@@ -186,7 +186,7 @@ When you participate in certain programs, {% data variables.product.prodname_dot
| {% octicon "star-fill" aria-label="The star icon" %} | **Pro** | If you use {% data variables.product.prodname_pro %} you'll get a PRO badge on your profile. For more information about {% data variables.product.prodname_pro %}, see "[AUTOTITLE](/get-started/learning-about-github/githubs-plans#github-pro)." |
| {% octicon "lock" aria-label="The lock icon" %} | **Security Bug Bounty Hunter** | If you helped out hunting down security vulnerabilities, you'll get a Security Bug Bounty Hunter badge on your profile. For more information about the {% data variables.product.prodname_dotcom %} Security program, see [{% data variables.product.prodname_dotcom %} Security](https://bounty.github.com/). |
| {% octicon "mortar-board" aria-label="The mortar-board icon" %} | **{% data variables.product.prodname_dotcom %} Campus Expert** | If you participate in the {% data variables.product.prodname_campus_program %}, you will get a {% data variables.product.prodname_dotcom %} Campus Expert badge on your profile. For more information about the Campus Experts program, see [Campus Experts](https://education.github.com/experts). |
| {% octicon "shield" aria-label="The shield icon" %} | **Security advisory credit** | If a security advisory you submit to the [{% data variables.product.prodname_dotcom %} Advisory Database](https://github.com/advisories) is accepted, you'll get a Security advisory credit badge on your profile. For more information about {% data variables.product.prodname_dotcom %} Security Advisories, see [{% data variables.product.prodname_dotcom %} Security Advisories](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories). |
| {% octicon "shield" aria-label="The shield icon" %} | **Security advisory credit** | If a security advisory you submit to the [{% data variables.product.prodname_dotcom %} Advisory Database](https://github.com/advisories) is accepted, you'll get a Security advisory credit badge on your profile. For more information about {% data variables.product.prodname_dotcom %} Security Advisories, see [{% data variables.product.prodname_dotcom %} Security Advisories](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). |
{% endif %}
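Review bot: the badge-table link moves from `/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories` to the `working-with-repository-security-advisories/` path, but no `redirect_from` entry for the old path appears in the hunks visible here (the redirects this commit adds cover only the `guidance-on-reporting-and-writing` articles). Confirm the renamed article's frontmatter carries the old path so existing links and bookmarks keep resolving.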
@@ -51,7 +51,7 @@ The repository owner has full control of the repository. In addition to the acti
| Manage data use for a private repository | "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories)" |{% endif %}
| Define code owners for the repository | "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)" |
| Archive the repository | "[AUTOTITLE](/repositories/archiving-a-github-repository/archiving-repositories)" |{% ifversion fpt or ghec %}
| Create security advisories | "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)" |
| Create security advisories | "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)" |
| Display a sponsor button | "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository)" |{% endif %}
| Allow or disallow auto-merge for pull requests | "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository)" |
| Manage webhooks and deploy keys | "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys)" |
@@ -63,7 +63,7 @@ The scope of the events that appear in your enterprise's audit log depend on whe
| Action | Description
|--------|-------------
| `advisory_credit.accept` | Someone accepted credit for a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)."
| `advisory_credit.accept` | Someone accepted credit for a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."
| `advisory_credit.create` | The administrator of a security advisory added someone to the credit section.
| `advisory_credit.decline` | Someone declined credit for a security advisory.
| `advisory_credit.destroy` | The administrator of a security advisory removed someone from the credit section.
@@ -1215,7 +1215,7 @@ Before you'll see `git` category actions, you must enable Git events in the audi
| Action | Description
|--------|-------------
| `repository_advisory.close` | Someone closed a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
| `repository_advisory.close` | Someone closed a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
| `repository_advisory.cve_request` | Someone requested a CVE (Common Vulnerabilities and Exposures) number from {% data variables.product.prodname_dotcom %} for a draft security advisory.
| `repository_advisory.github_broadcast` | {% data variables.product.prodname_dotcom %} made a security advisory public in the {% data variables.product.prodname_advisory_database %}.
| `repository_advisory.github_withdraw` | {% data variables.product.prodname_dotcom %} withdrew a security advisory that was published in error.
@@ -1275,7 +1275,6 @@ Before you'll see `git` category actions, you must enable Git events in the audi
{%- ifversion secret-scanning-validity-check-audit-log %}
## `repository_secret_scanning_automatic_validity_checks` category actions
| Action | Description
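Review bot: the header `@@ -1275,7 +1275,6 @@` records one deleted line, but the rendered hunk shows only unchanged context around `{%- ifversion secret-scanning-validity-check-audit-log %}` and the `repository_secret_scanning_automatic_validity_checks` heading, so the removed line cannot be reviewed from this view; check the raw diff to confirm it is a stray blank line and not one of the audit-log table rows.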
@@ -45,7 +45,7 @@ If your code depends on a package with a security vulnerability, this can cause
{% data variables.product.prodname_dependabot %} performs a scan to detect insecure dependencies, and sends {% data variables.product.prodname_dependabot_alerts %} when:
{% ifversion fpt or ghec %}
- A new advisory is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database)."{% else %}
- A new advisory is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)."{% else %}
- New advisory data is synchronized to {% data variables.location.product_location %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
{% note %}
@@ -121,7 +121,7 @@ For more information, see "[Reviewing and fixing alerts](#reviewing-and-fixing-a
{% endif %}
1. Click the alert that you would like to view.
{% ifversion dependabot-filter-label-security-advisory %}
1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."

{% endif %}
@@ -35,7 +35,7 @@ You can create a default security policy for your organization or personal accou
{% endtip %}
{% ifversion fpt or ghec %}
After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)." For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)." For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
{% data reusables.repositories.github-security-lab %}
{% endif %}
@@ -83,11 +83,11 @@ If {% data variables.product.prodname_dependabot_alerts %} are enabled for a rep
1. Optionally, you can also explore the information on the right-side of the page. Some of the information shown in the screenshot may not apply to every alert.
- Severity
- CVSS metrics—we use CVSS levels to assign severity levels. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database#about-cvss-levels)."
- CVSS metrics—we use CVSS levels to assign severity levels. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-cvss-levels)."
- Tags
- Weaknesses—list of CWEs related to the vulnerability, if applicable
- CVE ID—unique CVE identifier for the vulnerability, if applicable
- GHSA ID—unique identifier of the corresponding advisory on the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database#about-ghsa-ids)."
- GHSA ID—unique identifier of the corresponding advisory on the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids)."
- Option to navigate to the advisory on the {% data variables.product.prodname_advisory_database %}
- Option to see all of your repositories that are affected by this vulnerability
- Option to suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}
@@ -140,6 +140,6 @@ For more information about configuring {% data variables.product.prodname_depend
For more information about viewing pull requests opened by {% data variables.product.prodname_dependabot %}, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#viewing-dependabot-pull-requests)."
For more information about the security advisories that contribute to {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database)."
For more information about the security advisories that contribute to {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)."
For more information about configuring notifications about {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts)."
@@ -30,7 +30,7 @@ Make it easy for your users to confidentially report security vulnerabilities th
### Security advisories
Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
{% endif %}
{% ifversion fpt or ghec or ghes %}
@@ -156,5 +156,5 @@ You can view and manage alerts from security features to address dependencies an
You can also use {% data variables.product.prodname_dotcom %}'s tools to audit responses to security alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)".
{% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)" and "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
{% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)" and "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
{% endif %}
@@ -57,21 +57,21 @@ includeGuides:
- /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system
- /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system
- /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli
- /code-security/security-advisories/repository-security-advisories/about-repository-security-advisories
- /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
- /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
- /code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
- /code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories
- /code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory
- /code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
- /code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories
- /code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
- /code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities
- /code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories
- /code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
- /code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
- /code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
- /code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
- /code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory
- /code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory
- /code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories
- /code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory
- /code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
- /code-security/security-advisories/working-with-repository-security-advisories/withdrawing-a-repository-security-advisory
- /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
- /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories
- /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
- /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities
- /code-security/security-overview/about-security-overview
- /code-security/security-overview/filtering-alerts-in-security-overview
- /code-security/security-overview/assessing-code-security-risk
@@ -88,10 +88,10 @@ includeGuides:
- /code-security/dependabot/dependabot-alerts/about-dependabot-alerts
- /code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts
- /code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
- /code-security/security-advisories/global-security-advisories/about-the-github-advisory-database
- /code-security/security-advisories/global-security-advisories/about-global-security-advisories
- /code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database
- /code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database
- /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database
- /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories
- /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database
- /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database
- /code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
- /code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts
- /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors
@@ -104,4 +104,3 @@ includeGuides:
- /code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
- /code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository
---
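Review bot: `@@ -104,4 +104,3 @@` removes one line from the `includeGuides` list, but the deleted entry is not visible in this rendering; verify it is the intended guide and that the dropped path is not still referenced from the `featuredLinks` hunks further down.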
@@ -8,7 +8,7 @@ featuredLinks:
startHere:
- /code-security/getting-started/securing-your-repository
- /code-security/getting-started/securing-your-organization
- '{% ifversion fpt or ghec %}/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory{% endif %}'
- '{% ifversion fpt or ghec %}/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory{% endif %}'
- '{% ifversion code-scanning-without-workflow %}/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning{% endif %}'
- '{% ifversion ghes < 3.9 or ghae < 3.9 %}/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning{% endif %}'
guideCards:
@@ -23,7 +23,7 @@ featuredLinks:
popular:
- '{% ifversion ghes %}/admin/release-notes{% endif %}'
- /code-security/dependabot/dependabot-alerts/about-dependabot-alerts
- /code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
- /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
- /code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
- /code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
- /code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot
@@ -1,6 +1,7 @@
---
title: Keeping secrets secure with secret scanning
shortTitle: Secret scanning
allowTitleToDifferFromFilename: true
intro: 'Let {% data variables.product.company_short %} do the hard work of ensuring that tokens, private keys, and other code secrets are not exposed in your repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
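Review bot: `allowTitleToDifferFromFilename: true` is the one line this hunk adds; it silences the title/filename consistency check rather than renaming the file, so confirm the mismatch between `Keeping secrets secure with secret scanning` and the file name is intended and record the reason in the commit message.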
@@ -5,6 +5,7 @@ redirect_from:
- /code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
- /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
- /code-security/security-advisories/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
- /code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
versions:
fpt: '*'
ghec: '*'
@@ -73,15 +74,15 @@ The process for reporting and disclosing vulnerabilities for projects on {% data
If you are a maintainer, you can take ownership of the process at the very beginning of the pipeline by setting up a security policy for your repository, or otherwise making security reporting instructions clearly available, for example in your project’s README file. For information about adding a security policy, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies)." If there is no security policy, it's likely that a vulnerability reporter will try to email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue.
As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
To get started, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
To get started, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
### Private vulnerability reporting
{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within {% data variables.product.prodname_dotcom %}, and in a way that immediately notifies the repository maintainers of the issue. For more information for security researchers and repository maintainers, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)" and "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities)", respectively.
Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within {% data variables.product.prodname_dotcom %}, and in a way that immediately notifies the repository maintainers of the issue. For more information for security researchers and repository maintainers, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)" and "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities)", respectively.
{% note %}
@@ -11,6 +11,7 @@ topics:
shortTitle: Best practices
redirect_from:
- /code-security/repository-security-advisories/best-practices-for-writing-repository-security-advisories
- /code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories
---
Anyone with admin permissions to a repository can create and edit a security advisory.
@@ -19,7 +20,7 @@ Anyone with admin permissions to a repository can create and edit a security adv
## About security advisories for repositories
{% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
{% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
## Best practices
@@ -30,13 +31,13 @@ If you follow the syntax for the {% data variables.product.prodname_advisory_dat
- {% data variables.product.prodname_dependabot %} will have the information to accurately identify repositories that are affected and send them {% data variables.product.prodname_dependabot_alerts %} to notify them.
- Community members are less likely to suggest edits to your advisory to fix missing or incorrect information.
You add or edit a repository advisory using the _Draft security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
You add or edit a repository advisory using the _Draft security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
You suggest an improvement to an existing global advisory using the _Improve security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
You suggest an improvement to an existing global advisory using the _Improve security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
### Ecosystem
You need to assign the advisory to one of our supported ecosystems using the **Ecosystem** field. For more information about the ecosystems we support, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database#github-reviewed-advisories)."
|
||||
You need to assign the advisory to one of our supported ecosystems using the **Ecosystem** field. For more information about the ecosystems we support, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database#github-reviewed-advisories)."
|
||||
|
||||

|
||||
|
||||
@@ -2,6 +2,8 @@
title: Guidance on reporting and writing information about vulnerabilities
shortTitle: Guidance on reporting and writing
intro: Best practices for writing security advisories and managing privately reported security vulnerabilities.
redirect_from:
- /code-security/security-advisories/guidance-on-reporting-and-writing
versions:
fpt: '*'
ghec: '*'
@@ -16,4 +18,3 @@ children:
- /privately-reporting-a-security-vulnerability
- /managing-privately-reported-security-vulnerabilities
---

@@ -10,6 +10,8 @@ topics:
- Security advisories
- Vulnerabilities
shortTitle: Manage vulnerability reports
redirect_from:
- /code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities
---

{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
@@ -24,7 +26,7 @@ When a security researcher reports a vulnerability privately, you are notified a

{% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}

For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."
For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
@@ -38,7 +40,7 @@ For more information about configuring notification preferences, see "[AUTOTITLE
- To accept the reported vulnerability, click **Accept and open as draft** to accept the vulnerability report as a draft advisory on {% data variables.product.prodname_dotcom %}. If you choose this option:
- This doesn't make the report public.
- The report becomes a draft repository security advisory and you can work on it in the same way as any draft advisory that you create.
For more information on security advisories, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
For more information on security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
- To ask for more information, or to open a discussion with the reporter, you can comment on the advisory. Any comments are visible only to the reporter and to any collaborators on the advisory.
- If you have enough information to determine that the problem the reporter describes is not a security risk, click **Close security advisory**. Where possible, you should add a comment explaining why you don't consider the report a security risk before you close the advisory.

@@ -9,6 +9,8 @@ topics:
- Security advisories
- Vulnerabilities
shortTitle: Privately reporting
redirect_from:
- /code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
---

{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
@@ -16,7 +18,7 @@ shortTitle: Privately reporting
{% note %}

**Notes:**
- If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
- If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
- The ability to privately report a vulnerability in a repository is not related to the presence of a `SECURITY.md` file in that repository's root or `docs` directory.
- The `SECURITY.md` file contains the security policy for the repository. Repository administrators can add and use this file to provide _public_ instructions for how to report a security vulnerability in their repository. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)."
- You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the `SECURITY.md` file. This reporting process is fully private, and {% data variables.product.prodname_dotcom %} notifies the repository administrators directly about your submission.
@@ -38,8 +40,8 @@ For security researchers, the benefits of using private vulnerability reporting

## Privately reporting a security vulnerability

If you do not have admin or security permissions for a public repository, you can still privately report a security vulnerability to repository maintainers. You can also evaluate the general security of a public repository and suggest a security policy. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/evaluating-the-security-settings-of-a-repository)."
If you do not have admin or security permissions for a public repository, you can still privately report a security vulnerability to repository maintainers. You can also evaluate the general security of a public repository and suggest a security policy. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository)."

{% data reusables.security-advisory.reporting-a-vulnerability-non-admin %}

The next steps depend on the action taken by the repository maintainer. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities)."
The next steps depend on the action taken by the repository maintainer. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities)."
@@ -1,6 +1,7 @@
---
title: Working with security advisories
shortTitle: Security advisories
allowTitleToDifferFromFilename: true
intro: 'Learn how to work with security advisories on {% data variables.product.prodname_dotcom %},{% ifversion fpt or ghec %} whether you want to contribute to an existing global advisory, or create a security advisory for a repository,{% endif %} improving collaboration between repository maintainers and security researchers.'
versions:
fpt: '*'
@@ -13,8 +14,7 @@ topics:
- Repositories
- CVEs
children:
- /global-security-advisories
- /repository-security-advisories
- /guidance-on-reporting-and-writing
- /working-with-global-security-advisories-from-the-github-advisory-database
- /working-with-repository-security-advisories
- /guidance-on-reporting-and-writing-information-about-vulnerabilities
---


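Review bot: the `children` entry `/repository-security-advisories` is replaced by `/working-with-repository-security-advisories`, but no hunk in this change shows the repository index page gaining a `redirect_from` for the old directory path, whereas the guidance index (`@@ -2,6 +2,8 @@`, adding `- /code-security/security-advisories/guidance-on-reporting-and-writing`) and the global index (adding `- /code-security/security-advisories/global-security-advisories`) both do. Confirm the renamed repository index carries `redirect_from: - /code-security/security-advisories/repository-security-advisories`, otherwise the old category URL stops resolving.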
@@ -1,45 +0,0 @@
---
title: Permission levels for repository security advisories
intro: The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
redirect_from:
- /articles/permission-levels-for-maintainer-security-advisories
- /github/managing-security-vulnerabilities/permission-levels-for-maintainer-security-advisories
- /github/managing-security-vulnerabilities/permission-levels-for-security-advisories
- /code-security/security-advisories/permission-levels-for-security-advisories
- /code-security/repository-security-advisories/permission-levels-for-repository-security-advisories
versions:
fpt: '*'
ghec: '*'
type: reference
topics:
- Security advisories
- Vulnerabilities
- Permissions
shortTitle: Permission levels
---
This article applies only to repository-level security advisories. Anyone can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."

## Permissions overview

{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."

Action | Write permissions | Admin permissions |
------ | ----------------- | ----------------- |
See a draft security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Add collaborators to the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
Edit and delete any comments in the security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Create a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
Add changes to a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Create pull requests in a temporary private fork (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Merge changes in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
Add and edit metadata in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Add and remove credits for a security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Close the draft security advisory | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
Publish the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |

## Further reading

- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory)"
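Review bot: this hunk (`@@ -1,45 +0,0 @@`) deletes the permission-levels page outright, yet the last hunk of this change still links to `/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories`. If the file is being moved into the new directory, the moved copy should keep the five `redirect_from` paths listed here and add the path it is leaving, `/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories`; if it is really being removed, that link and the old URLs need another redirect target. Either way the moved file is not visible in this diff, so please confirm.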
@@ -12,22 +12,24 @@ topics:
- Alerts
- Vulnerabilities
- CVEs
redirect_from:
- /code-security/security-advisories/global-security-advisories/about-global-security-advisories
---

## About global security advisories

{% ifversion fpt or ghec %}There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."{% endif %}
{% ifversion fpt or ghec %}There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."{% endif %}

Global security advisories are grouped into two categories: {% data variables.product.company_short %}-reviewed advisories and unreviewed advisories.
- {% data variables.product.company_short %}-reviewed advisories are security vulnerabilities{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} that have been mapped to packages in ecosystems we support.
- Unreviewed advisories are security vulnerabilites that we publish automatically into the {% data variables.product.prodname_advisory_database %}, directly from the National Vulnerability Database feed.

For more information about the {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database)."
For more information about the {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database)."

{% data reusables.security-advisory.global-advisories %}

Every repository advisory is reviewed by the {% data variables.product.prodname_security %} curation team for consideration as a global advisory. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories).

You can access any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database)."
You can access any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)."

You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
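Review bot: the unchanged context bullet "Unreviewed advisories are security vulnerabilites that we publish automatically ..." in this hunk carries a typo (`vulnerabilites`); since the neighbouring lines of this file are already being edited, correct it to `vulnerabilities` in the same pass.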
@@ -12,6 +12,8 @@ topics:
- Alerts
- Vulnerabilities
- CVEs
redirect_from:
- /code-security/security-advisories/global-security-advisories/about-the-github-advisory-database
---

## About the {% data variables.product.prodname_advisory_database %}
@@ -8,6 +8,7 @@ redirect_from:
- /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/browsing-security-vulnerabilities-in-the-github-advisory-database
- /code-security/dependabot/dependabot-alerts/browsing-security-vulnerabilities-in-the-github-advisory-database
- /code-security/dependabot/dependabot-alerts/browsing-security-advisories-in-the-github-advisory-database
- /code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database
versions:
fpt: '*'
ghec: '*'
@@ -45,7 +46,7 @@ Additionally, you can access the {% data variables.product.prodname_advisory_dat

## Editing an advisory in the {% data variables.product.prodname_advisory_database %}

You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."

## Searching the {% data variables.product.prodname_advisory_database %}

@@ -75,7 +76,7 @@ You can search the database, and use qualifiers to narrow your search. For examp
| `created:YYYY-MM-DD`| [**created:2021-01-13**](https://github.com/advisories?utf8=%E2%9C%93&query=created%3A2021-01-13) will show only advisories created on this date. |
| `updated:YYYY-MM-DD`| [**updated:2021-01-13**](https://github.com/advisories?utf8=%E2%9C%93&query=updated%3A2021-01-13) will show only advisories updated on this date. |

A `GHSA-ID` qualifier is a unique ID that we at {% data variables.product.prodname_dotcom %} automatically assign to every advisory in the {% data variables.product.prodname_advisory_database %}. For more information about these identifiers, see "[About the {% data variables.product.prodname_advisory_database %}](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database#about-ghsa-ids)."
A `GHSA-ID` qualifier is a unique ID that we at {% data variables.product.prodname_dotcom %} automatically assign to every advisory in the {% data variables.product.prodname_advisory_database %}. For more information about these identifiers, see "[About the {% data variables.product.prodname_advisory_database %}](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids)."

## Viewing your vulnerable repositories

@@ -105,7 +106,7 @@ You can use your local advisory database to check whether a specific security vu
{% endnote %}
1. Click an advisory to view details.{% ifversion GH-advisory-db-supports-malware %} By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar.{% endif %}

You can also suggest improvements to any advisory directly from your local advisory database. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database#editing-advisories-from-your-github-enterprise-server-instance)".
You can also suggest improvements to any advisory directly from your local advisory database. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database#editing-advisories-from-your-github-enterprise-server-instance)".

### Viewing vulnerable repositories for {% data variables.location.product_location %}

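Review bot: the rewritten cross-reference in this hunk keeps its closing punctuation as `)".` while every other "For more information, see ..." line touched by this change ends `)."`; since the line is being rewritten anyway, align it with the rest.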
@@ -5,6 +5,7 @@ redirect_from:
- /code-security/security-advisories/editing-security-advisories-in-the-github-advisory-database
- /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/editing-security-advisories-in-the-github-advisory-database
- /code-security/dependabot/dependabot-alerts/editing-security-advisories-in-the-github-advisory-database
- /code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database
versions:
fpt: '*'
ghec: '*'
@@ -22,20 +23,20 @@ shortTitle: Edit Advisory Database

## Editing advisories in the {% data variables.product.prodname_advisory_database %}

The advisories in the {% data variables.product.prodname_advisory_database %} are global security advisories. For more information about global security advisories, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-global-security-advisories)."
The advisories in the {% data variables.product.prodname_advisory_database %} are global security advisories. For more information about global security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories)."

Anyone can suggest improvements on any global security advisory in the {% data variables.product.prodname_advisory_database %}. You can edit or add any detail, including additionally affected ecosystems, severity level or description of who is impacted. The {% data variables.product.prodname_security %} curation team will review the submitted improvements and publish them onto the {% data variables.product.prodname_advisory_database %} if accepted.

{% ifversion security-advisories-credit-types %}
If we accept and publish the improvement, the person who submitted the improvement will automatically be assigned a credit type of "Analyst". For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."{% endif %}
If we accept and publish the improvement, the person who submitted the improvement will automatically be assigned a credit type of "Analyst". For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."{% endif %}

{% ifversion fpt or ghec %}
Only repository owners and administrators can edit repository-level security advisories. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)."{% endif %}
Only repository owners and administrators can edit repository-level security advisories. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."{% endif %}

1. Navigate to https://github.com/advisories.
1. Select the security advisory you would like to contribute to.
1. On the right-hand side of the page, click the **Suggest improvements for this vulnerability** link.
1. In the "Improve security advisory" form, make the desired improvements. You can edit or add any detail.{% ifversion fpt or ghec %} For information about correctly specifying information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories)."{% endif %}{% ifversion security-advisories-reason-for-change %}
1. In the "Improve security advisory" form, make the desired improvements. You can edit or add any detail.{% ifversion fpt or ghec %} For information about correctly specifying information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)."{% endif %}{% ifversion security-advisories-reason-for-change %}
1. Under **Reason for change**, explain why you want to make this improvement. If you include links to supporting material this will help our reviewers.
{% endif %}
1. When you finish editing the advisory, click **Submit improvements**.
@@ -2,6 +2,8 @@
title: Working with global security advisories from the GitHub Advisory Database
shortTitle: Global security advisories
intro: 'Browse the {% data variables.product.prodname_advisory_database %} and submit improvements to any global security advisory.'
redirect_from:
- /code-security/security-advisories/global-security-advisories
versions:
fpt: '*'
ghes: '*'
@@ -18,4 +20,3 @@ children:
- /browsing-security-advisories-in-the-github-advisory-database
- /editing-security-advisories-in-the-github-advisory-database
---

@@ -8,6 +8,7 @@ redirect_from:
- /github/managing-security-vulnerabilities/about-github-security-advisories
- /code-security/security-advisories/about-github-security-advisories
- /code-security/repository-security-advisories/about-github-security-advisories-for-repositories
- /code-security/security-advisories/repository-security-advisories/about-repository-security-advisories
versions:
fpt: '*'
ghec: '*'
@@ -24,15 +25,15 @@ topics:

## About repository security advisories

{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities)."
{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities)."

{% data reusables.security-advisory.security-advisory-overview %}

With repository security advisories, you can:

1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
1. Privately collaborate to fix the vulnerability in a temporary private fork.
1. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)."
1. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)."

{% data reusables.repositories.security-advisories-republishing %}

@@ -40,11 +41,11 @@ With repository security advisories, you can:
You can also use the REST API to create, list, and update repository security advisories. For more information, see "[AUTOTITLE](/rest/security-advisories/repository-advisories)" in the REST API documentation.
{% endif %}

You can give credit to individuals who contributed to a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)."
You can give credit to individuals who contributed to a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)."

{% data reusables.repositories.security-guidelines %}

If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). Anyone can submit a change to an advisory published in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). Anyone can submit a change to an advisory published in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."

If a security advisory is specifically for npm, we also publish the advisory to the npm security advisories. For more information, see [npmjs.com/advisories](https://www.npmjs.com/advisories).

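Review bot: the credits link in this hunk only swaps the directory and keeps targeting `editing-a-repository-security-advisory#about-credits-for-security-advisories`, while the editing-advisories hunk earlier in this change sends readers to `creating-a-repository-security-advisory#about-credits-for-repository-security-advisories` for the same topic. Both anchors cannot be the section that documents credits; check which heading actually exists and point both references at it, since a renamed-directory pass is the natural moment to catch a stale anchor.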
@@ -59,7 +60,7 @@ If a security advisory is specifically for npm, we also publish the advisory to
When you create a security advisory for a public repository on {% data variables.product.prodname_dotcom %}, you have the option of providing an existing CVE identification number for the security vulnerability. {% data reusables.repositories.request-security-advisory-cve-id %}
Once you've published the security advisory and {% data variables.product.prodname_dotcom %} has assigned a CVE identification number to the vulnerability, {% data variables.product.prodname_dotcom %} publishes the CVE to the MITRE database.
For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)."
For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)."
## {% data variables.product.prodname_dependabot_alerts %} for published security advisories
@@ -7,6 +7,7 @@ redirect_from:
- /github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory
- /code-security/security-advisories/adding-a-collaborator-to-a-security-advisory
- /code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
versions:
fpt: '*'
ghec: '*'
@@ -24,11 +25,11 @@ People with admin permissions to a security advisory can add collaborators to th
## Adding a collaborator to a security advisory
Collaborators have write permissions to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories)."
Collaborators have write permissions to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)."
{% note %}
{% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)."
{% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)."
{% endnote %}
@@ -42,6 +43,6 @@ Collaborators have write permissions to the security advisory. For more informat
## Further reading
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories)"
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)."
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)."
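Review bot: the third "Further reading" item, `...removing-a-collaborator-from-a-repository-security-advisory)."`, keeps a trailing period inside the closing quote while the two items above it end with `)"`; since the line is being rewritten anyway, drop the period so the list is consistent with itself and with the identical list in the new permission-levels file.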
@@ -6,6 +6,7 @@ redirect_from:
- /github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
- /code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
- /code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
- /code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
versions:
fpt: '*'
ghec: '*'
@@ -22,7 +23,7 @@ shortTitle: Temporary private forks
## Prerequisites
Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
## Creating a temporary private fork
@@ -51,7 +52,7 @@ For example, if you create a temporary private fork in a repository called `octo
## Adding collaborators to a temporary private fork
Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
## Adding changes to a temporary private fork
@@ -107,9 +108,9 @@ Additionally, there can be no merge conflicts, and {% data variables.product.pro
{% endnote %}
After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)."
After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)."
## Further reading
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories)"
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)"
@@ -10,6 +10,8 @@ topics:
- Security advisories
- Vulnerabilities
shortTitle: Configure for a repository
redirect_from:
- /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
---
## About privately reporting a security vulnerability
@@ -21,7 +23,7 @@ Security researchers often feel responsible for alerting users to a vulnerabilit
For maintainers, the benefits of using private vulnerability reporting are:
{% data reusables.security-advisory.private-vulnerability-reporting-benefits %}
The instructions in this article refer to enablement at repository level. For information about enabling the feature at organization level, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization)."
The instructions in this article refer to enablement at repository level. For information about enabling the feature at organization level, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization)."
## Enabling or disabling private vulnerability reporting for a repository
@@ -10,6 +10,8 @@ topics:
- Security advisories
- Vulnerabilities
shortTitle: Configure for an organization
redirect_from:
- /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
---
## About privately reporting a security vulnerability
@@ -21,11 +23,11 @@ Security researchers often feel responsible for alerting users to a vulnerabilit
For organization owners and security managers, the benefits of using private vulnerability reporting are:
{% data reusables.security-advisory.private-vulnerability-reporting-benefits %}
The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
{% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}
For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."
For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."
## Enabling or disabling private vulnerability reporting for all the existing public repositories in an organization
@@ -8,6 +8,7 @@ redirect_from:
- /github/managing-security-vulnerabilities/creating-a-security-advisory
- /code-security/security-advisories/creating-a-security-advisory
- /code-security/repository-security-advisories/creating-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory
versions:
fpt: '*'
ghec: '*'
@@ -79,7 +80,7 @@ If someone accepts credit, the person's username appears in the "Credits" sectio
## Next steps
- Comment on the draft security advisory to discuss the vulnerability with your team.
- Add collaborators to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
- Add individuals who should receive credit for contributing to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)."
- Publish the security advisory to notify your community of the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)."
- Add collaborators to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
- Add individuals who should receive credit for contributing to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)."
- Publish the security advisory to notify your community of the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)."
@@ -6,6 +6,7 @@ redirect_from:
- /github/managing-security-vulnerabilities/editing-a-security-advisory
- /code-security/security-advisories/editing-a-security-advisory
- /code-security/repository-security-advisories/editing-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory
versions:
fpt: '*'
ghec: '*'
@@ -36,7 +37,7 @@ You can also use the REST API to edit repository security advisories. For more i
{% data reusables.repositories.security-advisory-edit-cwe %}
1. Optionally, under "Credits", remove existing credits, or use the search box to find additional people you want to credit on the security advisory, then click their username to add them.
{% ifversion security-advisories-credit-types %}
- Use the dropdown menu next to the name of the person you're crediting to assign a credit type. For more information about credit types, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."
- Use the dropdown menu next to the name of the person you're crediting to assign a credit type. For more information about credit types, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."

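Review bot: the credit-types link on the "Use the dropdown menu" line targets `creating-a-repository-security-advisory#about-credits-for-repository-security-advisories`, while the "Next steps" list in the creating article sends credit readers to `editing-a-repository-security-advisory#about-credits-for-security-advisories`; the two fragments differ (`...-for-repository-security-advisories` versus `...-for-security-advisories`), so verify that both heading anchors exist after the move, because the directory redirects will not rescue a wrong fragment.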
@@ -47,4 +48,4 @@ You can also use the REST API to edit repository security advisories. For more i
## Further reading
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/withdrawing-a-repository-security-advisory)"
@@ -10,6 +10,8 @@ topics:
- Security advisories
- Vulnerabilities
shortTitle: Evaluate repository security
redirect_from:
- /code-security/security-advisories/repository-security-advisories/evaluating-the-security-settings-of-a-repository
---
## About evaluating a repository's security settings
@@ -6,6 +6,7 @@ redirect_from:
- /articles/managing-security-vulnerabilities-in-your-project
- /github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project
- /code-security/repository-security-advisories
- /code-security/security-advisories/repository-security-advisories
versions:
fpt: '*'
ghec: '*'
@@ -28,4 +29,3 @@ children:
- /removing-a-collaborator-from-a-repository-security-advisory
- /withdrawing-a-repository-security-advisory
---
@@ -0,0 +1,46 @@
---
title: Permission levels for repository security advisories
intro: The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
redirect_from:
- /articles/permission-levels-for-maintainer-security-advisories
- /github/managing-security-vulnerabilities/permission-levels-for-maintainer-security-advisories
- /github/managing-security-vulnerabilities/permission-levels-for-security-advisories
- /code-security/security-advisories/permission-levels-for-security-advisories
- /code-security/repository-security-advisories/permission-levels-for-repository-security-advisories
- /code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories
versions:
fpt: '*'
ghec: '*'
type: reference
topics:
- Security advisories
- Vulnerabilities
- Permissions
shortTitle: Permission levels
---
This article applies only to repository-level security advisories. Anyone can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
## Permissions overview
{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
Action | Write permissions | Admin permissions |
------ | ----------------- | ----------------- |
See a draft security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Add collaborators to the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
Edit and delete any comments in the security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Create a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
Add changes to a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Create pull requests in a temporary private fork (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Merge changes in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
Add and edit metadata in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Add and remove credits for a security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
Close the draft security advisory | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
Publish the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
## Further reading
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/withdrawing-a-repository-security-advisory)"
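Review bot: this file is recorded as a brand-new addition (`@@ -0,0 +1,46 @@`) even though its `redirect_from` list ends with the previous location, `/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories`; confirm the old file is deleted in the same commit (or that git detected the rename) so the redirect does not compete with a still-live page and the article's history survives. Worth a second look while the table is fresh: "Edit and delete any comments in the security advisory" is the only destructive action where Write equals Admin; if write-permission collaborators really may delete other people's comments, keep it, otherwise this row is the one to tighten.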
@@ -7,6 +7,7 @@ redirect_from:
- /github/managing-security-vulnerabilities/publishing-a-security-advisory
- /code-security/security-advisories/publishing-a-security-advisory
- /code-security/repository-security-advisories/publishing-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory
versions:
fpt: '*'
ghec: '*'
@@ -26,9 +27,9 @@ Anyone with admin permissions to a security advisory can publish the security ad
## Prerequisites
Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)."
If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."
## About publishing a security advisory
@@ -36,7 +37,7 @@ When you publish a security advisory, you notify your community about the securi
{% data reusables.repositories.security-advisories-republishing %}
Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
{% warning %}
@@ -63,7 +64,7 @@ When you publish a draft advisory from a public repository, everyone is able to
After you publish a security advisory, the URL for the security advisory will remain the same as before you published the security advisory. Anyone with read access to the repository can see the security advisory. Collaborators on the security advisory can continue to view past conversations, including the full comment stream, in the security advisory unless someone with admin permissions removes the collaborator from the security advisory.
If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)."
If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."
## Publishing a security advisory
@@ -89,7 +90,7 @@ Publishing a security advisory deletes the temporary private fork for the securi
## Requesting a CVE identification number (Optional)
{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories#cve-identification-numbers)."
{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
@@ -101,4 +102,4 @@ Publishing a security advisory deletes the temporary private fork for the securi
## Further reading
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/withdrawing-a-repository-security-advisory)"
@@ -5,6 +5,7 @@ redirect_from:
- /github/managing-security-vulnerabilities/removing-a-collaborator-from-a-security-advisory
- /code-security/security-advisories/removing-a-collaborator-from-a-security-advisory
- /code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
versions:
fpt: '*'
ghec: '*'
@@ -35,5 +36,5 @@ People with admin permissions to a security advisory can remove collaborators fr
## Further reading
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories)"
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
@@ -5,6 +5,7 @@ redirect_from:
- /github/managing-security-vulnerabilities/withdrawing-a-security-advisory
- /code-security/security-advisories/withdrawing-a-security-advisory
- /code-security/repository-security-advisories/withdrawing-a-repository-security-advisory
- /code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory
versions:
fpt: '*'
ghec: '*'
@@ -21,4 +22,4 @@ If you publish a security advisory in error, you can withdraw the security advis
## Further reading
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)"
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)"
@@ -1,6 +1,7 @@
---
title: Securing your software supply chain
shortTitle: Supply chain security
allowTitleToDifferFromFilename: true
intro: 'Visualize, maintain, and secure the dependencies in your software supply chain.'
redirect_from:
- /categories/managing-security-vulnerabilities
@@ -18,4 +19,3 @@ children:
- /understanding-your-software-supply-chain
- /end-to-end-supply-chain
---
@@ -37,7 +37,7 @@ shortTitle: Audit log events
| Action | Description
|------------------|-------------------
| `accept` | Triggered when someone accepts credit for a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)."
| `accept` | Triggered when someone accepts credit for a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."
| `create` | Triggered when the administrator of a security advisory adds someone to the credit section.
| `decline` | Triggered when someone declines credit for a security advisory.
| `destroy` | Triggered when the administrator of a security advisory removes someone from the credit section.
@@ -577,7 +577,7 @@ For more information, see "[AUTOTITLE](/organizations/managing-organization-sett
| Action | Description
|------------------|-------------------
| `close` | Triggered when someone closes a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
| `close` | Triggered when someone closes a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
| `cve_request` | Triggered when someone requests a CVE (Common Vulnerabilities and Exposures) number from {% data variables.product.prodname_dotcom %} for a draft security advisory.
| `github_broadcast` | Triggered when {% data variables.product.prodname_dotcom %} makes a security advisory public in the {% data variables.product.prodname_advisory_database %}.
| `github_withdraw` | Triggered when {% data variables.product.prodname_dotcom %} withdraws a security advisory that was published in error.
@@ -624,7 +624,6 @@ For more information, see "[AUTOTITLE](/organizations/managing-organization-sett
{% endif %}{% ifversion secret-scanning-validity-check-audit-log %}
## `repository_secret_scanning_automatic_validity_checks` category actions
| Action | Description
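Review bot: the header `@@ -624,7 +624,6 @@` shows a net removal of one line, yet everything visible between `{% endif %}{% ifversion secret-scanning-validity-check-audit-log %}` and the `## repository_secret_scanning_automatic_validity_checks category actions` heading is whitespace, so this looks like a blank-line cleanup unrelated to the link rename; confirm it is intentional and that the heading still has a blank line before it so it renders as a heading.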
@@ -37,7 +37,7 @@ To search for specific events, use the `action` qualifier in your query. Actions
| Category name | Description
|------------------|-------------------{% ifversion fpt or ghec %}
| `account` | Contains all activities related to your organization account.{% endif %}{% ifversion fpt or ghec %}
| `advisory_credit` | Contains all activities related to crediting a contributor for a security advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."{% endif %}{% ifversion pat-v2%}
| `advisory_credit` | Contains all activities related to crediting a contributor for a security advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."{% endif %}{% ifversion pat-v2%}
| `auto_approve_personal_access_token_requests` | Contains activities related to your organization's approval policy for {% data variables.product.pat_v2 %}s. For more information, see "[AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization)."{% endif %}{% ifversion fpt or ghec %}
| `billing` | Contains all activities related to your organization's billing.{% endif %}{% ifversion fpt or ghec %}
| `business` | Contains activities related to business settings for an enterprise. |{% endif %}{% ifversion fpt or ghec %}
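Review bot: `{% ifversion pat-v2%}` at the end of the `advisory_credit` row is missing the space before the closing `%}`; it survives unchanged from the old line, but since this row is being rewritten anyway, write it as `{% ifversion pat-v2 %}` to match the other tags in the table such as `{% ifversion fpt or ghec %}`.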
@@ -73,7 +73,7 @@ To search for specific events, use the `action` qualifier in your query. Actions
| `project` | Contains all activities related to project boards.
| `protected_branch` | Contains all activities related to protected branches.
| `repo` | Contains activities related to the repositories owned by your organization.{% ifversion fpt or ghec %}
| `repository_advisory` | Contains repository-level activities related to security advisories in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
| `repository_advisory` | Contains repository-level activities related to security advisories in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
| `repository_content_analysis` | Contains all activities related to enabling or disabling data use for a private repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories)."{% endif %}{% ifversion fpt or ghec %}
| `repository_dependency_graph` | Contains repository-level activities related to enabling or disabling the dependency graph for a {% ifversion fpt or ghec %}private {% endif %}repository. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."{% endif %}{% ifversion ghes or ghae or ghec %}
| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." {% endif %}{% ifversion secret-scanning-validity-check-audit-log %}
@@ -162,7 +162,7 @@ In this section, you can find the access required for security features, such as
| Receive [{% data variables.product.prodname_dependabot_alerts %} for insecure dependencies](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) in a repository | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% ifversion dependabot-alerts-permissions-write-maintain %}{% octicon "check" aria-label="Yes" %}{% endif %} | {% ifversion dependabot-alerts-permissions-write-maintain %}{% octicon "check" aria-label="Yes" %}{% endif %} | {% octicon "check" aria-label="Yes" %} |
| [Dismiss {% data variables.product.prodname_dependabot_alerts %}](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% ifversion dependabot-alerts-permissions-write-maintain %}{% octicon "check" aria-label="Yes" %}{% endif %} | {% ifversion dependabot-alerts-permissions-write-maintain %}{% octicon "check" aria-label="Yes" %}{% endif %} | {% octicon "check" aria-label="Yes" %} |{% ifversion ghes or ghae or ghec %}<!--Not available for FPT-->
| [Designate additional people or teams to receive security alerts](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |{% endif %}{% ifversion fpt or ghec %}
| Create [security advisories](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |{% endif %}{% ifversion ghes or ghae or ghec %} <!--Not available for FPT-->
| Create [security advisories](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |{% endif %}{% ifversion ghes or ghae or ghec %} <!--Not available for FPT-->
| Manage access to {% data variables.product.prodname_GH_advanced_security %} features (see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)") | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |{% endif %}{% ifversion fpt or ghec %}<!--Set at site-level for GHES and GHAE-->
| [Enable the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository) for a private repository | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |{% endif %}{% ifversion ghes or ghae or ghec %}
| [View dependency reviews](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |{% endif %}
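Review bot: the rewritten `Create [security advisories]` row keeps `{% ifversion ghes or ghae or ghec %} <!--Not available for FPT-->` with a space before the HTML comment, while the `Dismiss` row above writes `{% ifversion ghes or ghae or ghec %}<!--Not available for FPT-->` with none; align the two while the line is being edited so the table rows stay consistent.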
@@ -23,7 +23,7 @@ You can help people understand and use your package by providing a description a
{% data reusables.package_registry.public-or-private-packages %} A repository can be connected to more than one package. To prevent confusion, make sure the README and description clearly provide information about each package.
{% ifversion fpt or ghec %}
If a new version of a package fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
If a new version of a package fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
{% endif %}
## Publishing a package
@@ -36,7 +36,7 @@ When viewing the details for a release, the creation date for each release asset
{% ifversion fpt or ghec %}
People with admin permissions to a repository can choose whether {% data variables.large_files.product_name_long %} ({% data variables.large_files.product_name_short %}) objects are included in the ZIP files and tarballs that {% data variables.product.product_name %} creates for each release. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository)."
If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
You can view the **Dependents** tab of the dependency graph to see which repositories and packages depend on code in your repository, and may therefore be affected by a new release. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
{% endif %}
@@ -5,37 +5,37 @@ security_advisories:
vulnerability and get a CVE.
guides:
- >-
/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
- >-
/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database
/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database
- >-
/code-security/security-advisories/global-security-advisories/about-global-security-advisories
/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories
- >-
/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories
/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories
- >-
/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories
/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories
- >-
/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
- >-
/code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities
/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities
- >-
/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
- >-
/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
- >-
/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory
/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory
- >-
/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
- >-
/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
- >-
/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory
/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory
- >-
/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory
/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory
- >-
/code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory
/code-security/security-advisories/working-with-repository-security-advisories/withdrawing-a-repository-security-advisory
- >-
/code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
dependabot_alerts:
title: Get notifications for insecure dependencies
description: >-
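Review bot: every `guides` entry in this learning track is rewritten with the three directory renames (`repository-security-advisories` to `working-with-repository-security-advisories`, `global-security-advisories` to `working-with-global-security-advisories-from-the-github-advisory-database`, `guidance-on-reporting-and-writing` to `guidance-on-reporting-and-writing-information-about-vulnerabilities`) applied consistently, which is correct; the `description` above is visible here only as the fragment `vulnerability and get a CVE.`, which sits outside the hunk, so check separately that each new path resolves to an existing article, since a stale path in a learning track fails the content build.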
@@ -2,7 +2,7 @@
|------------------|-------------------
{%- ifversion fpt or ghec %}
| `account` | Contains activities related to an organization account.
| `advisory_credit` | Contains activities related to crediting a contributor for a security advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
| `advisory_credit` | Contains activities related to crediting a contributor for a security advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
{%- endif %}
| `artifact` | Contains activities related to {% data variables.product.prodname_actions %} workflow run artifacts.
{%- ifversion audit-log-streaming %}
@@ -134,7 +134,7 @@
| `pull_request_review_comment` | Contains activities related to pull request review comments.
| `repo` | Contains activities related to the repositories owned by an organization.
{%- ifversion fpt or ghec %}
| `repository_advisory` | Contains repository-level activities related to security advisories in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
| `repository_advisory` | Contains repository-level activities related to security advisories in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
| `repository_content_analysis` | Contains activities related to enabling or disabling data use for a private repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories)."
| `repository_dependency_graph` | Contains repository-level activities related to enabling or disabling the dependency graph for a {% ifversion fpt or ghec %}private {% endif %}repository. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
{%- endif %}
@@ -1,3 +1,3 @@
{% data variables.product.prodname_dotcom %} will review each published security advisory, add it to the {% data variables.product.prodname_advisory_database %}, and may use the security advisory to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. If the security advisory comes from a fork, we'll only send an alert if the fork owns a package, published under a unique name, on a public package registry. This process can take up to 72 hours and {% data variables.product.prodname_dotcom %} may contact you for more information.
For more information about {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-dependabot-security-updates)." For more information about {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database)."
For more information about {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-dependabot-security-updates)." For more information about {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)."
@@ -1 +1 @@
1. Use the **CVE identifier** dropdown menu to specify whether you already have a CVE identifier or plan to request one from {% data variables.product.prodname_dotcom %} later. If you have an existing CVE identifier, select **I have an existing CVE identifier** to display an **Existing CVE** field, and type the CVE identifier in the field. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories#cve-identification-numbers)."
1. Use the **CVE identifier** dropdown menu to specify whether you already have a CVE identifier or plan to request one from {% data variables.product.prodname_dotcom %} later. If you have an existing CVE identifier, select **I have an existing CVE identifier** to display an **Existing CVE** field, and type the CVE identifier in the field. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers)."
@@ -1,3 +1,3 @@
1. Under "Affected products", define the ecosystem, package name, affected/patched versions, and vulnerable functions for the security vulnerability that this security advisory describes. If applicable, you can add multiple affected products to the same advisory by clicking **Add another affected product**.
For information about how to specify information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories)."
For information about how to specify information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)."
@@ -1 +1 @@
For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database)."
For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)."
@@ -1,5 +1,5 @@
{% note %}
**Note:** If the repository doesn't have private vulnerability reporting enabled, you need to initiate the reporting process by following the instructions in the security policy for the repository, or create an issue asking the maintainers for a preferred security contact. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)."
**Note:** If the repository doesn't have private vulnerability reporting enabled, you need to initiate the reporting process by following the instructions in the security policy for the repository, or create an issue asking the maintainers for a preferred security contact. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)."
{% endnote %}
@@ -1 +1 @@
Owners and administrators of public repositories can enable private vulnerability reporting on their repositories. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
Owners and administrators of public repositories can enable private vulnerability reporting on their repositories. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
@@ -8,7 +8,7 @@
{% endtip %}
For more information about the fields available and guidance on filling in the form, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)" and "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories)."
For more information about the fields available and guidance on filling in the form, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)" and "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)."
1. At the bottom of the form, click **Submit report**. {% data variables.product.prodname_dotcom %} will display a message letting you know that maintainers have been notified and that you have a pending credit for this security advisory.
@@ -2,6 +2,6 @@
**Note**: This article applies to editing repository-level advisories as a repository owner.
Users who are not repository owners can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
Users who are not repository owners can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
{% endnote %}
@@ -1,5 +1,5 @@
{% note %}
**Note:** If you are a security researcher, you should directly contact maintainers to ask them to create security advisories or issue CVEs on your behalf in repositories that you don't administer. However, if private vulnerabiliy reporting is enabled for the repository, you can _privately_ report a vulnerability yourself. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)."
**Note:** If you are a security researcher, you should directly contact maintainers to ask them to create security advisories or issue CVEs on your behalf in repositories that you don't administer. However, if private vulnerabiliy reporting is enabled for the repository, you can _privately_ report a vulnerability yourself. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)."
{% endnote %}
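Review bot: the rewritten note keeps the misspelling `vulnerabiliy` in "if private vulnerabiliy reporting is enabled"; since the line is already being changed for the new `guidance-on-reporting-and-writing-information-about-vulnerabilities` path, correct it to `vulnerability` in the same change rather than carrying a known typo forward in a reusable that is rendered on several pages.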