Merge branch 'universe-2022-megabranch' into codespaces-universe-megabranch

.github/workflows/codeql.yml

@@ -33,6 +33,6 @@ jobs:
       - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
       - uses: github/codeql-action/init@1ed1437484560351c5be56cf73a48a279d116b78
         with:
-          languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp} (not YET ruby, sorry!)
+          languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp, ruby}
       - uses: github/codeql-action/analyze@1ed1437484560351c5be56cf73a48a279d116b78
         continue-on-error: true

content/actions/migrating-to-github-actions/automating-migration-with-github-actions-importer.md

@@ -0,0 +1,240 @@
+---
+title: Automating migration with GitHub Actions Importer
+intro: 'Use {% data variables.product.prodname_actions_importer %} to plan and automate your migration to {% data variables.product.prodname_actions %}.'
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+  ghae: '*'
+type: how_to
+miniTocMaxHeadingLevel: 3
+topics:
+  - Migration
+  - CI
+  - CD
+shortTitle: Automate migration with {% data variables.product.prodname_actions_importer %}
+---
+
+{% data reusables.actions.enterprise-beta %}
+{% data reusables.actions.enterprise-github-hosted-runners %}
+
+[Legal notice](#legal-notice)
+
+{% note %}
+
+**Note**: {% data variables.product.prodname_actions_importer %} is currently available as a public preview. Visit the [sign up page](https://github.com/features/actions-importer/signup) to request access to the preview. Once you are granted access you'll be able to use the `gh-actions-importer` CLI extension
+
+{% endnote %}
+
+## About {% data variables.product.prodname_actions_importer %}
+
+You can use {% data variables.product.prodname_actions_importer %} to plan and automatically migrate your CI/CD pipelines to {% data variables.product.prodname_actions %} from Azure DevOps, CircleCI, GitLab, Jenkins, and Travis CI.
+
+{% data variables.product.prodname_actions_importer %} is distributed as a Docker container, and uses a [{% data variables.product.prodname_dotcom %} CLI](https://cli.github.com) extension to interact with the container.
+
+Any workflow that is converted by the {% data variables.product.prodname_actions_importer %} should be inspected for correctness before using it as a production workload. The goal is to achieve an 80% conversion rate for every workflow, however, the actual conversion rate will depend on the makeup of each individual pipeline that is converted.
+
+## Supported CI platforms
+
+You can use {% data variables.product.prodname_actions_importer %} to migrate from the following platforms:
+
+- Azure DevOps
+- CircleCI
+- GitLab
+- Jenkins
+- Travis CI
+
+Once you are granted access to the preview, you will be able to access further reference documentation for each of the supported platforms.
+
+## Prerequisites
+
+{% data variables.product.prodname_actions_importer %} has the following requirements:
+
+- You must have been granted access to the public preview for the {% data variables.product.prodname_actions_importer %}.
+{%- ifversion ghes < 3.5 or ghae %}
+- Use a {% data variables.product.pat_generic %} with the `read:packages` scope enabled.
+{%- else %}
+- You must have credentials to authenticate to the {% data variables.product.prodname_registry %} {% data variables.product.prodname_container_registry %}. For more information, see "[Working with the Container registry](/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry)."
+{% endif %}
+- An environment where you can run Linux-based containers, and can install the necessary tools.
+  - Docker is [installed](https://docs.docker.com/get-docker/) and running.
+  - [{% data variables.product.prodname_dotcom %} CLI](https://cli.github.com) is installed.
+
+  {% note %}
+
+  **Note**: The {% data variables.product.prodname_actions_importer %} container and CLI do not need to be installed on the same server as your CI platform.
+
+  {% endnote %}
+
+### Installing the {% data variables.product.prodname_actions_importer %} CLI extension
+
+1. Install the {% data variables.product.prodname_actions_importer %} CLI extension:
+
+   ```bash
+   $ gh extension install github/gh-actions-importer
+   ```
+1. Verify that the extension is installed:
+
+   ```bash
+   $ gh actions-importer -h
+   Options:
+     -?, -h, --help  Show help and usage information
+
+   Commands:
+     update     Update to the latest version of the GitHub Actions Importer.
+     version    Display the version of the GitHub Actions Importer.
+     configure  Start an interactive prompt to configure credentials used to authenticate with your CI server(s).
+     audit      Plan your CI/CD migration by analyzing your current CI/CD footprint.
+     forecast   Forecast GitHub Actions usage from historical pipeline utilization.
+     dry-run    Convert a pipeline to a GitHub Actions workflow and output its yaml file.
+     migrate    Convert a pipeline to a GitHub Actions workflow and open a pull request with the changes.
+   ```
+
+### Updating the {% data variables.product.prodname_actions_importer %} CLI
+
+To ensure you're running the latest version of {% data variables.product.prodname_actions_importer %}, you should regularly run the `update` command:
+
+```bash
+$ gh actions-importer update
+```
+
+You must be authenticated with the {% data variables.product.prodname_container_registry %} for this command to be successful. Alternatively, you can provide credentials using the `--username` and `--password-stdin` parameters:
+
+```bash
+$ echo $GITHUB_TOKEN | gh actions-importer update --username $GITHUB_HANDLE --password-stdin
+```
+
+### Authenticating at the command line
+
+You must configure credentials that allow {% data variables.product.prodname_actions_importer %} to communicate with {% data variables.product.prodname_dotcom %} and your current CI server. You can configure these credentials using environment variables or a `.env.local` file. The environment variables can be configured in an interactive prompt, by running the following command:
+
+```bash
+$ gh actions-importer configure
+```
+
+Once you are granted access to the preview, you will be able to access further reference documentation about using environment variables.
+
+## Using the {% data variables.product.prodname_actions_importer %} CLI
+
+Use the subcommands of `gh actions-importer` to begin your migration to {% data variables.product.prodname_actions %}, including `audit`, `forecast`, `dry-run`, and `migrate`.
+
+### Auditing your existing CI pipelines
+
+The `audit` subcommand can be used to plan your CI/CD migration by analyzing your current CI/CD footprint. This analysis can be used to plan a timeline for migrating to {% data variables.product.prodname_actions %}.
+
+To run an audit, use the following command to determine your available options:
+
+```bash
+$ gh actions-importer audit -h
+Description:
+  Plan your CI/CD migration by analyzing your current CI/CD footprint.
+
+[...]
+
+Commands:
+  azure-devops  An audit will output a list of data used in an Azure DevOps instance.
+  circle-ci     An audit will output a list of data used in a CircleCI instance.
+  gitlab        An audit will output a list of data used in a GitLab instance.
+  jenkins       An audit will output a list of data used in a Jenkins instance.
+  travis-ci     An audit will output a list of data used in a Travis CI instance.
+```
+
+Once you are granted access to the preview, you will be able to access further reference documentation about running an audit.
+
+### Forecasting usage
+
+The `forecast` subcommand reviews historical pipeline usage to create a forecast of {% data variables.product.prodname_actions %} usage.
+
+To run a forecast, use the following command to determine your available options:
+
+```bash
+$ gh actions-importer forecast -h
+Description:
+  Forecasts GitHub Actions usage from historical pipeline utilization.
+
+[...]
+
+Commands:
+  azure-devops  Forecasts GitHub Actions usage from historical Azure DevOps pipeline utilization.
+  jenkins       Forecasts GitHub Actions usage from historical Jenkins pipeline utilization.
+  gitlab        Forecasts GitHub Actions usage from historical GitLab pipeline utilization.
+  circle-ci     Forecasts GitHub Actions usage from historical CircleCI pipeline utilization.
+  travis-ci     Forecasts GitHub Actions usage from historical Travis CI pipeline utilization.
+  github        Forecasts GitHub Actions usage from historical GitHub pipeline utilization.
+```
+
+Once you are granted access to the preview, you will be able to access further reference documentation about running a forecast.
+
+### Testing the migration process
+
+The `dry-run` subcommand can be used to convert a pipeline to its {% data variables.product.prodname_actions %} equivalent, and then write the workflow to your local filesystem.
+
+To perform a dry run, use the following command to determine your available options:
+
+```bash
+$ gh actions-importer dry-run -h
+Description:
+  Convert a pipeline to a GitHub Actions workflow and output its yaml file.
+
+[...]
+
+Commands:
+  azure-devops  Convert an Azure DevOps pipeline to a GitHub Actions workflow and output its yaml file.
+  circle-ci     Convert a CircleCI pipeline to GitHub Actions workflows and output the yaml file(s).
+  gitlab        Convert a GitLab pipeline to a GitHub Actions workflow and output the yaml file.
+  jenkins       Convert a Jenkins job to a GitHub Actions workflow and output its yaml file.
+  travis-ci     Convert a Travis CI pipeline to a GitHub Actions workflow and output its yaml file.
+```
+
+Once you are granted access to the preview, you will be able to access further reference documentation about performing a dry run.
+
+### Migrating a pipeline to {% data variables.product.prodname_actions %}
+
+The `migrate` subcommand can be used to convert a pipeline to its GitHub Actions equivalent and then create a pull request with the contents.
+
+To run a migration, use the following command to determine your available options:
+
+```bash
+$ gh actions-importer migrate -h
+Description:
+  Convert a pipeline to a GitHub Actions workflow and open a pull request with the changes.
+
+[...]
+
+Commands:
+  azure-devops  Convert an Azure DevOps pipeline to a GitHub Actions workflow and open a pull request with the changes.
+  circle-ci     Convert a CircleCI pipeline to GitHub Actions workflows and open a pull request with the changes.
+  gitlab        Convert a GitLab pipeline to a GitHub Actions workflow and open a pull request with the changes.
+  jenkins       Convert a Jenkins job to a GitHub Actions workflow and open a pull request with the changes.
+  travis-ci     Convert a Travis CI pipeline to a GitHub Actions workflow and and open a pull request with the changes.
+```
+
+Once you are granted access to the preview, you will be able to access further reference documentation about running a migration.
+
+## Legal notice
+
+Portions have been adapted from https://github.com/github/gh-actions-importer/ under the MIT license:
+
+```
+MIT License
+
+Copyright (c) 2022 GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+```

content/actions/migrating-to-github-actions/index.md

@@ -11,6 +11,7 @@ redirect_from:
   - /actions/migrating-to-github-actions
   - /articles/migrating-github-actions-from-hcl-syntax-to-yaml-syntax
 children:
+  - /automating-migration-with-github-actions-importer
   - /migrating-from-azure-pipelines-to-github-actions
   - /migrating-from-circleci-to-github-actions
   - /migrating-from-gitlab-cicd-to-github-actions

content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/migrating-your-enterprise-to-github-actions.md

@@ -48,7 +48,7 @@ Identify the gates and checks in your existing system and verify that you can im
 
 ### Identifying and validating migration tools
 
-Automated migration tools can translate your enterprise's workflows from the existing system's syntax to the syntax required by {% data variables.product.prodname_actions %}. Identify third-party tooling or contact your dedicated representative or {% data variables.contact.contact_enterprise_sales %} to ask about tools that {% data variables.product.company_short %} can provide.
+Automated migration tools can translate your enterprise's workflows from the existing system's syntax to the syntax required by {% data variables.product.prodname_actions %}. Identify third-party tooling or contact your dedicated representative or {% data variables.contact.contact_enterprise_sales %} to ask about tools that {% data variables.product.company_short %} can provide. For example, you can use the {% data variables.product.prodname_actions_importer %} to plan, scope, and migrate your CI pipelines to {% data variables.product.prodname_actions %} from various supported services. For more information, see "[Automating migration with {% data variables.product.prodname_actions_importer %}](/actions/migrating-to-github-actions/automating-migration-with-github-actions-importer)."
 
 After you've identified a tool to automate your migrations, validate the tool by running the tool on some test workflows and verifying that the results are as expected.
 

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise.md

@@ -35,7 +35,8 @@ In addition to viewing your audit log, you can monitor activity in your enterpri
 
 As an enterprise owner{% ifversion ghes %} or site administrator{% endif %}, you can interact with the audit log data for your enterprise in several ways:
 - You can view the audit log for your enterprise. For more information, see "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)."
-- You can search the audit log for specific events{% ifversion ghec %} and export audit log data{% endif %}. For more information, see "[Searching the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise)"{% ifversion ghec %} and "[Exporting the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise)"{% endif %}.{% ifversion audit-data-retention-tab %}
+- You can search the audit log for specific events{% ifversion ghec %} and export audit log data{% endif %}. For more information, see "[Searching the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise)"{% ifversion ghec %} and "[Exporting the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise)"{% endif %}.{% ifversion token-audit-log %}
+- You can identify all events that were performed by a specific access token. For more information, see "[Identifying audit log events performed by an access token](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."{% endif %}{% ifversion audit-data-retention-tab %}
 - You can configure settings, such as the retention period for audit log events{% ifversion enable-git-events %} and whether Git events are included{% endif %}. For more information, see "[Configuring the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise)."{% endif %}
 {%- ifversion enterprise-audit-log-ip-addresses %}
 - You can display the IP address associated with events in the audit log. For more information, see "[Displaying IP addresses in the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise)."

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token.md

@@ -0,0 +1,68 @@
+---
+title: Identifying audit log events performed by an access token
+shortTitle: Identify events by token
+intro: 'You can identify the actions performed by a specific {% data variables.product.pat_generic %} or OAuth token in your enterprise.'
+versions:
+  feature: token-audit-log
+---
+
+## About token data in the audit log
+
+In your enterprise's audit log, for any actions that were performed using a {% data variables.product.pat_generic %} or OAuth application for authentication, the event data will show the authentication method used and the SHA-256 hash of the token.
+
+If you learn that a token was compromised, you can understand the actions taken by the compromised token by searching your enterprise's audit log for all events associated with that token.
+
+Hashed token values are not included when you export the audit log.
+
+## Searching for events associated with a token
+
+When searching for events associated with a specific token, you can use the UI or REST API. In either case, you will need to know the SHA-256 hash of the token first.
+
+### Generating a SHA-256 hash value for a token
+
+If you only have a raw token value, you'll need to generate a SHA-256 hash before you can search for the token.
+
+For MacOS and Linux, you can use `echo -n TOKEN | openssl dgst -sha256 -binary | base64`, replacing TOKEN with the token value.
+
+For Powershell, you can use the following script to return a SHA-256 hash for a given string.
+
+```shell{:copy}
+Param (
+    [Parameter(Mandatory=$true)]
+    [string]
+    $ClearString
+)
+
+$hasher = [System.Security.Cryptography.HashAlgorithm]::Create('sha256')
+$hash = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($ClearString))
+
+$hashString = [System.BitConverter]::ToString($hash)
+$hashString.Replace('-', '')
+```
+
+### Searching on {% data variables.product.prodname_dotcom %}
+
+While searching the audit log on {% data variables.product.prodname_dotcom %}, include `hashed_token:"VALUE"` in your search query, replacing `VALUE` with the SHA-256 hash of the token. 
+
+{% note %}
+
+**Note:** Make sure to wrap the hashed token value in quotation marks.
+
+{% endnote %}
+
+### Searching with the REST API
+
+Before you can search for a token using the REST API, after you generate a SHA-256 hash, you also need to URI-escape the hash. Most major programming languages provide a utility for URI escaping. For example, [encodeURIComponent()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent) encodes a string for JavaScript.
+
+Then, include `hashed_token:"VALUE"` in your search phrase, replacing VALUE with the URI-escaped hash. 
+
+For example, if the name of the enterprise account is `octo-corp`, the following curl command would search @octo-corp's audit log for all events that are associated with the token whose URI-encoded SHA-256 hash is `EH4L8o6PfCqipALbL%2BQT62lyqUtnI7ql0SPbkaQnjv8`.
+
+```
+curl --location --request GET 'https://api.github.com/enterprises/octo-corp/audit-log?phrase=hashed_token:"EH4L8o6PfCqipALbL%2BQT62lyqUtnI7ql0SPbkaQnjv8"' \
+--header 'Authorization: Basic TOKEN' \ 
+```
+
+## Further reading
+
+- "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise)"

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/index.md

@@ -14,6 +14,7 @@ children:
   - /configuring-the-audit-log-for-your-enterprise
   - /displaying-ip-addresses-in-the-audit-log-for-your-enterprise
   - /searching-the-audit-log-for-your-enterprise
+  - /identifying-audit-log-events-performed-by-an-access-token
   - /exporting-audit-log-activity-for-your-enterprise
   - /streaming-the-audit-log-for-your-enterprise
   - /using-the-audit-log-api-for-your-enterprise

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise.md

@@ -80,6 +80,9 @@ Key            | Value
 `org_id`       | ID of the organization affected by the action (if applicable)
 `business` | Name of the enterprise affected by the action (if applicable)
 `business_id` | ID of the enterprise affected by the action (if applicable)
+{%- ifversion token-audit-log %}
+`hashed_token` | The token used to authenticate for the action (if applicable, see "[Identifying audit log events performed by an access token](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)")
+{%- endif %}
 
 To see actions grouped by category, you can also use the action qualifier as a `key:value` pair. For more information, see "[Search based on the action performed](#search-based-on-the-action-performed)."
 
@@ -130,3 +133,9 @@ Using the qualifier `country`, you can filter events in the audit log based on t
   * `country:de` finds all events that occurred in Germany.
   * `country:Mexico` finds all events that occurred in Mexico.
   * `country:"United States"` all finds events that occurred in the United States.
+
+{% ifversion token-audit-log %}
+### Search based on the token that performed the action
+
+Use the `hashed_token` qualifier to search based on the token that performed the action. Before you can search for a token, you must generate a SHA-256 hash. For more information, see "[Identifying audit log events performed by an access token](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
+{% endif %}

content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md

@@ -65,7 +65,7 @@ Once you have decided on the secret types, you can do the following:
   
   {% ifversion not ghae %}
   
-  You can use the security overview to collect this information. For more information about using the security overview, see "[Filtering alerts in the security overview](/code-security/security-overview/filtering-alerts-in-the-security-overview)."
+  You can use the security overview to collect this information. For more information about using the security overview, see "[Filtering alerts in security overviews](/code-security/security-overview/filtering-alerts-in-the-security-overview)."
   
   {% endif %}
   

content/code-security/getting-started/adding-a-security-policy-to-your-repository.md

@@ -35,7 +35,7 @@ You can create a default security policy for your organization or personal accou
 {% endtip %}
 
 {% ifversion fpt or ghec %}
-After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "[About coordinated disclosure of security vulnerabilities](/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)." For more information about repository security advisories, see "[About repository security advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)."
+After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "[About coordinated disclosure of security vulnerabilities](/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)." For more information about repository security advisories, see "[About repository security advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)."
 
 {% data reusables.repositories.github-security-lab %}
 {% endif %}

content/code-security/getting-started/github-security-features.md

@@ -61,7 +61,7 @@ You can find the dependency graph on the **Insights** tab for your repository. F
 {% ifversion security-overview-displayed-alerts %}
 ### Security overview
 
-The security overview allows you to review security configurations and alerts, making it easy to identify the repositories and organizations at greatest risk. For more information, see "[About the security overview](/code-security/security-overview/about-the-security-overview)."
+The security overview allows you to review security configurations and alerts, making it easy to identify the repositories and organizations at greatest risk. For more information, see "[About security overviews](/code-security/security-overview/about-the-security-overview)."
 
 {% else %}
 ### Security overview for repositories
@@ -114,7 +114,7 @@ Show the full impact of changes to dependencies and see details of any vulnerabl
 {% else %}
 ### Security overview for organizations{% ifversion ghes > 3.4 or ghae > 3.4 %}, enterprises,{% endif %} and teams
 
-Review the security configuration and alerts for your organization and identify the repositories at greatest risk. For more information, see "[About the security overview](/code-security/security-overview/about-the-security-overview)."
+Review the security configuration and alerts for your organization and identify the repositories at greatest risk. For more information, see "[About security overviews](/code-security/security-overview/about-the-security-overview)."
 {% endif %}
 
 ## Further reading

content/code-security/getting-started/securing-your-organization.md

@@ -128,7 +128,7 @@ You can view and manage alerts from security features to address dependencies an
 {% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[About repository security advisories](/code-security/security-advisories/about-github-security-advisories)" and "[Creating a security advisory](/code-security/security-advisories/creating-a-security-advisory)."
 {% endif %}
 
-{% ifversion ghes or ghec or ghae %}You{% elsif fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %}{% endif %} can view, filter, and sort security alerts for repositories owned by {% ifversion ghes or ghec or ghae %}your{% elsif fpt %}their{% endif %} organization in the security overview. For more information, see{% ifversion ghes or ghec or ghae %} "[About the security overview](/code-security/security-overview/about-the-security-overview)."{% elsif fpt %} "[About the security overview](/enterprise-cloud@latest/code-security/security-overview/about-the-security-overview)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}
+{% ifversion ghes or ghec or ghae %}You{% elsif fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %}{% endif %} can view, filter, and sort security alerts for repositories owned by {% ifversion ghes or ghec or ghae %}your{% elsif fpt %}their{% endif %} organization in the security overview. For more information, see{% ifversion ghes or ghec or ghae %} "[About security overviews](/code-security/security-overview/about-the-security-overview)."{% elsif fpt %} "[About security overviews](/enterprise-cloud@latest/code-security/security-overview/about-the-security-overview)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}
 
 {% ifversion ghec %}
 ## Further reading

content/code-security/guides.md

@@ -53,8 +53,8 @@ includeGuides:
   - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli
   - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-runner-in-your-ci-system
   - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/troubleshooting-codeql-runner-in-your-ci-system
-  - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
   - /code-security/repository-security-advisories/about-github-security-advisories-for-repositories
+  - /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
   - /code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
   - /code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
   - /code-security/repository-security-advisories/creating-a-repository-security-advisory
@@ -63,7 +63,10 @@ includeGuides:
   - /code-security/repository-security-advisories/publishing-a-repository-security-advisory
   - /code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
   - /code-security/repository-security-advisories/withdrawing-a-repository-security-advisory
-  - /code-security/repository-security-advisories/best-practices-for-writing-repository-security-advisories
+  - /code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
+  - /code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories
+  - /code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
+  - /code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities
   - /code-security/security-overview/about-the-security-overview
   - /code-security/security-overview/filtering-alerts-in-the-security-overview
   - /code-security/security-overview/viewing-the-security-overview

content/code-security/index.md

@@ -23,7 +23,7 @@ featuredLinks:
   popular:
     - '{% ifversion ghes %}/admin/release-notes{% endif %}'
     - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
-    - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
+    - /code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
     - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
     - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
     - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot

content/code-security/secret-scanning/about-secret-scanning.md

@@ -96,7 +96,7 @@ For more information about viewing and resolving {% data variables.product.prodn
 Repository administrators and organization owners can grant users and teams access to {% data variables.product.prodname_secret_scanning %} alerts. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
 
 {% ifversion ghec or ghes or ghae > 3.4 %}
-You can use the security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[Viewing the security overview](/code-security/security-overview/viewing-the-security-overview)."
+You can use the security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[Viewing security overviews](/code-security/security-overview/viewing-the-security-overview)."
 {% endif %}
 
 {%- ifversion ghec or ghes or ghae %}You can also use the REST API to 

content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md

@@ -70,6 +70,9 @@ shortTitle: Manage secret alerts
 Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
 
 - For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[Creating a {% data variables.product.pat_generic %} for the command line](/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line)."
+{%- ifversion token-audit-log %}
+  - {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[Identifying audit log events performed by an access token](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
+{%- endif %}
 - For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.
 
 {% ifversion ghec %}

content/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database.md

@@ -19,6 +19,8 @@ topics:
 
 {% data reusables.repositories.tracks-vulnerabilities %}
 
+Security advisories are published as JSON files in the Open Source Vulnerability (OSV) format. For more information about the OSV format, see "[Open Source Vulnerability format](https://ossf.github.io/osv-schema/)."
+
 ## About types of security advisories
 
 {% data reusables.advisory-database.beta-malware-advisories %}

content/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities.md

@@ -4,6 +4,7 @@ intro: Vulnerability disclosure is a coordinated effort between security reporte
 redirect_from:
   - /code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
   - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
+  - /code-security/security-advisories/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
 miniTocMaxHeadingLevel: 3
 versions:
   fpt: '*'
@@ -50,6 +51,13 @@ Publishing the details of a security vulnerability doesn't make maintainers look
 
 ## About reporting and disclosing vulnerabilities in projects on {% data variables.product.prodname_dotcom %}
 
+There are two processes available on {% data variables.product.prodname_dotcom %}:
+
+- The standard process: Vulnerability reporters get in touch with the repository maintainers, using contact information located in the security policy for the repository. The repository maintainers then create a draft repository advisory if required.  
+- Private vulnerability reporting: Vulnerability reporters disclose vulnerability details directly and privately to the repository maintainers by proposing a draft repository advisory and providing details of their findings.
+
+### Standard process
+
 The process for reporting and disclosing vulnerabilities for projects on {% data variables.product.prodname_dotcom_the_website %} is as follows:
 
  If you are a vulnerability reporter (for example, a security researcher) who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see "[About security policies](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies)." If there is one, follow it to understand the process before contacting the security team for that repository. 
@@ -68,5 +76,19 @@ The process for reporting and disclosing vulnerabilities for projects on {% data
 
  As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[About repository security advisories](/code-security/repository-security-advisories/about-github-security-advisories-for-repositories)."
 
-
  To get started, see "[Creating a repository security advisory](/code-security/repository-security-advisories/creating-a-repository-security-advisory)."
+
+### Private vulnerability reporting
+
+{% data reusables.security-advisory.private-vulnerability-reporting-beta %}
+
+{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
+
+ Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within {% data variables.product.prodname_dotcom %}, and in a way that immediately notifies the repository maintainers of the issue. For more information for security researchers and repository maintainers, see "[Privately reporting a security vulnerability](/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)" and "[Managing privately reported security vulnerabilities](/code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities)", respectively.
+
+{% note %}
+
+**Note**:
+If the repository containing the vulnerability doesn't have private vulnerability reporting enabled, both security researchers and repository maintainers need to follow the instructions described in the "[Standard process](#standard-process)" section above.
+
+{% endnote %}

content/code-security/security-advisories/guidance-on-reporting-and-writing/index.md

@@ -11,6 +11,9 @@ topics:
   - Repositories
   - CVEs
 children:
+  - /about-coordinated-disclosure-of-security-vulnerabilities
   - /best-practices-for-writing-repository-security-advisories
+  - /privately-reporting-a-security-vulnerability
+  - /managing-privately-reported-security-vulnerabilities
 ---
 

content/code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities.md

@@ -0,0 +1,45 @@
+---
+title: Managing privately reported security vulnerabilities
+intro: Repository maintainers can manage security vulnerabilities that have been privately reported to them by security reseachers for repositories where private vulnerability reporting is enabled.
+permissions: 'Anyone with admin permissions to a repository can see, review, and manage privately-reported vulnerabilities for the repository.'
+versions:
+  fpt: '*'
+  ghec: '*'
+type: how_to
+miniTocMaxHeadingLevel: 3
+topics:
+  - Security advisories
+  - Vulnerabilities
+shortTitle: Manage vulnerability reports
+---
+
+{% data reusables.security-advisory.private-vulnerability-reporting-beta %}
+
+{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
+
+## About privately reporting a security vulnerability
+
+Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form. 
+
+When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.
+
+## Managing security vulnerabilities that are privately reported
+
+{% data variables.product.prodname_dotcom %} notifies repository maintainers when security researchers privately report vulnerabilities in their repository, and sends notifications if maintainers watch the repository or if they have notifications enabled for the repository. For more information, see "[Configuring notifications](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications)."
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+{% data reusables.repositories.sidebar-advisories %}
+1. Click the advisory you want to review. An advisory that is privately reported will have a status of `Needs triage`.
+  
+   ![Screenshot showing an example of advisory list](/assets/images/help/security/advisory-list.png)
+   
+2. Carefully review the report. You can:
+   - Collaborate with the security researcher on a patch in private, by clicking **Start a temporary private fork**. This gives you a place for further discussions with the contributor without changing the status of the proposed advisory from `Needs triage`.
+   - Accept the vulnerability report as a draft advisory on {% data variables.product.prodname_dotcom %}, by clicking **Accept and open as draft**. If you choose this option:
+      - This doesn't make the report public.
+      - The report becomes a draft repository security advisory and you can work on it in the same way as any draft advisory that you create.
+     For more information on security advisories, see "[About repository security advisories](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
+   - Reject the report by clicking **Close security advisory**. Where possible, you should add a comment explaining why you don't consider the report a security risk before you close the advisory.
+
+     ![Screenshot showing the options available to the repository maintainer when reviewing an externally submitted vulnerability report](/assets/images/help/security/advisory-maintainer-options.png)

content/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability.md

@@ -0,0 +1,70 @@
+---
+title: Privately reporting a security vulnerability
+intro: Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.
+versions:
+  fpt: '*'
+  ghec: '*'
+type: how_to
+miniTocMaxHeadingLevel: 3
+topics:
+  - Security advisories
+  - Vulnerabilities
+shortTitle: Privately reporting
+---
+
+{% data reusables.security-advisory.private-vulnerability-reporting-beta %}
+
+{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
+
+## About privately reporting a security vulnerability
+
+Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instuctions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.
+
+Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to repository maintainer using a simple form. 
+
+For security researchers, the benefits of using private vulnerability reporting are: 
+- Less frustration, and less time spent trying to figure out how to contact the maintainer.
+- A smoother process for disclosing and discussing vulnerability details.
+- The opportunity to discuss vulnerability details privately with repository maintainer.
+
+{% note %}
+
+**Note:** If the repository doesn't have private vulnerabiliy reporting enabled, you need to initiate the reporting process by following the instructions in the security policy for the repository, or create an issue asking the maintainers for a preferred security contact. For more information, see "[About coordinated disclosure of security vulnerabilities](/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)."
+
+{% endnote %}
+
+## Privately reporting a security vulnerability
+
+Security researchers can privately report a security vulnerability to repository maintainers.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+{% data reusables.repositories.sidebar-advisories %}
+1. Click **Report a vulnerability** to open the advisory form.
+   
+   ![Screenshot showing the "Report a vulnerability" button](/assets/images/help/security/report-a-vulnerability-button.png)
+   
+2. Fill in the advisory details form.
+  {% tip %}
+  
+  **Tip:** In this form, only the title and description are mandatory. (In the general draft security advisory form, which the repository maintainer initiates, specifying the ecosystem is also required.) However, we recommend security researchers provide as much information as possible on the form so that the maintainers can make an informed decision about the submitted report.
+  
+  {% endtip %}
+  
+  For more information about the fields available and guidance on filling in the form, see "[Creating a repository security advisory](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)" and "[Best practices for writing repository security advisories](/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories)."
+
+1. At the bottom of the form, click **Submit report**. {% data variables.product.prodname_dotcom %} will display a message letting you know that maintainers have been notified and that you have a pending credit for this security advisory.
+  
+  ![Screenshot showing the "Submit report" button](/assets/images/help/security/advisory-submit-report-button.png)
+  
+  {% tip %}
+  
+  **Tip:** When the report is submitted, {% data variables.product.prodname_dotcom %} automatically adds the reporter of the vulnerability as a collaborator and as a credited user on the proposed advisory.
+  
+  {% endtip %}
+
+1. Optionally, click **Start a temporary private fork** if you want to start to fix the issue. Note that only the repository maintainer can merge that private fork.
+  
+  ![Screenshot showing the "Start a temporary fork" button](/assets/images/help/security/advisory-start-a-temporary-private-fork-button.png)
+
+The next steps depend on the action taken by the repository maintainer. For more information, see "[Managing privately reported security vulnerabilities](/code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities)."

content/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories.md

@@ -24,7 +24,7 @@ topics:
 
 ## About repository security advisories
 
-{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[About coordinated disclosure of security vulnerabilities](/code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities)."
+{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[About coordinated disclosure of security vulnerabilities](/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities)."
 
 {% data reusables.security-advisory.security-advisory-overview %}
 

content/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository.md

@@ -0,0 +1,44 @@
+---
+title: Configuring private vulnerability reporting for a repository
+intro: Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.
+permissions: 'Anyone with admin permissions to a public repository can enable and disable private vulnerability reporting for the repository.'
+versions:
+  fpt: '*'
+  ghec: '*'
+type: how_to
+miniTocMaxHeadingLevel: 3
+topics:
+  - Security advisories
+  - Vulnerabilities
+shortTitle: Configure private vulnerability reporting
+---
+
+{% data reusables.security-advisory.private-vulnerability-reporting-beta %}
+
+## About privately reporting a security vulnerability
+
+Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instuctions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even creat public issues. This situation can potentially lead to a public disclosure of the vulnerability details.
+
+{% data reusables.security-advisory.private-vulnerability-reporting-overview %}
+
+For maintainers, the benefits of using private vulnerability reporting are: 
+- Less risk of being contacted publicly, or via undesired means.
+- Receive reports in the same platform you resolve them in for simplicity
+- The security researcher creates or at least initiates the advisory report on the behalf of maintainers.
+- Maintainers receive reports in the same platform as the one used to discuss and resolve the advisories.
+- Vulnerability less likely to be in the public eye.
+- The opportunity to discuss vulnerability details privately with security researchers and collaborate on the patch.
+
+## Enabling or disabling private vulnerability reporting for a repository
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+1. Under "Code security and analysis", to the right of "Private vulnerability reporting", click **Enable** or **Disable**, to enable or disable the feature, respectively.
+
+ ![Screenshot of the "Code security and analysis" page with the "Enable" button emphasized for private vulnerability reporting](/assets/images/help/security/private-vulnerability-reporting-enable-or-disable.png)
+
+When a maintainer enables private security reporting for their repository, security researchers will see a new button in the **Advisories** page of the repository. The security researcher can click this button to privately report a security vulnerability to the repository maintainer. 
+
+ ![Screenshot showing the "Report a vulnerability" button](/assets/images/help/security/report-a-vulnerability-button.png)
+   

content/code-security/security-advisories/repository-security-advisories/index.md

@@ -15,9 +15,9 @@ topics:
   - Repositories
   - CVEs
 children:
-  - /about-coordinated-disclosure-of-security-vulnerabilities
   - /about-repository-security-advisories
   - /permission-levels-for-repository-security-advisories
+  - /configuring-private-vulnerability-reporting-for-a-repository
   - /creating-a-repository-security-advisory
   - /editing-a-repository-security-advisory
   - /collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability

content/code-security/security-overview/about-the-security-overview.md

@@ -1,10 +1,11 @@
 ---
-title: About the security overview
+title: About security overviews
-intro: 'You can view, filter, and sort security alerts for repositories owned by your organization or team in one place: the Security Overview page.'
+intro: 'You can view, filter, and sort security alerts for repositories owned by your organization or team in the security overview pages.'
 permissions: '{% data reusables.security-overview.permissions %}'
 product: '{% data reusables.gated-features.security-overview %}'
 redirect_from:
   - /code-security/security-overview/exploring-security-alerts
+allowTitleToDifferFromFilename: true
 versions:
   fpt: '*'
   ghae: '*'
@@ -19,39 +20,83 @@ topics:
   - Dependencies
   - Organizations
   - Teams
-shortTitle: About security overview
+shortTitle: About security overviews
 ---
 
 {% ifversion ghes < 3.5 or ghae %}
 {% data reusables.security-overview.beta %}
 {% endif %}
 
-## About the security overview
+## About security overviews
 
-{% ifversion ghes or ghec or ghae %}You{% elsif fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %}{% endif %} can use the security overview for a high-level view of the security status of {% ifversion ghes or ghec or ghae %}your  {% elsif fpt %}their{% endif %} organization or to identify problematic repositories that require intervention. {% ifversion ghes or ghec or ghae %}You {% elsif fpt %}These organizations{% endif %} can view aggregate or repository-specific security information in the security overview. {% ifversion ghes or ghec or ghae %}You {% elsif fpt %} Organizations that use {% data variables.product.prodname_ghe_cloud %}{% endif %} can also use the security overview to see which security features are enabled for {% ifversion ghes or ghec or ghae %}your {% elsif fpt %}their {% endif %} repositories and to configure any available security features that are not currently in use. {% ifversion fpt %}For more information, see [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/security-overview/about-the-security-overview).{% endif %}
+Security overviews provide high-level summaries of the security status of an organization or enterprise and make it easy to identify problematic repositories that require intervention. You can also use the security overviews to see which repositories have enabled specific security features and to configure any available security features that are not currently in use. {% ifversion fpt %}For more information, see [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/security-overview/about-the-security-overview).{% endif %}
 
 {% ifversion ghec or ghes or ghae %}
-The security overview indicates whether {% ifversion fpt or ghes or ghec %}security{% endif %}{% ifversion ghae %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} features are enabled for repositories owned by your organization and consolidates alerts for each feature.{% ifversion fpt or ghes or ghec %} Security features include {% data variables.product.prodname_GH_advanced_security %} features, such as {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %}, as well as {% data variables.product.prodname_dependabot_alerts %}.{% endif %} For more information about {% data variables.product.prodname_GH_advanced_security %} features, see "[About {% data variables.product.prodname_GH_advanced_security %}](/get-started/learning-about-github/about-github-advanced-security)."{% ifversion fpt or ghes or ghec %} For more information about {% data variables.product.prodname_dependabot_alerts %}, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies#dependabot-alerts-for-vulnerable-dependencies)."{% endif %}
+Security overviews show which security features are enabled for repositories and consolidate alerts for each feature. 
 
-For more information about securing your code at the repository and organization levels, see "[Securing your repository](/code-security/getting-started/securing-your-repository)" and "[Securing your organization](/code-security/getting-started/securing-your-organization)."
+- Risk and coverage information about {% data variables.product.prodname_dependabot %} features and alerts is shown for all repositories. 
+- Risk and coverage information for {% data variables.product.prodname_GH_advanced_security %} features, such as {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %}, is shown only for enterprises that use {% data variables.product.prodname_GH_advanced_security %}.
 
-The application security team at your company can use the security overview for both broad and specific analyses of your organization's security status. For example, they can use the overview page to monitor adoption of features by your organization or by a specific team as you rollout {% data variables.product.prodname_GH_advanced_security %} to your enterprise, or to review all alerts of a specific type and severity level across all repositories in your organization.
+For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies#dependabot-alerts-for-vulnerable-dependencies)" and "[About {% data variables.product.prodname_GH_advanced_security %}](/get-started/learning-about-github/about-github-advanced-security)."
 
-### About filtering and sorting alerts
+## About filtering and sorting alerts
 
-In the security overview, you can view, sort, and filter alerts to understand the security risks in your organization and in specific repositories. The security summary is highly interactive, allowing you to investigate specific categories of information, based on qualifiers like alert risk level, alert type, and feature enablement. You can also apply multiple filters to focus on narrower areas of interest. For example, you can identify private repositories that have a high number of {% data variables.product.prodname_dependabot_alerts %} or repositories that have no {% data variables.product.prodname_code_scanning %} alerts. For more information, see "[Filtering alerts in the security overview](/code-security/security-overview/filtering-alerts-in-the-security-overview)."
+Security overviews provide a powerful way to understand the security of a group of repositories. The views are interactive with filters that allow you to drill into the aggregated data and identify sources of high risk or low feature coverage. As you apply multiple filters to focus on narrower areas of interest, the data across the view changes to reflect your selection. For more information, see "[Filtering alerts in security overviews](/code-security/security-overview/filtering-alerts-in-the-security-overview)."
-
-{% ifversion security-overview-views %}
-
-In the security overview, there are dedicated views for each type of security alert, such as Dependabot, code scanning, and secret scanning alerts. You can use these views to limit your analysis to a specific set of alerts, and narrow the results further with a range of filters specific to each view. For example, in the secret scanning alert view, you can use the `Secret type` filter to view only secret scanning alerts for a specific secret, like a GitHub {% data variables.product.pat_generic %}. At the repository level, you can use the security overview to assess the specific repository's current security status, and configure any additional security features not yet in use on the repository.
 
+{% ifversion security-overview-alert-views %}
+There are also dedicated views for each type of security alert that you can use to limit your analysis to a specific set of alerts, and then narrow the results further with a range of filters specific to each view. For example, in the {% data variables.product.prodname_secret_scanning %} alert view, you can use the `Secret type` filter to view only {% data variables.product.prodname_secret_scanning %} alerts for a specific secret, like a GitHub {% data variables.product.pat_generic %}.
 {% endif %}
 
-![The security overview for an organization](/assets/images/help/organizations/security-overview.png)
+{% note %}
+
+**Note:** Security overviews display active alerts raised by security features. If there are no alerts in the security overview for a repository, undetected security vulnerabilities or code errors may still exist.
+
+{% endnote %}
+
+## About organization-level security overviews
+
+{% data reusables.security-overview.beta-org-risk-coverage %}
+
+You can find the security overviews on the **Security** tab for any organization that's owned by an enterprise. Each overview shows aggregated data that you can drill down into, as you add each filter, the data is updated to reflect the repositories or alerts that you've selected.
+
+The application security team at your company can use the different security overviews for both broad and specific analyses of your organization's security status. {% ifversion security-overview-org-risk-coverage %}For example, the team can use the "Security Coverage" page to monitor the adoption of features across your organization or by a specific team as you rollout {% data variables.product.prodname_GH_advanced_security %}, or use the "Security Risk" page to identify repositories with more than five open {% data variables.product.prodname_secret_scanning %} alerts.{% else %}For example, they can use the overview page to monitor adoption of features by your organization or by a specific team as you rollout {% data variables.product.prodname_GH_advanced_security %} to your enterprise, or to review all alerts of a specific type and severity level across all repositories in your organization.{% endif %}
+
+Organization owners and security managers for organizations have access to security overviews for their organizations. {% ifversion ghec or ghes > 3.6 or ghae > 3.6 %}Organization members can also access organization-level security overviews to view results for repositories where they have admin privileges or have been granted access to security alerts. For more information on managing security alert access, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)."{% endif %}
+
+{% ifversion security-overview-org-risk-coverage %}
+### Security Risk view
+
+This view shows data about the repositories affected by different types of security alert. 
+
+- Use the **Type** and **Teams** drop-downs to add repository type and team filters.
+- Click **Open alerts** or **Repositories affected** to show only repositories with a specific type of security alert.
+
+In addition, when you click in the search box, a list of the full set of filters available is shown.
+
+![Screenshot of the Security Risk view for an organization](/assets/images/help/security-overview/security-risk-view.png)
+
+### Security Coverage view
+
+This view shows data about which repositories are using security features. 
+
+- Use the **Type** and **Teams** drop-downs to add repository type and team filters.
+- Click **Alerts enabled** and other features listed in the header to see only repositories with those features enabled.
+- Change any `FEATURE:enabled` filter to `FEATURE:not-enabled` in the search box to see repositories that haven't enabled a feature.
+- For any repository, click the ellipsis (**...**) then **Security Settings** to enable additional features.
+
+In addition, when you click in the search box, a list of the full set of filters available is shown.
+
+![Screenshot of the Security Coverage view for an organization](/assets/images/help/security-overview/security-coverage-view.png)
+
+{% else %}
+
+### Understanding the main security overview
+
+![Screenshot of the security overview for an organization](/assets/images/help/security-overview/security-overview-org-legacy.png)
 
 For each repository in the security overview, you will see icons for each type of security feature and how many alerts there are of each type. If a security feature is not enabled for a repository, the icon for that feature will be grayed out. In addition, a risk score is calculated for each repository based on its code scanning, Dependabot and secret scanning alerts. This score is in beta and should be used with caution. Its algorithm and approach is subject to change.
 
-![Icons in the security overview](/assets/images/help/organizations/security-overview-icons.png)
+![Icons in the security overview](/assets/images/help/security-overview/security-overview-icons.png)
 
 | Icon | Meaning |
 | -------- | -------- |
@@ -61,29 +106,29 @@ For each repository in the security overview, you will see icons for each type o
 | {% octicon "check" aria-label="Check" %} | The security feature is enabled, but does not raise alerts in this repository. |
 | {% octicon "x" aria-label="x" %} | The security feature is not supported in this repository. |
 
-The security overview displays active alerts raised by security features. If there are no alerts in the security overview for a repository, undetected security vulnerabilities or code errors may still exist.
+{% endif %}
-
-### About the organization-level security overview
-
-At the organization-level, the security overview displays aggregate and repository-specific security information for repositories owned by your organization. You can filter information by security features at the organization-level.
-
-Organization owners and security managers for organizations have access to the organization-level security overview. {% ifversion ghec or ghes > 3.6 or ghae > 3.6 %}Organization members can access the organization-level security overview to view results for repositories where they have admin privileges or have been granted access to security alerts. For more information on managing security alert access, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)".{% endif %}
 
 {% ifversion ghec or ghes > 3.4 or ghae > 3.4 %}
-### About the enterprise-level security overview
+## About enterprise-level security overviews
-At the enterprise-level, the security overview displays aggregate and repository-specific security information for your enterprise. You can view repositories owned by your enterprise that have security alerts, view all security alerts, or security feature-specific alerts from across your enterprise.
 
-Organization owners and security managers for organizations in your enterprise have access to the enterprise-level security overview. They can view repositories and alerts for the organizations that they have full access to.
+You can find the security overviews on the **Code Security** tab for your enterprise. Each overview displays aggregated and repository-specific security information for your enterprise. You can view repositories owned by your enterprise that have security alerts, view all security alerts, or security feature-specific alerts from across your enterprise.
 
-Enterprise owners can only see alerts for organizations that they are an owner or a security manager of.{% ifversion ghec or ghes > 3.5 or ghae > 3.5 %} Enterprise owners can join an organization as an organization owner to see all of its alerts in the enterprise-level security overview. For more information, see "[Managing your role in an organization owned by your enterprise](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)."{% endif %}
+Enterprise owners can view alerts for organizations that they are an owner or a security manager of.{% ifversion ghec or ghes > 3.5 or ghae > 3.5 %} Enterprise owners can join an organization as an organization owner to see all of its alerts in the enterprise-level security overview. For more information, see "[Managing your role in an organization owned by your enterprise](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)."{% endif %}
 
-{% elsif fpt %}
+Organization owners and security managers for organizations in an enterprise have access to the enterprise-level security overview. They can view repositories and alerts for the organizations that they have full access to.
-### About the enterprise-level security overview
-At the enterprise-level, the security overview displays aggregate and repository-specific information for an enterprise. For more information, see "[About the enterprise-level security overview](/enterprise-cloud@latest/code-security/security-overview/about-the-security-overview#about-the-enterprise-level-security-overview)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
 {% endif %}
 
 {% ifversion ghes < 3.7 or ghae < 3.7 %}
-### About the team-level security overview
+## About team-level security overviews
+
+You can find the security overviews on the **Security** tab for any team in an organization that's owned by an enterprise.
+
 At the team-level, the security overview displays repository-specific security information for repositories that the team has admin privileges for. For more information, see "[Managing team access to an organization repository](/organizations/managing-access-to-your-organizations-repositories/managing-team-access-to-an-organization-repository)."
 {% endif %}
+
+## Further reading
+
+- "[Securing your repository](/code-security/getting-started/securing-your-repository)"
+- "[Securing your organization](/code-security/getting-started/securing-your-organization)"
+- "[Introduction to adopting GitHub Advanced Security at scale](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale)"
 {% endif %}

content/code-security/security-overview/filtering-alerts-in-the-security-overview.md

@@ -1,8 +1,9 @@
 ---
-title: Filtering alerts in the security overview
+title: Filtering alerts in security overviews
 intro: Use filters to view specific categories of alerts
 permissions: '{% data reusables.security-overview.permissions %}'
 product: '{% data reusables.gated-features.security-overview %}'
+allowTitleToDifferFromFilename: true
 versions:
   ghae: '*'
   ghes: '*'
@@ -14,16 +15,16 @@ topics:
   - Alerts
   - Organizations
   - Teams
-shortTitle: Filtering alerts
+shortTitle: Filtering security overviews
 ---
 
 {% ifversion ghes < 3.5 or ghae %}
 {% data reusables.security-overview.beta %}
 {% endif %}
 
-## About filtering the security overview
+## About filtering security overviews
 
-You can use filters in the security overview to narrow your focus based on a range of factors, like alert risk level, alert type and feature enablement. Different filters are available depending on the specific view and whether your analysis is at the organization, team or repository level.
+You can use filters in a security overview to narrow your focus based on a range of factors, like alert risk level, alert type, and feature enablement. Different filters are available depending on the specific view{% ifversion ghec or ghes > 3.4 or ghae > 3.4 %} and whether you are viewing data at the enterpise or organization level{% endif %}.
 
 {% ifversion security-overview-displayed-alerts %}
 {% note %}
@@ -33,45 +34,56 @@ You can use filters in the security overview to narrow your focus based on a ran
 
 ## Filter by repository
 
-Available in all organization-level and team-level views.
-
 | Qualifier | Description |
 | -------- | -------- |
-| `repo:REPOSITORY-NAME` | Displays alerts for the specified repository. |
+| `repo:REPOSITORY-NAME` | Displays data for the specified repository. |
 
 ## Filter by whether security features are enabled
 
-Available in the organization-level and team-level overview.
+In the examples below, replace `:enabled` with `:not-enabled` to see repositories where security features are not enabled. These qualifiers are available in the main summary views.
 
 | Qualifier | Description |
 | -------- | -------- |
-| `code-scanning:enabled` | Display repositories that have {% data variables.product.prodname_code_scanning %} enabled. |
+| `code-scanning:enabled` | Display repositories that have set up {% data variables.product.prodname_code_scanning %}. | 
-| `code-scanning:not-enabled` | Display repositories that do not have {% data variables.product.prodname_code_scanning %} enabled. |
+| `dependabot:enabled` | Display repositories that have enabled {% data variables.product.prodname_dependabot_alerts %}. |
-| `secret-scanning:enabled` | Display repositories that have {% data variables.product.prodname_secret_scanning %} enabled. |
+| `secret-scanning:enabled` | Display repositories that have enabled {% data variables.product.prodname_secret_scanning %} alerts. {% ifversion security-overview-org-risk-coverage %} |
-| `secret-scanning:not-enabled` | Display repositories that have {% data variables.product.prodname_secret_scanning %} enabled. |
+| `any-feature:enabled` | Display repositories where at least one security feature is enabled. |{% else %}
-| `dependabot:enabled` | Display repositories that have {% data variables.product.prodname_dependabot_alerts %} enabled. |
+| `not-enabled:any` | Display repositories with at least one security feature that is not enabled. |{% endif %}
-| `dependabot:not-enabled` | Display repositories that do not have {% data variables.product.prodname_dependabot_alerts %} enabled. |
+
-| `not-enabled:any` | Display repositories with at least one security feature that is not enabled. |
+{% ifversion security-overview-org-risk-coverage %}
+The organization-level Security Coverage view includes extra filters.
+
+{% data reusables.security-overview.beta-org-risk-coverage %}
+
+| Qualifier | Description |
+| -------- | -------- |
+| `code-scanning-pull-request-alerts:enabled`| Display repositories that have configured {% data variables.product.prodname_code_scanning %} to run on pull requests. |
+| `dependabot-security-updates:enabled` | Display repositories that have enabled {% data variables.product.prodname_dependabot %} security updates.  |
+| `secret-scanning-push-protection:enabled` | Display repositories that have set up push protection for {% data variables.product.prodname_secret_scanning %}. |
+{% endif %}
 
 ## Filter by repository type
 
-Available in the organization-level and team-level overview.
+These qualifiers are available in the main summary views.
 
 | Qualifier | Description |
 | -------- | -------- |
 {%- ifversion ghes or ghec %}
 | `is:public` | Display public repositories. |
 {%- endif %}
-{%- ifversion ghes or ghec or ghae %}
 | `is:internal` | Display internal repositories. |
-{%- endif %}
 | `is:private` | Display private repositories. |
 | `archived:true` | Display archived repositories. |
-| `archived:true` | Display archived repositories. |
+| `archived:false` | Omit archived repositories. |
 
+{% ifversion ghec or ghes > 3.4 or ghae > 3.4 %}
 ## Filter by level of risk for repositories
 
-The level of risk for a repository is determined by the number and severity of alerts from security features. If one or more security features are not enabled for a repository, the repository will have an unknown level of risk. If a repository has no risks that are detected by security features, the repository will have a clear level of risk. Available in the organization-level overview.
+The level of risk for a repository is determined by the number and severity of alerts from security features. If one or more security features are not enabled for a repository, the repository will have an unknown level of risk. If a repository has no risks that are detected by security features, the repository will have a clear level of risk. 
+
+{% ifversion security-overview-org-risk-coverage %}
+These qualifiers are available in the enterprise-level view.
+{% endif %}
 
 | Qualifier | Description |
 | -------- | -------- |
@@ -80,10 +92,11 @@ The level of risk for a repository is determined by the number and severity of a
 | `risk:low` | Display repositories that are at low risk. |
 | `risk:unknown` | Display repositories that are at an unknown level of risk. |
 | `risk:clear` | Display repositories that have no detected level of risk. |
+{% endif %}
 
 ## Filter by number of alerts
 
-Available in the organization-level overview.
+{% ifversion security-overview-org-risk-coverage %}These qualifiers are available in the enterprise-level Overview and in the organization-level Security Risk view.{% else %}These qualifiers are available in the main summary views.{% endif %}
 
 | Qualifier | Description |
 | -------- | -------- |
@@ -94,7 +107,7 @@ Available in the organization-level overview.
 
 ## Filter by team
 
-Available in the organization-level overview.
+These qualifiers are available in the main summary views.
 
 | Qualifier | Description |
 | -------- | -------- |
@@ -102,17 +115,17 @@ Available in the organization-level overview.
 
 ## Filter by topic
 
-Available in the organization-level overview.
+These qualifiers are available in the main summary views.
 
 | Qualifier | Description |
 | -------- | -------- |
 | <code>topic:<em>TOPIC-NAME</em></code> | Displays repositories that are classified with *TOPIC-NAME*. |
 
-{% ifversion security-overview-views %}
+{% ifversion security-overview-alert-views %}
 
-## Filter by severity
+## Additional filters for {% data variables.product.prodname_code_scanning %} alert views
 
-Available in the code scanning alert views. All code scanning alerts have one of the categories shown below. You can click any result to see full details of the relevant rule, and the line of code that triggered the alert.
+All code scanning alerts have one of the categories shown below. You can click any result to see full details of the relevant query and the line of code that triggered the alert.
 
 | Qualifier | Description |
 | -------- | -------- |
@@ -125,9 +138,9 @@ Available in the code scanning alert views. All code scanning alerts have one of
 |`severity:note`|Displays {% data variables.product.prodname_code_scanning %} alerts categorized as notes.|
 
 {% ifversion dependabot-alerts-vulnerable-calls %}
-## Filter by {% data variables.product.prodname_dependabot %} alert type
+## Additional filters for {% data variables.product.prodname_dependabot %} alert views
 
-Available in the {% data variables.product.prodname_dependabot %} alert views. You can filter the view to show {% data variables.product.prodname_dependabot_alerts %} that are ready to fix or where additional information about exposure is available. You can click any result to see full details of the alert.
+You can filter the view to show {% data variables.product.prodname_dependabot_alerts %} that are ready to fix or where additional information about exposure is available. You can click any result to see full details of the alert.
 
 | Qualifier | Description |
 | -------- | -------- |
@@ -137,19 +150,13 @@ Available in the {% data variables.product.prodname_dependabot %} alert views. Y
 
 {% endif %}
 
-## Filter by secret types
+## Additional filters for {% data variables.product.prodname_secret_scanning %} alert views
-
-Available in the secret scanning alert views.
 
 | Qualifier | Description |
 | -------- | -------- |
-| `secret-type:SERVICE_PROVIDER` | Displays alerts for the specified secret and provider. For more information, see "[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns)." |
+|`provider:PROVIDER_NAME` | Displays alerts for all secrets issues by the specified provider.  |
-| `secret-type:CUSTOM-PATTERN` | Displays alerts for secrets matching the specified custom pattern. For more information, see "[Defining custom patterns for secret scanning](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." |
+| `secret-type:SERVICE_PROVIDER` | Displays alerts for the specified secret and provider. |
+| `secret-type:CUSTOM-PATTERN` | Displays alerts for secrets matching the specified custom pattern.  |
 
-## Filter by provider
+For more information, see "[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns)."
 
-Available in the secret scanning alert views.
-
-| Qualifier | Description |
-| -------- | -------- |
-|`provider:PROVIDER_NAME` | Displays alerts for all secrets issues by the specified provider. For more information, see "[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns)." |

content/code-security/security-overview/viewing-the-security-overview.md

@@ -1,8 +1,9 @@
 ---
-title: Viewing the security overview
+title: Viewing security overviews
 intro: Navigate to the different views available in the security overview
 permissions: '{% data reusables.security-overview.permissions %}'
 product: '{% data reusables.gated-features.security-overview %}'
+allowTitleToDifferFromFilename: true
 versions:
   ghae: '>= 3.4'
   ghes: '*'
@@ -14,7 +15,7 @@ topics:
   - Alerts
   - Organizations
   - Teams
-shortTitle: View the security overview
+shortTitle: View security overviews
 ---
 
 {% ifversion ghes < 3.5 or ghae %}
@@ -23,48 +24,44 @@ shortTitle: View the security overview
 
 {% data reusables.security-overview.information-varies-GHAS %}
 
-## Viewing the security overview for an organization
+## Viewing the security overviews for an organization
+
+{% data reusables.security-overview.beta-org-risk-coverage %}
+
+{% ifversion security-overview-org-risk-coverage %}
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+1. Choose the overview you want to display from the options in the sidebar.
+1. Use the drop-down filters and search box to focus on the information of greatest interest. The "Security Risk" and "Security Coverage" views also have an interactive header that you can use to filter results.
+
+  ![Screenshot of the Security Risk view with interactive header highlighted](/assets/images/help/security-overview/security-risk-interactive-header.png)
+
+{% else %}
 
 {% data reusables.organizations.navigate-to-org %}
 {% data reusables.organizations.security-overview %}
 1. To view aggregate information about alert types, click **Show more**.
-  ![Show more button](/assets/images/help/organizations/security-overview-show-more-button.png)
+  ![Show more button](/assets/images/help/security-overview/security-overview-show-more-button.png)
 {% data reusables.organizations.filter-security-overview %}
-{% ifversion security-overview-views %}
+{% ifversion security-overview-alert-views %}
 {% data reusables.organizations.security-overview-feature-specific-page %}
-  ![Screenshot of the code scanning-specific page](/assets/images/help/organizations/security-overview-code-scanning-alerts.png)
+  ![Screenshot of the code scanning-specific page](/assets/images/help/security-overview/security-overview-code-scanning-alerts.png)
+{% endif %}
 
-## Viewing alerts across your organization
+{% endif %}
-
-{% data reusables.organizations.navigate-to-org %}
-{% data reusables.organizations.security-overview %}
-1. In the security sidebar, select the subset of alerts you want to view.
-![View alert subset](/assets/images/help/organizations/view-alert-subset.png)
-2. Optionally, filter the list of alerts. Each view has its own selection of available filters. You can click multiple filters in the drop-down filter menus to narrow your search. You can also type search qualifiers in the search field. For more information about the available qualifiers, see "[Filtering alerts in the security overview](/code-security/security-overview/filtering-alerts-in-the-security-overview)."
-  ![The drop-down filter menus and Search repositories field in the secret scanning view](/assets/images/help/organizations/secret-scanning-filter-alerts.png)
 
 {% ifversion ghec or ghes > 3.4 or ghae > 3.4 %}
-## Viewing the security overview for an enterprise
+## Viewing the security overviews for an enterprise
 
 {% data reusables.enterprise-accounts.access-enterprise-on-dotcom %}
 1. In the left sidebar, click {% octicon "shield" aria-label="The shield icon" %} **Code Security**.
 {% ifversion security-overview-feature-specific-alert-page %}
 {% data reusables.organizations.security-overview-feature-specific-page %}
 {% endif %}
-{% endif %}
-
-## Viewing alerts for a repository
-
-{% data reusables.repositories.navigate-to-repo %}
-1. Under your repository name, click **Security**.
-  ![Repository security tab](/assets/images/help/repository/security-tab.png)
-2. In the security sidebar, select the view you want to open.
-  ![Repository view alert subset](/assets/images/help/repository/repo-security-side-panel.png)
-3. Optionally, filter the list of alerts. Each view has its own selection of available filters. You can click multiple filters in the drop-down filter menus to narrow your search. You can also type search qualifiers in the search field. For more information about the available qualifiers, see "[Filtering alerts in the security overview](/code-security/security-overview/filtering-alerts-in-the-security-overview)."
-  ![Drop down filter menus in the repository secret scanning alerts view](/assets/images/help/repository/repo-code-scanning-filter-and-search.png)
 
 {% endif %}
 
+{% ifversion ghes < 3.7 or ghae < 3.7 %}
 ## Viewing the security overview for a team
 
 {% data reusables.profile.access_org %}
@@ -72,3 +69,4 @@ shortTitle: View the security overview
 {% data reusables.organizations.specific_team %}
 {% data reusables.organizations.team-security-overview %}
 {% data reusables.organizations.filter-security-overview %}
+{% endif %}

content/codespaces/customizing-your-codespace/changing-the-machine-type-for-your-codespace.md

@@ -36,7 +36,7 @@ For information on choosing a machine type when you create a codespace, see "[Cr
 
    !['Your codespaces' list](/assets/images/help/codespaces/your-codespaces-list.png)
 
-1. Click the ellipsis (**...**) to the right of the codespace you want to modify.
+{% data reusables.codespaces.ellipsis-settings %}
 1. Click **Change machine type**.
 
    !['Change machine type' menu option](/assets/images/help/codespaces/change-machine-type-menu-option.png)
@@ -68,7 +68,7 @@ You can use the `gh codespace edit --machine MACHINE-TYPE-NAME` {% data variable
    gh api /user/codespaces/CODESPACE-NAME
    ```
 
-   Replace `CODESPACE-NAME` with the permanent name of the codespace, for example `octocat-myrepo-gmc7`. The permanent names are listed under the **NAME** column in the list returned by `gh codespace list`.
+   Replace `CODESPACE-NAME` with the permanent name of the codespace, for example `octocat-literate-space-parakeet-mld5`. The permanent names are listed under the **NAME** column in the list returned by `gh codespace list`.
 
    If you're prompted to request the `codespace` scope, follow the instructions in the terminal.
 
@@ -79,7 +79,7 @@ You can use the `gh codespace edit --machine MACHINE-TYPE-NAME` {% data variable
    gh api /user/codespaces/CODESPACE-NAME/machines
    ```
 
-   Replace `CODESPACE-NAME` with the permanent name of the codespace, for example `octocat-myrepo-gmc7`.
+   Replace `CODESPACE-NAME` with the permanent name of the codespace, for example `octocat-literate-space-parakeet-mld5`.
 1. To change the machine type for a codespace, enter the following command.
 
    ```

content/codespaces/customizing-your-codespace/renaming-a-codespace.md

@@ -1,6 +1,7 @@
 ---
 title: Renaming a codespace
-intro: 'You can use the {% data variables.product.prodname_cli %} to change the codespace display name to one of your choice.'
+intro: 'You can change the codespace display name to one of your choice through {% data variables.product.prodname_dotcom_the_website %} or the {% data variables.product.prodname_cli %}.'
+product: '{% data reusables.gated-features.codespaces %}'
 versions:
   fpt: '*'
   ghec: '*'
@@ -31,11 +32,11 @@ To find the display name of a codespace:
 
 ### Permanent codespace names
 
-In addition to the display name, when you create a codespace, a permanent name is also assigned to the codespace. The name is a combination of your {% data variables.product.company_short %} handle, the repository name, and some random characters. For example: `octocat-myrepo-gmc7`. You can't change this name.
+In addition to the display name, when you create a codespace, a permanent name is also assigned to the codespace. The name is a combination of your {% data variables.product.company_short %} handle, and the auto-generated display name. For example: `octocat-literate-space-parakeet-mld5`. You can't change the permanent name.
 
 To find the permanent name of a codespace:
 
-* On {% data variables.product.product_name %}, the permanent name is shown in a pop-up when you hover over the **Open in browser** option on https://github.com/codespaces. 
+* On {% data variables.product.product_name %}, the permanent name is shown in a pop-up when you hover over the display name of a codespace on https://github.com/codespaces. 
 
    ![Screenshot of the codespace name shown on hover over](/assets/images/help/codespaces/find-codespace-name-github.png)
    
@@ -44,7 +45,11 @@ To find the permanent name of a codespace:
 
 ## Renaming a codespace
 
-Changing the display name of a codespace can be useful if you have multiple codespaces that you will be using for an extended period. An appropriate name helps you identify a codespace that you use for a particular purpose. You can change the display name for your codespace by using the {% data variables.product.prodname_cli %}.
+Changing the display name of a codespace can be useful if you have multiple codespaces that you will be using for an extended period. An appropriate name helps you identify a codespace that you use for a particular purpose. 
+
+{% cli %}
+
+You can change the display name for your codespace by using the {% data variables.product.prodname_cli %}.
 
 To rename a codespace, use the `gh codespace edit` subcommand:
 
@@ -55,3 +60,20 @@ gh codespace edit -c PERMANENT-CODESPACE-NAME -d NEW-DISPLAY-NAME
 In this example, replace `PERMANENT-CODESPACE-NAME` with the permanent name of the codespace whose display name you want to change. Replace `NEW-DISPLAY-NAME` with the display name you want to use for this codespace.
 
 For more information, see "[Using {% data variables.product.prodname_github_codespaces %} with {% data variables.product.prodname_cli %}](/codespaces/developing-in-codespaces/using-github-codespaces-with-github-cli#rename-a-codespace)."
+
+{% endcli %}
+
+{% webui %}
+
+You can change the display name for your codespace on {% data variables.product.prodname_dotcom_the_website %}.
+
+{% data reusables.codespaces.your-codespaces-procedure-step %}
+
+    The current display name for each of your codespaces is displayed.
+
+{% data reusables.codespaces.ellipsis-settings %}
+1. Click **Rename**.
+
+1. In the prompt, under "Change display name to..." type your desired display name and click **OK**.
+
+{% endwebui %}

content/codespaces/developing-in-codespaces/default-environment-variables-for-your-codespace.md

@@ -26,7 +26,7 @@ topics:
 
 | Environment variable | Description |
 | ---------------------|------------ |
-| `CODESPACE_NAME` | The name of the codespace For example, `monalisa-github-hello-world-2f2fsdf2e` |
+| `CODESPACE_NAME` | The name of the codespace For example, `octocat-literate-space-parakeet-mld5` |
 | `CODESPACES` | Always `true` while in a codespace |
 | `GIT_COMMITTER_EMAIL` | The email for the "author" field of future `git` commits. |
 | `GIT_COMMITTER_NAME` | The name for the "committer" field of future `git` commits. |

content/codespaces/troubleshooting/working-with-support-for-github-codespaces.md

@@ -12,16 +12,16 @@ redirect_from:
   - /codespaces/troubleshooting/working-with-support-for-codespaces
 ---
 
-Before support can help you with problems with codespaces, you need to know the name of the codespace and its codespaces ID (identifier). In addition, support may ask you to share some logs with them. For more information, see "[{% data variables.product.prodname_github_codespaces %} logs](/codespaces/troubleshooting/github-codespaces-logs)" and "[About GitHub Support](/github/working-with-github-support/about-github-support)."
+Before support can help you with problems with codespaces, you need to know the permanent name of the codespace and its codespaces ID (identifier). In addition, support may ask you to share some logs with them. For more information, see "[{% data variables.product.prodname_github_codespaces %} logs](/codespaces/troubleshooting/github-codespaces-logs)" and "[About GitHub Support](/github/working-with-github-support/about-github-support)."
 
 ## Codespace names
 
-Each codespace has a unique name that is a combination of your {% data variables.product.company_short %} handle, the repository name, and some random characters. The additional characters allow you to have codespaces for different branches in the same repository. For example: `octocat-myrepo-gmc7`.
+Each codespace has a unique name that is a combination of your {% data variables.product.company_short %} handle, two or three automatically generated words, and some random characters. For example: `octocat-literate-space-parakeet-mld5`. The two or three automatically generated words also form the initial display name of your codespace, in this case, `literate-space-parakeet`. You can change the display name for a codespace, but this will not affect the permanent name. For more information, see "[Renaming a codespace](/codespaces/customizing-your-codespace/renaming-a-codespace)."
 
 To find the name of a codespace:
 
-- Open the codespace in the browser. The subdomain of the URL is the name of the codespace. For example: `https://octocat-myrepo-gmc7.github.dev` is the URL for the `octocat-myrepo-gmc7` codespace.
+- Open the codespace in the browser. The subdomain of the URL is the name of the codespace. For example: `https://octocat-literate-space-parakeet-mld5.github.dev` is the URL for the `octocat-literate-space-parakeet-mld5` codespace.
-- If you cannot open a codespace, you can access the name in {% data variables.product.product_name %} on https://github.com/codespaces. The name is shown in a pop-up when you hover over the **Open in browser** option on https://github.com/codespaces. 
+- If you cannot open a codespace, you can access the name in {% data variables.product.product_name %} on https://github.com/codespaces. The name is shown in a pop-up when you hover over the display name of a codespace on https://github.com/codespaces. 
   ![Codespace name shown on hover over](/assets/images/help/codespaces/find-codespace-name-github.png)
 
 The name the codespace is also included in many of the log files. For example, in the codespace logs as the value of `friendlyName`, in the {% data variables.product.prodname_github_codespaces %} extension log after `making GET request for`, and in the browser console log after `clientUrl`. For more information, see "[{% data variables.product.prodname_github_codespaces %} logs](/codespaces/troubleshooting/github-codespaces-logs)."

content/education/explore-the-benefits-of-teaching-and-learning-with-github-education/github-global-campus-for-students/about-github-global-campus-for-students.md

@@ -33,6 +33,15 @@ Once you are a verified {% data variables.product.prodname_global_campus %} stud
 - Stay in the know on what the community is interested in by rewatching recent [Campus TV](https://www.twitch.tv/githubeducation) episodes. Campus TV is created by {% data variables.product.prodname_dotcom %} and student community leaders and can be watched live or on demand.
 - Discover student-created repositories from GitHub Community Exchange. For more information, see "[About GitHub Community Exchange](/education/explore-the-benefits-of-teaching-and-learning-with-github-education/github-global-campus-for-students/about-github-community-exchange)."
 
+A free subscription for {% data variables.product.prodname_copilot %} is available to verified students with {% data variables.product.prodname_education %}. You will be automatically notified about the free subscription when you visit the {% data variables.product.prodname_copilot %} subscription page in your account settings. For more information about subscribing to and using {% data variables.product.prodname_copilot %}, see "[Managing your {% data variables.product.prodname_copilot %} subscription](/billing/managing-billing-for-github-copilot/managing-your-github-copilot-subscription#setting-up-a-trial-of-github-copilot)" and "[About {% data variables.product.prodname_copilot %}](/copilot/overview-of-github-copilot/about-github-copilot)."
+
+{% data reusables.education.student-codespaces-benefit %} For more information on getting started with {% data variables.product.prodname_github_codespaces %}, see "[{% data variables.product.prodname_github_codespaces %} overview](/codespaces/overview)."
+
+{% note %}
+
+**Note:** {% data reusables.education.note-on-student-codespaces-usage %} For more information, see "[Using {% data variables.product.prodname_github_codespaces %} with {% data variables.product.prodname_classroom %}](/education/manage-coursework-with-github-classroom/integrate-github-classroom-with-an-ide/using-github-codespaces-with-github-classroom)."
+
+{% endnote %}
 ## Further reading
 
 - "[About {% data variables.product.prodname_global_campus %} for teachers](/education/explore-the-benefits-of-teaching-and-learning-with-github-education/github-global-campus-for-teachers/about-github-global-campus-for-teachers)"