mirror of synced 2025-12-19 09:57:42 -05:00

GitHub Advanced Security security configuration - [GA] (#51474)

Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com>
Ben Ahmady
2024-07-10 22:39:40 +01:00
committed by GitHub
parent 23aa848114
commit bc2f7df0bb
43 changed files with 216 additions and 150 deletions

@@ -20,11 +20,7 @@ redirect_from:
You can use {% data variables.product.prodname_advanced_security %} features to harden security for the organizations in your enterprise. {% ifversion security-configurations %}{% data reusables.security-configurations.enable-security-features-with-gh-config %}
{% note %}
**Note:** {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
To manage individual {% data variables.product.prodname_GH_advanced_security %} features, {% else %}To streamline management of {% data variables.product.prodname_advanced_security %}, {% endif %}you can enable or disable each feature for all existing and/or new repositories within the organizations owned by your enterprise.
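Review bot: the bare `{% data reusables.security-configurations.security-configurations-beta-note-short %}` left in this hunk still renders for every version inside `{% ifversion security-configurations %}`, which for a GA commit includes the GA builds; unless that reusable is versioned internally, gate it with `{% ifversion security-configurations-beta-and-pre-beta %}` (the flag this commit uses for the "(beta)" heading in the pilot article) or remove it.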

@@ -40,11 +40,7 @@ If you want to use {% data variables.product.prodname_GH_advanced_security %} fe
{% ifversion security-configurations %}
{% data reusables.security-configurations.managing-GHAS-licenses %}
{% note %}
**Note:** {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endif %}
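Review bot: the beta note is kept unconditionally inside `{% ifversion security-configurations %}`, so GA readers will still see a beta disclaimer right after the licensing reusable; either version the note or drop it.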
@@ -61,11 +57,7 @@ You can make extra features for code security available to users by buying and u
{% ifversion security-configurations %}
{% data reusables.security-configurations.managing-GHAS-licenses %}
{% note %}
**Note:** {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endif %}
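Review bot: this block is identical to the one at line 40 of the same file (licensing reusable followed by the beta note), so the same gating problem applies; a single shared reusable for the pair would keep the two copies from drifting.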

@@ -18,13 +18,10 @@ Each license for {% data variables.product.prodname_GH_advanced_security %} spec
## Managing the number of committers in your subscription
{% ifversion security-configurations %}
{% note %}
**Note:** {% data reusables.security-configurations.managing-GHAS-licenses %}
{% data reusables.security-configurations.managing-GHAS-licenses %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% endif %}
{% data reusables.enterprise-accounts.access-enterprise %}
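Review bot: here the beta note is removed outright, whereas the other enterprise articles in this commit keep `security-configurations-beta-note-short` as a bare reusable; decide on one treatment for GA and apply it in every file. With the `{% note %}` wrapper gone, the `{% ifversion security-configurations %}` block now holds a single reusable, which is fine.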

@@ -33,6 +33,12 @@ Each license for {% data variables.product.prodname_GH_advanced_security %} spec
You can estimate the number of licenses your enterprise would need to purchase {% data variables.product.prodname_GH_advanced_security %} or to enable {% data variables.product.prodname_GH_advanced_security %} for additional organizations and repositories. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/viewing-committer-information-for-github-advanced-security)."
{% endif %}
{% ifversion security-configurations-ga %}
{% data reusables.security-configurations.managing-GHAS-licenses %}
{% endif %}
## Viewing {% data variables.product.prodname_GH_advanced_security %} license usage for your enterprise account
You can view the enterprise account's current {% ifversion ghas-billing-UI-update %}license{% endif %} limits and usage.
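Review bot: this adds a `security-configurations-ga` gated copy of `managing-GHAS-licenses` near the top of the article while the later hunk in this file still emits the same reusable under `{% ifversion security-configurations %}`; confirm that GA builds do not render the licensing text twice in one article.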
@@ -47,13 +53,8 @@ You can view the enterprise account's current {% ifversion ghas-billing-UI-updat
If you run out of licenses, the section will be red and show "Limit exceeded." You should either reduce your use of {% data variables.product.prodname_GH_advanced_security %} or purchase more licenses. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security#getting-the-most-out-of-github-advanced-security)" and "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/managing-your-github-advanced-security-licensing)."
{% ifversion security-configurations %}
{% note %}
**Note:** {% data reusables.security-configurations.managing-GHAS-licenses %}
{% data reusables.security-configurations.managing-GHAS-licenses %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% endif %}
{% elsif ghes %}
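Review bot: the beta note is dropped in this hunk but survives as a bare reusable in the next hunk of the same file; in a GA change both places should get the same treatment.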
@@ -83,13 +84,10 @@ You can view the enterprise account's current {% ifversion ghas-billing-UI-updat
For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% ifversion security-configurations %}
{% note %}
**Note:** {% data reusables.security-configurations.managing-GHAS-licenses %}
{% data reusables.security-configurations.managing-GHAS-licenses %}
> {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% endif %}
{% endif %}
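Review bot: `security-configurations-beta-note-short` is kept here (the stray `>`-prefixed copy is replaced by a bare one) even though the hunk above in this same file removes it; pick one, and if it stays, gate it on `security-configurations-beta-and-pre-beta` so GA builds do not show a beta note.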

@@ -33,15 +33,11 @@ You need to enable GHAS for each pilot project, either by enabling the GHAS feat
{% ifversion security-configurations %}
## Piloting all {% data variables.product.prodname_GH_advanced_security %} features (beta)
## Piloting all {% data variables.product.prodname_GH_advanced_security %} features {% ifversion security-configurations-beta-and-pre-beta %}(beta){% endif %}
{% data reusables.security-configurations.enable-security-features-with-gh-config %}
{% note %}
**Note:** {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endif %}
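Review bot: the heading now shows "(beta)" only for `security-configurations-beta-and-pre-beta`, but the beta note reusable just below it is unconditional within `{% ifversion security-configurations %}`; gate the note with the same flag as the heading so the two cannot disagree on GA.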
@@ -86,7 +82,15 @@ To enable secret scanning for your {% data variables.product.prodname_ghe_server
{% endif %}
You need to enable secret scanning for each pilot project, either by enabling the feature for each repository or for all repositories in any organizations taking part in the project. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% ifversion security-configurations-ga %}
You need to enable {% data variables.product.prodname_secret_scanning %} for each pilot project. You can do this with the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)."
{% else %}
You need to enable {% data variables.product.prodname_secret_scanning %} for each pilot project, either by enabling the feature for each repository or for all repositories in any organizations taking part in the project. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% endif %}
Next, enable push protection for each pilot project.
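Review bot: the GA branch drops the option of enabling secret scanning per repository that the `{% else %}` branch still describes; if repository-level enablement remains available on GA, keep the repository settings link alongside the security configuration links so a single-repository pilot is still covered.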

@@ -16,13 +16,11 @@ This article is part of a series on adopting {% data variables.product.prodname_
{% endnote %}
{% ifversion security-configurations %}
{% note %}
**Note:** {% data reusables.security-configurations.enable-security-features-with-gh-config %}
{% data reusables.security-configurations.enable-security-features-with-gh-config %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% endif %}
## Enabling code scanning
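Review bot: the beta note is kept bare inside `{% ifversion security-configurations %}` directly after the enable-with-gh-config reusable; for GA it needs the `security-configurations-beta-and-pre-beta` gate or removal, otherwise GA readers of the code scanning adoption article still see a beta disclaimer.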

@@ -18,13 +18,11 @@ This article is part of a series on adopting {% data variables.product.prodname_
You can enable secret scanning for individual repositories or for all repositories in an organization or enterprise. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)", "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)", or "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)."
{% ifversion security-configurations %}
{% note %}
**Note:** {% data reusables.security-configurations.enable-security-features-with-gh-config %}
{% data reusables.security-configurations.enable-security-features-with-gh-config %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% endif %}
This article explains a high-level process focusing on enabling {% data variables.product.prodname_secret_scanning %} for all repositories in an organization. The principles described in this article can still be applied even if you take a more staggered approach of enabling {% data variables.product.prodname_secret_scanning %} for individual repositories.
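Review bot: same as in the code scanning adoption article: the bare `security-configurations-beta-note-short` still renders on GA within `{% ifversion security-configurations %}`; gate it or drop it.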

@@ -20,7 +20,8 @@ versions:
With default setup for {% data variables.product.prodname_code_scanning %}, you can quickly secure code in repositories across your organization.
You can use the organization settings page labeled "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for all repositories in your organization that are eligible for default setup. After enabling default setup, the code written in {% data variables.product.prodname_codeql %}-supported languages in repositories in the organization will be scanned:
You can enable {% data variables.product.prodname_code_scanning %} for all repositories in your organization that are eligible for default setup. After enabling default setup, the code written in {% data variables.product.prodname_codeql %}-supported languages in repositories in the organization will be scanned:
* On each push to the repository's default branch, or any protected branch. For more information on protected branches, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)."
* When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks.{% ifversion default-setup-scan-on-schedule %}
* On a weekly schedule.{% endif %}
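Review bot: after the rewrite the intro no longer says where code scanning is enabled; that is right for GA, where the security configuration link appears later, but `security-configurations-beta-and-pre-beta` readers lose the pointer to the "Code security and analysis" page until the "Configuring default setup for all eligible repositories" section; consider versioning this sentence as well.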
@@ -73,6 +74,8 @@ If the code in a repository changes to include {% ifversion code-scanning-defaul
## Configuring default setup for all eligible repositories in an organization
{% ifversion security-configurations-ga %} You can enable default setup for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% elsif security-configurations-beta-and-pre-beta %}
Through the "Code security and analysis" page of your organization's settings, you can enable default setup for all eligible repositories in your organization. For more information on repository eligibility, see "[Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale](#eligible-repositories-default-setup)."
{% data reusables.code-scanning.beta-org-enable-all %}
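Review bot: style: the `{% ifversion security-configurations-ga %}` tag and its sentence share one line, while the `{% elsif %}` below and the other gated blocks in this file put the tag on its own line; split it for consistency with the rest of the file.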
@@ -100,6 +103,8 @@ Through the "Code security and analysis" page of your organization's settings, y
{% endnote %}
{% endif %}
{% ifversion codeql-model-packs-org %}
### Extending {% data variables.product.prodname_codeql %} coverage in default setup
@@ -111,6 +116,12 @@ Through the "Code security and analysis" page of your organization's settings, y
## Configuring default setup for a subset of repositories in an organization
{% ifversion security-configurations-ga %}
You can filter for specific repositories you would like to configure default setup for. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/applying-a-custom-security-configuration)."
{% endif %}
Through security overview for your organization, you can find eligible repositories for default setup, then enable default setup across each of those repositories simultaneously. For more information on repository eligibility, see "[Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale](#eligible-repositories-default-setup)."
### Finding repositories that are eligible for default setup
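Review bot: in GA builds this hunk renders the new filtering paragraph and then the unchanged "Through security overview for your organization..." paragraph back to back, and they describe two different flows; either confirm the security overview flow is still the documented GA path, or move the old paragraph into a `{% elsif security-configurations-beta-and-pre-beta %}` branch as was done earlier in this file.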
@@ -140,6 +151,8 @@ Through security overview for your organization, you can find eligible repositor
- The repositories do not have {% data variables.product.prodname_GH_advanced_security %} enabled.
{%- endif %}
{% ifversion security-configurations-beta-and-pre-beta %}
You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for them all at the same time. For more information, see step 5 of "[Configuring default setup at scale for multiple repositories in an organization](#configuring-default-setup-at-scale-for-multiple-repositories-in-an-organization)."
### Configuring default setup at scale for multiple repositories in an organization
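Review bot: wrapping this block in `security-configurations-beta-and-pre-beta` removes the "Configuring default setup at scale for multiple repositories in an organization" section, and its anchor, from GA builds; check that no other page and no unversioned text on this page still links to `#configuring-default-setup-at-scale-for-multiple-repositories-in-an-organization`.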
@@ -178,6 +191,8 @@ You can select all of the displayed repositories, or a subset of them, and enabl
{% endif %}
{% endif %}
{% ifversion code-scanning-merge-protection-rulesets %}
{% ifversion ghes or ghec %}

@@ -44,14 +44,13 @@ Note that disabling autofix at the organization level will remove all open autof
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For more information on {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization)."
{% endif %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
1. Under the "{% data variables.product.prodname_code_scanning_caps %}" section, deselect **Autofix for {% data variables.product.prodname_codeql %}**.
For more information about configuring global {% data variables.product.prodname_code_scanning %} settings, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-code-scanning-settings)."
## Disabling autofix for a repository
If autofix is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable autofix for a repository. Disabling autofix at the repository level will remove all open autofix comments from all open pull requests across the repository.

@@ -118,7 +118,11 @@ For more information about {% data variables.product.prodname_codeql %} model pa
{% data reusables.profile.access_org %}
{% data reusables.organizations.org_settings %}
{% ifversion security-configurations-beta-and-pre-beta %}
1. Click **Code security and analysis**.
{% else %}
1. Click **Code security** then **Global settings**.
{% endif %}
1. Find the "{% data variables.product.prodname_code_scanning_caps %}" section.
1. Next to "Expand {% data variables.product.prodname_codeql %} analysis", click **Configure**.
1. Enter references to the published model packs you want to use, one per line, then click **Save**.
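Review bot: the `{% else %}` branch shows "Code security" then "Global settings" for every version that is not `security-configurations-beta-and-pre-beta`, including any version with no security configurations at all; if this page also ships to such versions, use `{% elsif security-configurations-ga %}` for the new navigation and keep the old step as the fallback.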

@@ -83,6 +83,10 @@ An enterprise owner must first set up {% data variables.product.prodname_dependa
## Managing {% data variables.product.prodname_dependabot_alerts %} for your organization
{% ifversion security-configurations-ga %} You can enable {% data variables.product.prodname_dependabot_alerts %} for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% elsif security-configurations-beta-and-pre-beta %}
You can enable or disable {% data variables.product.prodname_dependabot_alerts %} for some or all repositories owned by your organization. {% data reusables.security.note-securing-your-org %}
{% ifversion dependabot-alerts-ghes-enablement %}
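Review bot: style: the `{% ifversion security-configurations-ga %}` tag shares a line with its sentence while the surrounding file puts Liquid tags on their own lines; split it, and note that the matching `{% endif %}` for this if/elsif lands two hunks further down, so the whole "Managing Dependabot alerts for your organization" procedure is now beta-only.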
@@ -102,7 +106,7 @@ You can use the organization settings page for "Code security and analysis" to e
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling {% data variables.product.prodname_dependabot_alerts %} and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
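Review bot: the callout's gate changes from `security-configurations` to `security-configurations-beta-only`, a flag that appears in this commit only in these callouts; confirm it is defined in the feature-flag data and is a strict subset of the enclosing `security-configurations-beta-and-pre-beta` branch, otherwise the callout can render outside its section.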
@@ -110,6 +114,8 @@ You can use the organization settings page for "Code security and analysis" to e
1. Optionally, to enable {% data variables.product.prodname_dependabot_alerts %} by default for new repositories in your organization, in the dialog box, select "Enable by default for new repositories".
1. Click **Disable {% data variables.product.prodname_dependabot_alerts %}** or **Enable {% data variables.product.prodname_dependabot_alerts %}** to disable or enable {% data variables.product.prodname_dependabot_alerts %} for all the repositories in your organization.
{% endif %}
{% ifversion dependabot-alerts-enterprise-enablement or ghes %}
## Managing {% data variables.product.prodname_dependabot_alerts %} for your enterprise

@@ -79,6 +79,10 @@ For more information about enabling or disabling {% data variables.product.prodn
## Adding {% data variables.dependabot.custom_rules %} to your organization
{% ifversion security-configurations-ga %} You can add {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules)."
{% elsif security-configurations-beta-and-pre-beta %}
{% note %}
**Note:** During the public beta, you can create up to 25 {% data variables.dependabot.custom_rules %} for your organization.
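Review bot: "add custom rules for all eligible repositories in your organization" is carried over from the Dependabot alerts wording, but auto-triage rules are organization-level rules rather than a per-repository enablement, so "eligible repositories" does not fit; say that the rules apply to the organization's repositories and point at the global settings page, as the link already does.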
@@ -89,7 +93,7 @@ For more information about enabling or disabling {% data variables.product.prodn
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on adding {% data variables.dependabot.auto_triage_rules %} to your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules)."
{% endif %}
@@ -106,6 +110,8 @@ For more information about enabling or disabling {% data variables.product.prodn
* Select **Open a pull request to resolve this alert** if you want {% data variables.product.prodname_dependabot %} to suggest changes to resolve alerts that match the metadata. Note that this option is unavailable if you have selected the option to dismiss the alerts indefinitely.
{% data reusables.dependabot.dependabot-alert-rules-click-create-rule %}
{% endif %}
## Editing or deleting {% data variables.dependabot.custom_rules %} for your repository
{% data reusables.repositories.navigate-to-repo %}
@@ -118,11 +124,15 @@ For more information about enabling or disabling {% data variables.product.prodn
## Editing or deleting {% data variables.dependabot.custom_rules %} for your organization
{% ifversion security-configurations-ga %} You can edit or delete {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules)."
{% elsif security-configurations-beta-and-pre-beta %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on editing or deleting {% data variables.dependabot.auto_triage_rules %} in your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules)."
{% endif %}
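Review bot: same wording issue as in the "Adding" section: "edit or delete custom rules for all eligible repositories" misdescribes organization-level rules, and the tag and sentence share a line here again.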
@@ -130,3 +140,5 @@ For more information about enabling or disabling {% data variables.product.prodn
1. Under "Organization rules", to the right of the rule that you want to edit or delete, click {% octicon "pencil" aria-label="Edit custom rule" %}.
{% data reusables.dependabot.custom-alert-rules-edit-rule %}
{% data reusables.dependabot.custom-alert-rules-delete-rule %}
{% endif %}

@@ -88,19 +88,24 @@ Repository administrators can enable or disable grouped security updates for the
### Enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} for an organization
{% ifversion security-configurations-ga %} You can enable grouped {% data variables.product.prodname_dependabot_security_updates %} into a single pull request. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#grouping-dependabot-security-updates)."
{% elsif security-configurations-beta-and-pre-beta %}
Organization owners can enable or disable grouped security updates for all repositories in their organization. However, repository administrators within the organization can update the settings for their repositories to override the default organization settings. {% data reusables.dependabot.dependabot-grouped-security-updates-yaml-override %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} in your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#grouping-dependabot-security-updates)."
{% endif %}
1. Under "Code security and analysis", to the right of "Grouped security updates", click **Disable all** or **Enable all**.
1. Optionally, to enable grouped {% data variables.product.prodname_dependabot_security_updates %} for new repositories in your organization, select **Automatically enable for new repositories**.
{% endif %}
{% endif %}
## Overriding the default behavior with a configuration file
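Review bot: grammar in the GA sentence: "enable grouped Dependabot security updates into a single pull request" does not parse; write "enable grouping of Dependabot security updates into a single pull request" or "enable grouped Dependabot security updates, which combine updates into a single pull request".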

@@ -67,7 +67,9 @@ You can manage {% data variables.product.prodname_dependabot %} on {% data varia
### Enabling or disabling for your organization
You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for all existing repositories in an organization. Only repositories with the following configuration will be updated to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} the next time a {% data variables.product.prodname_dependabot %} job is triggered.
You can enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for all existing repositories in an organization.
Only repositories with the following configuration will be updated to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} the next time a {% data variables.product.prodname_dependabot %} job is triggered.
* {% data variables.product.prodname_dependabot %} is enabled in the repository.
* {% data variables.product.prodname_actions %} is enabled in the repository.
@@ -76,13 +78,11 @@ If a repository in your organization has {% data variables.product.prodname_depe
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
1. Under "Code security", select "Global settings".
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on Actions runners" to enable the feature or deselect to disable it.
For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#enabling-dependency-updates-on-github-actions-runners)."
## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %}
If you run into {% data variables.product.prodname_dependabot %} timeouts and out-of-memory errors, you may want to use {% data variables.actions.hosted_runners %}, as you can configure these runners to have more resources.

@@ -86,15 +86,13 @@ You can manage {% data variables.product.prodname_dependabot %} on self-hosted r
### Enabling or disabling for your organization
You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_dependabot %} on self-hosted runners for all existing {% ifversion ghec %}private or internal{% else %}private{% endif %} repositories in an organization. Only repositories already configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} will be updated to run {% data variables.product.prodname_dependabot %} on self-hosted runners the next time a {% data variables.product.prodname_dependabot %} job is triggered.
You can enable {% data variables.product.prodname_dependabot %} on self-hosted runners for all existing {% ifversion ghec %}private or internal{% else %}private{% endif %} repositories in an organization. Only repositories already configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} will be updated to run {% data variables.product.prodname_dependabot %} on self-hosted runners the next time a {% data variables.product.prodname_dependabot %} job is triggered.
> [!NOTE] You need to enable self-hosted runners for your organization if you use {% data variables.actions.hosted_runners %}. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners)."
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling {% data variables.product.prodname_dependabot %} on self-hosted runners and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
1. Under "Code security", select "Global settings".
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on self-hosted runners" to enable the feature or deselect to disable it. This action enables or disables the feature for all new repositories in the organization.
For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization)."
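Review bot: the rewritten intro says the setting applies to "all existing ... repositories in an organization", but the unchanged final step says "This action enables or disables the feature for all new repositories in the organization"; one of the two is wrong for the Global settings toggle, so align them (the equivalent step in the Actions-runners article makes no such claim).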

@@ -49,16 +49,19 @@ There are some features you must configure for each repository individually. For
## Enabling security features in your organization
{% ifversion security-configurations-ga %}
You can use {% data variables.product.prodname_security_configurations %} to enable security features using the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)."
{% elsif security-configurations-beta-and-pre-beta %}
When you have decided to enable a security feature, the next step is to decide how to roll out that feature across your organization.
{% ifversion security-configurations %}
* If you want to enable multiple security features at scale, you can use the {% data variables.product.prodname_github_security_configuration %}, a collection of security enablement settings you can apply to repositories in your organization. See "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)."
{% note %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
**Note:** {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% endif %}
* If you want to roll out a {% ifversion security-configurations %}single {% endif %}feature as quickly as possible, you can enable it for all eligible repositories at once. For more information, see "[Enabling a feature for all repositories](#enabling-a-feature-for-all-repositories)."
* If you want control over how quickly you roll out a feature, and which features are enabled in which repositories, you can enable a feature for a selection of repositories. For more information, see "[Enabling a feature for a selection of repositories](#enabling-a-feature-for-a-selection-of-repositories)."
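Review bot: the `{% ifversion security-configurations-ga %}` / `{% elsif security-configurations-beta-and-pre-beta %}` pair opened at the top of this hunk has no `{% endif %}` within the hunk, and the existing `{% ifversion security-configurations %}` block around the beta note now sits inside the `elsif` branch; double-check that the closing `{% endif %}` for the new outer conditional lands after the two rollout bullets rather than before them, otherwise the bullets also render in the GA branch where the first sentence already directs readers to security configurations. Dropping the `{% note %}` / `**Note:**` wrapper around `reusables.security-configurations.security-configurations-beta-note-short` assumes that reusable now supplies its own callout markup; worth confirming, since the visible line is just the bare include.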
@@ -129,6 +132,8 @@ You can choose to enable a security feature automatically in all new repositorie
![Screenshot of the "Code security and analysis" page. Below "Dependabot alerts", a checkbox for enabling the feature in future repositories is highlighted with an orange outline.](/assets/images/help/security/enable-for-new-repos.png)
{% endif %}
## Monitoring the impact of security features
When you have enabled a feature, you should communicate with repository administrators and contributors in your organization to assess the impact of the feature. You may need to adjust the configuration of some features at the repository level, or reassess the distribution of security features across your organization. You should also monitor the security alerts that a feature generates, and your members' responses to these alerts.

View File

@@ -107,18 +107,28 @@ aAAAe9
## Defining a custom pattern for an organization
Before defining a custom pattern, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
Before defining a custom pattern, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. {% ifversion security-configurations-ga %} You can use {% data variables.product.prodname_security_configurations %} to enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization using the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)."{% else %}
To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% endif %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.organizations.security-and-analysis %}
{% else %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
{% endif %}
{% ifversion security-configurations %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on defining a custom pattern for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)."
{% endif %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-new-custom-pattern %}
{% else %}
1. Find "{% data variables.product.prodname_GH_advanced_security %}."
{% endif %}
{% data reusables.advanced-security.secret-scanning-new-custom-pattern-org %}
{% data reusables.advanced-security.secret-scanning-add-custom-pattern-details %}
{%- ifversion custom-pattern-dry-run-ga %}
1. When you're ready to test your new custom pattern, to identify matches in select repositories without creating alerts, click **Save and dry run**.
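Review bot: the new paragraph starting `{% ifversion security-configurations-ga %} You can use ...` has a space immediately after the opening tag, so the GA rendering begins with a stray leading space; move the space before the tag or drop it. Style: the `{% ifversion security-configurations-beta-and-pre-beta %} ... {% else %} ... {% endif %}` block around `reusables.organizations.security-and-analysis` and the second one around `reusables.repositories.navigate-to-ghas-settings` test the same flag with only the `security-configurations-beta-only` callout between them; nest that callout inside the first branch and merge the two blocks, which also removes the duplicated literal "Global settings" step.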

View File

@@ -31,14 +31,8 @@ topics:
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For detail on using the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}, reference the following steps in this procedure. For more information on configuring {% data variables.product.prodname_global_settings %} for your organization, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization)."
{% endif %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-new-custom-pattern %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
{% data reusables.advanced-security.secret-scanning-new-custom-pattern-org %}
{% data reusables.advanced-security.secret-scanning-generate-regular-expression-custom-pattern %}
1. When you're ready to test your new custom pattern, to identify matches in selected repositories without creating alerts, click **Save and dry run**.
{% data reusables.advanced-security.secret-scanning-dry-run-select-repos %}
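Review bot: after this hunk the "click **Code security** then **Global settings**" step is unconditional, with no `{% ifversion security-configurations-beta-and-pre-beta %}` fallback to `reusables.organizations.security-and-analysis` and `reusables.repositories.navigate-to-ghas-settings` of the kind the other custom-pattern hunks in this commit keep; either the article's `versions` frontmatter must already restrict it to releases that have the "Global settings" page, or the same conditional is needed here.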

View File

@@ -93,19 +93,18 @@ Enterprise administrators can also enable or disable {% data variables.product.p
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization
{% ifversion code-security-multi-repo-enablement %}
You can use security overview to find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
{% ifversion security-configurations-ga %}
You can find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% elsif security-configurations-beta-and-pre-beta %}
You can also use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization.
{% else %}
You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization.
{% endif %}
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling push protection and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
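Review bot: the new GA sentence "You can find a set of repositories and enable or disable secret scanning as a push protection for them all at the same time" no longer says how; the sentence it replaces named security overview, and the other GA sentences in this commit name `{% data variables.product.prodname_security_configurations %}`, so state the mechanism here too. Also, the outer `{% ifversion code-security-multi-repo-enablement %}` is kept above the new `security-configurations-ga` / `elsif` / `else` chain, so the final `{% else %}` branch ("You can use the organization settings page...") only renders for versions that have multi-repo enablement but neither configurations flag; confirm such a version exists, otherwise that branch is dead.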
@@ -113,6 +112,7 @@ You can use the organization settings page for "Code security and analysis" to e
{% data reusables.advanced-security.secret-scanning-push-protection-org %}
{% data reusables.security.note-securing-your-org %}
{% endif %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for a repository
@@ -162,13 +162,21 @@ Before enabling push protection for a custom pattern at organization level, you
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.organizations.security-and-analysis %}
{% else %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
{% endif %}
{% ifversion security-configurations %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps.
{% endif %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% else %}
1. Find "{% data variables.product.prodname_GH_advanced_security %}."
{% endif %}
{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}
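Review bot: the two `{% ifversion security-configurations-beta-and-pre-beta %} ... {% else %} ... {% endif %}` blocks in this hunk (one around `reusables.organizations.security-and-analysis`, one around `reusables.repositories.navigate-to-ghas-settings`) test the same flag and are separated only by the `security-configurations-beta-only` callout, which itself can only render in the beta-and-pre-beta case; nest the callout inside the first branch and collapse to a single conditional so the steps read as one sequence. The `{% ifversion security-configurations %}` line shown directly above `{% ifversion security-configurations-beta-only %}` looks like the old opening tag; make sure it is removed rather than left behind as an unclosed conditional.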
@@ -214,11 +222,22 @@ Members of the bypass list are still protected from accidentally pushing secrets
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% else %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
{% endif %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %}
{% endif %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% else %}
1. Find "{% data variables.product.prodname_GH_advanced_security %}."
{% endif %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
>[!NOTE] You can't add secret teams to the bypass list.
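Review bot: UI label casing is inconsistent between this hunk and the previous one: the step here reads "Under "Push protection"" while the custom-pattern step above reads "scroll down to "Push Protection""; pick the casing the settings page actually shows and use it in both. The `{% ifversion security-configurations-beta-and-pre-beta %}` / `{% else %}` structure here mirrors the previous hunk and has the same opportunity to collapse the two conditionals into one.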

View File

@@ -50,9 +50,13 @@ The {% data variables.product.prodname_github_security_configuration %} is a col
## Enforcing the {% data variables.product.prodname_github_security_configuration %}
{% ifversion enforce-security-configurations-beta %}
>[!NOTE]
> This feature is in beta, and is subject to change.
{% endif %}
{% data reusables.profile.access_org %}
{% data reusables.organizations.org_settings %}
{% data reusables.security-configurations.view-configurations-page %}
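Review bot: the beta sentence "This feature is in beta, and is subject to change." added here under `{% ifversion enforce-security-configurations-beta %}` is repeated verbatim, with the same conditional, in the edit-configuration and create-configuration hunks later in this commit; a reusable (alongside `reusables.security-configurations.security-configurations-beta-note-short`, for example) would keep the three in step when enforcement leaves beta.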

View File

@@ -51,7 +51,7 @@ For more information on {% data variables.dependabot.auto_triage_rules %}, see "
### Enabling dependency updates on {% data variables.product.prodname_actions %} runners
You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.prodname_actions %} runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, click **Enable all**. To automatically enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on new repositories in your organization, select **Automatically enable for new repositories**. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
You can allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.prodname_actions %} runners and the {% data variables.product.prodname_dependabot %} action to perform dependency updates. To enable {% data variables.product.prodname_dependabot %} for {% data variables.product.company_short %}-hosted runners on all repositories in your organization, select **Dependabot on Actions runners**. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."
{% data reusables.dependabot.dependabot-on-actions-self-hosted-link %}
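Review bot: the rewritten sentence drops the instruction for automatically enabling Dependabot on Actions runners for new repositories ("select **Automatically enable for new repositories**") without saying what replaces it; if that option no longer exists on the Global settings page, say that new repositories are covered by a security configuration instead, otherwise keep the step. The new text also says selecting **Dependabot on Actions runners** enables the feature "on all repositories", whereas the matching self-hosted-runners step in the first hunk of this commit says its checkbox applies to "all new repositories"; describe the two sibling checkboxes with the same scope unless they really differ.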

View File

@@ -36,7 +36,7 @@ To determine if your {% data variables.product.prodname_custom_security_configur
1. Edit the name and description of your {% data variables.product.prodname_custom_security_configuration %} as desired.
1. In the "Security settings" section, edit the enablement settings of your {% data variables.product.prodname_custom_security_configuration %} as desired.{% ifversion enforce-security-configurations %}
1. In the "Policy" section, you can modify the configuration's enforcement status. Enforcing a configuration will block repository owners from changing features that are enabled or disabled by the configuration, but features that are not set aren't enforced. Next to "Enforce configuration", select **Enforce** or **Don't enforce** from the dropdown menu. This feature is in beta, and is subject to change.
1. In the "Policy" section, you can modify the configuration's enforcement status. Enforcing a configuration will block repository owners from changing features that are enabled or disabled by the configuration, but features that are not set aren't enforced. Next to "Enforce configuration", select **Enforce** or **Don't enforce** from the dropdown menu. {% ifversion enforce-security-configurations-beta %}This feature is in beta, and is subject to change.{% endif %}
>[!NOTE]
{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}
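Review bot: in the edited step the conditional is written `... dropdown menu. {% ifversion enforce-security-configurations-beta %}This feature ...{% endif %}`, which leaves a trailing space after "menu." when the flag is off, while the create-configuration hunk below writes it as `menu.{% ifversion ... %} This feature ...{% endif %}`; use the latter form in both places. Also confirm that `reusables.code-scanning.custom-security-configuration-enforcement-edge-cases`, placed on the line after `>[!NOTE]`, starts with `>`, since as written the include is not inside the alert blockquote.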

View File

@@ -28,7 +28,7 @@ After you create a {% data variables.product.prodname_custom_security_configurat
* To select all repositories displayed on the current page of the repository table, select **NUMBER repositories**.
* After selecting **NUMBER repositories**, to select _all_ repositories in your organization that match any filters you have applied, click **Select all**.{% ifversion enforce-security-configurations %}
>[!NOTE]
> The repository table will show which repositories have an enforced configuration (beta). This means that repository owners will be blocked from changing features that have been enabled or disabled in the configuration, but features that are not set aren't enforced.{% endif %}
> The repository table will show which repositories have an enforced configuration{% ifversion enforce-security-configurations-beta %} (beta){% endif %}. This means that repository owners will be blocked from changing features that have been enabled or disabled in the configuration, but features that are not set aren't enforced.{% endif %}
1. Select the **Apply configuration** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **YOUR-CONFIGURATION-NAME**.
{% data reusables.security-configurations.apply-configuration-by-default %}

View File

@@ -55,7 +55,7 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c
1. Optionally, in the "Policy" section, you can choose to automatically apply the {% data variables.product.prodname_security_configuration %} to newly created repositories depending on their visibility. Select the **None** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **Public**, or **Private and internal**, or both.
{% data reusables.security-configurations.default-configuration-exception-repo-transfers %}{% ifversion enforce-security-configurations %}
1. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select **Enforce** from the dropdown menu. This feature is in beta, and is subject to change.
1. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select **Enforce** from the dropdown menu.{% ifversion enforce-security-configurations-beta %} This feature is in beta, and is subject to change.{% endif %}
>[!NOTE]
{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}

View File

@@ -13,6 +13,8 @@ topics:
- Security
---
{% data reusables.security-configurations.security-configurations-beta-note-short %}
## About the problem
You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup enabled to a target repository that uses advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of their repositories, so they are not intended to be overridden at scale.
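Review bot: `reusables.security-configurations.security-configurations-beta-note-short` is added here unconditionally and directly after the closing `---` of the frontmatter, whereas the other hunks in this commit keep it inside `{% ifversion security-configurations %}`; if this troubleshooting article is versioned only for releases with security configurations that is fine, otherwise wrap it the same way, and (unless the diff view just dropped it) leave a blank line after `---` as the other articles do.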

View File

@@ -11,11 +11,7 @@ topics:
- Security
---
{% note %}
**Note:** {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
You must have an available {% data variables.product.prodname_GH_advanced_security %} (GHAS) license for each unique active committer to enable GHAS features on a private{% ifversion ghec or ghes %} or internal{% endif %} repository. To learn about GHAS licensing, as well as unique and active committers, see "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)."

View File

@@ -29,33 +29,9 @@ The instructions below refer to enablement at organization level. For informatio
For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."
## Enabling or disabling private vulnerability reporting for all the existing public repositories in an organization
## Enabling or disabling private vulnerability reporting for public repositories added to the organization
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling private vulnerability reporting and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
1. Under "Code security and analysis", to the right of "Private vulnerability reporting", click **Enable all** or **Disable all**, to enable or disable the feature for all the public repositories within the organization, respectively.
![Screenshot of the "Code security and analysis" page with the "Disable all" and the "Enable all" button emphasized for private vulnerability reporting.](/assets/images/help/security/private-vulnerability-reporting-enable-or-disable-org.png)
## Enabling or disabling private vulnerability reporting for new public repositories added to the organization
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on setting a default {% data variables.product.prodname_security_configuration %} for new public repositories that will automatically enable private vulnerability reporting, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
1. Under "Code security and analysis", to the right of the feature, click **Automatically enable for new public repositories**.
![Screenshot of the "Code security and analysis" page with the "Automatically enable for new public repositories" checkbox emphasized for private vulnerability reporting.](/assets/images/help/security/private-vulnerability-reporting-enable-or-disable-org-new-repos.png)
1. To the right of "Private vulnerability reporting", click **Enable all** or **Disable all**, to enable or disable the feature for all new public repositories that will be added to the organization, respectively.
You can enable or disable private vulnerability reporting for new public repositories added to the organization using the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)."
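Review bot: this hunk removes the whole "Enabling or disabling private vulnerability reporting for all the existing public repositories in an organization" section and its **Enable all** / **Disable all** steps, but the replacement heading and paragraph only cover "public repositories added to the organization"; nothing left in the article tells a reader how to enable the feature on existing public repositories. Either keep a sentence saying that applying a security configuration to existing repositories covers that case, or widen the heading and paragraph to cover both existing and new repositories.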
## What having private vulnerability reporting enabled for a repository looks like for a security researcher

View File

@@ -60,7 +60,7 @@ There are also dedicated views for each type of security alert that you can use
## About security overview for organizations
The application security team at your company can use the different views for both broad and specific analyses of your organization's security status. {% ifversion security-overview-org-risk-coverage %} For example, {% ifversion security-overview-dashboard %}the team can use the "Overview" dashboard view (beta) to track your organization's security landscape and progression{% else %}the team can use the "Coverage" view to monitor the adoption of features across your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %}, or use the "Risk" view to identify repositories with more than five open {% data variables.secret-scanning.alerts %}{% endif %}. {% else %}For example, they can use the overview page to monitor adoption of features by your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %} to your enterprise, or to review all alerts of a specific type and severity level across all repositories in your organization.{% endif %} {% ifversion code-security-multi-repo-enablement %}You can also use security overview to find a set of repositories and enable or disable security features for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."{% endif %}
The application security team at your company can use the different views for both broad and specific analyses of your organization's security status. {% ifversion security-overview-org-risk-coverage %} For example, {% ifversion security-overview-dashboard %}the team can use the "Overview" dashboard view (beta) to track your organization's security landscape and progression{% else %}the team can use the "Coverage" view to monitor the adoption of features across your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %}, or use the "Risk" view to identify repositories with more than five open {% data variables.secret-scanning.alerts %}{% endif %}. {% else %}For example, they can use the overview page to monitor adoption of features by your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %} to your enterprise, or to review all alerts of a specific type and severity level across all repositories in your organization.{% endif %} {% ifversion code-security-multi-repo-enablement %}{% ifversion security-configurations-beta-and-pre-beta %}You can also use security overview to find a set of repositories and enable or disable security features for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."{% endif %}{% endif %}
You can find security overview on the **Security** tab for any organization that's owned by an enterprise. Each view shows a summary of the data that you have access to. As you add filters, all data and metrics across the view change to reflect the repositories or alerts that you've selected. For information about permissions, see "[Permission to view data in security overview](#permission-to-view-data-in-security-overview)."
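Review bot: the sentence about using security overview to enable features is now nested as `{% ifversion code-security-multi-repo-enablement %}{% ifversion security-configurations-beta-and-pre-beta %}...{% endif %}{% endif %}`; since the frontmatter hunk later in this commit changes the linked article's own `feature:` from `code-security-multi-repo-enablement` to `security-configurations-beta-and-pre-beta`, the outer check is redundant with respect to the link target and the pair can be reduced to the inner conditional (or one combined condition).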
@@ -135,7 +135,7 @@ If you are an organization member, you can view security overview for the organi
| Organization member with | Overview dashboard (beta) view | Risk and alerts views | Coverage view |
|--------------------|-------------|---------------------|---------|
| `admin` access for one or more repositories | View data for those repositories | View data for those repositories | View data for those repositories, and enable and disable security features |
| `admin` access for one or more repositories | View data for those repositories | View data for those repositories | View data for those repositories{% ifversion security-configurations-beta-and-pre-beta %}, and enable and disable security features{% endif %} |
| `write` access for one or more repositories | View {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} data for those repositories | View {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} data for those repositories | No access for those repositories |
| Security alert access for one or more repositories | View all security alert data for those repositories | View all security alert data for those repositories | No access for those repositories
| Custom organization role with permission to view one or more types of security alert | View allowed alert data for all repositories | View allowed alert data for all repositories in all views | No access |
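Review bot: style nit in this table: the "Security alert access for one or more repositories" row has no closing `|` after "No access for those repositories", unlike the other rows, and the edited `admin` row now ends in `{% endif %} |`; worth normalising the trailing pipes while the table is being touched.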
@@ -176,7 +176,7 @@ For more information about access to security alerts and related views, see "[AU
{% endnote %}
{% endif %}
In the enterprise-level security overview, you can see data for all organizations where you are an organization owner or security manager. However, you cannot use the enterprise-level security overview to enable and disable security features. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)."
In the enterprise-level security overview, you can see data for all organizations where you are an organization owner or security manager. {% ifversion security-configurations-beta-and-pre-beta %}However, you cannot use the enterprise-level security overview to enable and disable security features.{% endif %} For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)."
{% endif %}
{% ifversion ghec %}

View File

@@ -55,8 +55,11 @@ In the list of repositories, the "Paused" label under "{% data variables.product
![Screenshot of the header section of the "Security coverage" view on the "Security" tab for an organization. The options for filtering are outlined in dark orange, including "enabled" and "not enabled" links, "Teams" selector, archived repositories, and search field.](/assets/images/help/security-overview/security-coverage-view-highlights.png)
{% ifversion security-configurations-ga %}
1. You can optionally enable code security features for a repository or selected repositories using the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)" and "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)."
{% endif %}
{% ifversion security-configurations-beta-and-pre-beta %}
1. Optionally, click **{% octicon "gear" aria-hidden="true" %} Security settings** to enable code security features for a repository and click **Save security settings** to confirm the changes. If a feature is not shown, it has more complex configuration requirements and you need to use the repository settings dialog. For more information, see "[AUTOTITLE](/code-security/getting-started/securing-your-repository)."
{% ifversion code-security-multi-repo-enablement %}
1. Optionally, select some or all of the repositories that match your current search and click **Security settings** in the table header to display a side panel where you can enable security features for the selected repositories. When you've finished, click **Apply changes** to confirm the changes. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
{% endif %}
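Review bot: the new GA list item begins "You can optionally enable code security features..." while the neighbouring items in the same list begin "Optionally, click..." and "Optionally, select..."; align the wording. Also, the `{% ifversion security-configurations-beta-and-pre-beta %}` opened before the "Security settings" step has no matching `{% endif %}` in this hunk (the `{% endif %}` shown closes `code-security-multi-repo-enablement`), so check that its close is placed after the multi-repository step and not before it.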
@@ -68,7 +71,9 @@ In the list of repositories, the "Paused" label under "{% data variables.product
You can view data to assess the enablement of code security features across organizations in an enterprise. {% data reusables.security-overview.information-varies-GHAS %}
{% ifversion security-configurations-beta-and-pre-beta %}
In the enterprise-level view, you can view data about the enablement of features, but you cannot enable or disable features. For more information about enabling features, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
{% endif %}
{% data reusables.security-overview.enterprise-filters-tip %}
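Review bot: the new `{% ifversion security-configurations-beta-and-pre-beta %}` wrapper (L599-L601) leaves GA readers with no pointer to where enablement is managed, since the only sentence about enabling features is now gated to pre-GA versions. Consider an `{% else %}` branch such as `For more information about enabling features, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."` so the enterprise-level view still tells GA users that enablement happens through security configurations. The gating itself matches the `versions` change on the linked page below (its `feature` is now `security-configurations-beta-and-pre-beta`), so the link cannot dangle on GA versions.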

View File

@@ -6,7 +6,7 @@ permissions: '{% data reusables.security-overview.permissions %}'
product: '{% data reusables.gated-features.security-overview %}'
allowTitleToDifferFromFilename: true
versions:
feature: code-security-multi-repo-enablement
feature: security-configurations-beta-and-pre-beta
type: how_to
topics:
- Security overview
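Review bot: changing `feature: code-security-multi-repo-enablement` to `feature: security-configurations-beta-and-pre-beta` (L610-L611) removes this page from every GA version, so any ungated link to `/code-security/security-overview/enabling-security-features-for-multiple-repositories` on a GA-visible page would now break the build. The two references visible in this diff (L595, inside `code-security-multi-repo-enablement` within `security-configurations-beta-and-pre-beta`, and L600, inside `security-configurations-beta-and-pre-beta`) are gated correctly; please confirm with a grep that no other caller links to this page outside one of those two flags.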

View File

@@ -88,11 +88,7 @@ To learn about what you need to know to plan your {% data variables.product.prod
{% ifversion security-configurations %}
{% data reusables.security-configurations.enable-security-features-with-gh-config %}
{% note %}
**Note:** {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endif %}
{%- ifversion ghes %}
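Review bot: dropping the `{% note %}`/`**Note:**` wrapper (L621-L623) in favour of the bare reusable (L624) changes how the beta message renders. `security-configurations-beta-note-short` is plain text (see its definition later in this diff, which only adds an `ifversion security-configurations-beta-only` guard, no callout), so on beta versions the sentence now appears as an unstyled paragraph directly after the `enable-security-features-with-gh-config` callout at L620. If the note styling is wanted, either prefix L624 with `> [!NOTE]` on the page or move the callout markup into the reusable, the way the longer beta-note reusable does.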

View File

@@ -26,15 +26,13 @@ shortTitle: Manage security & analysis
{% ifversion security-configurations %}
{% data reusables.security-configurations.enable-security-features-with-gh-config %}
{% note %}
**Note:** {% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endnote %}
{% data reusables.security-configurations.security-configurations-beta-note-short %}
{% endif %}
{% data reusables.security.security-and-analysis-features-enable-read-only %}
{% ifversion security-configurations-beta-and-pre-beta %}
## Displaying the security and analysis settings
{% data reusables.profile.access_org %}
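Review bot: gating "## Displaying the security and analysis settings" behind `{% ifversion security-configurations-beta-and-pre-beta %}` (L639-L640) means the `#displaying-the-security-and-analysis-settings` anchor only exists on pre-GA versions. The two in-page links to that anchor visible in this diff (L643 and L662) both sit inside `security-configurations-beta-and-pre-beta` branches, so they are consistent; if `data reusables.security.security-and-analysis-features-enable-read-only` at L638 also references the org settings page, it is now rendered on GA versions where the section it describes is absent, so please check its text. Same rendering remark as above applies to L636: the beta note is now an unstyled paragraph.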
@@ -118,8 +116,16 @@ You can use security overview to find a set of repositories and enable or disabl
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
1. Under "Code security and analysis", locate the feature, enable or disable the feature by default for new repositories{% ifversion fpt or ghec %}, or all new private repositories,{% endif %} in your organization.
{% endif %}
## Allowing {% data variables.product.prodname_dependabot %} to access private{% ifversion ghec or ghes %} or internal{% endif %} dependencies
{% ifversion security-configurations-ga %}
You can use {% data variables.product.prodname_security_configurations %} to allow {% data variables.product.prodname_dependabot %} to access private{% ifversion ghec or ghes %} or internal{% endif %} dependencies. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#granting-dependabot-access-to-private-and-internal-repositories)."
{% elsif security-configurations-beta-and-pre-beta %}
{% data variables.product.prodname_dependabot %} can check for outdated dependency references in a project and automatically generate a pull request to update them. To do this, {% data variables.product.prodname_dependabot %} must have access to all of the targeted dependency files. Typically, version updates will fail if one or more dependencies are inaccessible. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)."
By default, {% data variables.product.prodname_dependabot %} can't update dependencies that are located in private{% ifversion ghec or ghes %} or internal{% endif %} repositories, or private{% ifversion ghec or ghes %} or internal{% endif %} package registries. However, if a dependency is in a private{% ifversion ghec or ghes %} or internal{% endif %} {% data variables.product.prodname_dotcom %} repository within the same organization as the project that uses that dependency, you can allow {% data variables.product.prodname_dependabot %} to update the version successfully by giving it access to the host repository.
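Review bot: the heading "## Allowing Dependabot to access private or internal dependencies" (L646) sits outside the new `{% ifversion security-configurations-ga %}` / `{% elsif security-configurations-beta-and-pre-beta %}` branches (L647, L649). On any version where neither flag matches, the heading renders with an empty body and no `{% else %}` explains why. Either move the heading inside both branches (or duplicate it under each) or add an `{% else %}` with the pre-security-configurations text, unless the two feature files added in this PR are known to cover every supported version between them.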
@@ -145,10 +151,18 @@ To allow {% data variables.product.prodname_dependabot %} to access a private{%
1. A list of matching repositories in the organization is displayed, click the repository you want to allow access to and this adds the repository to the allowed list.
1. Optionally, to remove a repository from the list, to the right of the repository, click {% octicon "x" aria-label="The X icon" %}.
{% endif %}
{% ifversion ghes or ghec %}
## Removing access to {% data variables.product.prodname_GH_advanced_security %} from individual repositories in an organization
{% ifversion security-configurations-ga %}
You can use {% data variables.product.prodname_security_configurations %} to remove access to {% data variables.product.prodname_GH_advanced_security %} from individual repositories in an organization. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage#turning-off-github-advanced-security-features-on-select-repositories-in-your-organization)."
{% elsif security-configurations-beta-and-pre-beta %}
You can manage access to {% data variables.product.prodname_GH_advanced_security %} features for a repository from its "Settings" tab. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." However, you can also disable {% data variables.product.prodname_GH_advanced_security %} features for a repository from the "Settings" tab for the organization.
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
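Review bot: same structure as the Dependabot section: "## Removing access to GitHub Advanced Security from individual repositories in an organization" (L657) is inside `{% ifversion ghes or ghec %}` but outside the `security-configurations-ga` / `security-configurations-beta-and-pre-beta` branches (L658, L660), so it can render as an empty section. In addition, L661 says the beta-era settings tab is the way to disable features "However, you can also disable ... from the 'Settings' tab for the organization"; on the GA branch (L659) the only instruction is a link to "turning off GitHub Advanced Security features on select repositories", so it would help GA readers to state in one sentence that this is done by applying a configuration without Advanced Security features, matching the linked section's title.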
@@ -164,6 +178,7 @@ You can manage access to {% data variables.product.prodname_GH_advanced_security
{% endnote %}
{% endif %}
{% endif %}
## Further reading

View File

@@ -36,9 +36,14 @@ You can assign the security manager role to a maximum of 10 teams in your organi
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.organizations.security-and-analysis %}
{% else %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
{% endif %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on assigning the security manager role in your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-security-managers-for-your-organization)."
{% endif %}
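Review bot: L674 and L677 both invoke `{% data reusables.organizations.security-and-analysis %}`; only the copy inside the new `{% ifversion security-configurations-beta-and-pre-beta %}` (L676-L678) should survive, otherwise the "security and analysis" navigation step renders twice on pre-GA versions. Also, the `{% else %}` branch at L679 sends GA users to "Code security" then "Global settings", while the callout at L682 explaining the move to global settings is gated to `security-configurations-beta-only` (L681); that is consistent with the callout being a transition message, but the anchor it links to (`#creating-security-managers-for-your-organization`) must exist on the global settings page for beta-only versions as well.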

View File

@@ -0,0 +1,3 @@
# Reference: #13288
versions:
ghes: '3.14'
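Review bot: `ghes: '3.14'` (L690) is an exact-version pin, unlike the range expressions in the sibling feature files, and the only comment is the issue reference at L688. A one-line description like the one in the GA feature file (`# Documentation for security configurations and global settings.`) saying which flag this is and why it is pinned to a single GHES release would save the next editor a lookup of #13288.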

View File

@@ -0,0 +1,3 @@
# Reference: #13288
versions:
ghes: '>3.8 <3.15'

View File

@@ -0,0 +1,3 @@
# Reference: #13288
versions:
ghes: '>3.12 <3.15'

View File

@@ -0,0 +1,6 @@
# Reference: #13288
# Documentation for security configurations and global settings.
versions:
fpt: '*'
ghec: '*'
ghes: '>3.14'
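Review bot: the GHES ranges in the four new feature files are mutually consistent at the GA boundary (`'>3.14'` at L714 begins where `'<3.15'` at L697 and L704 end), but together they start at `'>3.8'` (L697), so GHES 3.8 and earlier match none of the flags. If any such release is still in the supported set, pages that branch on `security-configurations-ga` / `security-configurations-beta-and-pre-beta` will silently render nothing in those branches; if 3.8 is out of support, a comment here stating that the union is intended to cover all supported GHES versions would document the assumption. Note also that `fpt: '*'` and `ghec: '*'` (L712-L713) appear only in this GA file, so dotcom never sees the beta-only or beta-and-pre-beta content.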

View File

@@ -0,0 +1 @@
{% ifversion security-configurations-ga %}1. Under "Custom patterns", click **New pattern**.{% else %}1. Under "Secret scanning", under "Custom patterns", click **New pattern**.{% endif %}

View File

@@ -1,4 +1,4 @@
You can enable grouped pull requests for {% data variables.product.prodname_dependabot_security_updates %} in one, or both, of the following ways.
* To group as many available security updates together as possible, across directories and per ecosystem, enable grouping in the "Code security and analysis" settings for your organization or repository.
* To group as many available security updates together as possible, across directories and per ecosystem, enable grouping in the "Code security and analysis" settings for your repository{% ifversion security-configurations-beta-and-pre-beta %}or organization{% elsif security-configurations-ga %}, or in "Global settings" under "Code security" for your organization{% endif %}.
* For more granular control of grouping, such as grouping by package name, development/production dependencies,{% ifversion dependabot-updates-multidirectory-support %} SemVer level, or across multiple directories per ecosystem{% else %} or SemVer level{% endif %}, add configuration options to the `dependabot.yml` configuration file in your repository.
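Review bot: missing separator before the versioned phrase in L726: `your repository{% ifversion security-configurations-beta-and-pre-beta %}or organization{% elsif ...` renders as "repositoryor organization" on pre-GA versions because there is no space between `repository` and `or`. Change it to `your repository{% ifversion security-configurations-beta-and-pre-beta %} or organization{% elsif security-configurations-ga %}, or in "Global settings" under "Code security" for your organization{% endif %}.` (leading space inside the first branch; the `elsif` branch already carries its own comma).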

View File

@@ -1 +1,2 @@
With {% data variables.product.prodname_security_configurations %}, you can manage {% data variables.product.prodname_GH_advanced_security %} feature enablement and license usage for your organization. See "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage)."
>[!NOTE]
> With {% data variables.product.prodname_security_configurations %}, you can manage {% data variables.product.prodname_GH_advanced_security %} feature enablement and license usage for your organization. See "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage)."
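Review bot: turning this reusable into a `>[!NOTE]` callout (L733-L734) means it must start at the beginning of a line wherever it is included; a caller that inlines `{% data reusables.security-configurations.enable-security-features-with-gh-config %}` mid-paragraph will now render a literal `>` in the sentence. The call sites visible in this diff (L620, L632) are on their own lines, so they are fine; please check the remaining callers, especially any that follow the reusable with another note, since that now yields two adjacent callouts.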

View File

@@ -1,7 +1,6 @@
{% note %}
{% ifversion security-configurations-beta-only %}
**Note:** {% data variables.product.prodname_security_configurations_caps %} and {% data variables.product.prodname_global_settings %} are in beta and subject to change. To provide feedback on these features, see the [feedback discussion](https://github.com/orgs/community/discussions/114519).
>[!NOTE]
> {% data variables.product.prodname_security_configurations_caps %} and {% data variables.product.prodname_global_settings %} are in beta and subject to change.
{% ifversion fpt or ghec %} To learn how to opt out of {% data variables.product.prodname_security_configurations %} and {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/get-started/using-github/exploring-early-access-releases-with-feature-preview#exploring-beta-releases-with-feature-preview)."{% endif %}
{% endnote %}
{% endif %}
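Review bot: L744 is outside the callout. The `>[!NOTE]` block ends at L743, so the opt-out sentence at L744 (`{% ifversion fpt or ghec %} To learn how to opt out ...`) renders as a separate paragraph rather than as part of the note, and the space after `%}` becomes a leading space in that paragraph. Prefix the line with `> ` and drop the stray space: `> {% ifversion fpt or ghec %}To learn how to opt out of ... {% endif %}`. Separately, the feedback-discussion link that was in the old `**Note:**` line (L741) is gone from the new callout (L743) but kept in the sibling reusable below (L761); if that is intentional, fine, otherwise restore it here as well.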

View File

@@ -1 +1 @@
{% data variables.product.prodname_security_configurations_caps %} and {% data variables.product.prodname_global_settings %} are in beta and subject to change.
{% ifversion security-configurations-beta-only %} {% data variables.product.prodname_security_configurations_caps %} and {% data variables.product.prodname_global_settings %} are in beta and subject to change. {% endif %}
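Review bot: stray whitespace inside the tags in L752: the space after `{% ifversion security-configurations-beta-only %}` and before `{% endif %}` is emitted as a leading and trailing space in the rendered paragraph. Write it as `{% ifversion security-configurations-beta-only %}{% data variables.product.prodname_security_configurations_caps %} and {% data variables.product.prodname_global_settings %} are in beta and subject to change.{% endif %}`. Since the reusable now renders nothing outside `security-configurations-beta-only`, every caller that removed its surrounding `{% note %}` in this PR (L624, L636) is correct not to leave an empty note box behind.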

View File

@@ -1,5 +1,6 @@
{% note %}
{% ifversion security-configurations-beta-only %}
**Note:** {% data variables.product.prodname_security_configurations_caps %} and {% data variables.product.prodname_global_settings %} are in beta and subject to change. To provide feedback on these features, see the [feedback discussion](https://github.com/orgs/community/discussions/114519).
>[!NOTE]
> {% data variables.product.prodname_security_configurations_caps %} and {% data variables.product.prodname_global_settings %} are in beta and subject to change. To provide feedback on these features, see the [feedback discussion](https://github.com/orgs/community/discussions/114519).
{% endnote %}
{% endif %}
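Review bot: this reusable (L760-L761) and the one above (L742-L744) now differ only in that this one keeps the feedback-discussion link and the other adds the opt-out sentence for `fpt or ghec`. Consider keeping one reusable with both sentences, or at least keep the feedback link in both, so the two beta notices do not drift apart. The `{% endnote %}` at L762 must be removed together with `{% note %}` at L757; with the callout syntax in place, an orphaned `{% endnote %}` would fail the Liquid render.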