.sh` script did not effectively log SSH commands, and the `ghe-sanitize-log.psed` script inadequately sanitized password-related logs.
- |
The default MSSQL timeout of 8 seconds sometimes caused issues during administrator activities. The default timeout has been increased to 30 seconds.
- |
For an instance running on Microsoft Azure, the user disk service failed to start because the attached volume could not be found.
- |
Establishing a new GitHub Connect connection could fail with a 500 error.
- |
When using `ghe-migrator` to migrate a repository, the links for pull requests merge commits were not imported.
- |
When a user used the REST API endpoints that returned secret scanning alerts at the repository or organization level with non-cursor-based pagination (for example, without `before` or `after` query parameters), the REST API endpoints for secret scanning returned incorrect `Link` headers.
- |
On certain branch names, the branch info bar was causing frozen string errors.
- |
On instances with SAML authentication configured, users were unable to sign out and became stuck in an infinite SAML SSO loop.
- |
On instances with SCIM enabled, the administrator was unable to view users without an external identity record (for example, because they were provisioned before SCIM was enabled on the instance) in stafftools.
- |
On instances enrolled in the SCIM private beta, built-in authentication users can be added to organizations and teams. Organization owners will no longer see the misleading message that the organization membership is managed by the SAML identity provider when updating organization memberships.
- |
Enterprise owners managed by an identity provider were asked to authenticate within GitHub when performing privileged actions.
- |
On an instance that restricts emails to verified domains, secret scanning emails would sometimes be sent to an unverified domain.
- |
In some cases, on the "Files" tab of a pull request, a comment on the first line did not render.
- |
Some organizations were not recognized as part of an instance's enterprise account.
- |
Some users would encounter an error when navigating to their personal security settings page at `https://HOSTNAME/settings/security`.
- |
The `SpokesSyncCacheReplicaJob` could not initialize in some cases, resulting in an exception when handling the error.
- |
On the "Code scanning" page of a repository, the branch filter did not correctly display all branches.
- |
When including a `.gitignore` or `README.md` file on repository creation failed due to a ruleset or pre-receive hook, no error message displayed.
- |
On an instance with a GitHub Advanced Security license, requests to the `/enterprises/{enterprise}/settings/billing/advanced-security` REST API endpoint could fail due to timeout.
- |
Users viewing the alerts index page experienced inconsistencies in rendering the closed alert state.
- |
Organizations named "C" were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
- |
On an instance with a GitHub Advanced Security license, commits made by users who do not belong to an organization were not counted.
- |
When servers responded with unsupported characters, webhook deliveries were not displayed in the UI.
- |
Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.
- |
On an instance in a cluster configuration, the `ghe-spokesctl ssh` command did not select the correct Nomad container when running a command within a Git repository.
- |
On an instance with a GitHub Advanced Security license, disabling and re-enabling GitHub Advanced Security for an organization resulted in redundant scans of some repositories.
- |
On an instance with a GitHub Advanced Security license, contributions were not tracked on public repositories.
- |
On an instance with a GitHub Advanced Security license, the "adjust configuration" step failed when enabling code scanning with the default setup on self-hosted Windows runners.
changes:
- |
In a high availability configuration, users can only run `ghe-config-apply` or `ghe-cluster-config-apply` on a replica node if replication is already running (from `ghe-repl-start`). If replication isnt running on the node, the user will be instructed to start replication.
- |
Configuration history has been extended. When `ghe-config-apply`, `ghe-cluster-config-apply`, or `ghe-config-archive` is run: `secrets.conf` is captured, a sha256sum for each of the current configuration files is included, the existing patch that is generated includes `secrets.conf`, and an additional sanitized patch that excludes `secrets.conf` is also generated.
- |
The timeout for requests made to the REST API endpoints for secret scanning has been extended.
- |
A more specific error message is shown when a non-provisioned user tried to sign in to an instance with SCIM enabled.
- |
When a user changes a repository's visibility to public, the user is now warned that previous Actions history and logs will become public as well.
- |
A more specific error message is shown when a deprovisioned user attempts signing into an instance with SCIM enabled.
- |
In the audit logs, administrators can see more context for failed user authentication attempts using LDAP.
- |
The system logs provide more context for authentication failures related to multi-factor authentication.
- |
When using the `ghe-webhook-logs` utility, webhook delivery logs can be filtered by event and action. Users can use `ghe-webhook-logs --event issues` to filter by event, or `ghe-webhook-logs --event issues.opened` to filter by event and action.
- |
To avoid excessive log volume and associated disk pressure, requests for `GetCacheKey` are no longer logged. Previously, the high frequency of these requests caused significant log accumulation.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
- |
The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**.
- |
_Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised._
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.


@@ -0,0 +1,162 @@
date: '2024-07-10'
sections:
security_fixes:
- |
**HIGH**: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of "have" and "want" lines for Git read operations. GitHub has requested CVE ID [CVE-2024-5795](https://www.cve.org/cverecord?id=CVE-2024-5795) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related {% data variables.product.pat_generic %}. GitHub has requested CVE ID [CVE-2024-5566](https://www.cve.org/cverecord?id=CVE-2024-5566) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID [CVE-2024-5816](https://www.cve.org/cverecord?id=CVE-2024-5816) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker's fork of their own repository. GitHub has requested CVE ID [CVE-2024-5815](https://nvd.nist.gov/vuln/detail/CVE-2024-5815) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could disclose the name of a private repository on the GitHub Enterprise Server appliance when the private repository has a deploy key associated to it. GitHub has requested CVE ID [CVE-2024-6395](https://www.cve.org/cverecord?id=CVE-2024-6395) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**LOW:** Instance administrators could see fine-grained {% data variables.product.pat_generic_plural %} in plaintext in the babeld and gitauth logs.
- |
**LOW:** An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**LOW:** An attacker could include MathJax syntax in Markdown to bypass GitHubs normal restrictions on CSS properties in Markdown. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**MEDIUM:** An attacker could disclose sensitive information from a private repository exploiting organization ruleset features. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. GitHub has requested CVE ID [CVE-2024-6336](https://www.cve.org/cverecord?id=CVE-2024-6336) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID [CVE-2024-5817](https://nvd.nist.gov/vuln/detail/CVE-2024-5817) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
- |
The `ghe-cluster-repl-status` command could be run on instance configurations other than high-availability clusters, resulting in an incorrect or incomplete status.
- |
The threshold set by `server_rejoin_age_max` for single-node GHES deployments was too low.
- |
In some cases, commands run in an administrative SSH shell were not written to the audit log.
- |
When an administrator submitted support data to GitHub Support, spokesd keys were incorrectly sanitized.
- |
When log forwarding was enabled, some specific service logs, including babeld, gitauth, unicorn, and resqued, were duplicated.
- |
During the initial boot of an instance, a data disk attached as `/dev/sdb` may not have been recognized as an available disk.
- |
In a high availablity configuration, running `ghe-repl-node` multiple times from a node that did not have replication running had the potential to overwrite the configuration on the primary node.
- |
Configuration history is only generated for instances in a cluster, high availability (HA) cluster, or standalone HA configuration. The current node must be a primary or replica node with replication running.
- |
In some cases, the HAProxy `kill_timeout` setting caused service outages during upgrades or large transactions.
- |
The `ssh-audit-log.sh` script did not effectively log SSH commands, and the `ghe-sanitize-log.psed` script inadequately sanitized password-related logs.
- |
The default MSSQL timeout of 8 seconds sometimes caused issues during administrator activities. The default timeout has been increased to 30 seconds.
- |
For an instance running on Microsoft Azure, the user disk service failed to start because the attached volume could not be found.
- |
Establishing a new GitHub Connect connection could fail with a 500 error.
- |
When using `ghe-migrator` to migrate a repository, the links for pull requests merge commits were not imported.
- |
When a user used the REST API endpoints that returned secret scanning alerts at the repository or organization level with non-cursor-based pagination (for example, without `before` or `after` query parameters), the REST API endpoints for secret scanning returned incorrect `Link` headers.
- |
On certain branch names, the branch info bar was causing frozen string errors.
- |
On instances with SAML authentication configured, users were unable to sign out and became stuck in an infinite SAML SSO loop.
- |
On instances with SCIM enabled, the administrator was unable to view users without an external identity record (for example, because they were provisioned before SCIM was enabled on the instance) in stafftools.
- |
After navigating to a discussion, the link underline for the Discussions tab in the GitHub UI incorrectly appeared under the Settings tab heading.
- |
On instances enrolled in the SCIM private beta, built-in authentication users can be added to organizations and teams. Organization owners will no longer see the misleading message that the organization membership is managed by the SAML identity provider when updating organization memberships.
- |
Enterprise owners managed by an identity provider were asked to authenticate within GitHub when performing privileged actions.
- |
On an instance that restricts emails to verified domains, secret scanning emails would sometimes be sent to an unverified domain.
- |
In some cases, on the "Files" tab of a pull request, a comment on the first line did not render.
- |
Some organizations were not recognized as part of an instance's enterprise account.
- |
Some users would encounter an error when navigating to their personal security settings page at `https://HOSTNAME/settings/security`.
- |
The `SpokesSyncCacheReplicaJob` could not initialize in some cases, resulting in an exception when handling the error.
- |
In the sidebar menu that is displayed when a user clicks their profile picture, users who are not enterprise owners saw an "Enterprise settings" option, linking to the main page of an enterprise. This option is now labeled "Your enterprise".
- |
On the "Code scanning" page of a repository, the branch filter did not correctly display all branches.
- |
When including a `.gitignore` or `README.md` file on repository creation failed due to a ruleset or pre-receive hook, no error message displayed.
- |
On an instance with a GitHub Advanced Security license, requests to the `/enterprises/{enterprise}/settings/billing/advanced-security` REST API endpoint could fail due to timeout.
- |
On some instances, users were unable to save historical insights charts for Projects.
- |
The setting to enable or view non-provider patterns was not available for public repositories.
- |
Users viewing the alerts index page experienced inconsistencies in rendering the closed alert state.
- |
Organizations named "C" were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
- |
On an instance with a GitHub Advanced Security license, commits made by users who do not belong to an organization were not counted.
- |
When servers responded with unsupported characters, webhook deliveries were not displayed in the UI.
- |
Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.
- |
On an instance in a cluster configuration, the `ghe-spokesctl ssh` command did not select the correct Nomad container when running a command within a Git repository.
- |
On an instance with a GitHub Advanced Security license, disabling and re-enabling GitHub Advanced Security for an organization resulted in redundant scans of some repositories.
- |
On an instance with a GitHub Advanced Security license, contributions were not tracked on public repositories.
- |
On an instance with a GitHub Advanced Security license, the "adjust configuration" step failed when enabling code scanning with the default setup on self-hosted Windows runners.
changes:
- |
In a high availability configuration, users can only run `ghe-config-apply` or `ghe-cluster-config-apply` on a replica node if replication is already running (from `ghe-repl-start`). If replication isnt running on the node, the user will be instructed to start replication.
- |
Configuration history has been extended. When `ghe-config-apply`, `ghe-cluster-config-apply`, or `ghe-config-archive` is run: `secrets.conf` is captured, a sha256sum for each of the current configuration files is included, the existing patch that is generated includes `secrets.conf`, and an additional sanitized patch that excludes `secrets.conf` is also generated.
- |
The timeout for requests made to the REST API endpoints for secret scanning has been extended.
- |
A more specific error message is shown when a non-provisioned user tried to sign in to an instance with SCIM enabled.
- |
When a user changes a repository's visibility to public, the user is now warned that previous Actions history and logs will become public as well.
- |
A more specific error message is shown when a deprovisioned user attempts signing into an instance with SCIM enabled.
- |
In the audit logs, administrators can see more context for failed user authentication attempts using LDAP.
- |
The system logs provide more context for authentication failures related to multi-factor authentication.
- |
When using the `ghe-webhook-logs` utility, webhook delivery logs can be filtered by event and action. Users can use `ghe-webhook-logs --event issues` to filter by event, or `ghe-webhook-logs --event issues.opened` to filter by event and action.
- |
To avoid excessive log volume and associated disk pressure, requests for `GetCacheKey` are no longer logged. Previously, the high frequency of these requests caused significant log accumulation.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
- |
The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**.
- |
_Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised._
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.


@@ -0,0 +1,162 @@
date: '2024-07-10'
sections:
security_fixes:
- |
**HIGH**: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of "have" and "want" lines for Git read operations. GitHub has requested CVE ID [CVE-2024-5795](https://www.cve.org/cverecord?id=CVE-2024-5795) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related {% data variables.product.pat_generic %}. GitHub has requested CVE ID [CVE-2024-5566](https://www.cve.org/cverecord?id=CVE-2024-5566) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID [CVE-2024-5816](https://www.cve.org/cverecord?id=CVE-2024-5816) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker's fork of their own repository. GitHub has requested CVE ID [CVE-2024-5815](https://nvd.nist.gov/vuln/detail/CVE-2024-5815) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could disclose the name of a private repository on the GitHub Enterprise Server appliance when the private repository has a deploy key associated to it. GitHub has requested CVE ID [CVE-2024-6395](https://www.cve.org/cverecord?id=CVE-2024-6395) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**LOW:** Instance administrators could see fine-grained {% data variables.product.pat_generic_plural %} in plaintext in the babeld and gitauth logs.
- |
**LOW:** An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**LOW:** An attacker could include MathJax syntax in Markdown to bypass GitHubs normal restrictions on CSS properties in Markdown. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**MEDIUM:** An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID [CVE-2024-5817](https://nvd.nist.gov/vuln/detail/CVE-2024-5817) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
An attacker could access previously executed private required workflows by changing the repository visibility from private to public. This occurred despite the repositories with the required workflows remaining private. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
A user without the enterprise owner role could view all secret scanning alerts for user-owned repositories using the REST API. Alerts in user-owned repositories are now properly restricted to only be visible to enterprise owners.
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
- |
The `ghe-cluster-repl-status` command could be run on instance configurations other than high-availability clusters, resulting in an incorrect or incomplete status.
- |
The threshold set by `server_rejoin_age_max` for single-node GHES deployments was too low.
- |
On an instance in a cluster configuration, former primary nodes were able to access the newly promoted nodes after failover.
- |
In some cases, commands run in an administrative SSH shell were not written to the audit log.
- |
When an administrator submitted support data to GitHub Support, spokesd keys were incorrectly sanitized.
- |
When log forwarding was enabled, some specific service logs, including babeld, gitauth, unicorn, and resqued, were duplicated.
- |
During the initial boot of an instance, a data disk attached as `/dev/sdb` may not have been recognized as an available disk.
- |
In a high availablity configuration, running `ghe-repl-node` multiple times from a node that didnt have replication running had the potential to overwrite the configuration on the primary node.
- |
Configuration history is only generated for instances in a cluster, high availability (HA) cluster, or standalone HA configuration. The current node must be a primary or replica node with replication running.
- |
In some cases, the HAProxy `kill_timeout` setting caused service outages during upgrades or large transactions.
- |
The `ssh-audit-log.sh` script did not effectively log SSH commands, and the `ghe-sanitize-log.psed` script inadequately sanitized password-related logs.
- |
For an instance running on Microsoft Azure, the user disk service failed to start because the attached volume could not be found.
- |
When analyzing a repository with code scanning, the extractor logs only contained warnings and errors for some languages.
- |
The `GitHub Desktop` option in the `Open with...` edit menu was not shown unless `github.dev` was also enabled.
- |
When transferring a repository, the required properties for one organization continued to be displayed even after a user chose a different owner.
- |
Establishing a new GitHub Connect connection could fail with a 500 error.
- |
When using `ghe-migrator` to migrate a repository, the links for pull requests merge commits were not imported.
- |
When a user used the REST API endpoints that returned secret scanning alerts at the repository or organization level with non-cursor-based pagination (for example, without `before` or `after` query parameters), the REST API endpoints for secret scanning returned incorrect `Link` headers.
- |
On certain branch names, the branch info bar was causing frozen string errors.
- |
On instances with SAML authentication configured, users were unable to sign out and became stuck in an infinite SAML SSO loop.
- |
On instances with SCIM enabled, the administrator was unable to view users without an external identity record (for example, because they were provisioned before SCIM was enabled on the instance) in stafftools.
- |
On instances enrolled in the SCIM private beta, built-in authentication users can be added to organizations and teams. Organization owners will no longer see the misleading message that the organization membership is managed by the SAML identity provider when updating organization memberships.
- |
Enterprise owners managed by an identity provider were asked to authenticate within GitHub when performing privileged actions.
- |
On an instance that restricts emails to verified domains, secret scanning emails would sometimes be sent to an unverified domain.
- |
In some cases, on the "Files" tab of a pull request, a comment on the first line did not render.
- |
Some organizations were not recognized as part of an instance's enterprise account.
- |
Some users would encounter an error when navigating to their personal security settings page at `https://HOSTNAME/settings/security`.
- |
The `SpokesSyncCacheReplicaJob` could not initialize in some cases, resulting in an exception when handling the error.
- |
In the sidebar menu that is displayed when a user clicks their profile picture, users who are not enterprise owners saw an "Enterprise settings" option, linking to the main page of an enterprise. This option is now labeled "Your enterprise".
- |
On the "Code scanning" page of a repository, the branch filter did not correctly display all branches.
- |
The video player did not load a video that was uploaded to an issue.
- |
The warning message `irb: warn: cant alias delete from irb_delete` would appear during Support Bundle creation and upload.
- |
When including a `.gitignore` or `README.md` file on repository creation failed due to a ruleset or pre-receive hook, no error message displayed.
- |
On an instance with a GitHub Advanced Security license, requests to the `/enterprises/{enterprise}/settings/billing/advanced-security` REST API endpoint could fail due to timeout.
- |
The global enterprise overview page contained a "Give feedback" link that was only intended for GitHub Enterprise Cloud.
- |
Organizations named "C" were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
- |
On an instance with a GitHub Advanced Security license, commits made by users who do not belong to an organization were not counted.
- |
Due to a regression, adding `../` when editing a files name did not result in the file being moved up a directory level.
- |
When servers responded with unsupported characters, webhook deliveries were not displayed in the UI.
- |
Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.
- |
On an instance in a cluster configuration, the `ghe-spokesctl ssh` command did not select the correct Nomad container when running a command within a git repository.
- |
On an instance with a GitHub Advanced Security license, contributions were not tracked on public repositories.
- |
The "Adjust configuration" step failed when enabling code scanning with default setup on self-hosted Windows runners.
changes:
- |
In a high availability configuration, users can only run `ghe-config-apply` or `ghe-cluster-config-apply` on a replica node if replication is already running (from `ghe-repl-start`). If replication isnt running on the node, the user will be instructed to start replication.
- |
Configuration history has been extended. When `ghe-config-apply`, `ghe-cluster-config-apply`, or `ghe-config-archive` is run: `secrets.conf` is captured, a sha256sum for each of the current configuration files is included, the existing patch that is generated includes `secrets.conf`, and an additional sanitized patch that excludes `secrets.conf` is also generated.
- |
The timeout for requests made to the REST API endpoints for secret scanning has been extended.
- |
A more specific error message is shown when a non-provisioned user tried to sign in to an instance with SCIM enabled.
- |
A more specific error message is shown when a deprovisioned user attempts signing into an instance with SCIM enabled.
- |
In the audit logs, administrators can see more context for failed user authentication attempts using LDAP.
- |
The system logs provide more context for authentication failures related to multi-factor authentication.
- |
When using the `ghe-webhook-logs` utility, webhook delivery logs can be filtered by event and action. Users can use `ghe-webhook-logs --event issues` to filter by event, or `ghe-webhook-logs --event issues.opened` to filter by event and action.
- |
To avoid excessive log volume and associated disk pressure, requests for `GetCacheKey` are no longer logged. Previously, the high frequency of these requests caused significant log accumulation.
known_issues:
- |
TODO: Add finalized release note for https://github.com/github/ghes/issues/9451.
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
- |
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
- |
`TokenScanningServiceMetricsApiError` errors may appear after the upgrade.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Memory utilization may increase after the upgrade. During periods of high traffic, interruptions in service may occur due to insufficient memory allocations for internal components.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.


@@ -0,0 +1,116 @@
date: '2024-07-10'
intro: |
{% warning %}
**Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.9.17-known-issues)" section of these release notes.
{% endwarning %}
sections:
security_fixes:
- |
**HIGH**: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of "have" and "want" lines for Git read operations. GitHub has requested CVE ID [CVE-2024-5795](https://www.cve.org/cverecord?id=CVE-2024-5795) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related {% data variables.product.pat_generic %}. GitHub has requested CVE ID CVE-2024-5566 for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID [CVE-2024-5816](https://www.cve.org/cverecord?id=CVE-2024-5816) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker's fork of their own repository. GitHub has requested CVE ID [CVE-2024-5815](https://nvd.nist.gov/vuln/detail/CVE-2024-5815) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could disclose sensitive information from a private repository exploiting organization ruleset features. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. GitHub has requested CVE ID [CVE-2024-6336](https://www.cve.org/cverecord?id=CVE-2024-6336) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
- |
**MEDIUM:** An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID [CVE-2024-5817](https://nvd.nist.gov/vuln/detail/CVE-2024-5817) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**LOW:** An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
**LOW:** An attacker could include MathJax syntax in Markdown to bypass GitHubs normal restrictions on CSS properties in Markdown. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
- |
Firewall port 9199, which linked to a static maintenance page used when enabling maintenance mode with an IP exception list, was opened unnecessarily.
bugs:
- |
On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
- |
The memory limit for a Redis job was too low in some cases, causing the process to run out of memory.
- |
In some cases, commands run in an administrative SSH shell were not written to the audit log.
- |
When an administrator submitted a support data to GitHub Support, spokesd keys were incorrectly sanitized.
- |
When log forwarding was enabled, some specific service logs, including babeld, gitauth, unicorn, and resqued, were duplicated.
- |
During the initial boot of an instance, a data disk attached as `/dev/sdb` may not have been recognized as an available disk.
- |
In some cases, the HAProxy `kill_timeout` setting caused service outages during upgrades or large transactions.
- |
The `ssh-audit-log.sh` script did not effectively log SSH commands, and the `ghe-sanitize-log.psed` script inadequately sanitized password-related logs
- |
The default MSSQL timeout of 8 seconds sometimes caused issues during administrator activities. The default timeout has been increased to 30 seconds.
- |
For an instance running on Microsoft Azure, the user disk service failed to start because the attached volume could not be found.
- |
Establishing a new GitHub Connect connection could fail with a 500 error.
- |
When using `ghe-migrator` to migrate a repository, the links for pull requests merge commits were not imported.
- |
In some cases, reading data from repositories with a large number of objects would result in timeout or error.
- |
On an instance that restricts emails to verified domains, secret scanning emails would sometimes be sent to an unverified domain.
- |
In some cases, on the "Files" tab of a pull request, a comment on the first line did not render.
- |
Some organizations were not recognized as part of an instance's enterprise account.
- |
On the "Code scanning" page of a repository, the branch filter did not correctly display all branches.
- |
Users viewing the alerts index page experienced inconsistencies in rendering the closed alert state.
- |
Organizations named "C" were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
- |
Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.
- |
On an instance in a cluster configuration, the `ghe-spokesctl ssh` command did not select the correct Nomad container when running a command within a git repository.
- |
On an instance with a GitHub Advanced Security license, disabling and re-enabling GitHub Advanced Security for an organization resulted in redundant scans of some repositories.
changes:
- |
When a user changes a repository's visibility to public, the user is now warned that previous Actions history and logs will become public as well.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
When enabling CodeQL via default setup [at scale](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale), some checks related to GitHub Actions are omitted, potentially preventing the process from completing.
- |
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %}
- |
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %}
- |
{% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
- |
{% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %}
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.2023-10-actions-upgrade-bug %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**.
- |
_Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised._
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.


@@ -1,5 +1,5 @@
1. In the upper-right corner of any page, click your profile photo, then click **{% octicon "copilot" aria-hidden="true" %} Your {% data variables.product.prodname_copilot_short %}**.
1. On the {% data variables.product.prodname_copilot %} settings page, click **Start free trial**.
1. On the {% data variables.product.prodname_copilot %} settings page, click **Start free trial**. If you are not eligible for a free trial because you have already used the free trial or because you were part of the technical preview, you will be prompted to subscribe to {% data variables.product.prodname_copilot_short %} instead.
1. Choose whether you want to pay monthly or yearly, and click **Get access to {% data variables.product.prodname_copilot %}**.
If your personal account meets the criteria for a free {% data variables.product.prodname_copilot %} subscription instead of a trial or paid subscription, you will automatically be taken to step 5.
@@ -7,4 +7,6 @@
1. Follow the steps to enter and confirm your payment details, then click **Submit**.
1. Select your preferences, then click **Save and complete setup**.
You can change these preferences at a later time by returning to your {% data variables.product.prodname_copilot %} settings. For more information, see "[AUTOTITLE](/copilot/configuring-github-copilot/configuring-github-copilot-in-your-environment?tool=vscode#configuring-your-personal-github-copilot-settings-on-githubcom)."
The **Suggestions matching public code** preference controls whether {% data variables.product.prodname_copilot_short %} will provide code completion suggestions that match publicly available code.
For details about the preferences, see "[AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/managing-copilot-policies-as-an-individual-subscriber)." You can change the preferences at any time.


@@ -0,0 +1,6 @@
{% ifversion code-scanning-autofix or fpt %}
> [!NOTE]
> {% data variables.product.prodname_dotcom %} autofix for {% data variables.product.prodname_code_scanning %} is in beta. Functionality and documentation are subject to change. During this phase, the feature is restricted to alerts identified by {% data variables.product.prodname_codeql %} for private and internal repositories. If you have an enterprise account and use {% data variables.product.prodname_GH_advanced_security %}, your enterprise has access to the beta.
{% endif %}


@@ -1,6 +0,0 @@
{% ifversion code-scanning-autofix or fpt %}
> [!NOTE]
> {% data variables.product.prodname_dotcom %} autofix for {% data variables.product.prodname_code_scanning %} is in beta. Functionality and documentation are subject to change. During this phase, the feature is restricted to C#, C/C++, Go, Java/Kotlin, JavaScript/TypeScript, Python, and Ruby alerts identified by {% data variables.product.prodname_codeql %} for private and internal repositories. If you have an enterprise account and use {% data variables.product.prodname_GH_advanced_security %}, your enterprise has access to the beta.
{% endif %}


@@ -13,8 +13,10 @@ no_build_support: 'Java{% ifversion codeql-no-build-csharp %} and C#{% endif %}'
compiled_languages: 'C/C++, C#, {% ifversion codeql-go-autobuild %} Go,{% endif %} {% ifversion codeql-swift-beta %} Java, and Swift{% else %} and Java{% endif %}'
# List of languages where the libraries support expansion using CodeQL model packs at the repository level.
codeql_model_packs_support: '{% ifversion fpt or ghec or ghes > 3.12 %}C#, Java/Kotlin, and Ruby{% elsif ghes > 3.10 %}Java/Kotlin{% endif %}'
# List of that allow threat models to be configurable for code scanning
code_scanning_threat_model_support: 'Java/Kotlin{% ifversion fpt or ghec or ghes > 3.12 %} and C#{% endif %}'
# List of languages that Copilot Autofix Agent supports
code_scanning_autofix_languages: ' C#, C/C++, Go, Java/Kotlin, Swift, JavaScript/TypeScript, Python, and Ruby'
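Review bot: The new `code_scanning_autofix_languages` value starts with a space inside the quotes (`' C#, C/C++, …'`), so every sentence the docs build from this variable will carry a stray leading space wherever it is interpolated; change it to `code_scanning_autofix_languages: 'C#, C/C++, Go, Java/Kotlin, Swift, JavaScript/TypeScript, Python, and Ruby'`. The list also places Swift between Java/Kotlin and JavaScript/TypeScript, which breaks the roughly alphabetical order the neighbouring `compiled_languages` entry uses — cosmetic, but worth aligning while touching the line. The comment above it could name the consumer so the next editor knows the value is rendered verbatim: `# List of languages that Copilot Autofix supports; rendered verbatim in reusables, so no leading/trailing whitespace`.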


@@ -58,28 +58,6 @@ import { program } from 'commander'
import { getSupportedQueries } from '@github/cocofix/dist/querySuites.js' // eslint-disable-line import/no-extraneous-dependencies
import { type Language } from '@github/cocofix/dist/codeql' // eslint-disable-line import/no-extraneous-dependencies
/**
* The list of languages for which autofix support has (publicly) shipped.
*
* We don't want to add documentation about autofix support for languages that have not shipped.
*
* Note that this is conceptually different from the list of languages for which we support autofix:
* some languages are supported, but only staff-shipped internally (currently, `go` and `ruby`).
*
* Supporting a language is a technical decision, and reflected in the list of supported queries
* returned by `getSupportedQueries`. Shipping a language, on the other hand, is a product decision,
* and is implemented by a feature flag in the monolith, so we cannot easily check it here.
*
* Instead we hard-code the list of shipped languages here and manually keep it in sync with
* https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#supported-languages.
* This sounds worse than it is, since CodeQL only supports a total of eight languages
* and we are on track to ship autofix support for all of them in the next few months.
*
* Note that we never publicly ship a language for which we don't have autofix support, so if a language
* has been shipped, we know for sure that it is supported.
*/
const AUTOFIX_SHIPPED_LANGUAGES = ['csharp', 'java', 'javascript', 'python', 'go', 'ruby', 'cpp']
program
.description('Generate a reusable Markdown for for a code scanning query language')
.option('--verbose', 'Verbose outputs')
@@ -213,20 +191,14 @@ async function main(options: Options, language: string) {
return a.name.localeCompare(b.name)
})
// Omit the 'Autofix' column if the language has not been shipped
const includeAutofix = AUTOFIX_SHIPPED_LANGUAGES.includes(language)
console.warn(`${includeAutofix ? 'Including' : 'Excluding'} 'Autofix' column for ${language}`)
printQueries(options, entries, includeAutofix)
printQueries(options, entries)
}
function printQueries(options: Options, queries: QueryExtended[], includeAutofix: boolean) {
function printQueries(options: Options, queries: QueryExtended[]) {
const markdown: string[] = []
markdown.push('{% rowheaders %}')
markdown.push('') // blank line
const header = ['Query name', 'Related CWEs', 'Default', 'Extended']
if (includeAutofix) {
header.push('Autofix')
}
const header = ['Query name', 'Related CWEs', 'Default', 'Extended', 'Autofix']
markdown.push(`| ${header.join(' | ')} |`)
markdown.push(`| ${header.map(() => '---').join(' | ')} |`)
@@ -238,10 +210,7 @@ function printQueries(options: Options, queries: QueryExtended[], includeAutofix
const defaultIcon = query.inDefault ? includedOcticon : notIncludedOcticon
const extendedIcon = query.inExtended ? includedOcticon : notIncludedOcticon
const autofixIcon = query.inAutofix ? includedOcticon : notIncludedOcticon
const row = [markdownLink, query.cwes.join(', '), defaultIcon, extendedIcon]
if (includeAutofix) {
row.push(autofixIcon)
}
const row = [markdownLink, query.cwes.join(', '), defaultIcon, extendedIcon, autofixIcon]
markdown.push(`| ${row.join(' | ')} |`)
}
markdown.push('') // blank line
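Review bot: The rewritten `printQueries` (new signature on the `function printQueries(options: Options, queries: QueryExtended[])` line) now emits the Autofix column unconditionally, but the same change deletes the header comment that recorded why the column used to be gated — shipping a language was a product/feature-flag decision distinct from query support — and nothing in the new code says where that decision now lives or that `query.inAutofix` is the only input. A one-line comment above the `const header = [...]` line would keep the next maintainer from re-adding a gate or documenting autofix for a language that is supported but not shipped: `// 'Autofix' reflects query support reported by getSupportedQueries; the publicly shipped language list is maintained in the code_scanning_autofix_languages docs variable, not in this script.` I am inferring that variable is the intended source of truth from the YAML change in the same sync — confirm. If the old `// Omit the 'Autofix' column if the language has not been shipped` comment survives on the new side (the rendered view drops the +/- markers, so I cannot tell), it is now stale and should be removed. `main` starts outside this hunk.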


@@ -100,7 +100,9 @@ describe('GitHub Actions workflows', () => {
'scheduled workflows slack alert on fail $filename',
({ filename, data }) => {
for (const [name, job] of Object.entries(data.jobs)) {
if (!job.steps.find((step) => step.uses === './.github/actions/slack-alert')) {
if (
!job.steps.find((step) => step.uses && step.uses.endsWith('.github/actions/slack-alert'))
) {
throw new Error(`Job $(unknown) # ${name} missing slack alert on fail`)
}
}
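Review bot: The new condition on the `step.uses && step.uses.endsWith('.github/actions/slack-alert')` line relaxes an exact-path check to a suffix match, so any `uses:` value that merely ends in that string — an action under another checked-out repository or a third-party path with the same tail — now satisfies a test whose purpose is to guarantee our own alert step runs on failure. Presumably the relaxation is meant to admit a sub-directory checkout such as `./<dir>/.github/actions/slack-alert`; if so, anchor it to a local path instead: `const isSlackAlert = (step) => typeof step.uses === 'string' && /^\.\/(?:[^/]+\/)?\.github\/actions\/slack-alert$/.test(step.uses)` and `if (!job.steps.find(isSlackAlert)) {`. The `typeof` guard also covers a non-string `uses` value, which the bare `step.uses &&` truthiness check does not. The enclosing test callback begins before this hunk.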