From 392432d7a2bc091810c28f044eea465baf7439e8 Mon Sep 17 00:00:00 2001
From: Martin Lopes <martin389@github.com>
Date: Fri, 18 Mar 2022 16:31:12 +1000
Subject: [PATCH 1/3] Fixes broken links (#26308)

---
 .../working-with-the-rubygems-registry.md                       | 2 +-
 data/product-examples/code-security/code-examples.yml           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/packages/working-with-a-github-packages-registry/working-with-the-rubygems-registry.md b/content/packages/working-with-a-github-packages-registry/working-with-the-rubygems-registry.md
index b3a5b600b9..01a56b4478 100644
--- a/content/packages/working-with-a-github-packages-registry/working-with-the-rubygems-registry.md
+++ b/content/packages/working-with-a-github-packages-registry/working-with-the-rubygems-registry.md
@@ -136,7 +136,7 @@ You can use gems from {% data variables.product.prodname_registry %} much like y
   end
   ```
 
-3. For Bundler versions earlier than 1.7.0, you need to add a new global `source`. For more information on using Bundler, see the [bundler.io documentation](http://bundler.io/v1.5/gemfile.html).
+3. For Bundler versions earlier than 1.7.0, you need to add a new global `source`. For more information on using Bundler, see the [bundler.io documentation](https://bundler.io/gemfile.html).
 
   ```ruby
   source "https://{% ifversion fpt or ghec %}rubygems.pkg.github.com{% else %}REGISTRY-URL{% endif %}/OWNER"
diff --git a/data/product-examples/code-security/code-examples.yml b/data/product-examples/code-security/code-examples.yml
index 4a9dc89aaa..5296f72264 100644
--- a/data/product-examples/code-security/code-examples.yml
+++ b/data/product-examples/code-security/code-examples.yml
@@ -21,7 +21,7 @@
 # Security policies
 - title: Microsoft security policy template
   description: Example security policy
-  href: https://github.com/microsoft/repo-templates/blob/main/shared/SECURITY.md
+  href: /microsoft/repo-templates/blob/main/shared/SECURITY.md
   tags:
     - Security policy
 - title: Electron security policy

From 1be8da450ae440f44e0a7ef66964b8da898a9a71 Mon Sep 17 00:00:00 2001
From: hubwriter <hubwriter@github.com>
Date: Fri, 18 Mar 2022 09:23:08 +0000
Subject: [PATCH 2/3] Change publisher of open-reusables extension

Changed publisher to AlistairChristie to pick up the extension from the VS Code Marketplace: https://marketplace.visualstudio.com/items?itemName=AlistairChristie.open-reusables
---
 .devcontainer/devcontainer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index ab835f2098..e8dc09b104 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -22,7 +22,7 @@
 		"davidanson.vscode-markdownlint",
 		"bierner.markdown-preview-github-styles",
 		"streetsidesoftware.code-spell-checker",
-		"docs.open-reusables"
+		"alistairchristie.open-reusables"
 	],
 
 	// Use 'forwardPorts' to make a list of ports inside the container available locally.

From 28a7ce3fcbeef1babbe2ec64af142c5a1a6d8d55 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 18 Mar 2022 10:30:41 +0000
Subject: [PATCH 3/3] Add overview article about supply chain security (#25835)

* add overview article
---
 .../about-dependabot-alerts.md                |   1 -
 .../about-supply-chain-security.md            | 156 ++++++++++++++++++
 .../index.md                                  |   1 +
 ...analysis-settings-for-your-organization.md |   4 +-
 4 files changed, 159 insertions(+), 3 deletions(-)
 create mode 100644 content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md

diff --git a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md
index 9545862ba4..da996b60cc 100644
--- a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md
+++ b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md
@@ -7,7 +7,6 @@ redirect_from:
   - /github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
   - /code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies
   - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
-  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies
 versions:
   fpt: '*'
   ghes: '*'
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
new file mode 100644
index 0000000000..6ff3e6e9ed
--- /dev/null
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
@@ -0,0 +1,156 @@
+---
+title: About supply chain security
+intro: '{% data variables.product.product_name %} helps you secure your supply chain, from understanding the dependencies in your environment, to knowing about vulnerabilities in those dependencies{% ifversion fpt or ghec or ghes > 3.2 %}, and patching them{% endif %}.'
+miniTocMaxHeadingLevel: 3
+shortTitle: Supply chain security
+redirect_from:
+  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghae: issue-4864
+  ghec: '*'
+type: overview
+topics:
+  - Advanced Security
+  - Dependency review
+  - Dependency graph
+  - Vulnerabilities
+  - Dependencies
+  - Pull requests
+  - Repositories
+---
+
+## About supply chain security at GitHub
+
+With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerabilities.
+
+You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively, that is, even if you don’t specify a particular dependency, but a dependency of yours uses it, then you’re also dependent on that dependency.
+
+{% data variables.product.product_name %} offers a range of features to help you understand the dependencies in your environment{% ifversion ghes < 3.3 or ghae %} and know about vulnerabilities in those dependencies{% endif %}{% ifversion fpt or ghec or ghes > 3.2 %}, know about vulnerabilities in those dependencies, and patch them{% endif %}. 
+
+The supply chain features on {% data variables.product.product_name %} are:
+- **Dependency graph**
+{% ifversion fpt or ghec or ghes > 3.1 or ghae %}- **Dependency review**{% endif %}
+- **{% data variables.product.prodname_dependabot_alerts %} **
+{% ifversion fpt or ghec or ghes > 3.2 %}- **{% data variables.product.prodname_dependabot_updates %}**
+  - **{% data variables.product.prodname_dependabot_security_updates %}**
+  - **{% data variables.product.prodname_dependabot_version_updates %}**{% endif %}
+
+The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository. 
+
+{% ifversion fpt or ghec or ghes > 3.1 or ghae %}
+Other supply chain features on {% data variables.product.prodname_dotcom %} rely on the information provided by the dependency graph.
+
+- Dependency review uses the dependency graph to identify dependency changes and help you understand the security impact of these changes when you review pull requests.
+- {% data variables.product.prodname_dependabot %} cross-references dependency data provided by the dependency graph with the list of known vulnerabilities published in the {% data variables.product.prodname_advisory_database %}, scans your dependecies and generates {% data variables.product.prodname_dependabot_alerts %} when a potential vulnerability is detected.
+{% ifversion fpt or ghec or ghes > 3.2 %}- {% data variables.product.prodname_dependabot_security_updates %} use the dependency graph and  {% data variables.product.prodname_dependabot_alerts %} to help you update dependencies with known vulnerabilities in your repository.
+
+{% data variables.product.prodname_dependabot_version_updates %} don't use the dependency graph and rely on the semantic versioning of dependencies instead. {% data variables.product.prodname_dependabot_version_updates %} help you keep your dependencies updated, even when they don’t have any vulnerabilities.
+{% endif %}
+{% endif %}
+
+{% ifversion ghes < 3.2 %}
+{% data variables.product.prodname_dependabot %} cross-references dependency data provided by the dependency graph with the list of known vulnerabilities published in the {% data variables.product.prodname_advisory_database %}, scans your dependencies and generates {% data variables.product.prodname_dependabot_alerts %} when a potential vulnerability is detected.
+ {% endif %}
+
+## Feature overview
+
+### What is the dependency graph
+
+To generate the dependency graph, {% data variables.product.company_short %} looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.
+
+- The dependency graph includes information on your _direct_ dependencies and _transitive_ dependencies. 
+- The dependency graph is automatically updated when you push a commit to {% data variables.product.company_short %} that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
+- You can see the dependency graph by opening the repository's main page on {% data variables.product.product_name %}, and navigating to the **Insights** tab.
+
+For more information about the dependency graph, see "[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
+
+{% ifversion fpt or ghec or ghes > 3.1 or ghae %}
+### What is dependency review
+
+Dependency review helps reviewers and contributors understand dependency changes and their security impact in every pull request. 
+
+- Dependency review tells you which dependencies were added, removed, or updated, in a pull request. You can use the release dates, popularity of dependencies, and vulnerability information to help you decide whether to accept the change.
+- You can see the dependency review for a pull request by showing the rich diff on the **Files Changed** tab.
+
+For more information about dependency review, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."
+
+{% endif %}
+
+### What is Dependabot
+
+{% data variables.product.prodname_dependabot %} keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies{% ifversion fpt or ghec or ghes > 3.2 or ghae %}, and automatically opens pull requests to upgrade your dependencies to the next available secure version when a {% data variables.product.prodname_dependabot %} alert is triggered, or to the latest version when a release is published{% else %} so that you can update that dependency{% endif %}.
+
+{% ifversion fpt or ghec or ghes > 3.2 %}
+The term "{% data variables.product.prodname_dependabot %}" encompasses the following features:
+- {% data variables.product.prodname_dependabot_alerts %}—Displayed notification on the **Security** tab for the repository, and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
+- {% data variables.product.prodname_dependabot_updates %}:
+   - {% data variables.product.prodname_dependabot_security_updates %}—Triggered updates to upgrade your dependencies to a secure version when an alert is triggered.
+   - {% data variables.product.prodname_dependabot_version_updates %}—Scheduled updates to keep your dependencies up to date with the latest version.
+{% endif %}
+
+#### What are Dependabot alerts
+
+{% data variables.product.prodname_dependabot_alerts %} highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the {% data variables.product.prodname_advisory_database %}, which contains the versions on known vulnerability lists. 
+
+- {% data variables.product.prodname_dependabot %} performs a scan to detect vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %} when:
+{% ifversion fpt or ghec %}
+   - A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}.{% else %}
+   - New advisory data is synchronized to {% data variables.product.product_location %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
+   - The dependency graph for the repository changes. 
+- {% data variables.product.prodname_dependabot_alerts %} are displayed {% ifversion fpt or ghec or ghes > 3.0 %} on the **Security** tab for the repository and{% endif %} in the repository's dependency graph. The alert includes {% ifversion fpt or ghec or ghes > 3.0 %}a link to the affected file in the project, and {% endif %}information about a fixed version.
+
+For more information about {% data variables.product.prodname_dependabot_alerts %}, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)."
+
+{% ifversion fpt or ghec or ghes > 3.2 %}
+#### What are Dependabot updates
+
+There are two types of {% data variables.product.prodname_dependabot_updates %}: {% data variables.product.prodname_dependabot %} _security_ updates and _version_ updates. {% data variables.product.prodname_dependabot %} generates automatic pull requests to update your dependencies in both cases, but there are several differences.
+
+{% data variables.product.prodname_dependabot_security_updates %}:
+ - Triggered by a {% data variables.product.prodname_dependabot %} alert
+ - Update dependencies to the minimum version that resolves a known vulnerability
+ - Supported for ecosystems the dependency graph supports
+ 
+{% data variables.product.prodname_dependabot_version_updates %}:
+ - Run on a schedule you configure
+ - Update dependencies to the latest version that matches the configuration
+ - Supported for a different group of ecosystems
+
+For more information about {% data variables.product.prodname_dependabot_updates %}, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)" and "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates)."
+{% endif %}
+
+## Feature availability
+
+{% ifversion fpt or ghec %}
+
+Public repositories:
+- **Dependency graph**—enabled by default and cannot be disabled.
+- **Dependency review**—enabled by default and cannot be disabled.
+- **{% data variables.product.prodname_dependabot_alerts %}**—not enabled by default. {% data variables.product.prodname_dotcom %} detects vulnerable dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}. 
+  You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see "[Managing security and analysis settings for your user account](/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/managing-security-and-analysis-settings-for-your-user-account)" or "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
+
+Private repositories:
+- **Dependency graph**—not enabled by default. The feature can be enabled by repository administrators. For more information, see "[Exploring the dependencies of a repository](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)."
+{% ifversion fpt %}
+- **Dependency review**—available in private repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} and have a license for {% data variables.product.prodname_GH_advanced_security %}. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
+{% elsif ghec %}
+- **Dependency review**—available in private repositories owned by organizations provided you have a license for {% data variables.product.prodname_GH_advanced_security %} and the dependency graph enabled. For more information, see "[About {% data variables.product.prodname_GH_advanced_security %}](/get-started/learning-about-github/about-github-advanced-security)" and "[Exploring the dependencies of a repository](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)." 
+{% endif %}
+- **{% data variables.product.prodname_dependabot_alerts %}**—not enabled by default. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories.
+  You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see "[Managing security and analysis settings for your user account](/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/managing-security-and-analysis-settings-for-your-user-account)" or "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
+
+Any repository type:
+- **{% data variables.product.prodname_dependabot_security_updates %}**—not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
+- **{% data variables.product.prodname_dependabot_version_updates %}**—not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
+{% endif %}
+
+{% ifversion ghes or ghae %}
+- **Dependency graph** and **{% data variables.product.prodname_dependabot_alerts %}**—not enabled by default. Both features are configured at an enterprise level by the enterprise owner. For more information, see {% ifversion ghes %}"[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)" and {% endif %}"[Enabling {% data variables.product.prodname_dependabot %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)."
+- **Dependency review**—available when dependency graph is enabled for {% data variables.product.product_location %} and {% data variables.product.prodname_advanced_security %} is enabled for the organization or repository. For more information, see "[About {% data variables.product.prodname_GH_advanced_security %}](/get-started/learning-about-github/about-github-advanced-security)."
+{% endif %}
+{% ifversion ghes > 3.2 %}
+- **{% data variables.product.prodname_dependabot_security_updates %}**—not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
+- **{% data variables.product.prodname_dependabot_version_updates %}**—not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
+{% endif %}
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md
index d690614ed1..646c4e30f1 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md
@@ -11,6 +11,7 @@ topics:
   - Repositories
 shortTitle: Understand your supply chain
 children:
+  - /about-supply-chain-security
   - /about-the-dependency-graph
   - /about-dependency-review
   - /exploring-the-dependencies-of-a-repository
diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
index 67055d249c..61b87d6530 100644
--- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
+++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
@@ -163,5 +163,5 @@ You can manage access to {% data variables.product.prodname_GH_advanced_security
 
 - "[Securing your repository](/code-security/getting-started/securing-your-repository)"{% ifversion not fpt %}
 - "[About secret scanning](/github/administering-a-repository/about-secret-scanning)"{% endif %}{% ifversion not ghae %}
-- "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"{% endif %}{% ifversion fpt or ghec or ghes > 3.2 %}
-- "[Keeping your dependencies updated automatically](/github/administering-a-repository/keeping-your-dependencies-updated-automatically)"{% endif %}
\ No newline at end of file
+- "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"{% endif %}{% ifversion fpt or ghec or ghes or ghae-issue-4864 %}
+- "[About supply chain security](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)"{% endif %}