diff --git a/assets/images/help/organizations/secret-scanning-custom-link.png b/assets/images/help/organizations/secret-scanning-custom-link.png new file mode 100644 index 0000000000..64f0399aa4 Binary files /dev/null and b/assets/images/help/organizations/secret-scanning-custom-link.png differ diff --git a/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png b/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png new file mode 100644 index 0000000000..3734d88af9 Binary files /dev/null and b/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png differ diff --git a/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner.png b/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner.png index 3734d88af9..5756757b2e 100644 Binary files a/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner.png and b/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner.png differ diff --git a/assets/images/help/repository/secret-scanning-push-protection-with-custom-link.png b/assets/images/help/repository/secret-scanning-push-protection-with-custom-link.png new file mode 100644 index 0000000000..8b18a4493d Binary files /dev/null and b/assets/images/help/repository/secret-scanning-push-protection-with-custom-link.png differ diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/about-secret-scanning.md index 481ec138e4..0110c45c23 100644 --- a/content/code-security/secret-scanning/about-secret-scanning.md +++ b/content/code-security/secret-scanning/about-secret-scanning.md 
@@ -39,7 +39,7 @@ Service providers can partner with {% data variables.product.company_short %} to {% ifversion secret-scanning-push-protection %} -You can also enable {% data variables.product.prodname_secret_scanning %} as a push protection for a repository or an organization. When you enable this feature, {% data variables.product.prodname_secret_scanning %} prevents contributors from pushing code with a detected secret. To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. For more information, see "[Protecting pushes with {% data variables.product.prodname_secret_scanning %}](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." +You can also enable {% data variables.product.prodname_secret_scanning %} as a push protection for a repository or an organization. When you enable this feature, {% data variables.product.prodname_secret_scanning %} prevents contributors from pushing code with a detected secret. To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[Protecting pushes with {% data variables.product.prodname_secret_scanning %}](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." {% endif %} diff --git a/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md b/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md index bc66e8cbe7..155c455d38 100644 --- a/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md +++ b/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md 
@@ -60,8 +60,20 @@ Organization owners, security managers, and repository administrators can enable Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. +{% ifversion push-protection-custom-link-orgs %} + +Organization admins can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret. + +{% ifversion push-protection-custom-link-orgs-beta %}{% data reusables.advanced-security.custom-link-beta %}{% endif %} + +![Screenshot showing that a push is blocked when a user attempts to push a secret to a repository](/assets/images/help/repository/secret-scanning-push-protection-with-custom-link.png) + +{% else %} + ![Screenshot showing that a push is blocked when a user attempts to push a secret to a repository](/assets/images/help/repository/secret-scanning-push-protection-with-link.png) +{% endif %} + {% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[Pushing a branch blocked by push protection](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)." If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. 
For more information, see "[Removing sensitive data from a repository](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." @@ -89,6 +101,14 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. +{% ifversion push-protection-custom-link-orgs %} + +Organization admins can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. + +{% ifversion push-protection-custom-link-orgs-beta %}{% data reusables.advanced-security.custom-link-beta %}{% endif %} + +{% endif %} + You can remove the secret from the file using the web UI. Once you remove the secret, the banner at the top of the page will change and tell you that you can now commit your changes. ![Screenshot showing commit in web ui allowed after secret fixed](/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-allowed.png) diff --git a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md b/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md index 63fddd8cba..e6ece077b1 100644 --- a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md +++ b/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md 
@@ -27,6 +27,14 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% endtip %} +{% ifversion push-protection-custom-link-orgs %} + +Organization admins can provide a custom link that will be included in the message from {% data variables.product.product_name %} when your push is blocked. This custom link can contain resources and advice specific to your organization and its policies. + +{% ifversion push-protection-custom-link-orgs-beta %}{% data reusables.advanced-security.custom-link-beta %}{% endif %} + +{% endif %} + ## Resolving a blocked push on the command line {% data reusables.secret-scanning.push-protection-command-line-choice %} diff --git a/data/features/push-protection-custom-link-orgs-beta.yml b/data/features/push-protection-custom-link-orgs-beta.yml new file mode 100644 index 0000000000..c418fb2a45 --- /dev/null +++ b/data/features/push-protection-custom-link-orgs-beta.yml @@ -0,0 +1,8 @@ +# Issue 7299 +# Push protection custom links beta flags +# See "push-protection-custom-link-orgs" for the feature +versions: + fpt: '*' + ghec: '*' + ghes: '>=3.7' + ghae: 'issue-7299' diff --git a/data/features/push-protection-custom-link-orgs.yml b/data/features/push-protection-custom-link-orgs.yml new file mode 100644 index 0000000000..56d088a28e --- /dev/null +++ b/data/features/push-protection-custom-link-orgs.yml @@ -0,0 +1,8 @@ +# Issue 7299 +# Push protection custom links +# See "push-protection-custom-link-orgs-beta" for the beta flags +versions: + fpt: '*' + ghec: '*' + ghes: '>=3.7' + ghae: 'issue-7299' diff --git a/data/graphql/ghae/schema.docs-ghae.graphql b/data/graphql/ghae/schema.docs-ghae.graphql index 877384767f..459ca75db2 100644 --- a/data/graphql/ghae/schema.docs-ghae.graphql +++ b/data/graphql/ghae/schema.docs-ghae.graphql 
@@ -38740,6 +38740,11 @@ input TransferIssueInput { """ clientMutationId: String + """ + Whether to create labels if they don't exist in the target repository (matched by name) + """ + createLabelsIfMissing: Boolean = false + """ The Node ID of the issue to be transferred """ diff --git a/data/graphql/ghec/schema.docs.graphql b/data/graphql/ghec/schema.docs.graphql index fc6cf2b5a0..6eb65ea54e 100644 --- a/data/graphql/ghec/schema.docs.graphql +++ b/data/graphql/ghec/schema.docs.graphql @@ -47749,6 +47749,11 @@ input TransferIssueInput { """ clientMutationId: String + """ + Whether to create labels if they don't exist in the target repository (matched by name) + """ + createLabelsIfMissing: Boolean = false + """ The Node ID of the issue to be transferred """ diff --git a/data/graphql/schema.docs.graphql b/data/graphql/schema.docs.graphql index fc6cf2b5a0..6eb65ea54e 100644 --- a/data/graphql/schema.docs.graphql +++ b/data/graphql/schema.docs.graphql @@ -47749,6 +47749,11 @@ input TransferIssueInput { """ clientMutationId: String + """ + Whether to create labels if they don't exist in the target repository (matched by name) + """ + createLabelsIfMissing: Boolean = false + """ The Node ID of the issue to be transferred """ diff --git a/data/reusables/advanced-security/custom-link-beta.md b/data/reusables/advanced-security/custom-link-beta.md new file mode 100644 index 0000000000..a79fc22417 --- /dev/null +++ b/data/reusables/advanced-security/custom-link-beta.md @@ -0,0 +1,5 @@ +{% note %} + +**Note:** The ability to add resource links to blocked push messages is currently in public beta and subject to change. + +{% endnote %} \ No newline at end of file diff --git a/data/reusables/advanced-security/secret-scanning-push-protection-org.md b/data/reusables/advanced-security/secret-scanning-push-protection-org.md index 92b7f4e392..136b2017e1 100644 --- a/data/reusables/advanced-security/secret-scanning-push-protection-org.md 
+++ b/data/reusables/advanced-security/secret-scanning-push-protection-org.md @@ -1,3 +1,7 @@ 1. Under "{% data variables.product.prodname_secret_scanning_caps %}", under "Push protection", click **Enable all**. ![Screenshot showing how to enable push protection for {% data variables.product.prodname_secret_scanning %} for an organization](/assets/images/help/organizations/secret-scanning-enable-push-protection.png) -1. Optionally, click "Automatically enable for private repositories added to {% data variables.product.prodname_secret_scanning %}." +1. Optionally, click "Automatically enable for private repositories added to {% data variables.product.prodname_secret_scanning %}."{% ifversion push-protection-custom-link-orgs %} +1. Optionally, to include a custom link in the message that members will see when they attempt to push a secret, select **Add a resource link in the CLI and web UI when a commit is blocked**, then type a URL, and click **Save link**. + {% ifversion push-protection-custom-link-orgs-beta %}{% indented_data_reference reusables.advanced-security.custom-link-beta spaces=3 %}{% endif %} + + ![Screenshot showing checkbox and text field for enabling a custom link](/assets/images/help/organizations/secret-scanning-custom-link.png){% endif %} \ No newline at end of file diff --git a/data/reusables/secret-scanning/push-protection-web-ui-choice.md b/data/reusables/secret-scanning/push-protection-web-ui-choice.md index 31e85566d4..682eee5ec7 100644 --- a/data/reusables/secret-scanning/push-protection-web-ui-choice.md +++ b/data/reusables/secret-scanning/push-protection-web-ui-choice.md 
@@ -2,5 +2,12 @@ When you use the web UI to attempt to commit a supported secret to a repository You will see a banner at the top of the page with information about the secret's location, and the secret will also be underlined in the file so you can easily find it. +{% ifversion push-protection-custom-link-orgs %} + + ![Screenshot showing commit in web ui blocked because of secret scanning push protection](/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png) + +{% else %} + ![Screenshot showing commit in web ui blocked because of secret scanning push protection](/assets/images/help/repository/secret-scanning-push-protection-web-ui-commit-blocked-banner.png) - \ No newline at end of file + +{% endif %} \ No newline at end of file diff --git a/lib/graphql/static/changelog.json b/lib/graphql/static/changelog.json index 819ddc4eb8..d811cac959 100644 --- a/lib/graphql/static/changelog.json +++ b/lib/graphql/static/changelog.json @@ -1,4 +1,17 @@ [ + { + "schemaChanges": [ + { + "title": "The GraphQL schema includes these changes:", + "changes": [ + "

Input field createLabelsIfMissing was added to input object type TransferIssueInput

" + ] + } + ], + "previewChanges": [], + "upcomingChanges": [], + "date": "2022-08-24" + }, { "schemaChanges": [ { diff --git a/lib/graphql/static/schema-dotcom.json b/lib/graphql/static/schema-dotcom.json index 388ea3d58d..ec6f4e93cb 100644 --- a/lib/graphql/static/schema-dotcom.json +++ b/lib/graphql/static/schema-dotcom.json @@ -87260,6 +87260,14 @@ "kind": "scalars", "href": "/graphql/reference/scalars#string" }, + { + "name": "createLabelsIfMissing", + "description": "

Whether to create labels if they don't exist in the target repository (matched by name).

", + "type": "Boolean", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + }, { "name": "issueId", "description": "

The Node ID of the issue to be transferred.

", diff --git a/lib/graphql/static/schema-ghae.json b/lib/graphql/static/schema-ghae.json index 4b5dc6b80f..529c868fe0 100644 --- a/lib/graphql/static/schema-ghae.json +++ b/lib/graphql/static/schema-ghae.json @@ -71048,6 +71048,14 @@ "kind": "scalars", "href": "/graphql/reference/scalars#string" }, + { + "name": "createLabelsIfMissing", + "description": "

Whether to create labels if they don't exist in the target repository (matched by name).

", + "type": "Boolean", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + }, { "name": "issueId", "description": "

The Node ID of the issue to be transferred.

", diff --git a/lib/graphql/static/schema-ghec.json b/lib/graphql/static/schema-ghec.json index 388ea3d58d..ec6f4e93cb 100644 --- a/lib/graphql/static/schema-ghec.json +++ b/lib/graphql/static/schema-ghec.json @@ -87260,6 +87260,14 @@ "kind": "scalars", "href": "/graphql/reference/scalars#string" }, + { + "name": "createLabelsIfMissing", + "description": "

Whether to create labels if they don't exist in the target repository (matched by name).

", + "type": "Boolean", + "id": "boolean", + "kind": "scalars", + "href": "/graphql/reference/scalars#boolean" + }, { "name": "issueId", "description": "

The Node ID of the issue to be transferred.

",
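Review bot: in the assets hunks, the blob id of the new secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png (3734d88af9) is the old id of secret-scanning-push-protection-web-ui-commit-blocked-banner.png, which moves to 5756757b2e; so the previous banner screenshot was kept under the -with-link name and a new link-less banner was dropped in under the old name. Git shows this as one new file plus one modified file rather than a rename, so please confirm the replacement banner.png really is the screenshot without the link, since the `{% else %}` branch in push-protection-web-ui-choice.md now depends on that.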
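Review bot: the sentence added to about-secret-scanning.md says "Admins can also specify a custom link" while every other hunk in this PR says "Organization admins", and the setting lives in the organization-level steps in secret-scanning-push-protection-org.md; say "Organization admins" here too so repository administrators don't go looking for a per-repository setting. Suggested: `Organization admins can also specify a custom link that is displayed to the contributor when a push is blocked; ...`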
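Review bot: the command-line paragraph added to protecting-pushes-with-secret-scanning.md explains what the custom link may contain but not where the reader configures it; since this page is read by contributors and admins alike, add a pointer to the organization settings steps (the ones in the secret-scanning-push-protection-org.md reusable) after "Organization admins can provide a custom link that will be displayed when a push is blocked." Otherwise the paragraph leaves an admin with no route from the description to the checkbox.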
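Review bot: the web UI hunk in protecting-pushes-with-secret-scanning.md adds the description and beta note but, unlike the command-line section of the same file, adds no screenshot of the blocked-commit banner with the link. The with-link banner is only added to the push-protection-web-ui-choice.md reusable; if that reusable is not rendered on this page, add the `secret-scanning-push-protection-web-ui-commit-blocked-banner-with-link.png` screenshot here inside the same `{% ifversion push-protection-custom-link-orgs %}` block for parity with the CLI section.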
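Review bot: the paragraph added to pushing-a-branch-blocked-by-push-protection.md uses `{% data variables.product.product_name %}` for the sender of the blocked-push message, while the surrounding context line in the same hunk and the other changed pages use `{% data variables.product.prodname_dotcom %}`; pick one so the product name renders consistently across the three pages that now describe the custom link.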
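Review bot: push-protection-custom-link-orgs-beta.yml and push-protection-custom-link-orgs.yml carry identical `versions:` blocks (`fpt: '*'`, `ghec: '*'`, `ghes: '>=3.7'`, `ghae: 'issue-7299'`), so the beta flag currently enables the beta note everywhere the feature itself is enabled. That is fine at launch, but the header comments only cross-reference each other; state in the -beta file that it is the one to narrow or delete when the feature leaves beta, so the two don't silently drift apart and leave a stale "public beta" note in some versions.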
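Review bot: custom-link-beta.md is added without a trailing newline (`\ No newline at end of file`); add one. Its wording also calls the feature "resource links to blocked push messages" while the three articles call it a "custom link" and the settings checkbox says "resource link"; settle on one term in the note so readers can match it to the setting.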
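Review bot: the new step in secret-scanning-push-protection-org.md documents adding the link (select the checkbox, type a URL, click **Save link**) but not how to change or remove a saved link, nor what happens if the URL is rejected on **Save link**; since this link is shown to every member whose push is blocked, admins will want the edit and removal path spelled out. The file also still ends without a trailing newline after the screenshot line; add one.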
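Review bot: the push-protection-web-ui-choice.md hunk removes the old `\ No newline at end of file` on the blank line only to reintroduce it on `{% endif %}`; end the file with a newline. The added with-link screenshot line in the `{% ifversion %}` branch also appears to carry one more leading space than the existing banner.png line in the `{% else %}` branch (`+ ![Screenshot ...` versus the context ` ![Screenshot ...`); align the two so both branches render the image identically.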
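Review bot: the schema.docs-ghae.graphql, schema.docs.graphql, schema-*.json and changelog.json hunks add `createLabelsIfMissing: Boolean = false` to `TransferIssueInput` and are unrelated to the push-protection custom link; they look like output of the scheduled schema sync (schema-dotcom.json and schema-ghec.json move to the same index ec6f4e93cb, and the changelog entry is dated 2022-08-24), so confirm they were not hand-edited and consider landing them separately so the docs change can be reviewed on its own. The `false` default is the conservative choice: transferring an issue will not create labels in the target repository unless the caller opts in.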