diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index df2ff6b8da..25c19e04ad 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md @@ -75,9 +75,9 @@ Security overview shows which security features are enabled for the repository, ## Available for free public repositories -### {% data variables.secret-scanning.partner_alerts_caps %} +### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." {% ifversion secret-scanning-push-protection-for-users %} @@ -87,6 +87,10 @@ Push protection for users automatically protects you from accidentally committin {% endif %} +### {% data variables.secret-scanning.partner_alerts_caps %} + +Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." + {% endif %} ## Available with {% data variables.product.prodname_GH_advanced_security %} diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index d7c3f7f1a3..61216b21d4 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md @@ -99,20 +99,21 @@ For more information about non-provider patterns, see "{% ifversion fpt or ghec {% endif %} -{% ifversion fpt %} +{% ifversion secret-scanning-enable-by-default-for-public-repos %} -## Enabling {% data variables.secret-scanning.user_alerts %} for all your public repositories +## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories -You can enable {% data variables.secret-scanning.user_alerts %} for all of your public repositories through your personal account settings. +You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. +{% note %} + +**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". + +{% endnote %} {% data reusables.user-settings.access_settings %} {% data reusables.user-settings.security-analysis %} 1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. - - ![Screenshot of the setting options for "{% data variables.product.prodname_secret_scanning_caps %}" on the personal account settings page. The options "Enable all" and "Disable all" are highlighted with an orange outline.](/assets/images/help/repository/secret-scanning-personal-account-settings-enable-all.png) -1. Optionally, to automatically enable {% data variables.product.prodname_secret_scanning %} for any new public repositories that you create, below "{% data variables.product.prodname_secret_scanning_caps %}", select the checkbox for "Automatically enable for new public repositories." - - ![Screenshot of the setting options for "{% data variables.product.prodname_secret_scanning_caps %}" on the personal account settings page. The option "Automatically enable for new public repositories" is highlighted with an orange outline.](/assets/images/help/repository/secret-scanning-personal-account-settings-auto-enable.png) +{% data reusables.secret-scanning.push-protection-optional-enable %} {% endif %} diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index 4448ecc826..3e986eda36 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md @@ -60,6 +60,12 @@ For you to use {% data variables.product.prodname_secret_scanning %} as a push p Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. +{% ifversion secret-scanning-enable-by-default-for-public-repos %} + +You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)." + +{% endif %} + {% ifversion secret-scanning-enterprise-level-api %} Enterprise administrators can also enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for the enterprise via the API. For more information, see "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis)."{% endif %} diff --git a/content/get-started/learning-about-github/about-github-advanced-security.md b/content/get-started/learning-about-github/about-github-advanced-security.md index cae9821189..cae5ca51cd 100644 --- a/content/get-started/learning-about-github/about-github-advanced-security.md +++ b/content/get-started/learning-about-github/about-github-advanced-security.md @@ -36,7 +36,7 @@ A {% data variables.product.prodname_GH_advanced_security %} license provides th - **{% data variables.product.prodname_code_scanning_caps %}** - Search for potential security vulnerabilities and coding errors in your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." -- **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %} private repositories{% else %} the repository{% endif %}. {% ifversion fpt%}{% data variables.secret-scanning.user_alerts_caps %} and {% data variables.secret-scanning.partner_alerts %} are available and free of charge for public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %}{% ifversion secret-scanning-push-protection %} If push protection is enabled, also detects secrets when they are pushed to your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."{% else %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."{% endif %} +- **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %}private repositories{% else %} the repository{% endif %}.{% ifversion secret-scanning-push-protection %} If push protection is enabled, {% data variables.product.prodname_dotcom %} also detects secrets when they are pushed to your repository. {% ifversion secret-scanning-enable-by-default-for-public-repos %}{% data variables.secret-scanning.user_alerts_caps %} and push protection are available and free of charge for all {% ifversion ghec %}user-owned {% endif %}public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."{% else %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."{% endif %} {% ifversion dependabot-auto-triage-rules %} diff --git a/data/features/secret-scanning-enable-by-default-for-public-repos.yml b/data/features/secret-scanning-enable-by-default-for-public-repos.yml new file mode 100644 index 0000000000..09a8566a0b --- /dev/null +++ b/data/features/secret-scanning-enable-by-default-for-public-repos.yml @@ -0,0 +1,5 @@ +# Reference: #13800. +# Secret scanning is automatically enabled on all new public repositories - [GA] +versions: + fpt: '*' + ghec: '*' diff --git a/data/reusables/gated-features/push-protection-for-repos.md b/data/reusables/gated-features/push-protection-for-repos.md index c09091b52d..113be5f27f 100644 --- a/data/reusables/gated-features/push-protection-for-repos.md +++ b/data/reusables/gated-features/push-protection-for-repos.md @@ -1,6 +1,6 @@ {%- ifversion fpt or ghec %} -Push protection for repositories and organizations is available for free on all public repositories. Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable push protection on their private and internal repositories. +Push protection for repositories and organizations is available for {% ifversion ghec %}user-owned {% endif %}public repositories for free. Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable push protection on their private and internal repositories. {%- elsif ghes %} Push protection is available for organization-owned repositories in {% data variables.product.product_name %} if your enterprise has a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %} diff --git a/data/reusables/gated-features/push-protection-users-and-repos.md b/data/reusables/gated-features/push-protection-users-and-repos.md index 59ed49c99a..1ad4a05bdc 100644 --- a/data/reusables/gated-features/push-protection-users-and-repos.md +++ b/data/reusables/gated-features/push-protection-users-and-repos.md @@ -5,7 +5,7 @@ Push protection for users is on by default and can be disabled in your personal {%- endif %} -Push protection for repositories and organizations is available for free on all public repositories. Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable push protection on their private and internal repositories. +Push protection for repositories and organizations is available for {% ifversion ghec %}user-owned {% endif %}public repositories for free. Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable push protection on their private and internal repositories. {%- elsif ghes %} Push protection is available for organization-owned repositories in {% data variables.product.product_name %} if your enterprise has a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %} diff --git a/data/reusables/gated-features/secret-scanning.md b/data/reusables/gated-features/secret-scanning.md index 6af8c0197b..c252367745 100644 --- a/data/reusables/gated-features/secret-scanning.md +++ b/data/reusables/gated-features/secret-scanning.md @@ -1,7 +1,7 @@ {%- ifversion fpt or ghec %} {% data variables.secret-scanning.partner_alerts_caps %} runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on {% data variables.product.prodname_dotcom_the_website %}. -{% data variables.secret-scanning.user_alerts_caps %} are available for free on all public repositories. Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable {% data variables.secret-scanning.user_alerts %} on their private and internal repositories. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} +{% data variables.secret-scanning.user_alerts_caps %} are available for {% ifversion ghec %}user-owned {% endif %}public repositories for free. Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable {% data variables.secret-scanning.user_alerts %} on their private and internal repositories. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} {%- elsif ghes %} {% data variables.product.prodname_secret_scanning_caps %} is available for organization-owned repositories{% ifversion secret-scanning-user-owned-repos %}, and in beta for user-owned repositories{% endif %} in {% data variables.product.product_name %} if your enterprise has a license for {% data variables.product.prodname_GH_advanced_security %}. diff --git a/data/reusables/secret-scanning/push-protection-optional-enable.md b/data/reusables/secret-scanning/push-protection-optional-enable.md new file mode 100644 index 0000000000..adde12b600 --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-optional-enable.md @@ -0,0 +1,7 @@ +{% ifversion secret-scanning-push-protection %} + +1. Optionally, if you want to enable push protection, click **Enable** to the right of "Push protection." {% data reusables.secret-scanning.push-protection-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." + + ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section. The "Enable" button is highlighted in a dark orange outline in the "Push protection" section.](/assets/images/help/repository/secret-scanning-enable-push-protection.png) + +{% endif %}