[3 releases] Security campaigns for secret scanning alerts, and code/secret alert assignees (#57592)

Co-authored-by: Laura Coursen <lecoursen@github.com> Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
2025-12-19 18:10:59 -05:00 · 2025-09-23 16:25:36 +01:00
parent 3321203cdf
commit 84d8eeb49e
22 changed files with 208 additions and 51 deletions
--- a/assets/images/help/security/security-campaigns-tracking-overview-2tabs.png
+++ b/assets/images/help/security/security-campaigns-tracking-overview-2tabs.png
--- a/assets/images/help/security/security-campaigns-tracking-overview-code-only.png
+++ b/assets/images/help/security/security-campaigns-tracking-overview-code-only.png
--- a/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md
@@ -37,6 +37,7 @@ By default, the {% data variables.product.prodname_code_scanning %} alerts page
   ![Screenshot of a {% data variables.product.prodname_code_scanning %} alert. The "Show paths" and "Show more" links are outlined in dark orange.](/assets/images/help/repository/code-scanning-alert-details.png)
 1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.
 {% data reusables.security.alert-assignee-step %}
 For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts).
--- a/content/code-security/code-scanning/managing-code-scanning-alerts/best-practices-for-participating-in-a-security-campaign.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/best-practices-for-participating-in-a-security-campaign.md
@@ -1,7 +1,7 @@
 ---
-title: Best practices for participating in a security campaign
+title: Best practices for participating in a code security campaign
 shortTitle: Best practices for campaigns
-intro: 'Learn how you can successfully take part in a security campaign and how it can benefit your career as well as your code.'
+intro: 'Learn how you can successfully take part in a security campaign for {% data variables.product.prodname_code_scanning %} alerts and how it can benefit your career as well as your code.'
 allowTitleToDifferFromFilename: true
 permissions: '{% data reusables.permissions.code-scanning-all-alerts %}'
 product: '{% data reusables.gated-features.security-campaigns %}'
@@ -15,9 +15,9 @@ topics:
  - Repositories
 ---
-## What is a security campaign
+## What is a code security campaign
-A security campaign is a group of security alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation.
+A security campaign is a group of {% data variables.product.prodname_code_scanning %} alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation.
 You can take part in a security campaign by fixing one or more of the alerts included in the campaign.
@@ -40,6 +40,8 @@ Adopting a few key best practices can help you participate successfully in a cam
 You'll automatically receive email updates about security campaigns for any repositories you have **write** access to, so you can stay informed about relevant updates.
 {% data reusables.security.alert-assignee-mention %}
 ### View campaign details
 When you open the **Security** tab for a repository with one or more campaign alerts, you can see the campaign name in the sidebar of the view. Click the campaign name to see the list of alerts included in the campaign and summary information on how the campaign is progressing.
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -95,6 +95,7 @@ Alerts for {% data variables.product.prodname_secret_scanning %} are displayed u
   > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}
   {% endif %}
 {% data reusables.security.alert-assignee-step %}
 ## Filtering alerts
--- a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md
+++ b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md
@@ -5,22 +5,27 @@ intro: 'You can fix security alerts at scale by creating security campaigns and
 product: '{% data reusables.gated-features.security-campaigns %}'
 allowTitleToDifferFromFilename: true
 type: overview
 audience:
  - driver
 contentType: concepts
 versions:
  feature: security-campaigns
 topics:
  - Code Security
  - Secret Protection
  - Organizations
  - Security
 ---
-Once you have identified security alerts in the default branches of your repositories, the next step is to identify the most urgent alerts and get them fixed. Security campaigns are a way to group alerts and share them with developers, so you can collaborate to remediate vulnerabilities in the code.
+Once you have identified security alerts the next step is to identify the most urgent alerts and get them fixed. Security campaigns are a way to group alerts and share them with developers, so you can collaborate to remediate vulnerabilities in the code{% ifversion security-campaigns-secrets %} and any exposed secrets{% endif %}.
 ## Security campaigns in your day-to-day work
 You can use security campaigns to support many of your aims as a security leader.
 * Improving the security posture of the company by leading work to remediate alerts.
-* Reinforcing security training for developers by creating a campaign of related alerts to fix collaboratively.
+* Reinforcing security training for developers by creating a campaign of related, {% data variables.product.prodname_code_scanning %} alerts to fix collaboratively.{% ifversion security-campaigns-secrets %}
 * Ensuring that {% data variables.product.prodname_secret_scanning %} alerts are resolved within your remediation target.{% endif %}
 * Building collaborative relationships between the security team and developers to promote shared ownership of security alerts.
 * Providing clarity to developers on the most urgent alerts to fix and monitoring alert remediation.
@@ -28,15 +33,52 @@ You can use security campaigns to support many of your aims as a security leader
 A security campaign has many benefits over other ways of encouraging developers to remediate security alerts. In particular,
-* Developers are notified about any security campaigns taking place in repositories they work in or subscribe to by email.
+* Developers are notified about any security campaigns that they can contribute to.
 * Developers can see the alerts you've highlighted for remediation without leaving their normal workflows.
 * Each campaign has a named point of contact for questions, reviews, and collaboration.  {% ifversion security-campaigns-autofix %}
-* {% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution for each security alert. {% endif %}
+* For {% data variables.product.prodname_code_scanning %} alerts, {% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution. {% endif %}
 You can use one of the templates to select a group of closely related alerts for a campaign. This allows developers to build on the knowledge gained by resolving one alert and use it to fix several more, providing them with an incentive to fix multiple alerts.
 {% data reusables.code-scanning.campaigns-api %}
 {% ifversion security-campaigns-secrets %}
 ## Differences between code and secret campaigns
 {% data reusables.security.secrets-campaign-preview %}
 The creation workflow is the same for all campaigns, but you will notice a few differences in progress tracking and developer experience.
 {% rowheaders %}
 | Property | Code | Secret |
 |--|--|--|
 | Alerts available for inclusion | {% octicon "check" aria-label="Supported" %} Default branch only | {% octicon "check" aria-label="Supported" %}
 | Repository tracking issues | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
 | Developer notifications | {% octicon "check" aria-label="Supported" %} Requires write access to repository | {% octicon "check" aria-label="Supported" %} Requires view access to alerts list |
 | {% ifversion code-secret-alert-assignees %} |
 | Alert assignment | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} May raise permissions |
 | {% endif %} |
 | Automatic remediation support | {% octicon "check" aria-label="Supported" %} {% data variables.copilot.copilot_autofix %} | {% octicon "x" aria-label="Not supported" %} |
 {% endrowheaders %}
 {% endif %}
 {% ifversion code-secret-alert-assignees %}
 ### Assigning alerts
 >[!NOTE]
 > The option to assign {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %} alerts to users is currently in public preview and is subject to change.
 You can assign a {% data variables.product.prodname_code_scanning %} or {% data variables.product.prodname_secret_scanning %} alert to any user who has **write** access for the repository.
 If the assignee for a {% data variables.product.prodname_secret_scanning %} alert **cannot view the alert list**, their permissions are temporarily raised for that alert. Any additional permissions are revoked when they are unassigned from the alert.
 {% endif %}
 ## Next steps
 * [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)
--- a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale.md
+++ b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale.md
@@ -5,10 +5,14 @@ intro: 'Guidance on how to create successful security campaigns that engage deve
 allowTitleToDifferFromFilename: true
 product: '{% data reusables.gated-features.security-campaigns %}'
 type: reference
 audience:
  - driver
 contentType: tutorials
 versions:
  feature: security-campaigns
 topics:
  - Code Security
  - Secret Protection
  - Organizations
  - Security
 ---
@@ -17,11 +21,11 @@ topics:
 Successful security campaigns to fix alerts at scale have many features in common, including:
-* Selecting a related group of security alerts for remediation.
+* Selecting a related group of security alerts for remediation.{% ifversion security-campaigns-autofix %}
-* Using {% data variables.copilot.copilot_autofix_short %} suggestions where possible to help developers remediate alerts faster and more effectively.
+* For code campaigns, using {% data variables.copilot.copilot_autofix_short %} suggestions where possible to help developers remediate alerts faster and more effectively.{% endif %}
 * Making sure that the campaign managers are available for collaboration, reviews, and questions about fixes.
-* Providing access to educational information about the type of alerts included in the campaign.{% ifversion ghec %}
+* Providing access to educational information about the type of alerts included in the campaign.
-* Making {% data variables.copilot.copilot_chat %} available for developers to use to learn about the vulnerabilities highlighted by the security alerts in the campaign. {% endif %}
+* Making {% data variables.copilot.copilot_chat %} available for developers to use to learn about the vulnerabilities highlighted by the security alerts in the campaign.
 * Defining a realistic deadline for campaign, bearing in mind the number of alerts you aim to fix.
 * Publicizing the collaboration to developer teams and identifying the best way to engage them for your organization.
@@ -29,18 +33,35 @@ For information about the developer experience, see [AUTOTITLE](/code-security/c
 ## Selecting security alerts for remediation
-Your first thought may be to identify all the most urgent alerts and create a security campaign to fix them. If your developers already have a good understanding of secure coding and are keen to remediate potential vulnerabilities, this could be a successful approach for your company. However, if you need to build up knowledge of secure coding and common vulnerabilities, you will benefit from a more strategic approach.
+Your first thought may be to identify all the most urgent alerts and create a security campaign to fix them. If your developers already have a good understanding of secure coding and are keen to remediate potential vulnerabilities, this could be a successful approach for your company. However, if you need to build up knowledge of secure coding{% ifversion security-campaigns-secrets %}, exposed secrets,{% endif %} and common vulnerabilities, you will benefit from a more strategic approach.
-For example, if you have many alerts for cross-site scripting vulnerabilities, you could:
+{% ifversion security-campaigns-secrets %}
-* Create educational content for developers in a repository using resources from the OWASP Foundation, see [Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/).
+### Example approach for a code campaign
-* Create a campaign to remediate all alerts for this vulnerability, including a link to the educational content in the campaign description.
+
 {% endif %}
 For a campaign to raise awareness and fix cross-site scripting vulnerabilities, you could:
 * Create educational content for developers in a repository using resources from the OWASP Foundation, see [Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/).{% ifversion security-campaigns-autofix %}
 * Create a campaign to remediate all alerts for this vulnerability where {% data variables.copilot.copilot_autofix_short %} is supported, using the `autofix:supported` filter.{% endif %}
 * Include a link to the educational content in the campaign description.
 * Hold a training session or other event to highlight this opportunity to gain confidence in secure coding while fixing real bugs.
 * Make sure that the security team members assigned to manage the campaign are available to review the pull requests created to fix the campaign alerts, collaborating as needed.
-### Using {% data variables.copilot.copilot_autofix_short %} to help remediate security alerts
+{% ifversion security-campaigns-secrets %}
-{% data variables.copilot.copilot_autofix %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help fix {% data variables.product.prodname_code_scanning %} alerts. When you select alerts to include in a security campaign, you can preferentially include alerts that are eligible to be fixed with the help of {% data variables.copilot.copilot_autofix %} using the `autofix:supported` filter.
+### Example approach for a secrets campaign
 {% data reusables.security.secrets-campaign-preview %}
 For a campaign to raise awareness and fix exposed passwords, you could:
 * Create educational content for developers about storing passwords securely, for example, as {% data variables.product.github %} secrets, see [AUTOTITLE](/code-security/getting-started/understanding-github-secret-types).
 * Create a campaign to remediate all alerts for exposed passwords, including a link to the educational content in the campaign description.
 * Make sure that the security team members assigned to manage the campaign are available to ensure secrets are revoked and rotated acceptably, collaborating as needed.
 {% endif %}
 ### Campaign filter templates
@@ -83,11 +104,11 @@ The OWASP Foundation provides many resources for learning about the most common
 {% ifversion security-campaigns-autofix %}
-## Providing AI support for learning about security vulnerabilities
+## Providing AI support for learning about code vulnerabilities
-{% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution for each security alert. However, developers will often want more information about why the original code is insecure and how to test that the fix is correct and doesn't break other components.
+{% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution for each {% data variables.product.prodname_code_scanning %} alert. However, developers will often want more information about why the original code is insecure and how to test that the fix is correct and doesn't break other components.
-{% data variables.product.prodname_copilot %} is an important tool for developers who have questions about secure coding, how to fix security alerts, and test their fix. Check that all developers in your organization have access to {% data variables.product.prodname_copilot_short %} in both their IDE and {% data variables.product.github %}, see [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-access-to-github-copilot-in-your-organization/granting-access-to-copilot-for-members-of-your-organization).
+{% data variables.product.prodname_copilot %} chat is an important tool for developers who have questions about secure coding, how to fix security alerts, and test their fix. Check that all developers in your organization have access to {% data variables.product.prodname_copilot_short %} in both their IDE and {% data variables.product.github %}, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/manage-access/grant-access).
 {% endif %}
--- a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns.md
+++ b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns.md
@@ -6,23 +6,29 @@ allowTitleToDifferFromFilename: true
 permissions: '{% data reusables.permissions.security-org-enable %}'
 product: '{% data reusables.gated-features.security-campaigns %}'
 type: how_to
 audience:
  - driver
 contentType: how-tos
 versions:
  feature: security-campaigns
 topics:
  - Code Security
  - Secret Protection
  - Organizations
  - Security
 redirect_from:
  - /code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns
 ---
 {% data reusables.security.secrets-campaign-preview %}
 ## Creating a security campaign
 Security campaigns are created and managed from the **Security** tab for your organization.
 You choose the alerts that you want to include in the campaign by using either:
- * **Campaign templates**: Campaign templates contain filters for the most common alert selections. {% ifversion security-campaigns-autofix %}They also all include the requirement that {% data variables.copilot.copilot_autofix %} is supported for all the alert types included (that is, `autofix:supported`).{% endif %}
+ * **Campaign templates**: Campaign templates contain filters for the most common alert selections. {% ifversion security-campaigns-autofix %}For code campaigns, they also all include the requirement that {% data variables.copilot.copilot_autofix %} is supported for all the alert types included (that is, `autofix:supported`).{% endif %}
 * **Custom filters**: Creating a campaign using custom filters lets you define your own criteria for selecting alerts for the campaign, and lets you tailor your campaign to your organization's specific needs.
 {% data reusables.code-scanning.campaigns-api %}
@@ -33,8 +39,8 @@ You choose the alerts that you want to include in the campaign by using either:
 {% data reusables.organizations.security-overview %}
 {% data reusables.code-scanning.campaigns-click %}
 1. Click **Create campaign {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %}**, then select one of the following options:
-   * Click **From template**, then select a pre-defined campaign template from the list.
+   * Click **From template**, then select a pre-defined{% ifversion security-campaigns-secrets %} **Code** or **Secrets**{% endif %} campaign template from the list.
-   * Click **From code scanning filters**, then add filters to define a subset of alerts for your campaign. See [Examples of useful filters](#examples-of-useful-filters).
+   * Click **From code scanning filters** or **From secret scanning filters**, then add filters to define a subset of alerts for your campaign. See [Examples of useful filters](#examples-of-useful-filters).
 1. Review the set of alerts to be included in the campaign, and adjust the filters as necessary. Make sure you have chosen 1000 alerts or fewer.
 1. When you are satisfied with the scope of the campaign, click **Save as**, then choose whether you want to create a draft campaign, or move straight ahead to finalizing the details of the campaign before publishing it:
   * If you plan to review the scope and details of the campaign prior to launch, or seek feedback on the implementation of the campaign, click **{% octicon "issue-draft" aria-hidden="true" aria-label="issue-draft" %} Draft campaign**.
@@ -51,7 +57,7 @@ You choose the alerts that you want to include in the campaign by using either:
   * Due date
   * Campaign managers
   * Contact link
-1. Optionally, to create campaign issues in each repository included in the campaign, on the "Publish campaign" page, under "Automations", select the checkbox next to "Create issues for NUMBER repositories in this campaign".
+1. Optionally,{% ifversion security-campaigns-secrets %} for "Code" campaigns,{% endif %} to create a campaign issue in each repository included in the campaign, on the "Publish campaign" page, under "Automations", select the checkbox next to "Create issues for NUMBER repositories in this campaign".
 1. Click **Publish campaign**.
 The security campaign is created and the campaign overview page is displayed.
@@ -66,37 +72,68 @@ Did you successfully create a security campaign for your organization?
 ### Examples of useful filters
-All the template filters include the following useful filters:
+All the template filters use `is:open` to include only alerts that need to be resolved. For {% data variables.product.prodname_code_scanning %} alerts, they must also be present in the default branch.
 Additional default filters for {% data variables.product.prodname_code_scanning %} alerts:
 * `is:open` includes only alerts that are open in the default branch.
 * `autofilter:true` includes only alerts that appear to be in application code. {% ifversion security-campaigns-autofix %}
 * `autofix:supported` includes only alerts that are for rules that are supported for {% data variables.copilot.copilot_autofix %}.{% endif %}
-Once you include these core filters, you will usually want to add a filter to limit results to a specific rule name, severity, or tag. For example:
+For more information about filtering alerts, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale#selecting-security-alerts-for-remediation) and [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview).
-* `is:open autofilter:true {% ifversion security-campaigns-autofix %}autofix:supported {% endif %}rule:java/log-injection` to show only alerts for log injection in Java code.
+{% ifversion security-campaigns-secrets %}
 #### {% data variables.product.prodname_code_scanning_caps %} alert filters
 {% endif %}
 In addition to the core filters, you will usually want to add a filter to limit results to a specific rule name, severity, or tag.
 * `is:open autofilter:true {% ifversion security-campaigns-autofix %}autofix:supported {% endif %}rule:java/log-injection` to show only alerts for log injection in Java code. See [Query lists for the default query suites](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites).
 * `is:open autofilter:true {% ifversion security-campaigns-autofix %}autofix:supported {% endif %}tag:external/cwe/cwe-117` to show only alerts for "CWE 117: Improper Output Neutralization for Logs". This includes log injection in Java and other languages.
 * `is:open autofilter:true {% ifversion security-campaigns-autofix %}autofix:supported {% endif %}severity:critical` to show only alerts with a security severity of critical.
-> [!TIP] When you enter a keyword followed by colon in the search field, a list of all valid values is displayed, for example: `tag:`.
+{% ifversion security-campaigns-secrets %}
-For more information about the rules run by {% data variables.product.prodname_codeql %}{% ifversion security-campaigns-autofix %} and support for autofix{% endif %}, see [Query lists for the default query suites](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites).
+#### {% data variables.product.prodname_secret_scanning_caps %} alert filters
-For more information about filtering alerts, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale#selecting-security-alerts-for-remediation) and [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview).
+In addition to the core filters, you will usually want to add a filter to limit results to a specific provider, secret type, or secrets that bypassed push protection (enterprise accounts only).
 * `is:open provider:azure` to show only alerts for the token provider Azure.
 * `is:open secret-type:azure_ai_services_key,azure_cognitive_services_key` to show only alerts for the tokens "azure_ai_services_key" and "azure_cognitive_services_key". See [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets).
 * `is:open props.BusinessPriority:Urgent` to show only alerts for repositories where the custom property "BusinessPriority" has the value "Urgent". See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
 {% endif %}
 ## Launching a security campaign
 {% ifversion security-campaigns-autofix %}
-When you create a campaign, all the alerts are automatically submitted to {% data variables.copilot.copilot_autofix %} to be processed as capacity allows. This ensures that suggestions for alerts found in pull requests aren't delayed by a new campaign. In most cases, you should find that all suggestions that can be created are ready within an hour. At busy times of day, or for particularly complex alerts, it will take longer.
+When you create a code campaign, all the alerts are automatically submitted to {% data variables.copilot.copilot_autofix %} to be processed as capacity allows. This ensures that suggestions for alerts found in pull requests aren't delayed by a new campaign. In most cases, you should find that all suggestions that can be created are ready within an hour. At busy times of day, or for particularly complex alerts, it will take longer.
 {% endif %}
 ### How developers know a security campaign has started
 {% ifversion security-campaigns-secrets %}
 The new campaign is shown in the sidebar of the "Security" tab for each repository included.
 * **Code campaigns**: Anyone with **write** access to a repository included in the campaign is notified.
 * **Secret campaigns**: Anyone with access to see the alert list view for a repository included in the campaign is notified.
 {% ifversion code-secret-alert-assignees %}
 > [!TIP]
 > You can assign a campaign alert to anyone with **write** access to the repository, see [Assigning alerts](/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns#assigning-alerts).
 {% endif %}
 {% else %}
 When a campaign is started, anyone with **write** access to a repository included in the campaign is notified.
-In addition to the automatic notifications sent out, the new campaign is shown in the sidebar of the "Security" tab for each repository included. For more information about the developer experience, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign).
+{% endif %}
 For more information about the developer experience, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign).
 ### How to increase engagement with the security campaign
--- a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/index.md
+++ b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/index.md
@@ -4,8 +4,11 @@ shortTitle: Fix alerts at scale
 intro: 'Once you detect security alerts across your organization, you will want to create security campaigns to engage with developers and collaborate on fixing alerts.'
 versions:
  feature: security-campaigns
 audience:
  - driver
 topics:
  - Code Security
  - Secret Protection
  - Organizations
  - Security
 children:
--- a/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/tracking-security-campaigns.md
+++ b/content/code-security/securing-your-organization/fixing-security-alerts-at-scale/tracking-security-campaigns.md
@@ -6,31 +6,38 @@ allowTitleToDifferFromFilename: true
 permissions: '{% data reusables.permissions.security-org-enable %}'
 product: '{% data reusables.gated-features.security-campaigns %}'
 type: how_to
 audience:
  - driver
 contentType: how-tos
 versions:
  feature: security-campaigns
 topics:
  - Code Security
  - Secret Protection
  - Organizations
  - Security
 ---
 {% data reusables.security.secrets-campaign-preview %}
 ## Tracking campaigns across your organization
 The tracking view provides an overview of data for all open and closed campaigns. It helps you understand the impact of the campaigns, track progress through campaigns and measure success towards achieving your organization's goals.
-To display the campaign tracking view, navigate to the **Security** tab for the organization, then in the left sidebar click **{% octicon "goal" aria-hidden="true" aria-label="goal" %} Campaigns**.
+To display the campaign tracking view, navigate to the **Security** tab for the organization, then in the left sidebar click **{% octicon "goal" aria-hidden="true" aria-label="goal" %} Campaigns**. {% ifversion security-campaigns-secrets %}To display campaigns for secrets, click the **Secrets** at at the top of the page.
-![Screenshot of the security campaigns overview page.](/assets/images/help/security/security-campaigns-tracking-overview.png)
+![Screenshot of the security campaigns overview page. The "Secrets" campaign tab is outlined in orange.](/assets/images/help/security/security-campaigns-tracking-overview-2tabs.png)
-The tracking view shows you a summary of:
+{% else %}
-* **Open** campaigns (total alert count)
+![Screenshot of the security campaigns overview page.](/assets/images/help/security/security-campaigns-tracking-overview-code-only.png)
 * **Closed** campaigns (total alert count)
-For both open and closed campaigns, the view breaks down the total alert count into the following alert statuses:
+{% endif %}
 The tracking view shows you a summary of "Open" and "Closed" campaigns, with the total alert count across all campaigns of that type. The view breaks down the total alert count into the following alert statuses:
 * **Open**: the alert is still active and has not yet been addressed.
-* **In progress**: work has started to fix the alert—at least one branch or pull request has been created from the campaign view or alert page.
+* **In progress** (code campaigns only): work has started to fix the alert—at least one branch or pull request has been created from the campaign view or alert page.
 * **Fixed**: the alert has been resolved, either within or outside of the campaign workflow.
 * **Dismissed**: the alert was reviewed but intentionally not fixed; it has been dismissed.
@@ -38,7 +45,7 @@ For both open and closed campaigns, the view breaks down the total alert count i
 You can similarly track how a single campaign is progressing by viewing the campaign's own tracking page.
-To display the tracking page, navigate to the **Security** tab for the organization, click **{% octicon "goal" aria-hidden="true" aria-label="goal" %} Campaigns** in the left sidebar, and then select the campaign you want to view from the list of campaigns.
+To display the tracking page for a campaign, navigate to the "Campaigns" page, {% ifversion security-campaigns-secrets %}select **Code** or **Secrets** campaigns, {% endif %}and then select the campaign you want to view from the list of campaigns.
 ![Screenshot of campaign tracking view for "Testing Campaigns for CodeQL". The campaign progress is outlined in dark orange.](/assets/images/help/security/driver-sec-campaign-view.png)
@@ -46,11 +53,11 @@ The tracking view shows you a summary of:
 * **Campaign progress**: how many alerts are closed (fixed or dismissed), in progress, or still left to review.
 * **Status**: how the campaign is progressing towards its due date.
-* **{% data variables.copilot.copilot_autofix_short %}**: number of alerts where {% data variables.copilot.copilot_autofix_short %} can generate a fix to resolve the alert.
+* **{% data variables.copilot.copilot_autofix_short %}** (code campaigns only): number of alerts where {% data variables.copilot.copilot_autofix_short %} can generate a fix to resolve the alert.
 You can also explore the campaign repositories and alerts to see where teams are engaging in the campaign, and where teams might need some extra encouragement to take part.
 * **Repository details:** you can expand any repository to show the progress in alert remediation.
 * **Alert details:** you can set the "Group by" option to **None** to show a list of all alerts.
-You can filter both of these views to focus on a subset of repositories or alerts. Any alerts that are in progress are listed first.
+You can filter both of these views to focus on a subset of repositories or alerts. For code campaigns, any alerts that are in progress are listed first.
--- a/content/code-security/trialing-github-advanced-security/explore-trial-secret-scanning.md
+++ b/content/code-security/trialing-github-advanced-security/explore-trial-secret-scanning.md
@@ -21,7 +21,8 @@ This guide assumes that you have planned and started a trial of {% data variable
 * Identify additional access tokens you use by defining custom patterns.
 * Detect potential passwords using AI.
 * Control and audit the bypass process for push protection and {% data variables.secret-scanning.alerts %}.
-* Enable validity checks for exposed tokens.
+* Enable validity checks for exposed tokens.{% ifversion security-campaigns-secrets %}
 * Create security campaigns where security specialists and developers can collaborate to effectively reduce technical debt.{% endif %}
 To find out how to run a free secret risk assessment, see [Generating an initial secret risk assessment](/enterprise-cloud@latest/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization#generating-an-initial-secret-risk-assessment){% ifversion fpt or ghes %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}.
@@ -67,6 +68,14 @@ Reviewers are defined in an organization-level security configuration or in the
 You can enable validity checks to check whether detected tokens are still active at the repository, organization, and enterprise level. Generally, it is worth enabling this feature across the whole enterprise using enterprise or organization-level security configurations. For more information, see [AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository){% ifversion fpt or ghes %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}.
 {% ifversion security-campaigns-secrets %}
 ## Engage developers in security remediation
 Security campaigns provide a way for security teams to engage with developers to remediate security technical debt. They also provide a practical way to combine education in secret storage with examples of exposed secrets that your developers can fix. For more information, see [AUTOTITLE](/enterprise-cloud@latest/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns) and [AUTOTITLE](/enterprise-cloud@latest/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale){% ifversion fpt or ghes %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}.
 {% endif %}
 ## Next steps
 When you have enabled the additional controls for {% data variables.product.prodname_secret_protection %}, you're ready to test them against your business needs, and explore further. You may also be ready to look into exploring the options available with {% data variables.product.prodname_GH_code_security %}.
--- a/content/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas.md
+++ b/content/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas.md
@@ -38,7 +38,7 @@ If your company already uses {% data variables.product.github %}, consider what
 | Enforce use of security features | Enterprise-level security configurations and policies. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/about-security-configurations) and [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/about-enterprise-policies) |
 | Protect custom access tokens | Custom patterns for {% data variables.product.prodname_secret_scanning %}, delegated bypass for push protection, and validity checks. See [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-secret-scanning) |
 | Define and enforce a development process | Dependency review, auto-triage rules, rulesets, and policies. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review), [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules), [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets), and [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/about-enterprise-policies) |
-| Reduce technical debt at scale | {% data variables.product.prodname_code_scanning_caps %} and security campaigns. See [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-code-scanning) |
+| Reduce technical debt at scale | Security campaigns. See {% ifversion fpt or ghec %}[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns){% else %}[AUTOTITLE](/enterprise-cloud@latest/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns) in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}. |
 | Monitor and track trends in security risks | Security overview. See [AUTOTITLE](/code-security/security-overview/viewing-security-insights) |
 {% endrowheaders %}
--- a/content/get-started/learning-about-github/about-github-advanced-security.md
+++ b/content/get-started/learning-about-github/about-github-advanced-security.md
@@ -100,6 +100,9 @@ The table below summarizes the availability of {% data variables.product.prodnam
 |{% endif %}|
 | Custom patterns   | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
 | Delegated bypass for push protection    | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
 |{% ifversion security-campaigns-secrets %}|
 | Security campaigns | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
 |{% endif %}|
 | Security overview   | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
 {% endrowheaders %}
--- a/data/features/code-secret-alert-assignees.yml
+++ b/data/features/code-secret-alert-assignees.yml
@@ -0,0 +1,6 @@
 # Reference: #18652 and #17468
 # Assignees for code scanning and secret scanning alerts
 versions:
  fpt: '*'
  ghec: '*'
  ghes: '>=3.20'
--- a/data/features/security-campaigns-secrets.yml
+++ b/data/features/security-campaigns-secrets.yml
@@ -0,0 +1,5 @@
 # Reference: #18650
 # Documentation for security campaigns for secret scanning alerts
 versions:
  fpt: '*'
  ghec: '*'
--- a/data/features/security-campaigns.yml
+++ b/data/features/security-campaigns.yml
@@ -1,5 +1,5 @@
 # Reference: #14514
-# Documentation for security campaigns
+# Documentation for security campaigns for code scanning alerts
 # Ref 17108 Advanced Security available to Team plans
 versions:
  fpt: '*'
--- a/data/reusables/gated-features/security-campaigns.md
+++ b/data/reusables/gated-features/security-campaigns.md
@@ -1,8 +1,8 @@
 {% ifversion fpt %}
-Organizations on {% data variables.product.prodname_team %} with [{% data variables.product.prodname_GH_code_security %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
+Organizations on {% data variables.product.prodname_team %} with [{% data variables.product.prodname_GH_cs_or_sp %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
 {% ifversion ghec %}
-Organizations on {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with [{% data variables.product.prodname_GH_code_security %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
+Organizations on {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with [{% data variables.product.prodname_GH_cs_or_sp %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
 {% ifversion ghes %}
-Organizations with [{% data variables.product.prodname_GH_code_security %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
+Organizations with [{% ifversion security-campaigns %}{% data variables.product.prodname_GH_code_security %}{% elsif security-campaigns-secrets %}{% data variables.product.prodname_GH_cs_or_sp %}{% endif %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
--- a/data/reusables/secret-protection/product-list.md
+++ b/data/reusables/secret-protection/product-list.md
@@ -8,6 +8,8 @@
 * **Delegated bypass for push protection** and **Delegated alert dismissal**:  Implement an approval process for better control over who in your enterprise can perform sensitive actions, supporting governance at scale.{% elsif ghes = 3.15 or ghes = 3.16 %}
-* **Delegated bypass for push protection**: Implement controls over who can bypass push protection.{% endif %}
+* **Delegated bypass for push protection**: Implement controls over who can bypass push protection.{% endif %}{% ifversion security-campaigns-secrets %}
 * **Security campaigns**: remediate exposed secrets at scale by creating a campaign and collaborating to fix them.{% endif %}
 * **Security overview**: Understand the distribution of risk across your organization.
--- a/data/reusables/secret-scanning/secret-scanning-configure-notifications.md
+++ b/data/reusables/secret-scanning/secret-scanning-configure-notifications.md
@@ -11,3 +11,5 @@ You will receive an email notification if:
 * You are watching the repository.
 * You have enabled notifications for "All Activity", or for custom "Security alerts" on the repository.
 * In your notification settings, under "Subscriptions", then under "Watching", you have selected to receive notifications by email.
 {% data reusables.security.alert-assignee-mention %}
--- a/data/reusables/security/alert-assignee-mention.md
+++ b/data/reusables/security/alert-assignee-mention.md
@@ -0,0 +1,5 @@
 {% ifversion code-secret-alert-assignees %}
 In addition, you will receive a notification if someone assigns a {% data variables.product.prodname_secret_scanning %} alert to you, see [Assigning alerts](/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns#assigning-alerts).
 {% endif %}
--- a/data/reusables/security/alert-assignee-step.md
+++ b/data/reusables/security/alert-assignee-step.md
@@ -0,0 +1,5 @@
 {% ifversion code-secret-alert-assignees %}
 1. Optionally, assign the alert to someone to fix using the **Assignees** control shown on the right, see [Assigning alerts](/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns#assigning-alerts).
 {% endif %}
--- a/data/reusables/security/secrets-campaign-preview.md
+++ b/data/reusables/security/secrets-campaign-preview.md
@@ -0,0 +1,6 @@
 {% ifversion security-campaigns-secrets %}
 > [!NOTE]
 > Campaigns for {% data variables.product.prodname_secret_scanning %} alerts are currently in {% data variables.release-phases.public_preview %} and are subject to change.
 {% endif %}