diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index ebd81acfb8..fa20c40fd3 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md @@ -22,7 +22,7 @@ allowTitleToDifferFromFilename: true There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: * Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %} +* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand validity check](#performing-an-on-demand-validity-check)."{% endif %} * Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% ifversion secret-scanning-multi-repo-public-leak %} * Review the labels assigned to the alert. For more information, see "[Reviewing alert labels](#reviewing-alert-labels)."{% endif %} 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md index 695c708331..051ea20d55 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md 
@@ -19,18 +19,36 @@ allowTitleToDifferFromFilename: true ## Fixing alerts -Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets: +Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets: -* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." +* For a compromised {% data variables.product.github %} {% data variables.product.pat_generic %}: +{% ifversion secret-scanning-report-secret-github-pat %} + * Report the leaked token to {% data variables.product.github %}. {% data variables.product.github %} will then automatically revoke the token. For more information, see "[Reporting a leaked secret](#reporting-a-leaked-secret)." + * Update any services that use the old token.{% else %} + * Delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."{% endif %} {%- ifversion token-audit-log %} * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)." 
{%- endif %} -* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret. -{% ifversion fpt or ghec %} +* For all other secrets: + * First verify that the secret committed to {% data variables.product.product_name %} is valid. {% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check).{% endif %} + * If the secret is valid, create a new secret, update any services that use the old secret, and then delete the old secret. + + {% ifversion fpt or ghec %} + + > [!NOTE] + > If a secret is detected in a public repository on {% data variables.product.github %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + + {% endif %} + +{% ifversion secret-scanning-report-secret-github-pat %} + +### Reporting a leaked secret > [!NOTE] -> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +> {% data reusables.secret-scanning.report-secret-pat-beta-note %} The feature is currently only available for {% data variables.product.github %} {% data variables.product.pat_generic %}s (v1 and v2). + +TODO {% endif %} 
diff --git a/data/features/secret-scanning-report-secret-github-pat.yml b/data/features/secret-scanning-report-secret-github-pat.yml new file mode 100644 index 0000000000..9bcefd7536 --- /dev/null +++ b/data/features/secret-scanning-report-secret-github-pat.yml @@ -0,0 +1,5 @@ +# Reference: #15374 +# Secret scanning one-click report and revocation (for GitHub PATs only) +versions: + ghec: '*' + ghes: '> 3.15' diff --git a/data/reusables/secret-scanning/report-secret-pat-beta-note.md b/data/reusables/secret-scanning/report-secret-pat-beta-note.md new file mode 100644 index 0000000000..4336617723 --- /dev/null +++ b/data/reusables/secret-scanning/report-secret-pat-beta-note.md @@ -0,0 +1 @@ +Reporting a leaked secret to {% data variables.product.github %} is in beta and subject to change.
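Review bot: In the resolving-alerts.md hunk the new "Reporting a leaked secret" section is still a placeholder (`TODO` under the beta note), yet the "Fixing alerts" list above it already links to `#reporting-a-leaked-secret`, so readers on ghec/ghes would land on an empty section; the body needs to be written before this merges. Two smaller issues in the same hunk: the added line `see "[Performing an on-demand validity check](...).{% endif %}` opens a quotation mark but never closes it (the sibling sentences end with `."`), and the new report-and-revoke branch drops the "create a new token" step that the `{% else %}` branch keeps, so after "GitHub will then automatically revoke the token" the list should still tell the reader to create a replacement token before "Update any services that use the old token."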
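Review bot: The new feature file `secret-scanning-report-secret-github-pat.yml` versions the flag for `ghec: '*'` and `ghes: '> 3.15'` only, so on fpt (free/pro/team) the resolving-alerts.md page falls through to the delete-and-recreate instructions even though leaked PATs in public repositories are most common there; confirm that omitting `fpt` is intentional, and if the beta does cover github.com users outside enterprise accounts, add `fpt: '*'`. Also consider wording the reusable `report-secret-pat-beta-note.md` to match the surrounding beta notes in this directory so the rendered callout is consistent.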