Merge pull request #26120 from github/repo-sync

Repo sync

content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md

@@ -36,6 +36,8 @@ If your code depends on a package with a security vulnerability, this can cause
 
 {% data reusables.security-advisory.link-browsing-advisory-db %}
 
+{% data reusables.dependabot.quickstart-link %}
+
 ## Detection of insecure dependencies
 
 {% data reusables.dependabot.dependabot-alerts-beta %}

content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md

@@ -116,15 +116,15 @@ For more information, see "[Reviewing and fixing alerts](#reviewing-and-fixing-a
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.sidebar-dependabot-alerts %}
 1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. {% ifversion dependabot-filter-label-security-advisory %}Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.{% endif %} For more information about filtering and sorting alerts, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts)."
-{%- ifversion dependabot-bulk-alerts %}
 
-   ![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png){% endif %}
+{%- ifversion dependabot-bulk-alerts %}
+  ![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png){% endif %}
 1. Click the alert that you would like to view.
 {% else %}
-{% data reusables.repositories.navigate-to-repo %}
-{% data reusables.repositories.sidebar-security %}
-{% data reusables.repositories.sidebar-dependabot-alerts %}
-1. Click the alert you'd like to view.{% endif %}{% ifversion dependabot-filter-label-security-advisory %}
+{% data reusables.dependabot.navigate-to-dependabot-alerts %}
+1. Click the alert you'd like to view.
+{% endif %}
+{% ifversion dependabot-filter-label-security-advisory %}
 1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
 
    ![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png)

content/code-security/getting-started/dependabot-quickstart-guide.md

@@ -0,0 +1,145 @@
+---
+title: Dependabot quickstart guide
+intro: 'You can use {% data variables.product.prodname_dependabot %} to alert you when your repository is using a software dependency with a known vulnerability. This guide will help get you started on enabling {% data variables.product.prodname_dependabot %} for a repository, and exploring reported alerts.'
+product: '{% data reusables.gated-features.dependabot-alerts %}'
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+type: quick_start
+topics:
+  - Dependabot
+  - Alerts
+  - Vulnerabilities
+  - Repositories
+  - Dependencies
+shortTitle: Dependabot quickstart
+---
+
+## About {% data variables.product.prodname_dependabot %}
+
+This quickstart guide walks you through setting up and enabling {% data variables.product.prodname_dependabot %}  and viewing {% data variables.product.prodname_dependabot_alerts %} and updates for a repository.
+
+{% data variables.product.prodname_dependabot %} consists of three different features that help you manage your dependencies:
+
+- {% data variables.product.prodname_dependabot_alerts %}—inform you about vulnerabilities in the dependencies that you use in your repository.
+- {% data variables.product.prodname_dependabot_security_updates %}—automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.
+- {% data variables.product.prodname_dependabot_version_updates %}—automatically raise pull requests to keep your dependencies up-to-date.
+
+## Prerequisites
+
+{% ifversion ghes %}
+Before you can use the {% data variables.product.prodname_dependabot_alerts %} feature in {% data variables.product.product_name %}, you must ensure that your enterprise administator enables {% data variables.product.prodname_dependabot %} for the instance. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise#enabling-dependabot-alerts)."
+{% endif %}
+
+For the purpose of this guide, we're going to use a demo repository to illustrate how {% data variables.product.prodname_dependabot %} finds vulnerabilities in dependencies, where you can see {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.prodname_dotcom %}, and how you can explore, fix, or dismiss these alerts. 
+
+You need to start by forking the demo repository.
+
+1. Navigate to [https://github.com/dependabot/demo](https://github.com/dependabot/demo).
+2. At the top of the page, on the right, click **{% octicon "repo-forked" aria-hidden="true" %} Fork**.
+3. Select an owner (you can select your {% data variables.product.prodname_dotcom %} personal account) and type a  repository name. For more information about forking repositories, see "[AUTOTITLE](/get-started/quickstart/fork-a-repo#forking-a-repository)."
+4. Click **Create fork**. 
+
+## Enabling {% data variables.product.prodname_dependabot %} for your repository
+
+You need to follow the steps below on the repository you forked in "[Prerequisites](#prerequisites)."
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+1. Under "Code security and analysis", to the right of {% data variables.product.prodname_dependabot_alerts %}, click **Enable** for {% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dependabot_security_updates %}, and {% data variables.product.prodname_dependabot_version_updates %}.
+2. Optionally, if you are interested in experimenting with {% data variables.product.prodname_dependabot_version_updates %}, click **.github/dependabot.yml**. This will create a default _dependabot.yml_ configuration file in the `/.github` directory of your repository. To enable {% data variables.product.prodname_dependabot_version_updates %} for your repository, you typically configure this file to suit your needs by editing the default file, and committing your changes. You can refer to the snippet provided in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file)" for an example.
+
+{% note %}
+
+**Note:** If the dependency graph is not already enabled for the repository, {% data variables.product.prodname_dotcom %} will enable it automatically when you enable {% data variables.product.prodname_dependabot %}.
+
+{% endnote %}
+
+For more information about configuring each of these {% data variables.product.prodname_dependabot %} features, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)," "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)," and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)."
+
+## Viewing {% data variables.product.prodname_dependabot_alerts %} for your repository
+
+If {% data variables.product.prodname_dependabot_alerts %} are enabled for a repository, you can view {% data variables.product.prodname_dependabot_alerts %} on the "Security" tab for the repository. You can use the forked repository that you enabled {% data variables.product.prodname_dependabot_alerts %} on in the previous section.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+{% data reusables.repositories.sidebar-dependabot-alerts %}
+1. Review the open alerts on the {% data variables.product.prodname_dependabot_alerts %} page. By default, the page displays the **Open** tab, listing the open alerts. (You'll be able to view any closed alerts by clicking **Closed**.)
+
+   ![Screenshot showing the list of Dependabot alerts for the demo repository.](/assets/images/help/repository/dependabot-alerts-list-demo-repo.png)
+
+   You can filter {% data variables.product.prodname_dependabot_alerts %} in the list, using a variety of filters or labels. For more infomation, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#prioritizing-dependabot-alerts)."{% ifversion dependabot-alert-rules-auto-dismissal-npm-dev-dependencies %} You can also use {% data variables.product.prodname_dependabot %} alert rules to filter out false positive alerts or alerts you're not interested in. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts)."{% endif %} 
+
+2. Click the "Command Injection in lodash" alert on the _javascript/package-lock.json_ file. The details page for the alert will show the following information (note that some information may not apply to all alerts):
+   - Whether {% data variables.product.prodname_dependabot %} created a pull request that will fix the vulnerability. You can review the suggested security update by clicking **Review security update**.
+   - Package involved
+   - Affected versions
+   - Patched version
+   - Brief description of the vulnerability
+
+   ![Screenshot of the detailed page of an alert in the demo repository, showing the main information.](/assets/images/help/repository/alert-details-page-demo-repo.png)
+
+3. Optionally, you can also explore the information on the right-side of the page. Some of the information shown in the screenshot may not apply to every alert.
+   - Severity
+   - CVSS metrics—we use CVSS levels to assign severity levels. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database#about-cvss-levels)."
+   - Tags
+   - Weaknesses—list of CWEs related to the vulnerability, if applicable
+   - CVE ID—unique CVE identifier for the vulnerability, if applicable
+   - GHSA ID—unique identifier of the corresponding advisory on the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database#about-ghsa-ids)."
+   - Option to navigate to the advisory on the {% data variables.product.prodname_advisory_database %}
+   - Option to see all of your repositories that are affected by this vulnerability
+   - Option to suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}
+
+   ![Screenshot of the detailed page of an alert in the demo repository, showing the information displayed on the right-side of the page.](/assets/images/help/repository/more-alert-details-demo-repo.png)
+
+For more information about viewing, prioritizing, and sorting {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)."
+## Fixing or dismissing a {% data variables.product.prodname_dependabot %} alert
+
+You can fix or dismiss {% data variables.product.prodname_dependabot_alerts %} on {% data variables.product.prodname_dotcom %}. Let's continue to use the forked repository as an example, and the "Command Injection in lodash" alert described in the previous section.
+
+1. Navigate to the {% data variables.product.prodname_dependabot_alerts %} tab for the repository. For more information, see the "[Viewing {% data variables.product.prodname_dependabot_alerts %} for your repository](#viewing-dependabot-alerts-for-your-repository)" section above. 
+1. Click an alert.
+1. Click the "Command Injection in lodash" alert on the _javascript/package-lock.json_ file.  
+1. Review the alert. You can:
+   - Review the suggested security update by clicking **Review security update**. This will open the pull request generated by {% data variables.product.prodname_dependabot %} with the security fix.
+
+     ![Screenshot of the pull request generated by {% data variables.product.prodname_dependabot %} to fix the security vulnerability highlighted by the selected alert.](/assets/images/help/repository/dependabot-pull-request-demo-repo.png)
+
+      - On the pull request description, you can click **Commits** to explore the commits included in the pull request.
+      - You can also click **{% data variables.product.prodname_dependabot %} commands and options** to learn about the commands that you can use to interact with the pull request.
+      - When you're ready to update your dependency and resolve the vulnerability, merge the pull request.
+   - If you decide that you want to dismiss the alert
+      - Go back to the alert details page.
+      - On the top-right corner, click **Dismiss alert**.{% ifversion dependabot-alerts-dismissal-comment %}
+
+        ![Screenshot of the alert details page with the **Dismiss alert** button, dropdown menu options, and dismissal comment box highlighted with a dark orange outline.](/assets/images/help/repository/dismiss-alert-demo-repo.png){% else %}
+
+        ![Screenshot of the alert details page with the **Dismiss alert** button highlighted with a dark orange outline.](/assets/images/enterprise/3.4/repository/dismiss-alert-demo-repo.png){% endif %}
+
+      - Select a reason for dismissing the alert. {% ifversion dependabot-alerts-dismissal-comment %}
+      - Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting.{% endif %}
+      - Click **Dismiss alert**. The alert won't appear aymore in the **Open** tab of the alert list, and you are able to view it in the **Closed** tab.
+
+For more information about reviewing and updating {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#reviewing-and-fixing-alerts)."
+
+## Troubleshooting
+
+You may need to do some troubleshooting if:
+- {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix an alert, or
+- The information reported by {% data variables.product.prodname_dependabot %} is not what you expect.
+
+For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)," respectively.
+
+## Next steps
+
+For more information about configuring {% data variables.product.prodname_dependabot %} updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." 
+
+For more information about configuring {% data variables.product.prodname_dependabot %} for an organization, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#managing-dependabot-alerts-for-your-organization).
+
+For more information about viewing pull requests opened by {% data variables.product.prodname_dependabot %}, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#viewing-dependabot-pull-requests)."
+
+For more information about the security advisories that contribute to {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database)."
+
+For more information about configuring notifications about {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts)."

content/code-security/getting-started/github-security-features.md

@@ -39,6 +39,8 @@ View alerts about dependencies that are known to contain security vulnerabilitie
 and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
 {% endif %}
 
+{% data reusables.dependabot.quickstart-link %}
+
 {% ifversion ghae %}
 ### {% data variables.product.prodname_dependabot_alerts %}
 

content/code-security/getting-started/index.md

@@ -13,9 +13,11 @@ topics:
   - Vulnerabilities
 children:
   - /github-security-features
+  - /dependabot-quickstart-guide
   - /securing-your-repository
   - /securing-your-organization
   - /adding-a-security-policy-to-your-repository
   - /auditing-security-alerts
+
 ---
 

content/code-security/getting-started/securing-your-organization.md

@@ -37,6 +37,8 @@ You can create a default security policy that will display in any of your organi
 
 {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %} detects vulnerabilities in public repositories and displays the dependency graph. You can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all public repositories owned by your organization. You can enable or disable {% data variables.product.prodname_dependabot_alerts %} and the dependency graph for all private repositories owned by your organization.
 
+{% data reusables.dependabot.quickstart-link %}
+
 1. Click your profile photo, then click **Organizations**.
 2. Click **Settings** next to your organization.
 3. Click **Security & analysis**.

content/code-security/getting-started/securing-your-repository.md

@@ -53,6 +53,8 @@ For more information, see "[AUTOTITLE](/code-security/supply-chain-security/unde
 
 {% data variables.product.prodname_dependabot_alerts %} are generated when {% data variables.product.prodname_dotcom %} identifies a dependency in the dependency graph with a vulnerability. {% ifversion fpt or ghec %}You can enable {% data variables.product.prodname_dependabot_alerts %} for any repository.{% endif %}
 
+{% data reusables.dependabot.quickstart-link %}
+
 {% ifversion fpt or ghec %}
 1. Click your profile photo, then click **Settings**.
 1. Click **Security & analysis**.
@@ -68,6 +70,7 @@ For more information, see "[AUTOTITLE](/code-security/supply-chain-security/unde
 
 For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts){% ifversion fpt or ghec %}" and "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account){% endif %}."
 
+
 ## Managing dependency review
 
 Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."

content/code-security/guides.md

@@ -24,6 +24,7 @@ includeGuides:
   - /code-security/getting-started/github-security-features
   - /code-security/getting-started/securing-your-organization
   - /code-security/getting-started/securing-your-repository
+  - /code-security/getting-started/dependabot-quickstart-guide
   - /code-security/getting-started/auditing-security-alerts
   - /code-security/secret-scanning/about-secret-scanning
   - /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories

content/repositories/creating-and-managing-repositories/transferring-a-repository.md

@@ -34,7 +34,7 @@ Prerequisites for repository transfers:
 - Internal repositories can't be transferred.{% endif %}
 - Private forks can't be transferred.
 {%- ifversion ghec %}
-- You cannot transfer an internal repository from an organization owned by one enterprise account to an organization owned by a different enterprise account.
+- Internal repositories can only be transferred to an organization in the enterprise. You cannot transfer an internal repository from an organization owned by one enterprise account to an organization owned by a different enterprise account.
 {%- endif %}
 
 {% ifversion fpt or ghec %}If you transfer a private repository to a {% data variables.product.prodname_free_user %} user or organization account, the repository will lose access to features like protected branches and {% data variables.product.prodname_pages %}. {% data reusables.gated-features.more-info %}{% endif %}

data/reusables/dependabot/navigate-to-dependabot-alerts.md

@@ -0,0 +1,3 @@
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+{% data reusables.repositories.sidebar-dependabot-alerts %}

data/reusables/dependabot/quickstart-link.md

@@ -0,0 +1,2 @@
+{% ifversion fpt or ghec or ghes %}
+For an overview of the different features offered by {% data variables.product.prodname_dependabot %} and instructions on how to get started, see "[AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide)."{% endif %}