Enabling delegated alert dismissal for code scanning and secret scanning (#54623)

Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
2025-12-19 18:10:59 -05:00 · 2025-03-05 17:54:21 +01:00
parent 75040dcdf2
commit 742a8c1a1b
9 changed files with 109 additions and 0 deletions
--- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning.md
@@ -0,0 +1,41 @@
+---
+title: Enabling delegated alert dismissal for code scanning
+intro: 'You can use delegated alert dismissal to control who can dismiss an alert found by {% data variables.product.prodname_code_scanning %}.'
+permissions: '{% data reusables.permissions.delegated-alert-dismissal %}'
+versions:
+  feature: security-delegated-alert-dismissal
+type: how_to
+topics:
+  - Code scanning
+  - Advanced Security
+  - Alerts
+  - Repositories
+shortTitle: Enable delegated alert dismissal
+---
+
+## About enabling delegated alert dismissal
+
+{% data reusables.code-scanning.delegated-alert-dismissal-beta %}
+
+{% data reusables.security.delegated-alert-dismissal-intro %}
+
+## Configuring delegated dismissal for a repository
+
+>[!NOTE] If an organization owner configures delegated alert dismissal via an enforced security configuration, the settings can't be changed at the repository level.
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+{% data reusables.repositories.navigate-to-ghas-settings %}
+
+1. Under "{% data variables.product.prodname_code_scanning_caps %}", toggle the option "Prevent direct alert dismissals".
+
+## Configuring delegated dismissal for an organization
+
+You must configure delegated dismissal for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.
+
+1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration).
+1. When creating the custom security configuration, under "{% data variables.product.prodname_code_scanning_caps %}", set "Prevent direct alert dismissals" to **Enabled**.
+1. Click **Save configuration**.
+1. Apply the security configuration to all (or selected) repositories in your organization. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration).
+
+To learn more about security configurations, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale).
--- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md
@@ -15,6 +15,7 @@ children:
  - /about-the-tool-status-page
  - /editing-your-configuration-of-default-setup
  - /set-code-scanning-merge-protection
+  - /enabling-delegated-alert-dismissal-for-code-scanning
  - /codeql-query-suites
  - /configuring-larger-runners-for-default-setup
  - /viewing-code-scanning-logs
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning.md
@@ -0,0 +1,41 @@
+---
+title: Enabling delegated alert dismissal for secret scanning
+intro: 'You can use delegated alert dismissal to control who can dismiss an alert found by {% data variables.product.prodname_secret_scanning %}.'
+permissions: '{% data reusables.permissions.delegated-alert-dismissal %}'
+versions:
+  feature: security-delegated-alert-dismissal
+type: how_to
+topics:
+  - Secret scanning
+  - Advanced Security
+  - Alerts
+  - Repositories
+shortTitle: Enable delegated alert dismissal
+---
+
+## About enabling delegated alert dismissal
+
+{% data reusables.secret-scanning.delegated-alert-dismissal-beta %}
+
+{% data reusables.security.delegated-alert-dismissal-intro %}
+
+## Configuring delegated dismissal for a repository
+
+>[!NOTE] If an organization owner configures delegated alert dismissal via an enforced security configuration, the settings can't be changed at the repository level.
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+{% data reusables.repositories.navigate-to-ghas-settings %}
+
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", toggle the option "Prevent direct alert dismissals".
+
+## Configuring delegated dismissal for an organization
+
+You must configure delegated dismissal for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.
+
+1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration).
+1. When creating the custom security configuration, under "{% data variables.product.prodname_secret_scanning_caps %}", ensure that the dropdown menus for "Alerts" and "Prevent direct alert dismissals" are set to **Enabled**.
+1. Click **Save configuration**.
+1. Apply the security configuration to all (or selected) repositories in your organization. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration).
+
+To learn more about security configurations, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale).
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -17,4 +17,5 @@ children:
  - /non-provider-patterns
  - /custom-patterns
  - /delegated-bypass-for-push-protection
+  - /enabling-delegated-alert-dismissal-for-secret-scanning
 ---
--- a/data/features/security-delegated-alert-dismissal.yml
+++ b/data/features/security-delegated-alert-dismissal.yml
@@ -0,0 +1,3 @@
+versions:
+  ghec: '*'
+  ghes: '>3.16'
--- a/data/reusables/code-scanning/delegated-alert-dismissal-beta.md
+++ b/data/reusables/code-scanning/delegated-alert-dismissal-beta.md
@@ -0,0 +1,6 @@
+{% ifversion security-delegated-alert-dismissal %}
+
+> [!NOTE]
+> The ability to use delegated alert dismissal for {% data variables.product.prodname_code_scanning %} is currently in {% data variables.release-phases.public_preview %} and subject to change.
+
+{% endif %}
--- a/data/reusables/permissions/delegated-alert-dismissal.md
+++ b/data/reusables/permissions/delegated-alert-dismissal.md
@@ -0,0 +1 @@
+Organization owners, security managers, and repository administrators can enable delegated alert dismissals. Once enabled, organization owners and security managers can dismiss alerts.
--- a/data/reusables/secret-scanning/delegated-alert-dismissal-beta.md
+++ b/data/reusables/secret-scanning/delegated-alert-dismissal-beta.md
@@ -0,0 +1,6 @@
+{% ifversion security-delegated-alert-dismissal %}
+
+> [!NOTE]
+> The ability to use delegated alert dismissal for {% data variables.product.prodname_secret_scanning %} is currently in {% data variables.release-phases.public_preview %} and subject to change.
+
+{% endif %}
--- a/data/reusables/security/delegated-alert-dismissal-intro.md
+++ b/data/reusables/security/delegated-alert-dismissal-intro.md
@@ -0,0 +1,9 @@
+Delegated alert dismissal lets you restrict which users can directly dismiss an alert. When enabled, users attempting to dismiss an alert will instead create a request for dismissal.
+When this happens, security managers and organization owners will be notified via email so they can review the request and approve it or deny it. The alert will only be dismissed if the dismissal request is approved; otherwise, the alert will remain open.
+
+When you enable this feature, only security managers and organization owners will be able to approve or deny dismissal requests for alerts.
+This might create friction and you should ensure to have sufficient coverage in your security managers team before you start.
+
+In addition, dismissal request emails are sent to all organization owners and security managers. Be sure to review these lists periodically to ensure that these are the correct people to take action on these requests.
+
+To learn more about the security manager role, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization).
				`@@ -0,0 +1 @@`
				`Organization owners, security managers, and repository administrators can enable delegated alert dismissals. Once enabled, organization owners and security managers can dismiss alerts.`