jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-21 10:57:10 -05:00
Code Issues Projects Releases Wiki Activity

Docs for new Secret risk assessment, GHAS SKU unbundling, and expansion to Team plan - ships 1st April (UK morning) (#54748)

Browse Source 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Co-authored-by: Hector Alfaro <hectorsector@github.com>
Co-authored-by: Vanessa <vgrl@github.com>
Co-authored-by: Erin Havens <erinhav@github.com>
Co-authored-by: Aaron Waggener <73763104+aaronwaggener@users.noreply.github.com>
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
Co-authored-by: Sarah Schneider <sarahs@users.noreply.github.com>
Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com>
Co-authored-by: Sarah Schneider <sarahs@github.com>
This commit is contained in:
Felicity Chapman
2025-04-01 11:29:37 +01:00
committed by GitHub
parent e447b5cb5f
commit 8c62486a96
249 changed files with 1841 additions and 1171 deletions
Download Patch File Download Diff File Expand all files Collapse all files

213
content/code-security/getting-started/github-security-features.md
View File

@@ -1,6 +1,6 @@
---
title: GitHub security features
intro: 'An overview of {% data variables.product.prodname_dotcom %} security features.'
intro: 'An overview of {% data variables.product.github %}''s security features.'
versions:
fpt: '*'
ghes: '*'
@@ -14,67 +14,101 @@ topics:
- Secret Protection
---
## About {% data variables.product.prodname_dotcom %}'s security features
## About {% data variables.product.github %}'s security features
{% data variables.product.prodname_dotcom %} has security features that help keep code and secrets secure in repositories and across organizations. {% data reusables.advanced-security.security-feature-availability %}
{% data variables.product.github %}'s security features help keep your code and secrets secure in repositories and across organizations.
The {% data variables.product.prodname_advisory_database %} contains a curated list of security vulnerabilities that you can view, search, and filter. {% data reusables.security-advisory.link-browsing-advisory-db %}
{% ifversion ghas-products %}
## Available for all repositories
{% ifversion fpt or ghec %}
* Some features are available for all {% data variables.product.github %} plans.
* Additional features are available to organizations {% ifversion ghec %}and enterprises{% endif %} on {% data variables.product.prodname_team %} and {% data variables.product.prodname_ghe_cloud %} that purchase a {% data variables.product.prodname_GHAS %} product:
* [{% data variables.product.prodname_GH_secret_protection %}](#available-with-github-secret-protection)
* [{% data variables.product.prodname_GH_code_security %}](#available-with-github-code-security)
* In addition, a number of {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_GH_code_security %} features can be run on public repositories for free.{% endif %}
{%- ifversion ghes %}
* Some features are available for all repositories by default.
* Additional features are available to enterprises that purchase a {% data variables.product.prodname_GHAS %} product:
* [{% data variables.product.prodname_GH_secret_protection %}](#available-with-github-secret-protection)
* [{% data variables.product.prodname_GH_code_security %}](#available-with-github-code-security){% endif %}
{%- else %}
* Some features are available for all {% data variables.product.github %} plans.
* Additional features are available to enterprises that purchase {% data variables.product.prodname_GHAS %}.
{% endif %}
## Available for all {% data variables.product.github %} plans
The following security features are available for you to use, regardless of the {% data variables.product.github %} plan you are on. {% ifversion ghas-products %}You don't need to purchase {% data variables.product.prodname_GH_cs_or_sp %} to use these features.{% endif %}
{% ifversion fpt or ghec %}
Most of these features are available for public{% ifversion ghec %}, internal,{% endif %} and private repositories.
Some features are _only_ available for public repositories.
{% endif %}
### Security policy
Make it easy for your users to confidentially report security vulnerabilities they've found in your repository. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository).
### {% data variables.product.prodname_dependabot_alerts %} and security updates
View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
You can use default {% data variables.dependabot.auto_triage_rules %} curated by {% data variables.product.prodname_dotcom %} to automatically filter out a substantial amount of false positives. {% data reusables.dependabot.dismiss-low-impact-rule %}
{% data reusables.dependabot.quickstart-link %}
### {% data variables.product.prodname_dependabot_version_updates %}
Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. You can also customize {% data variables.product.prodname_dependabot_version_updates %} to streamline their integration into your repositories. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).
### Dependency graph
The dependency graph allows you to explore the ecosystems and packages that your repository depends on and the repositories and packages that depend on your repository.
You can find the dependency graph on the **Insights** tab for your repository. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
{% data reusables.dependency-graph.sbom-export %}
### Software Bill of Materials (SBOM)
{% ifversion security-overview-displayed-alerts %}
You can export the dependency graph of your repository as an SPDX-compatible, Software Bill of Materials (SBOM). For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository).
### Security overview
### {% data variables.product.prodname_advisory_database %}
Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview).
The {% data variables.product.prodname_advisory_database %} contains a curated list of security vulnerabilities that you can view, search, and filter. {% data reusables.security-advisory.link-browsing-advisory-db %}
{% else %}
### {% data variables.product.prodname_dependabot_alerts %} and security updates
### Security overview for repositories
View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
Security overview shows which security features are enabled for the repository, and lets you configure any available security features that are not already enabled.
{% endif %}
You can also use default {% data variables.dependabot.auto_triage_rules %} curated by {% data variables.product.github %} to automatically filter out a substantial amount of false positives.
{% ifversion fpt or ghec %}
{% data reusables.dependabot.quickstart-link %}
## Available for free public repositories
### {% data variables.product.prodname_dependabot_version_updates %}
Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. You can also customize {% data variables.product.prodname_dependabot_version_updates %} to streamline their integration into your repositories. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).
{% ifversion fpt or ghec %}
### Security advisories
Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories).
Privately discuss and fix security vulnerabilities in your public repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories).
{% endif %}
### {% data variables.secret-scanning.user_alerts_caps %}
### Repository rulesets
Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts).
Enforce consistent code standards, security, and compliance across branches and tags. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
{% ifversion fpt or ghec %}
### Artifact attestations
Create unfalsifiable provenance and integrity guarantees for the software you build. For more information, see [AUTOTITLE](/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds).
{% ifversion fpt %}
> [!NOTE]
> If you are on a {% data variables.product.prodname_free_user %}, {% data variables.product.prodname_pro %}, or {% data variables.product.prodname_team %} plan, artifact attestations are only available for public repositories. To use artifact attestations in private or internal repositories, you must be on a {% data variables.product.prodname_ghe_cloud %} plan.{% endif %}
### {% data variables.secret-scanning.partner_alerts_caps %}
When {% data variables.product.github %} detects a leaked secret in a public repository, or a public npm packages, {% data variables.product.github %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets).
{% ifversion secret-scanning-push-protection-for-users %}
@@ -84,42 +118,107 @@ Push protection for users automatically protects you from accidentally committin
{% endif %}
### {% data variables.secret-scanning.partner_alerts_caps %}
{% endif %}
Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets).
{% ifversion ghas-products %}
## Available with {% data variables.product.prodname_GH_secret_protection %}
For accounts on {% ifversion fpt or ghec %}{% data variables.product.prodname_team %} and {% data variables.product.prodname_ghe_cloud %}{% endif %}{% ifversion ghes %} {% data variables.product.prodname_ghe_server %}{% endif %}, you can access additional security features when you purchase **{% data variables.product.prodname_GH_secret_protection %}**.
{% data variables.product.prodname_GH_secret_protection %} includes features that help you detect and prevent secret leaks, such as {% data variables.product.prodname_secret_scanning %} and push protection.
These features are available for all repository types. {% ifversion fpt or ghec %}Some of these features are available for public repositories free of charge, meaning that you don't need to purchase {% data variables.product.prodname_GH_secret_protection %} to enable the feature on a public repository.{% endif %}
<!--Hiding information on setting up a trial for now, as there is no available link for fpt yet. Needs versioning for fpt, ghec and ghes.
For information about how you can try {% data variables.product.prodname_GH_secret_protection %} for free, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/setting-up-a-trial-of-github-advanced-security).
-->
{% else %}
## Available with {% data variables.product.prodname_GHAS %}
{% data variables.product.prodname_GHAS %} features are available for enterprises with a license for {% data variables.product.prodname_GHAS %}. The features are restricted to repositories owned by an organization.
{% endif %}
## Available with {% data variables.product.prodname_GH_advanced_security %}
### {% data variables.secret-scanning.user_alerts_caps %}
{% ifversion fpt %}
The following {% data variables.product.prodname_GH_advanced_security %} features are available and free of charge for public repositories on {% data variables.product.prodname_dotcom %}. Organizations that use {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can use the full set of features in any of their repositories. For a list of the features available with {% data variables.product.prodname_ghe_cloud %}, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/getting-started/github-security-features#available-with-github-advanced-security).
Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.github %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts).
{% elsif ghec %}
Many {% data variables.product.prodname_GH_advanced_security %} features are available and free of charge for public repositories on {% data variables.product.prodname_dotcom %}. Organizations within an enterprise that have a {% data variables.product.prodname_GH_advanced_security %} license can use the following features on all their repositories. {% data reusables.advanced-security.more-info-ghas %}
{% data reusables.advanced-security.available-for-public-repos %}
{% elsif ghes %}
{% data variables.product.prodname_GH_advanced_security %} features are available for enterprises with a license for {% data variables.product.prodname_GH_advanced_security %}. The features are restricted to repositories owned by an organization. {% data reusables.advanced-security.more-info-ghas %}
{% ifversion secret-scanning-ai-generic-secret-detection %}
### {% data variables.secret-scanning.copilot-secret-scanning %}
{% data variables.secret-scanning.copilot-secret-scanning %}'s generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that identifies unstructured secrets (passwords) in your source code and then generates an alert. For more information, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).
{% endif %}
{% ifversion copilot-chat-ghas-alerts %}
### Push protection
With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand security alerts in repositories in your organization from {% data variables.product.prodname_GH_advanced_security %} features ({% data variables.product.prodname_code_scanning %}, {% data variables.product.prodname_secret_scanning %}, and {% data variables.product.prodname_dependabot_alerts %}). For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features).
Push protection proactively scans your code, and any repository contributors' code, for secrets during the push process and blocks the push if any secrets are detected. If a contributor bypasses the block, {% data variables.product.github %} creates an alert. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).
{% data reusables.advanced-security.available-for-public-repos %}
{% ifversion push-protection-delegated-bypass %}
### Delegated bypass for push protection
Delegated bypass for push protection lets you control which individuals, roles and teams can bypass push protection, and implements a review and approval cycle for pushes containing secrets. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).
{% endif %}
{% data reusables.advanced-security.ghas-trial %}
### Custom patterns
You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}, such as patterns that are internal to your organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning).
<!--Hiding security overview for earlier GHES versions, so it isn't duplicated below-->
{% ifversion ghas-products %}
### Security overview
Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview).
## Available with {% data variables.product.prodname_GH_code_security %}
For accounts on {% ifversion fpt or ghec %}{% data variables.product.prodname_team %} and {% data variables.product.prodname_ghe_cloud %}{% endif %}{% ifversion ghes %} {% data variables.product.prodname_ghe_server %}{% endif %}, you can access additional security features when you purchase **{% data variables.product.prodname_GH_code_security %}**.
{% data variables.product.prodname_GH_code_security %} includes features that help you find and fix vulnerabilities, like {% data variables.product.prodname_code_scanning %}, premium {% data variables.product.prodname_dependabot %} features, and dependency review.
These features are available for all repository types. {% ifversion fpt or ghec %}Some of these features are available for public repositories free of charge, meaning that you don't need to purchase {% data variables.product.prodname_GH_code_security %} to enable the feature on a public repository.{% endif %}
<!--Hiding information on setting up a trial for now, as there is no available link for fpt yet. Needs versioning for fpt, ghec & ghes.
For information about how you can try {% data variables.product.prodname_GH_code_security %} for free, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/setting-up-a-trial-of-github-advanced-security).
-->
{% endif %}
### {% data variables.product.prodname_code_scanning_caps %}
Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch. For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning).
### {% data variables.secret-scanning.user_alerts_caps %}
{% data reusables.advanced-security.available-for-public-repos %}
Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %}
### {% data variables.product.prodname_codeql_cli %}
### {% data variables.dependabot.custom_rules_caps %}
Run {% data variables.product.prodname_codeql %} processes locally on software projects or to generate {% data variables.product.prodname_code_scanning %} results for upload to {% data variables.product.github %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli).
{% data reusables.advanced-security.available-for-public-repos %}
{% ifversion code-scanning-autofix %}
### {% data variables.product.prodname_copilot_autofix_short %}
Get automatically generated fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning).
{% data reusables.advanced-security.available-for-public-repos %}
{% endif %}
### {% data variables.dependabot.custom_rules_caps %} for {% data variables.product.prodname_dependabot %}
{% data reusables.dependabot.dependabot-custom-rules-ghas %}
@@ -127,18 +226,30 @@ Automatically detect tokens or credentials that have been checked into a reposit
Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
{% ifversion security-overview-displayed-alerts %}<!--Section appears in non-GHAS features above-->
{% data reusables.advanced-security.available-for-public-repos %}
{% elsif fpt %}<!--Feature requires enterprise product-->
{% ifversion security-campaigns %}
{% else %}
### Security campaigns
### Security overview for organizations{% ifversion ghes %}, enterprises,{% endif %} and teams
Fix security alerts at scale by creating security campaigns and collaborating with developers to reduce your security backlog. For more information, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns).
{% endif %}
### Security overview
Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview).
{% ifversion copilot-chat-ghas-alerts %}
## Leveraging {% data variables.product.prodname_copilot_chat %} to understand security alerts
With a {% data variables.product.prodname_copilot_enterprise %} license, you can also ask {% data variables.product.prodname_copilot_chat %} for help to better understand security alerts in repositories in your organization from {% data variables.product.prodname_GHAS %} features ({% data variables.product.prodname_code_scanning %}, {% data variables.product.prodname_secret_scanning %}, and {% data variables.product.prodname_dependabot_alerts %}). For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features).
Review the security configuration and alerts for your organization and identify the repositories at greatest risk. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview).
{% endif %}
## Further reading
* [AUTOTITLE](/get-started/learning-about-github/githubs-plans)
* [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)
* [AUTOTITLE](/get-started/learning-about-github/github-language-support)