From f16b789db3c834e6671994e4fca9a7dfbbd2cbe2 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:19:34 +0200
Subject: [PATCH 01/44] renamed 1 files
---
.../secret-scanning/{ => introduction}/about-secret-scanning.md | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename content/code-security/secret-scanning/{ => introduction}/about-secret-scanning.md (100%)
diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
similarity index 100%
rename from content/code-security/secret-scanning/about-secret-scanning.md
rename to content/code-security/secret-scanning/introduction/about-secret-scanning.md
From 29cffd185047a8901db7c037330299b3bfb628b9 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:19:40 +0200
Subject: [PATCH 02/44] set redirect_from on 1 files
---
content/code-security/secret-scanning/index.md | 2 +-
.../secret-scanning/introduction/about-secret-scanning.md | 1 +
content/code-security/secret-scanning/introduction/index.md | 3 +++
data/learning-tracks/code-security.yml | 2 +-
4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 86fb7c3474..021bf02f7c 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -16,7 +16,6 @@ topics:
- Repositories
children:
- /introduction
- - /about-secret-scanning
- /configuring-secret-scanning-for-your-repositories
- /defining-custom-patterns-for-secret-scanning
- /about-the-regular-expression-generator-for-custom-patterns
@@ -33,3 +32,4 @@ children:
- /troubleshooting-secret-scanning-and-push-protection
- /secret-scanning-partnership-program
---
+
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index e16760f2f9..a225b8cafe 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -8,6 +8,7 @@ redirect_from:
- /articles/about-token-scanning-for-private-repositories
- /github/administering-a-repository/about-secret-scanning
- /code-security/secret-security/about-secret-scanning
+ - /code-security/secret-scanning/about-secret-scanning
versions:
fpt: '*'
ghes: '*'
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index f2fdc0ea85..aa04863ab5 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -12,4 +12,7 @@ type: overview
topics:
- Secret scanning
- Advanced Security
+children:
+ - /about-secret-scanning
---
+
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 82650c37c2..83ed5fd783 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -112,7 +112,7 @@ secret_scanning:
Set up secret scanning to guard against accidental check-ins of tokens,
passwords, and other secrets to your repository.
guides:
- - /code-security/secret-scanning/about-secret-scanning
+ - /code-security/secret-scanning/introduction/about-secret-scanning
- >-
/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
- >-
From e1bdfa4e55679622b1caf99c449e9857c5d682ea Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:22:38 +0200
Subject: [PATCH 03/44] renamed 1 files
---
.../about-push-protection.md} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename content/code-security/secret-scanning/{push-protection-for-repositories-and-organizations.md => introduction/about-push-protection.md} (100%)
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
similarity index 100%
rename from content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
rename to content/code-security/secret-scanning/introduction/about-push-protection.md
From 019575f97e54edcebae1d1636ce238250a691483 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:22:45 +0200
Subject: [PATCH 04/44] set redirect_from on 1 files
---
content/code-security/secret-scanning/index.md | 1 -
.../secret-scanning/introduction/about-push-protection.md | 1 +
content/code-security/secret-scanning/introduction/index.md | 1 +
3 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 021bf02f7c..2c1e8ab0e9 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -24,7 +24,6 @@ children:
- /secret-scanning-patterns
- /about-the-detection-of-generic-secrets-with-secret-scanning
- /enabling-ai-powered-generic-secret-detection
- - /push-protection-for-repositories-and-organizations
- /push-protection-for-users
- /working-with-push-protection
- /pushing-a-branch-blocked-by-push-protection
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 9d10a0acb3..eb8598f9b1 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -9,6 +9,7 @@ versions:
redirect_from:
- /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/protecting-pushes-with-secret-scanning
+ - /code-security/secret-scanning/push-protection-for-repositories-and-organizations
type: how_to
topics:
- Secret scanning
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index aa04863ab5..dc0e73a933 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -14,5 +14,6 @@ topics:
- Advanced Security
children:
- /about-secret-scanning
+ - /about-push-protection
---
From 355dce11eeae6993ae2f4eea783b70efe7803747 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:34:37 +0200
Subject: [PATCH 05/44] renamed 1 files
---
.../supported-secret-scanning-patterns.md} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename content/code-security/secret-scanning/{secret-scanning-patterns.md => introduction/supported-secret-scanning-patterns.md} (100%)
diff --git a/content/code-security/secret-scanning/secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
similarity index 100%
rename from content/code-security/secret-scanning/secret-scanning-patterns.md
rename to content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
From 22b650c9a13ee6e2dedef5cdca9a311c8f47f851 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:34:44 +0200
Subject: [PATCH 06/44] set redirect_from on 1 files
---
content/code-security/secret-scanning/index.md | 1 -
content/code-security/secret-scanning/introduction/index.md | 1 +
.../introduction/supported-secret-scanning-patterns.md | 1 +
data/learning-tracks/code-security.yml | 2 +-
4 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 2c1e8ab0e9..e17e515d5b 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -21,7 +21,6 @@ children:
- /about-the-regular-expression-generator-for-custom-patterns
- /generating-regular-expressions-for-custom-patterns-with-ai
- /managing-alerts-from-secret-scanning
- - /secret-scanning-patterns
- /about-the-detection-of-generic-secrets-with-secret-scanning
- /enabling-ai-powered-generic-secret-detection
- /push-protection-for-users
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index dc0e73a933..51fab79754 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -15,5 +15,6 @@ topics:
children:
- /about-secret-scanning
- /about-push-protection
+ - /supported-secret-scanning-patterns
---
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
index 595f8fb253..a61596619c 100644
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
@@ -12,6 +12,7 @@ topics:
- Advanced Security
redirect_from:
- /code-security/secret-scanning/secret-scanning-partners
+ - /code-security/secret-scanning/secret-scanning-patterns
layout: inline
---
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 83ed5fd783..5130dbaff5 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -120,7 +120,7 @@ secret_scanning:
%}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning{%
endif %}
- /code-security/secret-scanning/managing-alerts-from-secret-scanning
- - /code-security/secret-scanning/secret-scanning-patterns
+ - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
- >-
{% ifversion secret-scanning-push-protection
%}/code-security/secret-scanning/push-protection-for-repositories-and-organizations{%
From f24c26e85b25b29d3f213a9588b5302bfa9c0ddf Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:42:32 +0200
Subject: [PATCH 07/44] add brand new article
---
.../introduction/about-push-protection.md | 4 ++--
.../about-secret-scanning-for-partners.md | 12 ++++++++++++
.../secret-scanning/introduction/index.md | 2 +-
.../supported-secret-scanning-patterns.md | 3 ++-
4 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index eb8598f9b1..86d6a86609 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,5 +1,5 @@
---
-title: Push protection for repositories and organizations
+title: About push protection
intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
@@ -16,7 +16,7 @@ topics:
- Advanced Security
- Alerts
- Repositories
-shortTitle: Push protection for repositories
+shortTitle: Push protection
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
new file mode 100644
index 0000000000..f8cfb53571
--- /dev/null
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -0,0 +1,12 @@
+---
+title: About secret scanning for partners
+intro: 'TODO'
+versions:
+ fpt: '*'
+ ghes: '*'
+type: overview
+topics:
+ - Secret scanning
+ - Advanced Security
+shortTitle: Secret scanning for partners
+---
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index 51fab79754..506adc1289 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -15,6 +15,6 @@ topics:
children:
- /about-secret-scanning
- /about-push-protection
+ - /about-secret-scanning-for-partners
- /supported-secret-scanning-patterns
---
-
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
index a61596619c..d71229db64 100644
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
@@ -1,5 +1,5 @@
---
-title: Secret scanning patterns
+title: Supported secret scanning patterns
intro: 'Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
@@ -14,6 +14,7 @@ redirect_from:
- /code-security/secret-scanning/secret-scanning-partners
- /code-security/secret-scanning/secret-scanning-patterns
layout: inline
+shortTitle: Supported patterns
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
From 3e7b72a819900666964291a8a40a273a7063b7c1 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 12:00:46 +0200
Subject: [PATCH 08/44] trying to fix failing test
---
data/learning-tracks/code-security.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 5130dbaff5..0a5af66553 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -123,7 +123,7 @@ secret_scanning:
- /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
- >-
{% ifversion secret-scanning-push-protection
- %}/code-security/secret-scanning/push-protection-for-repositories-and-organizations{%
+ %}/code-security/secret-scanning/introduction/about-push-protection{%
endif %}
- >-
{% ifversion secret-scanning-push-protection-for-users
From 8c4dd85a4aff516c3da2f69f000ab9f4ad989840 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 14:36:00 +0200
Subject: [PATCH 09/44] make a start on this article
---
.../introduction/about-secret-scanning-for-partners.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index f8cfb53571..a8eab359dd 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -10,3 +10,9 @@ topics:
- Advanced Security
shortTitle: Secret scanning for partners
---
+
+## About {% data variables.secret-scanning.partner_alerts %}
+
+When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+
+You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
From fac345218e0ccb08fa017cb4f01587770276a135 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 18:01:24 +0200
Subject: [PATCH 10/44] more work
---
.../introduction/about-secret-scanning-for-partners.md | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index a8eab359dd..bb92155920 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -13,6 +13,12 @@ shortTitle: Secret scanning for partners
## About {% data variables.secret-scanning.partner_alerts %}
-When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+TODO: Provide high-level overview of partner program
+
+**Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages.
You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
+
+When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+
+For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
From 45cfbe39e8bc52344b105b4ad72349991191c30c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:25:57 +0100
Subject: [PATCH 11/44] fix failing test
---
content/code-security/secret-scanning/index.md | 1 -
.../index.md | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 14ed25efca..049fdbfd73 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -18,7 +18,6 @@ children:
- /introduction
- /configuring-secret-scanning-for-your-repositories
- /managing-alerts-from-secret-scanning
- - /secret-scanning-patterns
- /push-protection-for-repositories-and-organizations
- /push-protection-for-users
- /working-with-push-protection
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index b9ce661324..1d7041f27b 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -2,7 +2,7 @@
title: Using advanced secret scanning and push protection features
shortTitle: Advanced features
allowTitleToDifferFromFilename: true
-intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company..'
+intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
From 14a60c49edaf9bb95c0a6c9d4cca19b673359ded Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:29:06 +0100
Subject: [PATCH 12/44] fix failing test
---
content/code-security/secret-scanning/index.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 049fdbfd73..4a89e1e35d 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -18,7 +18,6 @@ children:
- /introduction
- /configuring-secret-scanning-for-your-repositories
- /managing-alerts-from-secret-scanning
- - /push-protection-for-repositories-and-organizations
- /push-protection-for-users
- /working-with-push-protection
- /pushing-a-branch-blocked-by-push-protection
From a5873041dd0fb5993e0ecef7e437f1a45538cce7 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:36:54 +0100
Subject: [PATCH 13/44] fix another failing test
---
.../introduction/about-secret-scanning-for-partners.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index bb92155920..a1372cd50c 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -19,6 +19,6 @@ TODO: Provide high-level overview of partner program
You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
From 5135608acf9cac6e28672274a21ffd55859ffd57 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 14:35:22 +0100
Subject: [PATCH 14/44] more work
---
.../introduction/about-push-protection.md | 81 ++-----------------
1 file changed, 6 insertions(+), 75 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index b93ebabf71..910baeae25 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
---
title: About push protection
-intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.'
+intro: 'TODO.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
@@ -19,22 +19,14 @@ topics:
shortTitle: Push protection
---
-{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
+Push protection is a {% data variables.product.prodname_secret_scanning %} that
## About push protection for repositories and organizations
{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
-{% data reusables.secret-scanning.push-protection-bypass %}
-
-{% data reusables.secret-scanning.bypass-reasons-and-alerts %}
-
-{% ifversion push-protection-delegated-bypass %}
-
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
-{% endif %}
-
{% ifversion secret-scanning-bypass-filter %}
On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
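Review bot: Removing the `{% ifversion push-protection-delegated-bypass %}` / `{% endif %}` pair around the delegated-bypass paragraph ("By default, anyone with write access …") makes that paragraph render for every version, including any that do not have delegated bypass, which is what the removed guard appears to have prevented; unless the gate is intentionally retired, restore `{% ifversion push-protection-delegated-bypass %}` before the paragraph and `{% endif %}` after it. The new opening line `Push protection is a {% data variables.product.prodname_secret_scanning %} that` is an unfinished sentence and would ship as-is, so either complete it or keep the `{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}` reusable it replaces until the rewrite is done. The surviving paragraph still says "one of the bypass reasons outlined in the table", but the removed `push-protection-bypass` and `bypass-reasons-and-alerts` reusables are presumably what supplied that table, so the reference now dangles and should be reworded or the reusables kept. The rest of this article's body continues in the next hunk, beyond this one.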
@@ -57,74 +49,13 @@ If you are an organization owner or security manager, you can view metrics on ho
{% endnote %}
{% endif %}
-For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)."
-## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection
+## About push protection for users.
-For you to use {% data variables.product.prodname_secret_scanning %} as a push protection in public repositories, the {% ifversion secret-scanning-enterprise-level %}enterprise,{% endif %} organization{% ifversion secret-scanning-enterprise-level %},{% endif %} or repository needs to have {% data variables.product.prodname_secret_scanning %} enabled.{% ifversion secret-scanning-push-protection-private-internal %} To use {% data variables.product.prodname_secret_scanning %} as a push protection in private or internal repositories,{% ifversion secret-scanning-user-owned-repos %} or in user-owned repositories{% ifversion ghec %} for {% data variables.product.prodname_emus %}{% endif %},{% endif %} the enterprise or organization also needs to have {% data variables.product.prodname_GH_advanced_security %} enabled.{% endif %} For more information, see {% ifversion secret-scanning-enterprise-level %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise),"{% endif %} "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)," "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)," and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
-
-Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section.
-
-Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret.
-
-{% ifversion secret-scanning-enable-by-default-for-public-repos %}
-
-You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)."
-
-{% endif %}
-
-{% ifversion secret-scanning-enterprise-level-api %}
-Enterprise administrators can also enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for the enterprise via the API. For more information, see "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis)."{% endif %}
-
-{% note %}
-
-**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, this is not enabled by default on the fork. You can enable it on the fork the same way you enable it on a standalone repository.
-
-{% endnote %}
-
-{% ifversion secret-scanning-enterprise-level %}
-
-### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for your enterprise
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-1. In the left sidebar, click **Code security and analysis**.
-{% data reusables.advanced-security.secret-scanning-push-protection-enterprise %}
-{% endif %}
-
-### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization
-
-{% ifversion security-configurations-ga %}
-You can find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
-
-{% elsif security-configurations-beta-and-pre-beta %}
-
-You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization.
-
-{% data reusables.organizations.navigate-to-org %}
-{% data reusables.organizations.org_settings %}
-{% data reusables.organizations.security-and-analysis %}
-
-{% ifversion security-configurations-beta-only %}
- {% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling push protection and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
-{% endif %}
-
-{% data reusables.repositories.navigate-to-ghas-settings %}
-{% data reusables.advanced-security.secret-scanning-push-protection-org %}
-
-{% data reusables.security.note-securing-your-org %}
-{% endif %}
-
-### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for a repository
-
-{% data reusables.repositories.navigate-to-repo %}
-{% data reusables.repositories.sidebar-settings %}
-{% data reusables.repositories.navigate-to-code-security-and-analysis %}
-{% data reusables.repositories.navigate-to-ghas-settings %}
-{% data reusables.advanced-security.secret-scanning-push-protection-repo %}
+TODO Add link to enabling article, which is new.
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
-* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %}
-* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %}
+* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
From 45f4d60217af224411f5e313f00cf3b3f53142dd Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:07:10 +0100
Subject: [PATCH 15/44] more work on new high level articles
---
.../secret-scanning/introduction/about-push-protection.md | 4 +++-
.../introduction/about-secret-scanning-for-partners.md | 6 +++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 910baeae25..33ab8c01f6 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -19,7 +19,9 @@ topics:
shortTitle: Push protection
---
-Push protection is a {% data variables.product.prodname_secret_scanning %} that
+Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository.
+
+You can apply push protection at repository/organization level, and for your user account on {% data variables.product.prodname_dotcom %}.
## About push protection for repositories and organizations
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index a1372cd50c..29cbf313f2 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -3,7 +3,7 @@ title: About secret scanning for partners
intro: 'TODO'
versions:
fpt: '*'
- ghes: '*'
+ ghec: '*'
type: overview
topics:
- Secret scanning
@@ -13,6 +13,10 @@ shortTitle: Secret scanning for partners
## About {% data variables.secret-scanning.partner_alerts %}
+Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
+
+{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
+
TODO: Provide high-level overview of partner program
**Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages.
From cb5ece49325e55c69e0a5e6b6060e9c7d43588a3 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 18:37:44 +0100
Subject: [PATCH 16/44] a bit more work
---
.../about-secret-scanning-for-partners.md | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 29cbf313f2..610e2ddaa2 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -13,16 +13,17 @@ shortTitle: Secret scanning for partners
## About {% data variables.secret-scanning.partner_alerts %}
-Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
+{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit.
-{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
-
-TODO: Provide high-level overview of partner program
-
-**Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages.
+{% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
+Partner alerts are not displayed on {% data variables.product.prodname_dotcom %}. Instead, partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets.
+
+For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
+{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
+
When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
+TODO: apply scannability techniques
From 54440bcbfaa94cf6c8dc608d1c72f6bb5051d2fd Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 22 Jul 2024 16:44:53 +0100
Subject: [PATCH 17/44] more work
---
.../introduction/about-push-protection.md | 32 +++++++++++++------
.../push-protection-overview.md | 2 +-
2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 33ab8c01f6..faeaa0f556 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -21,22 +21,23 @@ shortTitle: Push protection
Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository.
-You can apply push protection at repository/organization level, and for your user account on {% data variables.product.prodname_dotcom %}.
+{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %}
+
+{% ifversion secret-scanning-push-protection-for-users %}
+
+You can enable push protection:
+
+* At repository/organization level, if you are a repository administrator or an organization owner For more information, see
+* For your account on {% data variables.product.prodname_dotcom %}, as a user.
## About push protection for repositories and organizations
-{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
+{% else %}
-By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
-
-{% ifversion secret-scanning-bypass-filter %}
-
-On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
+If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level.
{% endif %}
-You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
-
{% ifversion security-overview-push-protection-metrics-page %}
If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)."
@@ -51,12 +52,25 @@ If you are an organization owner or security manager, you can view metrics on ho
{% endnote %}
{% endif %}
+By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
+
+You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
+
For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)."
+{% ifversion secret-scanning-push-protection-for-users %}
+
## About push protection for users.
+{% endif %}
+
TODO Add link to enabling article, which is new.
+## Next steps
+
+Mention custom patterns at the end?
+{% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
+
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
diff --git a/data/reusables/secret-scanning/push-protection-overview.md b/data/reusables/secret-scanning/push-protection-overview.md
index 72c31dfbf9..09f4bf7aca 100644
--- a/data/reusables/secret-scanning/push-protection-overview.md
+++ b/data/reusables/secret-scanning/push-protection-overview.md
@@ -1 +1 @@
-When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{%else%}needed{% endif %}, allow those secrets to be pushed.
+When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{% else %}needed{% endif %}, allow those secrets to be pushed.
From a279583a43e8e8b5cd498427ea09da456910313a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 09:48:55 +0100
Subject: [PATCH 18/44] try to fix merg conflict
---
content/code-security/secret-scanning/index.md | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 4a89e1e35d..b76531a3c6 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -18,9 +18,7 @@ children:
- /introduction
- /configuring-secret-scanning-for-your-repositories
- /managing-alerts-from-secret-scanning
- - /push-protection-for-users
- - /working-with-push-protection
- - /pushing-a-branch-blocked-by-push-protection
+ - /working-with-secret-scanning-and-push-protection
- /using-advanced-secret-scanning-and-push-protection-features
- /troubleshooting-secret-scanning-and-push-protection
- /secret-scanning-partnership-program
From 6a67a7fdaafa33691bedc9668c5e0a7f2f746e9f Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 10:17:48 +0100
Subject: [PATCH 19/44] trying to get file to render
---
.../secret-scanning/introduction/about-push-protection.md | 6 ++++--
content/code-security/secret-scanning/introduction/index.md | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index faeaa0f556..9b41a1a65e 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -10,7 +10,7 @@ redirect_from:
- /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/push-protection-for-repositories-and-organizations
-type: how_to
+type: overview
topics:
- Secret scanning
- Advanced Security
@@ -60,7 +60,9 @@ For information on the secrets and service providers supported for push protecti
{% ifversion secret-scanning-push-protection-for-users %}
-## About push protection for users.
+## About push protection for users
+
+Everyone across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within your individual settings. This ensures your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
{% endif %}
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index 506adc1289..7c8fb7d1da 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -1,6 +1,6 @@
---
title: Introduction to secret scanning
-shortTitle: Secret scanning
+shortTitle: Introduction
allowTitleToDifferFromFilename: true
intro: 'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
From 8e73eb5f3df699f2e6e6203a3af79fb75b06819c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 11:18:34 +0100
Subject: [PATCH 20/44] trying to get file to render 2
---
.../secret-scanning/introduction/about-push-protection.md | 3 +--
.../secret-scanning/introduction/about-secret-scanning.md | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 9b41a1a65e..c75445fccd 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -56,7 +56,7 @@ By default, anyone with write access to the repository can choose to bypass push
You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
-For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)."
+For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
{% ifversion secret-scanning-push-protection-for-users %}
@@ -75,5 +75,4 @@ Mention custom patterns at the end?
## Further reading
-* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index a225b8cafe..0f77704240 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -1,5 +1,5 @@
---
-title: About secret scanning
+title: Secret scanning
intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
From ff95b54e1fe24d5ba25ab25e0452938a8b3c64f8 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 11:23:10 +0100
Subject: [PATCH 21/44] trying to get file to render 3
---
.../secret-scanning/introduction/about-secret-scanning.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 0f77704240..a225b8cafe 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -1,5 +1,5 @@
---
-title: Secret scanning
+title: About secret scanning
intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
From e77112068c1c9c9872c48876ebe8059e7e7d887a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 12:25:36 +0100
Subject: [PATCH 22/44] more work on push protection
---
.../introduction/about-push-protection.md | 56 ++++++++++---------
.../introduction/about-secret-scanning.md | 1 +
2 files changed, 31 insertions(+), 26 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index c75445fccd..d34ce3a7d1 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
---
title: About push protection
-intro: 'TODO.'
+intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
@@ -38,41 +38,45 @@ If you are a repository administrator or an organization owner, you can enable p
{% endif %}
-{% ifversion security-overview-push-protection-metrics-page %}
-
-If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)."
-
-{% endif %}
-
-{% ifversion ghec or fpt %}
-{% note %}
-
-**Note:** The github.dev web-based editor doesn't support push protection. For more information about the editor, see "[AUTOTITLE](/codespaces/the-githubdev-web-based-editor)."
-
-{% endnote %}
-{% endif %}
-
-By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
-
-You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
-
-For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-
{% ifversion secret-scanning-push-protection-for-users %}
## About push protection for users
-Everyone across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within your individual settings. This ensures your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
+Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings.
+
+Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
{% endif %}
-TODO Add link to enabling article, which is new.
+## What are the supported secrets
-## Next steps
+For information about the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-Mention custom patterns at the end?
-{% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
+{% ifversion push-protection-delegated-bypass %}
+
+## Delegated bypass
+
+{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
+
+When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
+
+If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
+
+For information about delegated bypass for push protection, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
+
+{% endif %}
+
+{% ifversion secret-scanning-push-protection-custom-patterns %}
+
+## Custom patterns
+
+You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization.
+
+{% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+
+{% endif %}
## Further reading
+* TODO: add link to enabling push protection
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index a225b8cafe..92595aec49 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -17,6 +17,7 @@ type: overview
topics:
- Secret scanning
- Advanced Security
+shortTitle: Secret scanning
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
From ed448d505663ec6ddcd9a84c9562acd0cf332a3b Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 13:34:59 +0100
Subject: [PATCH 23/44] version delegated bypass section
---
.../secret-scanning/introduction/about-push-protection.md | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index d34ce3a7d1..9bfd86ed14 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -27,17 +27,15 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu
You can enable push protection:
-* At repository/organization level, if you are a repository administrator or an organization owner For more information, see
+* At repository/organization level, if you are a repository administrator or an organization owner.
* For your account on {% data variables.product.prodname_dotcom %}, as a user.
## About push protection for repositories and organizations
-{% else %}
+{% endif %}
If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level.
-{% endif %}
-
{% ifversion secret-scanning-push-protection-for-users %}
## About push protection for users
@@ -62,7 +60,7 @@ When you enable push protection, by default, anyone with write access to the rep
If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
-For information about delegated bypass for push protection, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
+For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
{% endif %}
From 3de6c358755a44231a63fe2c905296df55bc29b6 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 17:33:45 +0100
Subject: [PATCH 24/44] and more work
---
.../introduction/about-push-protection.md | 12 ++++++------
.../introduction/about-secret-scanning.md | 6 ++++++
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 9bfd86ed14..2b6ea61119 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
---
title: About push protection
-intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO'
+intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO for users'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
@@ -19,6 +19,8 @@ topics:
shortTitle: Push protection
---
+## What is push protection
+
Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository.
{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %}
@@ -48,7 +50,7 @@ Enabling push protection for your user account means that your pushes are protec
## What are the supported secrets
-For information about the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
{% ifversion push-protection-delegated-bypass %}
@@ -66,11 +68,9 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co
{% ifversion secret-scanning-push-protection-custom-patterns %}
-## Custom patterns
+## Custom pattern support
-You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization.
-
-{% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization. {% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
{% endif %}
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 92595aec49..23f25e9ca5 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -20,6 +20,8 @@ topics:
shortTitle: Secret scanning
---
+## What is {% data variables.product.prodname_secret_scanning %}
+
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
@@ -59,6 +61,10 @@ If your project communicates with an external service, you might use a token or
{% endnote %}
+## What are the supported secrets
+
+For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+
{% ifversion fpt or ghec %}
## About {% data variables.secret-scanning.partner_alerts %}
From 4d9c74dd6ce0a712066704b62263ce38fc7f5a86 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 25 Jul 2024 12:15:38 +0100
Subject: [PATCH 25/44] and more work
---
.../introduction/about-push-protection.md | 83 ++++++++++++++-----
.../introduction/about-secret-scanning.md | 77 +++++++++++++++--
2 files changed, 135 insertions(+), 25 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 2b6ea61119..13082cc567 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -21,27 +21,61 @@ shortTitle: Push protection
## What is push protection
-Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository.
+Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %} , which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
-{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %}
+Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
+
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced feature are available:
+
+* Delegated bypass—allows repository administrators or designated users to temporarily bypass the push protection mechanism. This can be useful in situations where a developer needs to push a commit that contains strings or patterns that resemble secrets but are actually safe and necessary for the project.This allows gives users with administrative rights more control about what is committed.
+* Custom patterns—allows you to define specific patterns or regular expressions that represent the types of secrets unique to your environment or organization. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}.
{% ifversion secret-scanning-push-protection-for-users %}
You can enable push protection:
-* At repository/organization level, if you are a repository administrator or an organization owner.
-* For your account on {% data variables.product.prodname_dotcom %}, as a user.
-
-## About push protection for repositories and organizations
+* At repository/organization level, if you are a repository administrator or an organization owner. This type of push protection is referred to as "push protection".
+* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users".
{% endif %}
-If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level.
+## What are the benefits of push protection
+
+* **Proactive Security**—
+Push Protection acts as a front-line defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository.
+
+* **Immediate Feedback**—
+Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
+
+* **Reduced Risk of Data Leaks**—
+By blocking commits that contain sensitive information, Push Protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
+
+* **Efficient Secret Management**—
+Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
+
+* **Integration with CI/CD Pipelines**—
+Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices.
+
+* **Customizable Rules**—
+Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that Push Protection can effectively identify and block even non-standard secrets.
+
+* **Delegated Bypass for Flexibility**—
+For cases where false positives occur or when certain patterns are necessary, the Delegated Bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.
+
+* **Audit and Monitoring**—
+Push Protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability.
+
+* **Collaboration and Education**—
+By frequently reminding developers of secure coding practices, Push Protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility.
+
+## Configuring push protection
+
+To use push protection, you need to have administrative access to the repository or organization you want to configure. Also, your repository or organization should be hosted on {% data variables.product.prodname_dotcom %}.
+
+Enabling and configuring push protection involves a few steps. For more information, see TODO: - link to enabling article.
{% ifversion secret-scanning-push-protection-for-users %}
-## About push protection for users
-
Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings.
Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
@@ -52,9 +86,29 @@ Enabling push protection for your user account means that your pushes are protec
For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+## Customizing push protection
+
+Once push protection is enabled, you can customize it further, if needed:
+
+### Integration with CI/CD Pipelines
+
+You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}.
+
+### Handling false positives
+
+If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. This may also involve adding specific rules or exceptions within your security settings.
+
+{% ifversion secret-scanning-push-protection-custom-patterns %}
+
+### Defining custom patterns
+
+If you have specific patterns or types of secrets that are unique to your environment, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+
+{% endif %}
+
{% ifversion push-protection-delegated-bypass %}
-## Delegated bypass
+### Using delegated bypass
{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
@@ -66,15 +120,6 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co
{% endif %}
-{% ifversion secret-scanning-push-protection-custom-patterns %}
-
-## Custom pattern support
-
-You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization. {% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
-
-{% endif %}
-
## Further reading
-* TODO: add link to enabling push protection
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 23f25e9ca5..eeeb5fc248 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -22,9 +22,78 @@ shortTitle: Secret scanning
## What is {% data variables.product.prodname_secret_scanning %}
-{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
+{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection.
-
+For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection.
+
+Below is a typical workflow:
+
+* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %}automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
+
+* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository.
+
+TODO:
+* Review Alerts: When a secret is detected, review the alert details provided by GitHub.
+
+* *Remediation: Take appropriate actions to remediate the exposure. This might include:
+ * Rotating the affected credential to ensure it is no longer usable.
+ * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or GitHub's built-in features).
+* Audit and Monitor: Regularly audit and monitor your repositories to ensure no other secrets are exposed.
+
+{% ifversion fpt or ghec %}
+
+* Integration with partners: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
+
+{% endif %}
+
+## What are the benefits of {% data variables.product.prodname_secret_scanning %}
+
+* **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
+
+* **Automated detection**—The feature automatically scans your codebase, including commits, issues, and pull requests, ensuring continuous protection without requiring manual intervention. This automation helps in maintaining security even as your repository evolves.
+
+* **Real-time alerts**—When a secret is detected, {% data variables.product.prodname_secret_scanning %} provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions.
+
+* **Historical scanning**—{% data variables.product.prodname_secret_scanning_caps %} can be configured to scan the entire commit history of your repository. This retrospective analysis helps in identifying and mitigating risks from previously committed secrets that may have gone unnoticed.
+
+{% ifversion fpt or ghec %}
+
+* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential.
+
+{% endif %}
+
+* **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
+
+* **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team.
+
+* **Remediation guidance**—Along with alerts, {% data variables.product.prodname_dotcom %}provides remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials.
+
+## Enabling {% data variables.product.prodname_secret_scanning %}
+
+{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on GitHub.
+For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}.
+
+For more information, see TODO: - link to enabling article.
+
+## What are the supported secrets
+
+For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+
+{% ifversion ghec or ghes %}
+
+## Custom patterns
+
+For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are:
+
+* Tailored Security Detect secrets unique to your applications, APIs, or internal tools.
+* Increased Coverage Capture additional types of sensitive data that default patterns might miss.
+* Prevent Data Leaks Proactively identify and mitigate risks associated with exposed proprietary secrets.
+
+{% endif %}
+
+OLD
+
+{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.
@@ -61,10 +130,6 @@ If your project communicates with an external service, you might use a token or
{% endnote %}
-## What are the supported secrets
-
-For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-
{% ifversion fpt or ghec %}
## About {% data variables.secret-scanning.partner_alerts %}
From 02fe49d571ae9f559d3fa26244c2458ac562c0b0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 25 Jul 2024 15:22:48 +0100
Subject: [PATCH 26/44] more work on secret scanning and push protection
articles
---
.../introduction/about-push-protection.md | 39 ++++-------
.../about-secret-scanning-for-partners.md | 6 ++
.../introduction/about-secret-scanning.md | 70 ++++++-------------
3 files changed, 42 insertions(+), 73 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 13082cc567..490a996840 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
---
title: About push protection
-intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO for users'
+intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
@@ -25,10 +25,7 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
-Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced feature are available:
-
-* Delegated bypass—allows repository administrators or designated users to temporarily bypass the push protection mechanism. This can be useful in situations where a developer needs to push a commit that contains strings or patterns that resemble secrets but are actually safe and necessary for the project.This allows gives users with administrative rights more control about what is committed.
-* Custom patterns—allows you to define specific patterns or regular expressions that represent the types of secrets unique to your environment or organization. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}.
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available:
{% ifversion secret-scanning-push-protection-for-users %}
@@ -41,32 +38,24 @@ You can enable push protection:
## What are the benefits of push protection
-* **Proactive Security**—
-Push Protection acts as a front-line defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository.
+* **Proactive security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository.
-* **Immediate Feedback**—
-Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
+* **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
-* **Reduced Risk of Data Leaks**—
-By blocking commits that contain sensitive information, Push Protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
+* **Reduced risk of data leaks**—By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
-* **Efficient Secret Management**—
-Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
+* **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
* **Integration with CI/CD Pipelines**—
Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices.
-* **Customizable Rules**—
-Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that Push Protection can effectively identify and block even non-standard secrets.
+{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %}
-* **Delegated Bypass for Flexibility**—
-For cases where false positives occur or when certain patterns are necessary, the Delegated Bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.
+{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**—For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %}
-* **Audit and Monitoring**—
-Push Protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability.
+* **Audit and monitoring**—Push protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability.
-* **Collaboration and Education**—
-By frequently reminding developers of secure coding practices, Push Protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility.
+* **Collaboration and education**—By frequently reminding developers of secure coding practices, push protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility.
## Configuring push protection
@@ -76,7 +65,7 @@ Enabling and configuring push protection involves a few steps. For more informat
{% ifversion secret-scanning-push-protection-for-users %}
-Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings.
+Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings.
Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
@@ -102,7 +91,7 @@ If push protection occasionally flags non-sensitive information, you can configu
### Defining custom patterns
-If you have specific patterns or types of secrets that are unique to your environment, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
{% endif %}
@@ -122,4 +111,6 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co
## Further reading
-* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %}
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 610e2ddaa2..966201b428 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -13,6 +13,12 @@ shortTitle: Secret scanning for partners
## About {% data variables.secret-scanning.partner_alerts %}
+When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+
+You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
+
+## About {% data variables.secret-scanning.partner_alerts %}
+
{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit.
{% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index eeeb5fc248..28a4654766 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -24,6 +24,10 @@ shortTitle: Secret scanning
{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection.
+{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}
+
+{% data reusables.secret-scanning.what-is-scanned %}
+
For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection.
Below is a typical workflow:
@@ -62,15 +66,19 @@ TODO:
{% endif %}
+{% ifversion ghec or ghes %}
+
* **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
+{% endif %}
+
* **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team.
-* **Remediation guidance**—Along with alerts, {% data variables.product.prodname_dotcom %}provides remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials.
+* **Remediation guidance**—Along with alerts, we provide remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials.
## Enabling {% data variables.product.prodname_secret_scanning %}
-{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on GitHub.
+{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}.
For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}.
For more information, see TODO: - link to enabling article.
@@ -79,9 +87,19 @@ For more information, see TODO: - link to enabling article.
For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+## Customizing {% data variables.product.prodname_secret_scanning %}
+
+Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed:
+
+### Detection of non-provider patterns
+
+### eneric secret detection
+
+### Validity checks
+
{% ifversion ghec or ghes %}
-## Custom patterns
+### Custom patterns
For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are:
@@ -93,14 +111,6 @@ For advanced users, GitHub allows custom patterns to be added to Secret Scanning
OLD
-{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
-
-If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.
-
-{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}
-
-{% data reusables.secret-scanning.what-is-scanned %}
-
{% ifversion fpt or ghec %}
{% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms:
@@ -118,28 +128,6 @@ If your project communicates with an external service, you might use a token or
{% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."
-{% ifversion secret-scanning-push-protection-for-users %}
-
-{% data reusables.secret-scanning.push-protection-for-users %}
-
-{% endif %}
-
-{% note %}
-
-**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} or push protection enabled, these features are not enabled by default on the fork. You can enable {% data variables.product.prodname_secret_scanning %} or push protection on the fork the same way you enable them on a standalone repository.
-
-{% endnote %}
-
-{% ifversion fpt or ghec %}
-
-## About {% data variables.secret-scanning.partner_alerts %}
-
-When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
-
-You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-
-{% endif %}
-
## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %}
{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %}
@@ -157,22 +145,6 @@ You can also define custom {% data variables.product.prodname_secret_scanning %}
{% ifversion secret-scanning-store-tokens %}
{% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %}
-### Accessing {% data variables.secret-scanning.alerts %}
-
-{% data reusables.secret-scanning.secret-scanning-about-alerts %}
-
-* {% data variables.product.prodname_dotcom %} sends an email alert to the repository administrators and organization owners. You'll receive an alert if you are watching the repository{% ifversion secret-scanning-notification-settings %}, {% else %}, and {% endif %}if you have enabled notifications either for security alerts or for all the activity on the repository{% ifversion secret-scanning-notification-settings %}, and if, in your notification settings, you have selected to receive email notifications for the repositories that you are watching.{% else %}.{% endif %}
-* If the person who introduced the secret isn't ignoring the repository, {% data variables.product.prodname_dotcom %} will also send them an email alert. The email contains a link to the related {% data variables.product.prodname_secret_scanning %} alert. The person who introduced the secret can then view the alert in the repository, and resolve the alert.
-* {% data reusables.secret-scanning.repository-alert-location %}
-
-For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
-
-{% ifversion secret-scanning-notification-settings %}
-For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)."
-{% endif %}
-
-Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
-
{% ifversion ghec or ghes %}
You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)."
{% endif %}
From 03021332a63f35bd8a342d49490a0b3dad82672b Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 25 Jul 2024 15:50:43 +0100
Subject: [PATCH 27/44] fix failing linter test
---
.../introduction/about-push-protection.md | 8 ++---
.../introduction/about-secret-scanning.md | 36 +++++++++++--------
2 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 490a996840..f5d332522b 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -46,7 +46,7 @@ You can enable push protection:
* **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
-* **Integration with CI/CD Pipelines**—
+* **Integration with CI/CD pipelines**—
Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices.
{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %}
@@ -65,9 +65,7 @@ Enabling and configuring push protection involves a few steps. For more informat
{% ifversion secret-scanning-push-protection-for-users %}
-Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings.
-
-Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
+Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
{% endif %}
@@ -79,7 +77,7 @@ For information about the secrets and service providers supported by push protec
Once push protection is enabled, you can customize it further, if needed:
-### Integration with CI/CD Pipelines
+### Integration with CI/CD pipelines
You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}.
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 28a4654766..75e636bdb9 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -30,19 +30,19 @@ shortTitle: Secret scanning
For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection.
-Below is a typical workflow:
+Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works:
-* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %}automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
+* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
-* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository.
+* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article.
-TODO:
-* Review Alerts: When a secret is detected, review the alert details provided by GitHub.
+* Review Alerts: When a secret is detected, you'll need to review the alert details provided.
-* *Remediation: Take appropriate actions to remediate the exposure. This might include:
+* *Remediation: You then need take appropriate actions to remediate the exposure. This might include:
* Rotating the affected credential to ensure it is no longer usable.
- * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or GitHub's built-in features).
-* Audit and Monitor: Regularly audit and monitor your repositories to ensure no other secrets are exposed.
+ * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features).
+
+* Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
{% ifversion fpt or ghec %}
@@ -62,7 +62,7 @@ TODO:
{% ifversion fpt or ghec %}
-* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential.
+* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
{% endif %}
@@ -91,17 +91,25 @@ For information about the secrets and service providers supported by {% data var
Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed:
+{% ifversion secret-scanning-non-provider-patterns %}
+
### Detection of non-provider patterns
-### eneric secret detection
+{% endif %}
-### Validity checks
+{% ifversion secret-scanning-ai-generic-secret-detection %}
+
+### Generic secret detection
+
+{% endif %}
+
+### Performing validity checks
{% ifversion ghec or ghes %}
-### Custom patterns
+### Defining custom patterns
-For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are:
+You can define advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are:
* Tailored Security Detect secrets unique to your applications, APIs, or internal tools.
* Increased Coverage Capture additional types of sensitive data that default patterns might miss.
@@ -132,7 +140,7 @@ OLD
{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %}
-When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} For more information about the repository content that is scanned, see the [beginning of this article](#about-secret-scanning).
+When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %}
When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}."
From 523f53267f6fe7acacdf180670cd4fc6b70c528d Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 25 Jul 2024 17:01:51 +0100
Subject: [PATCH 28/44] fix failing check
---
.../secret-scanning/introduction/about-secret-scanning.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 75e636bdb9..7c8440bc7e 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -122,7 +122,7 @@ OLD
{% ifversion fpt or ghec %}
{% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms:
-1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see the "[About {% data variables.secret-scanning.partner_alerts %}](#about-secret-scanning-alerts-for-partners)" section below.
+1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO:
1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}.
{% ifversion fpt %}The following users can enable and configure additional scanning:
From eaf5934c24ed57b7a939a6b333b531d5c7b0fb50 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 14:25:26 +0100
Subject: [PATCH 29/44] first commit
---
.../introduction/about-secret-scanning-for-partners.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 966201b428..ec06e4d9b5 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -11,6 +11,8 @@ topics:
shortTitle: Secret scanning for partners
---
+TODO:
+
## About {% data variables.secret-scanning.partner_alerts %}
When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
From 363265f87c65554018a350ad59f02b8c80f936a0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 16:40:17 +0100
Subject: [PATCH 30/44] write new article
---
.../about-secret-scanning-for-partners.md | 30 ++++++++-----------
1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index ec06e4d9b5..6abb34d4b0 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
---
title: About secret scanning for partners
-intro: 'TODO'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when partner secrets are found in codebases. This allows partners to promtply take action to secure their systems.'
versions:
fpt: '*'
ghec: '*'
@@ -11,27 +11,23 @@ topics:
shortTitle: Secret scanning for partners
---
-TODO:
-
## About {% data variables.secret-scanning.partner_alerts %}
-When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
-You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
+> [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-## About {% data variables.secret-scanning.partner_alerts %}
+The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure prompt. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
-{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit.
-
-{% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
-
-You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-
-Partner alerts are not displayed on {% data variables.product.prodname_dotcom %}. Instead, partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets.
-
-For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
-When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+## What are the supported secrets
-TODO: apply scannability techniques
+For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+
+## Further reading
+
+* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"
+* "[AUTOTITLE](/ccode-security/secret-scanning/introduction/supported-secret-scanning-patterns)"
+* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
+* TODO: add link to "About alerts" article
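Review bot: The sentence under "## What are the supported secrets" says the patterns are "supported by push protection", but this article describes partner patterns, so the feature named looks wrong; suggest `For information about the secrets and service providers supported as partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."`. The explanatory paragraph also says partner alerts help ensure secrets are not exposed "in public or private repositories", while the opening paragraph of the same hunk states that partner-pattern scanning covers public repositories and public npm packages; the two statements should agree, and the same sentence is carried forward in the hunks of PATCH 32 and PATCH 33. The callout `> [!NOTE]You cannot change…` has no separator after `[!NOTE]`; if the site's callout syntax requires the text on its own `> ` line, the note may not render as intended.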
From 055b1179498358cd7158ec01174a93231fea0d99 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 16:47:50 +0100
Subject: [PATCH 31/44] fix typo
---
.../introduction/about-secret-scanning-for-partners.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 6abb34d4b0..35dc111201 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -28,6 +28,6 @@ For information about the secrets and service providers supported by push protec
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"
-* "[AUTOTITLE](/ccode-security/secret-scanning/introduction/supported-secret-scanning-patterns)"
+* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
* TODO: add link to "About alerts" article
From 45833a029757880bc61fcbae061e3cab2ca1394d Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 16:59:25 +0100
Subject: [PATCH 32/44] improve
---
.../introduction/about-secret-scanning-for-partners.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 35dc111201..ea592ecb19 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
---
title: About secret scanning for partners
-intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when partner secrets are found in codebases. This allows partners to promtply take action to secure their systems.'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when any of the partner secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promtply take action to secure their systems.'
versions:
fpt: '*'
ghec: '*'
@@ -17,7 +17,7 @@ shortTitle: Secret scanning for partners
> [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure prompt. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
+The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure promptly. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
From 725be04a34a61b5c531e44f75c506e1640e1f136 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 29 Jul 2024 08:43:19 +0100
Subject: [PATCH 33/44] address review comments
---
.../introduction/about-secret-scanning-for-partners.md | 4 ++--
data/reusables/secret-scanning/partner-program-link.md | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index ea592ecb19..dc13a08885 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -13,11 +13,11 @@ shortTitle: Secret scanning for partners
## About {% data variables.secret-scanning.partner_alerts %}
-{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
+{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. {% data reusables.secret-scanning.partner-program-link %}
> [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure promptly. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
+The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this helps ensure that secrets are not inadvertently exposed in public or private repositories. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
diff --git a/data/reusables/secret-scanning/partner-program-link.md b/data/reusables/secret-scanning/partner-program-link.md
index b91d576170..4d358da42e 100644
--- a/data/reusables/secret-scanning/partner-program-link.md
+++ b/data/reusables/secret-scanning/partner-program-link.md
@@ -1,5 +1,5 @@
{% ifversion fpt or ghec %}
-To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partner-program)."
+To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
{% else %}
-To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
+To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
{% endif %}
From 97fb82ebd6a95e8e14702e32f2ef02e5f1283013 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 29 Jul 2024 08:47:35 +0100
Subject: [PATCH 34/44] Update
content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
---
.../introduction/about-secret-scanning-for-partners.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index ea592ecb19..1945861321 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
---
title: About secret scanning for partners
-intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when any of the partner secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promtply take action to secure their systems.'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner's secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.'
versions:
fpt: '*'
ghec: '*'
From 85caff80c54fe408f61d423183962a64ec9e0d80 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 29 Jul 2024 08:51:37 +0100
Subject: [PATCH 35/44] fix frontmatter issue
---
.../introduction/about-secret-scanning-for-partners.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index fcaa95687c..10fbdb9873 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
---
title: About secret scanning for partners
-intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner's secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner''s secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.'
versions:
fpt: '*'
ghec: '*'
From d7930cab792c598908d497007442bddfdfe8fbad Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:00:38 +0100
Subject: [PATCH 36/44] Update
content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
.../secret-scanning/introduction/about-push-protection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index f5d332522b..a93bd79a56 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -21,7 +21,7 @@ shortTitle: Push protection
## What is push protection
-Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %} , which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
+Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %}, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
From 7ef9bed381b0e4ec40d5102aa7bbbc821495c4f7 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:04:36 +0100
Subject: [PATCH 37/44] Update
content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
.../secret-scanning/introduction/about-push-protection.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index a93bd79a56..bd9c5b8f7e 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -31,8 +31,8 @@ Once enabled, if push protection detects a potential secret during a push attemp
You can enable push protection:
-* At repository/organization level, if you are a repository administrator or an organization owner. This type of push protection is referred to as "push protection".
-* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users".
+* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
+* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts.
{% endif %}
From 5e9045db7a4e5bd34e637df6c017b5e5f98aa954 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:05:11 +0100
Subject: [PATCH 38/44] Update
content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
.../secret-scanning/introduction/about-push-protection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index bd9c5b8f7e..6cf2f9b279 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -25,7 +25,7 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
-Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available:
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available.
{% ifversion secret-scanning-push-protection-for-users %}
From 2640efb09e53d7826828058def2b31b2edbe7bc8 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:06:02 +0100
Subject: [PATCH 39/44] Update
content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
.../secret-scanning/introduction/about-push-protection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 6cf2f9b279..f4b810f2e7 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -38,7 +38,7 @@ You can enable push protection:
## What are the benefits of push protection
-* **Proactive security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository.
+* **Preventative security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
* **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
From 804e280359bcf6b5adc6ffee71cf14e5ab09a996 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:08:33 +0100
Subject: [PATCH 40/44] what a mess
---
.../secret-scanning/introduction/about-push-protection.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index f4b810f2e7..4eb154eee4 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -19,19 +19,19 @@ topics:
shortTitle: Push protection
---
-## What is push protection
+## About push protection
Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %}, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
-Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available.
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available.
{% ifversion secret-scanning-push-protection-for-users %}
You can enable push protection:
-* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
+* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts.
{% endif %}
From 4cb9c8d8b52e36dd44debcdaea0b7c43c8bc33ce Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:22:01 +0100
Subject: [PATCH 41/44] addressed more comments
---
.../introduction/about-push-protection.md | 35 +++++++------------
1 file changed, 12 insertions(+), 23 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 4eb154eee4..2bcae81361 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
---
title: About push protection
-intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
+intro: 'Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
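Review bot: The rewritten intro states unconditionally that push protection "generates an alert whenever a contributor bypasses the block", but the second hunk of this same commit says push protection for users generates no alerts, so when `secret-scanning-push-protection-for-users` is active the intro over-promises the detection signal. Consider scoping the claim, for example `Push protection blocks contributors from pushing secrets to a repository and, at the repository and organization level, generates an alert whenever a contributor bypasses the block.`, so that readers do not expect bypass alerts from the user-level setting.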
@@ -25,43 +25,31 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
-Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available.
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as {% ifversion push-protection-delegated-bypass %}delegated bypass and {% endif %}the use of custom patterns are available.
{% ifversion secret-scanning-push-protection-for-users %}
You can enable push protection:
* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
-* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts.
-
+* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated.
{% endif %}
-## What are the benefits of push protection
+## About the benefits of push protection
-* **Preventative security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
+* **Preventative security**: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
-* **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
+* **Immediate feedback**: Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
-* **Reduced risk of data leaks**—By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
+* **Reduced risk of data leaks**: By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
-* **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
+* **Efficient secret management**: Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
-* **Integration with CI/CD pipelines**—
-Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices.
+* **Integration with CI/CD pipelines**: Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices.
-{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %}
+{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**: Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %}
-{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**—For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %}
-
-* **Audit and monitoring**—Push protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability.
-
-* **Collaboration and education**—By frequently reminding developers of secure coding practices, push protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility.
-
-## Configuring push protection
-
-To use push protection, you need to have administrative access to the repository or organization you want to configure. Also, your repository or organization should be hosted on {% data variables.product.prodname_dotcom %}.
-
-Enabling and configuring push protection involves a few steps. For more information, see TODO: - link to enabling article.
+{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**: For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %}
{% ifversion secret-scanning-push-protection-for-users %}
@@ -109,6 +97,7 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co
## Further reading
+* TODO: add link to enabling push protection article
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %}
From 92ecffd52e25c3426b0073e8e52702069b4ea571 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:50:36 +0100
Subject: [PATCH 42/44] streamline
---
.../introduction/about-push-protection.md | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 2bcae81361..1bf5ff2d18 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -77,7 +77,7 @@ If push protection occasionally flags non-sensitive information, you can configu
### Defining custom patterns
-If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
{% endif %}
@@ -85,13 +85,7 @@ If you have specific patterns or types of secrets that are unique to your enviro
### Using delegated bypass
-{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
-
-When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
-
-If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
-
-For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
+{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
{% endif %}
From 00079016b285dcb49c3349654b4868818e037c73 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 13:06:22 +0000
Subject: [PATCH 43/44] add similar how it works section for missing content,
update customizing section
---
.../introduction/about-push-protection.md | 29 ++++++++++++-------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 1bf5ff2d18..490e9222c8 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -25,16 +25,27 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
-Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as {% ifversion push-protection-delegated-bypass %}delegated bypass and {% endif %}the use of custom patterns are available.
-
{% ifversion secret-scanning-push-protection-for-users %}
You can enable push protection:
* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated.
+
{% endif %}
+For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+
+## How push protection works
+
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push.
+
+By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. {% data reusables.secret-scanning.push-protection-bypass %}
+
+{% data reusables.secret-scanning.bypass-reasons-and-alerts %}
+
+{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "TODO: link to delegated bypass."{% endif %}
+
## About the benefits of push protection
* **Preventative security**: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
@@ -57,27 +68,23 @@ Every user across {% data variables.product.prodname_dotcom %} can also enable p
{% endif %}
-## What are the supported secrets
-
-For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-
## Customizing push protection
-Once push protection is enabled, you can customize it further, if needed:
+Once push protection is enabled, you can customize it further:
### Integration with CI/CD pipelines
-You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}.
+Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO - add link to something here?"
### Handling false positives
-If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. This may also involve adding specific rules or exceptions within your security settings.
+If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO - not sure what to link to here?"
{% ifversion secret-scanning-push-protection-custom-patterns %}
### Defining custom patterns
-If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
{% endif %}
@@ -85,7 +92,7 @@ If you have specific patterns or types of secrets that are unique to your enviro
### Using delegated bypass
-{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
+Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
{% endif %}
From d72992de8f6ab7b24cb12c3566459bc419dc8bd7 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 2 Aug 2024 18:56:03 +0100
Subject: [PATCH 44/44] fix formatting
---
data/learning-tracks/code-security.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 638eb7258a..ab42d18f49 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -116,6 +116,7 @@ secret_scanning:
- /code-security/secret-scanning/about-secret-scanning
- /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository
- /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository
+ - >-
{% ifversion secret-scanning-validity-check-partner-patterns %}
/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository{% endif %}
- >-