From 5139a87e93e3d4c0a4c236bebf299ce91a8054dc Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 2 Jul 2024 13:22:51 +0000
Subject: [PATCH 001/275] create first map topic to test
---
 .../managing-secret-scanning-alerts/index.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
diff --git a/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md b/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
new file mode 100644
index 0000000000..5b2aabd06a
--- /dev/null
+++ b/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
@@ -0,0 +1,19 @@
+---
+title: Managing alerts for secret scanning and push protection
+shortTitle: Manage secret scanning alerts
+allowTitleToDifferFromFilename: true
+intro: 'Learn how to view, evaluate and resolve alerts for secrets checked in to your repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+redirect_from:
+ - /github/administering-a-repository/managing-alerts-from-secret-scanning
+ - /code-security/secret-security/managing-alerts-from-secret-scanning
+ - /code-security/secret-scanning/managing-alerts-from-secret-scanning
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
\ No newline at end of file
From 0bdc04e61f25e31bb114187770fece0699de2432 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 2 Jul 2024 13:43:53 +0000
Subject: [PATCH 002/275] adding to index.md file
---
 content/code-security/secret-scanning/index.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 927350e49a..5fa2442d0e 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -30,4 +30,5 @@ children:
 - /working-with-push-protection
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
+ - /managing-alerts-from-secret-scanning
 ---
From f16c05e24654531b728d15e7dcf9e353913da29a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Wed, 3 Jul 2024 17:10:26 +0200
Subject: [PATCH 003/275] add map topic for advanced features
---
 content/code-security/secret-scanning/index.md | 1 +
 .../index.md | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 5fa2442d0e..74ee8245d6 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -31,4 +31,5 @@ children:
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
 - /managing-alerts-from-secret-scanning
+ - /using-advanced-secret-scanning-and-push-protection-features
 ---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
new file mode 100644
index 0000000000..97ebaf0dde
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -0,0 +1,15 @@
+---
+title: Using advanced secret scanning and push protection features
+shortTitle: Advanced features
+allowTitleToDifferFromFilename: true
+intro: 'Learn how use advanced features for {% data variables.product.prodname_secret_scanning_caps %} and push protection.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
From cda98f19ca9ffb9fdbf6ad7ccac3a6ffe5d060ef Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 4 Jul 2024 14:20:09 +0100
Subject: [PATCH 004/275] Delete content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
---
 .../managing-secret-scanning-alerts/index.md | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
diff --git a/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md b/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
deleted file mode 100644
index 5b2aabd06a..0000000000
--- a/content/code-security/secret-scanning/managing-secret-scanning-alerts/index.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-title: Managing alerts for secret scanning and push protection
-shortTitle: Manage secret scanning alerts
-allowTitleToDifferFromFilename: true
-intro: 'Learn how to view, evaluate and resolve alerts for secrets checked in to your repository.'
-product: '{% data reusables.gated-features.secret-scanning %}'
-redirect_from:
- - /github/administering-a-repository/managing-alerts-from-secret-scanning
- - /code-security/secret-security/managing-alerts-from-secret-scanning
- - /code-security/secret-scanning/managing-alerts-from-secret-scanning
-versions:
- fpt: '*'
- ghes: '*'
- ghec: '*'
-topics:
- - Secret scanning
- - Advanced Security
- - Repositories
----
\ No newline at end of file
From fa3fb094ce60e4bcabfae12156b03a71322caf04 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 4 Jul 2024 14:20:28 +0100
Subject: [PATCH 005/275] Update content/code-security/secret-scanning/index.md
---
 content/code-security/secret-scanning/index.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 74ee8245d6..f22cad513a 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -30,6 +30,5 @@ children:
 - /working-with-push-protection
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
- - /managing-alerts-from-secret-scanning
 - /using-advanced-secret-scanning-and-push-protection-features
 ---
From 37a812d62537d293f10cbdcda6a0d9412cef8dec Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 15:50:58 +0200
Subject: [PATCH 006/275] Update index.md
---
 content/code-security/secret-scanning/index.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index f22cad513a..1187a0a8b4 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -31,4 +31,5 @@ children:
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
 - /using-advanced-secret-scanning-and-push-protection-features
+ - /secret-scanning-partnership-program
 ---
From 1f77a34583f389f5369413a02776fc948e7f5eb1 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:06:19 +0200
Subject: [PATCH 007/275] add new map topic
---
 .../Secret scanning partnership program/index.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 content/code-security/secret-scanning/Secret scanning partnership program/index.md
diff --git a/content/code-security/secret-scanning/Secret scanning partnership program/index.md b/content/code-security/secret-scanning/Secret scanning partnership program/index.md
new file mode 100644
index 0000000000..3e693f2adc
--- /dev/null
+++ b/content/code-security/secret-scanning/Secret scanning partnership program/index.md
@@ -0,0 +1,10 @@
+---
+title: Secret scanning partnership program
+intro: 'As a service provider, you can partner with {% data variables.product.prodname_dotcom %} to have your secret token formats secured through secret scanning, which searches for accidental commits of your secret format and can be sent to a service provider''s verify endpoint.'
+versions:
+ fpt: '*'
+ ghec: '*'
+topics:
+ - API
+shortTitle: Partner program
+---
From cff02de222615280201cbef066046f3895113370 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:12:30 +0200
Subject: [PATCH 008/275] argh
---
 .../index.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{Secret scanning partnership program => secret-scanning-partnership-program}/index.md (100%)
diff --git a/content/code-security/secret-scanning/Secret scanning partnership program/index.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
similarity index 100%
rename from content/code-security/secret-scanning/Secret scanning partnership program/index.md
rename to content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
From 76885f0846625632f65af5a246bee0c56df8dcc4 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:23:07 +0200
Subject: [PATCH 009/275] renamed 1 files
---
 .../secret-scanning-partner-program.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => secret-scanning-partnership-program}/secret-scanning-partner-program.md (100%)
diff --git a/content/code-security/secret-scanning/secret-scanning-partner-program.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
similarity index 100%
rename from content/code-security/secret-scanning/secret-scanning-partner-program.md
rename to content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
From 545eba670569c33acaa8d1742644f0d4661be158 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:23:14 +0200
Subject: [PATCH 010/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 2 +-
 .../secret-scanning-partnership-program/index.md | 3 +++
 .../secret-scanning-partner-program.md | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 1187a0a8b4..e3176e066d 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -16,7 +16,6 @@ topics:
 - Repositories
 children:
 - /about-secret-scanning
- - /secret-scanning-partner-program
 - /configuring-secret-scanning-for-your-repositories
 - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
@@ -33,3 +32,4 @@ children:
 - /using-advanced-secret-scanning-and-push-protection-features
 - /secret-scanning-partnership-program
 ---
+
diff --git a/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
index 3e693f2adc..cdf66c1e93 100644
--- a/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
+++ b/content/code-security/secret-scanning/secret-scanning-partnership-program/index.md
@@ -7,4 +7,7 @@ versions:
 topics:
 - API
 shortTitle: Partner program
+children:
+ - /secret-scanning-partner-program
 ---
+
diff --git a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
index 742fc7fd79..5cd9360061 100644
--- a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
+++ b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
@@ -6,6 +6,7 @@ redirect_from:
 - /partnerships/secret-scanning
 - /developers/overview/secret-scanning
 - /developers/overview/secret-scanning-partner-program
+ - /code-security/secret-scanning/secret-scanning-partner-program
 versions:
 fpt: '*'
 ghec: '*'
From 649f8ed052a292d0bee58569ce3805296a9b662e Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:36:10 +0200
Subject: [PATCH 011/275] add more topics
---
 .../secret-scanning-partner-program.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
index 5cd9360061..a8adbf25d7 100644
--- a/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
+++ b/content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md
@@ -12,6 +12,8 @@ versions:
 ghec: '*'
 topics:
 - API
+ - Secret scanning
+ - Advanced Security
 shortTitle: Partner program
 ---
From 70779492f438b74af321c59cb22d8cd20658cca5 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:43:11 +0200
Subject: [PATCH 012/275] add new map topic
---
 content/code-security/secret-scanning/index.md | 1 +
 .../index.md | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 1187a0a8b4..91a05da35c 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -31,5 +31,6 @@ children:
 - /pushing-a-branch-blocked-by-push-protection
 - /troubleshooting-secret-scanning
 - /using-advanced-secret-scanning-and-push-protection-features
+ - /troubleshooting-secret-scanning-and-push-protection
 - /secret-scanning-partnership-program
 ---
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
new file mode 100644
index 0000000000..d5dceeaa2a
--- /dev/null
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
@@ -0,0 +1,15 @@
+---
+title: Troubleshooting secret scanning and push protection
+shortTitle: Troubleshoot secret scanning
+intro: 'If you have problems with {% data variables.product.prodname_secret_scanning %} or push protection, you can use these tips to help resolve issues.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Troubleshooting
+---
From 89944ad0800a7ea914214ace2a773418eeae0c96 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:51:36 +0200
Subject: [PATCH 013/275] renamed 1 files
---
 .../troubleshooting-secret-scanning.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => troubleshooting-secret-scanning-and-push-protection}/troubleshooting-secret-scanning.md (100%)
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
similarity index 100%
rename from content/code-security/secret-scanning/troubleshooting-secret-scanning.md
rename to content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
From 891669119dfc738d382c04387fcfd901102cff6a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:51:42 +0200
Subject: [PATCH 014/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 2 +-
 .../index.md | 3 +++
 .../troubleshooting-secret-scanning.md | 2 ++
 data/learning-tracks/code-security.yml | 2 +-
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 91a05da35c..b249216ecd 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -29,8 +29,8 @@ children:
 - /push-protection-for-users
 - /working-with-push-protection
 - /pushing-a-branch-blocked-by-push-protection
- - /troubleshooting-secret-scanning
 - /using-advanced-secret-scanning-and-push-protection-features
 - /troubleshooting-secret-scanning-and-push-protection
 - /secret-scanning-partnership-program
 ---
+
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
index d5dceeaa2a..8cbdd7d96b 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
@@ -12,4 +12,7 @@ topics:
 - Secret scanning
 - Advanced Security
 - Troubleshooting
+children:
+ - /troubleshooting-secret-scanning
 ---
+
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
index 829a21c724..17b73d4f1d 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
@@ -12,6 +12,8 @@ topics:
 - Secret scanning
 - Advanced Security
 - Troubleshooting
+redirect_from:
+ - /code-security/secret-scanning/troubleshooting-secret-scanning
 ---
 {% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index bd2bb21f1b..82650c37c2 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -132,7 +132,7 @@ secret_scanning:
 {% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{% endif %}
- - /code-security/secret-scanning/troubleshooting-secret-scanning
+ - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning
 security_alerts:
 title: Explore and manage security alerts
 description: Learn where to find and resolve security alerts.
From ebd865f15027961855419fbd2d2da7717c0916e6 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:58:14 +0200
Subject: [PATCH 015/275] updated intro to make it different from the folder intro
---
 .../troubleshooting-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
index 17b73d4f1d..0624bb862c 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
@@ -1,7 +1,7 @@
 ---
 title: Troubleshooting secret scanning
 shortTitle: Troubleshoot secret scanning
-intro: 'If you have problems with {% data variables.product.prodname_secret_scanning %}, you can use these tips to help resolve issues.'
+intro: 'When using {% data variables.product.prodname_secret_scanning %} to detect secrets in your repository, or about to be committed into your repository, you may need to troubleshoot unexpected issues.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 13f16747ec28294fcaf4d3f00118440af6583e6a Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 17:13:04 +0200
Subject: [PATCH 016/275] Update content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../troubleshooting-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
index 0624bb862c..9572785a2c 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
@@ -1,7 +1,7 @@
 ---
 title: Troubleshooting secret scanning
 shortTitle: Troubleshoot secret scanning
-intro: 'When using {% data variables.product.prodname_secret_scanning %} to detect secrets in your repository, or about to be committed into your repository, you may need to troubleshoot unexpected issues.'
+intro: 'When using {% data variables.product.prodname_secret_scanning %} to detect secrets in your repository, or secrets about to be committed into your repository, you may need to troubleshoot unexpected issues.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 09deb20f16ad7846e626a431ee73cb9fa9c0e9fb Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:04:19 +0200
Subject: [PATCH 017/275] add new map topic + index
---
 .../generic-secret-detection/index.md | 13 +++++++++++++
 .../index.md | 2 ++
 2 files changed, 15 insertions(+)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
new file mode 100644
index 0000000000..e4152f6471
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
@@ -0,0 +1,13 @@
+---
+title: Generic secret detection
+shortTitle: Generic secret detection
+allowTitleToDifferFromFilename: true
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ feature: secret-scanning-ai-generic-secret-detection
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index 97ebaf0dde..721a71fd42 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -12,4 +12,6 @@ topics:
 - Secret scanning
 - Advanced Security
 - Repositories
+children:
+ - /generic-secret-detection
 ---
From a8fcd79a0087c15e8038cdbfef9ac93cf2a980ed Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:09:41 +0200
Subject: [PATCH 018/275] adding custom patterns map topic
---
 .../custom-patterns/index.md | 14 ++++++++++++++
 .../index.md | 1 +
 2 files changed, 15 insertions(+)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
new file mode 100644
index 0000000000..e6f34a7173
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -0,0 +1,14 @@
+---
+title: Custom patterns
+shortTitle: Custom patterns
+allowTitleToDifferFromFilename: true
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index 721a71fd42..3c14e4a17e 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -14,4 +14,5 @@ topics:
 - Repositories
 children:
 - /generic-secret-detection
+ - /custom-patterns
 ---
From 0314f53db35cc129b84ae73515a0debe8e902677 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:12:01 +0200
Subject: [PATCH 019/275] add map topic for delegated bypass
---
 .../delegated-bypass-for-push-protection/index.md | 15 +++++++++++++++
 .../index.md | 1 +
 2 files changed, 16 insertions(+)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
new file mode 100644
index 0000000000..deda1f34fc
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
@@ -0,0 +1,15 @@
+---
+title: Delegated bypass for push protection
+shortTitle: Delegated bypass
+allowTitleToDifferFromFilename: true
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index 3c14e4a17e..0335fc4e61 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -15,4 +15,5 @@ topics:
 children:
 - /generic-secret-detection
 - /custom-patterns
+ - /delegated-bypass-for-push-protection
 ---
From 1f6477ac4d64bfbac66515979b3c0d033d6b00d0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:29:02 +0200
Subject: [PATCH 020/275] renamed 1 files
---
 ...about-the-detection-of-generic-secrets-with-secret-scanning.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection}/about-the-detection-of-generic-secrets-with-secret-scanning.md (100%)
diff --git a/content/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
similarity index 100%
rename from content/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
From b3a6560ddaa511968352136cff0fb57bb4102850 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:29:19 +0200
Subject: [PATCH 021/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 ...-the-detection-of-generic-secrets-with-secret-scanning.md | 2 ++
 .../generic-secret-detection/index.md | 5 ++++-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 39f4e2aa6c..226c3d83a9 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -22,7 +22,6 @@ children:
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
- - /about-the-detection-of-generic-secrets-with-secret-scanning
 - /enabling-ai-powered-generic-secret-detection
 - /push-protection-for-repositories-and-organizations
 - /push-protection-for-users
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
index fd62a76201..522a1e7c8a 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
@@ -10,6 +10,8 @@ topics:
 - Secret scanning
 - Advanced Security
 - AI
+redirect_from:
+ - /code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning
 ---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
index e4152f6471..2b8619076d 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
@@ -2,7 +2,7 @@
 title: Generic secret detection
 shortTitle: Generic secret detection
 allowTitleToDifferFromFilename: true
-intro: 'TODO'
+intro: TODO
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 feature: secret-scanning-ai-generic-secret-detection
@@ -10,4 +10,7 @@ topics:
 - Secret scanning
 - Advanced Security
 - Repositories
+children:
+ - /about-the-detection-of-generic-secrets-with-secret-scanning
 ---
+
From ccbaf4c1f8230be715b3f7054f83941e61943f6d Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:35:24 +0200
Subject: [PATCH 022/275] renamed 1 files
---
 .../enabling-ai-powered-generic-secret-detection.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection}/enabling-ai-powered-generic-secret-detection.md (100%)
diff --git a/content/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
similarity index 100%
rename from content/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
From 8bbffe01d21e409c5c3fdedb8ac48e274568bc14 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:35:31 +0200
Subject: [PATCH 023/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 .../enabling-ai-powered-generic-secret-detection.md | 2 ++
 .../generic-secret-detection/index.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 226c3d83a9..1c928cd6c0 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -22,7 +22,6 @@ children:
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
- - /enabling-ai-powered-generic-secret-detection
 - /push-protection-for-repositories-and-organizations
 - /push-protection-for-users
 - /working-with-push-protection
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
index a0a2d6489f..a726134ee1 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
@@ -9,6 +9,8 @@ topics:
 - Secret scanning
 - Advanced Security
 - AI
+redirect_from:
+ - /code-security/secret-scanning/enabling-ai-powered-generic-secret-detection
 ---
 {% data reusables.secret-scanning.generic-secret-detection-ai %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
index 2b8619076d..2c18e9b932 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md
@@ -12,5 +12,6 @@ topics:
 - Repositories
 children:
 - /about-the-detection-of-generic-secrets-with-secret-scanning
+ - /enabling-ai-powered-generic-secret-detection
 ---
From 91e1651c2a4a877c438f7ec0feb69caf85ceeb1a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:39:49 +0200
Subject: [PATCH 024/275] fix link
---
 .../enabling-ai-powered-generic-secret-detection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
index a726134ee1..c53fee5c44 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
@@ -31,5 +31,5 @@ For information on how to view alerts for generic secrets that have been detecte
 ## Further reading
-* [AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)
+* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)
 * [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)
From 7232782a2bb66a113adfdccca71884a00f2d79af Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:42:27 +0200
Subject: [PATCH 025/275] renamed 1 files
---
 .../defining-custom-patterns-for-secret-scanning.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/custom-patterns}/defining-custom-patterns-for-secret-scanning.md (100%)
diff --git a/content/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
similarity index 100%
rename from content/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
From 2142c6da739488dcee9ad99c1606c6d0f12e7ef4 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 4 Jul 2024 21:42:34 +0200
Subject: [PATCH 026/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 .../defining-custom-patterns-for-secret-scanning.md | 1 +
 .../custom-patterns/index.md | 5 ++++-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 1c928cd6c0..5533ea7f43 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -17,7 +17,6 @@ topics:
 children:
 - /about-secret-scanning
 - /configuring-secret-scanning-for-your-repositories
- - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
index b29c3d1325..0616faf486 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
@@ -5,6 +5,7 @@ intro: 'You can define your own custom patterns to extend the capabilities of {%
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
 - /code-security/secret-security/defining-custom-patterns-for-secret-scanning
+ - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
 versions:
 ghes: '*'
 ghec: '*'
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index e6f34a7173..26b40cfc58 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -2,7 +2,7 @@
 title: Custom patterns
 shortTitle: Custom patterns
 allowTitleToDifferFromFilename: true
-intro: 'TODO'
+intro: TODO
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 ghes: '*'
@@ -11,4 +11,7 @@ topics:
 - Secret scanning
 - Advanced Security
 - Repositories
+children:
+ - /defining-custom-patterns-for-secret-scanning
 ---
+
From b0ef45d6ef57bbe72976ff5fe64088a93ec3cf9c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 08:30:48 +0200
Subject: [PATCH 027/275] renamed 1 files
---
 .../about-the-regular-expression-generator-for-custom-patterns.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/custom-patterns}/about-the-regular-expression-generator-for-custom-patterns.md (100%)
diff --git a/content/code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
similarity index 100%
rename from content/code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
From 8c83f377842986b463074a5fb87784dde192fbf7 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 08:31:07 +0200
Subject: [PATCH 028/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 ...bout-the-regular-expression-generator-for-custom-patterns.md | 2 ++
 .../custom-patterns/index.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 5533ea7f43..25932b358f 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -17,7 +17,6 @@ topics:
 children:
 - /about-secret-scanning
 - /configuring-secret-scanning-for-your-repositories
- - /about-the-regular-expression-generator-for-custom-patterns
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
index fa61ea51e2..9eb2ee340f 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
@@ -11,6 +11,8 @@ topics:
 - Advanced Security
 - Secret scanning
 - AI
+redirect_from:
+ - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns
 ---
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index 26b40cfc58..8fbdbb75d1 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -13,5 +13,6 @@ topics:
 - Repositories
 children:
 - /defining-custom-patterns-for-secret-scanning
+ - /about-the-regular-expression-generator-for-custom-patterns
 ---
From e68fbe95d645343120eef59c6bc476f81d56910b Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 09:22:26 +0200
Subject: [PATCH 029/275] renamed 1 files
---
 .../generating-regular-expressions-for-custom-patterns-with-ai.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => using-advanced-secret-scanning-and-push-protection-features/custom-patterns}/generating-regular-expressions-for-custom-patterns-with-ai.md (100%)
diff --git a/content/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
similarity index 100%
rename from content/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai.md
rename to content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
From 7291b8b9e1c2795614b2366f21759aaf7ae809f1 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 09:22:33 +0200
Subject: [PATCH 030/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 ...enerating-regular-expressions-for-custom-patterns-with-ai.md | 2 ++
 .../custom-patterns/index.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 25932b358f..1aaca7e75c 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -17,7 +17,6 @@ topics:
 children:
 - /about-secret-scanning
 - /configuring-secret-scanning-for-your-repositories
- - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
 - /push-protection-for-repositories-and-organizations
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
index 1980dddad5..12190d6d50 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md
@@ -10,6 +10,8 @@ topics:
 - Advanced Security
 - Secret scanning
 - AI
+redirect_from:
+ - /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai
 ---
 {% data reusables.secret-scanning.beta-custom-pattern-regular-expression-generator %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index 8fbdbb75d1..9fe3ec7691 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -14,5 +14,6 @@ topics:
 children:
 - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
+ - /generating-regular-expressions-for-custom-patterns-with-ai
 ---
From 5c6aa949bf2c46b26872067abc0bd060664ba862 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 09:27:23 +0200
Subject: [PATCH 031/275] add new article about metrics
---
 ...ing-custom-patterns-for-secret-scanning.md | 21 --------------
 .../custom-patterns/index.md | 2 +-
 .../metrics-for-custom-patterns.md | 29 +++++++++++++++++++
 3 files changed, 30 insertions(+), 22 deletions(-)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
index 0616faf486..2f67f6e55f 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
@@ -189,24 +189,3 @@ When you save a change to a custom pattern, this closes all the {% data variable
 1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}.
 1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
 1. Click **Yes, delete this pattern**.
-
-{% ifversion secret-scanning-custom-patterns-metrics %}
-
-## Metrics for custom patterns
-
-Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days.
-
-{% note %}
-
-**Note:** Metrics for custom patterns are in public beta and subject to change.
-
-{% endnote %}
-
-### Viewing metrics for custom patterns
-
-{% data reusables.secret-scanning.view-custom-pattern %}
-1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the custom pattern you want to view.
-
-The metrics are displayed under the custom pattern's name.
-
-{% endif %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index 9fe3ec7691..4a197149da 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -15,5 +15,5 @@ children:
 - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
 - /generating-regular-expressions-for-custom-patterns-with-ai
+ - /metrics-for-custom-patterns
 ---
-
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
new file mode 100644
index 0000000000..32e46f9c4f
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
@@ -0,0 +1,29 @@
+---
+title: Metrics for custom patterns
+shortTitle: Custom pattern metrics
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ feature: secret-scanning-custom-patterns-metrics
+type: how_to
+topics:
+ - Advanced Security
+ - Secret scanning
+---
+
+## Metrics for custom patterns
+
+Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days.
+
+{% note %}
+
+**Note:** Metrics for custom patterns are in public beta and subject to change.
+
+{% endnote %}
+
+## Viewing metrics for custom patterns
+
+{% data reusables.secret-scanning.view-custom-pattern %}
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the custom pattern you want to view.
+
+The metrics are displayed under the custom pattern's name.
From 065e95007b1d3027526cd18b79889615e06d6f1c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 10:00:57 +0200
Subject: [PATCH 032/275] more work on custom patterns
---
 ...tion-for-repositories-and-organizations.md | 70 ----------------
 ...ing-custom-patterns-for-secret-scanning.md | 81 +++++++++++++++----
 .../custom-patterns/index.md | 1 +
 .../managing-custom-patterns.md | 34 ++++++++
 .../secret-scanning/view-custom-pattern.md | 4 +-
 5 files changed, 102 insertions(+), 88 deletions(-)
 create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index 9d10a0acb3..94b9ca4ddd 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -122,76 +122,6 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} -{% ifversion secret-scanning-push-protection-custom-patterns %} - -## Enabling push protection for a custom pattern - -You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}. - -{% ifversion ghec or ghes %} - -### Enabling push protection for a custom pattern stored in an enterprise - -{% data reusables.secret-scanning.push-protection-enterprise-note %} - -Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %} -{% data reusables.enterprise-accounts.code-security-and-analysis-policies %} -1. 
Under "Code security and analysis", click **Security features**.{% else %} -{% data reusables.enterprise-accounts.advanced-security-policies %} -{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} - - {% ifversion custom-pattern-dry-run-ga %} - >[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created. - {%- endif %} - -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. - - {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} - - ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern - -Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." 
- -{% data reusables.profile.access_org %} -{% data reusables.profile.org_settings %} -{% data reusables.organizations.security-and-analysis %} - -{% ifversion security-configurations %} - {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps. -{% endif %} - -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. -{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %} - - ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern - -Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." 
- -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} -1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. - - {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %} - - ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) - -{% endif %} - {% ifversion push-protection-delegated-bypass %} ## Enabling delegated bypass for push protection diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 2f67f6e55f..19443b0f83 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md 
@@ -169,23 +169,72 @@ Before defining a custom pattern, you must ensure that you enable secret scannin
 After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
-## Editing a custom pattern
+{% ifversion secret-scanning-push-protection-custom-patterns %}
-When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern.
-{% data reusables.secret-scanning.view-custom-pattern %}
-1. Under "{% data variables.product.prodname_secret_scanning_caps %}", to the right of the custom pattern you want to edit, click {% octicon "pencil" aria-label="Edit pattern" %}.
-{%- ifversion custom-pattern-dry-run-ga %}
-1. When you're ready to test your edited custom pattern, to identify matches without creating alerts, click **Save and dry run**.
-{%- endif %}
-1. When you have reviewed and tested your changes, click **Publish changes**.{% ifversion secret-scanning-push-protection-custom-patterns %}
-{% data reusables.advanced-security.secret-scanning-enable-push-protection-custom-pattern %}
-1. Optionally, to disable push protection for your custom pattern, click **Disable**.
+## Enabling push protection for a custom pattern
- ![Screenshot of the custom pattern page with the button to disable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-disable-push-protection-custom-pattern.png){% endif %}
+You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}.
-## Removing a custom pattern
+{% ifversion ghec or ghes %}
-{% data reusables.secret-scanning.view-custom-pattern %}
-1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}.
-1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
-1. Click **Yes, delete this pattern**.
+### Enabling push protection for a custom pattern stored in an enterprise
+
+{% data reusables.secret-scanning.push-protection-enterprise-note %}
+
+Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %}
+{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
+1. 
Under "Code security and analysis", click **Security features**.{% else %}
+{% data reusables.enterprise-accounts.advanced-security-policies %}
+{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %}
+{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
+
+ {% ifversion custom-pattern-dry-run-ga %}
+ >[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created.
+ {%- endif %}
+
+1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
+
+ {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
+
+ ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
+
+{% endif %}
+
+### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern
+
+Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.security-and-analysis %}
+
+{% ifversion security-configurations %}
+ {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps.
+{% endif %}
+
+{% data reusables.repositories.navigate-to-ghas-settings %}
+{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
+1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
+{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}
+
+ ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
+
+### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern
+
+Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+{% data reusables.repositories.navigate-to-ghas-settings %}
+{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
+1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
+
+ {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
+
+ ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
+
+{% endif %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index 4a197149da..ccf24a9934 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -13,6 +13,7 @@ topics:
 - Repositories
 children:
 - /defining-custom-patterns-for-secret-scanning
+ - /managing-custom-patterns
 - /about-the-regular-expression-generator-for-custom-patterns
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /metrics-for-custom-patterns
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
new file mode 100644
index 0000000000..4f699e0062
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
@@ -0,0 +1,34 @@
+---
+title: Managing custom patterns for secret
+shortTitle: Manage custom patterns
+intro: 'TODO'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Advanced Security
+ - Secret scanning
+---
+
+## Editing a custom pattern
+
+When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern.
+{% data reusables.secret-scanning.view-custom-pattern %}
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", to the right of the custom pattern you want to edit, click {% octicon "pencil" aria-label="Edit pattern" %}.
+{%- ifversion custom-pattern-dry-run-ga %}
+1. When you're ready to test your edited custom pattern, to identify matches without creating alerts, click **Save and dry run**.
+{%- endif %}
+1. When you have reviewed and tested your changes, click **Publish changes**.{% ifversion secret-scanning-push-protection-custom-patterns %}
+{% data reusables.advanced-security.secret-scanning-enable-push-protection-custom-pattern %}
+1. Optionally, to disable push protection for your custom pattern, click **Disable**.
+
+ ![Screenshot of the custom pattern page with the button to disable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-disable-push-protection-custom-pattern.png){% endif %}
+
+## Removing a custom pattern
+
+{% data reusables.secret-scanning.view-custom-pattern %}
+1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}.
+1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
+1. Click **Yes, delete this pattern**.
diff --git a/data/reusables/secret-scanning/view-custom-pattern.md b/data/reusables/secret-scanning/view-custom-pattern.md
index 01fb785318..be93ccf9d8 100644
--- a/data/reusables/secret-scanning/view-custom-pattern.md
+++ b/data/reusables/secret-scanning/view-custom-pattern.md
@@ -1,3 +1,3 @@
 1. Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account.
- * For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "[Defining a custom pattern for a repository](#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](#defining-a-custom-pattern-for-an-organization)".
- * For an enterprise, under "Policies" display the "Advanced Security" area, and then click **Security features**. For more information, see "[Defining a custom pattern for an enterprise account](#defining-a-custom-pattern-for-an-enterprise-account)" above.
+ * For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)".
+ * For an enterprise, under "Policies" display the "Advanced Security" area, and then click **Security features**. For more information, see "[Defining a custom pattern for an enterprise account](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)."
From be742c0e2d6ef3ec213a6fbeaedef9e366eb9c3f Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 10:24:54 +0200
Subject: [PATCH 033/275] move content between articles
---
 ...ing-custom-patterns-for-secret-scanning.md | 72 +------------------
 .../managing-custom-patterns.md | 70 ++++++++++++++++++
 ...ret-scanning-add-custom-pattern-details.md | 2 +-
 3 files changed, 72 insertions(+), 72 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
index 19443b0f83..e311257f0d 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
@@ -46,7 +46,7 @@ For simple tokens you will usually only need to specify a secret format. The oth
 ### Using the regular expression generator
-{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)."
+{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)."
 {% endif %}
@@ -168,73 +168,3 @@ Before defining a custom pattern, you must ensure that you enable secret scannin
 {% indented_data_reference reusables.secret-scanning.push-protection-enterprise-note spaces=3 %}{% endif %}
 After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
-
-{% ifversion secret-scanning-push-protection-custom-patterns %}
-
-## Enabling push protection for a custom pattern
-
-You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}.
-
-{% ifversion ghec or ghes %}
-
-### Enabling push protection for a custom pattern stored in an enterprise
-
-{% data reusables.secret-scanning.push-protection-enterprise-note %}
-
-Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. 
That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %}
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %}
-{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
-1. Under "Code security and analysis", click **Security features**.{% else %}
-{% data reusables.enterprise-accounts.advanced-security-policies %}
-{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %}
-{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
-
- {% ifversion custom-pattern-dry-run-ga %}
- >[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created.
- {%- endif %}
-
-1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
-
- {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
-
- ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
-
-{% endif %}
-
-### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern
-
-Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
-
-{% data reusables.profile.access_org %}
-{% data reusables.profile.org_settings %}
-{% data reusables.organizations.security-and-analysis %}
-
-{% ifversion security-configurations %}
- {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps.
-{% endif %}
-
-{% data reusables.repositories.navigate-to-ghas-settings %}
-{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
-1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
-{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}
-
- ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
-
-### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern
-
-Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
-
-{% data reusables.repositories.navigate-to-repo %}
-{% data reusables.repositories.sidebar-settings %}
-{% data reusables.repositories.navigate-to-code-security-and-analysis %}
-{% data reusables.repositories.navigate-to-ghas-settings %}
-{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
-1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
-
- {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
-
- ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
-
-{% endif %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
index 4f699e0062..0ca27fdbc0 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
@@ -32,3 +32,73 @@ When you save a change to a custom pattern, this closes all the {% data variable
 1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}.
 1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
 1. Click **Yes, delete this pattern**.
+
+{% ifversion secret-scanning-push-protection-custom-patterns %}
+
+## Enabling push protection for a custom pattern
+
+You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}.
+
+{% ifversion ghec or ghes %}
+
+### Enabling push protection for a custom pattern stored in an enterprise
+
+{% data reusables.secret-scanning.push-protection-enterprise-note %}
+
+Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %}
+{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
+1. 
Under "Code security and analysis", click **Security features**.{% else %}
+{% data reusables.enterprise-accounts.advanced-security-policies %}
+{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %}
+{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
+
+ {% ifversion custom-pattern-dry-run-ga %}
+ >[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created.
+ {%- endif %}
+
+1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
+
+ {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
+
+ ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
+
+{% endif %}
+
+### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern
+
+Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.security-and-analysis %}
+
+{% ifversion security-configurations %}
+ {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps.
+{% endif %}
+
+{% data reusables.repositories.navigate-to-ghas-settings %}
+{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
+1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
+{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}
+
+ ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
+
+### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern
+
+Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+{% data reusables.repositories.navigate-to-ghas-settings %}
+{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
+1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
+
+ {% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
+
+ ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
+
+{% endif %}
diff --git a/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md b/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md
index eeb175416e..8fb34723f3 100644
--- a/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md
+++ b/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md
@@ -1,6 +1,6 @@
 1. Enter the details for your new custom pattern. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
 1. In the "Pattern name" field, type a name for your pattern.
- 1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see "[AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)."{% endif %}
+ 1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)."{% endif %}
 1. You can click **More options {% octicon "chevron-down" aria-label="down" %}** to provide other surrounding content or additional match requirements for the secret format.
 1. Provide a sample test string to make sure your configuration is matching the patterns you expect.
From 6d0e26bb116ac544350743abac680e59de33e944 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:55:04 +0200
Subject: [PATCH 034/275] fixing TODOs and updating links
---
 .../custom-patterns/managing-custom-patterns.md | 6 ++++--
 .../custom-patterns/metrics-for-custom-patterns.md | 4 +++-
 .../delegated-bypass-for-push-protection/index.md | 2 +-
 .../index.md | 2 +-
 data/learning-tracks/code-security.yml | 4 ++--
 5 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
index 0ca27fdbc0..60f4242c4c 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md
@@ -1,7 +1,7 @@
 ---
-title: Managing custom patterns for secret
+title: Managing custom patterns for secret scanning
 shortTitle: Manage custom patterns
-intro: 'TODO'
+intro: 'You can view, edit, and remove custom patterns, as well as enable push protection for custom patterns.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 ghes: '*'
@@ -12,6 +12,8 @@ topics:
 - Secret scanning
 ---
+TODO
+
 ## Editing a custom pattern
 When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern.
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
index 32e46f9c4f..eb63079f0d 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
@@ -1,7 +1,7 @@ --- title: Metrics for custom patterns shortTitle: Custom pattern metrics -intro: 'TODO' +intro: 'You can view alert metrics for custom patterns at the repository, organization, and enterprise levels, from within {% data variables.product.product_name %}.' product: '{% data reusables.gated-features.secret-scanning %}' versions: feature: secret-scanning-custom-patterns-metrics @@ -11,6 +11,8 @@ topics: - Secret scanning --- +TODO + ## Metrics for custom patterns Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index deda1f34fc..71df8e2faf 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -2,7 +2,7 @@ title: Delegated bypass for push protection shortTitle: Delegated bypass allowTitleToDifferFromFilename: true -intro: 'TODO' +intro: 'With delegated bypass, contributors can propose bypassing a block and members of the bypass list can review those bypass requests to allow or deny the content.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index 0335fc4e61..8e9ebb3bb0 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md @@ -2,7 +2,7 @@ title: Using advanced secret scanning and push protection features shortTitle: Advanced features allowTitleToDifferFromFilename: true -intro: 'Learn how use advanced features for {% data variables.product.prodname_secret_scanning_caps %} and push protection.' +intro: 'TODO.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 82650c37c2..113f87c0ca 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -117,7 +117,7 @@ secret_scanning: /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories - >- {% ifversion not fpt - %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning{% + %}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{% endif %} - /code-security/secret-scanning/managing-alerts-from-secret-scanning - /code-security/secret-scanning/secret-scanning-patterns @@ -132,7 +132,7 @@ secret_scanning: {% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{% endif %} - - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning + - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md security_alerts: title: Explore and manage security alerts description: Learn where to find and resolve security alerts. From 2437b7d162a0b021b2477f417714340672ccfa3f Mon Sep 17 00:00:00 2001 
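Review bot: The last entry of the `secret_scanning` track in `data/learning-tracks/code-security.yml` now ends in `.md`, while every other entry visible in the two hunks is an extensionless site path, so this one will probably not resolve to an article. Keep the directory move and drop the suffix: `- /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning`. The list starts above the hunk, so entries outside it were not checked.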
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 14:23:18 +0200
Subject: [PATCH 035/275] complete work on custom patterns
---
...he-regular-expression-generator-for-custom-patterns.md | 6 +++---
.../defining-custom-patterns-for-secret-scanning.md | 4 ++++
...ing-regular-expressions-for-custom-patterns-with-ai.md | 2 +-
.../custom-patterns/managing-custom-patterns.md | 7 ++++---
.../custom-patterns/metrics-for-custom-patterns.md | 8 +-------
...scanning-generate-regular-expression-custom-pattern.md | 2 +-
data/reusables/secret-scanning/link-to-push-protection.md | 2 +-
7 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
index 9eb2ee340f..0c42e2838d 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns.md
@@ -37,7 +37,7 @@ The model returns up to three regular expressions for you to review. You can cli Some results may be quite similar, and some results may not find every instance of the secret that the pattern is intended to detect. It is also possible that the regular expression generator may produce results which are invalid or inappropriate. -When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization.{% ifversion secret-scanning-custom-pattern-ai-generated %} For more information on how to define a custom pattern for your repository or organization, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." {% endif %} +When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization.{% ifversion secret-scanning-custom-pattern-ai-generated %} For more information on how to define a custom pattern for your repository or organization, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% endif %} ## Improving performance for the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} 
@@ -63,7 +63,7 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio ## Next steps -* [AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai) * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) {% endif %} @@ -75,6 +75,6 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio {% endif %} {% ifversion secret-scanning-custom-pattern-ai-generated %} -* [AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning) * [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) {% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index e311257f0d..5a1aa2124d 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md 
@@ -168,3 +168,7 @@ Before defining a custom pattern, you must ensure that you enable secret scannin {% indented_data_reference reusables.secret-scanning.push-protection-enterprise-note spaces=3 %}{% endif %} After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." + +## Further reading + +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md index 12190d6d50..fdbfe20316 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md 
@@ -51,4 +51,4 @@ redirect_from: ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-the-regular-expression-generator-for-custom-patterns)" diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md index 60f4242c4c..b04e5ed74f 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md @@ -12,11 +12,12 @@ topics: - Secret scanning --- -TODO +Custom patterns are user-defined patterns that you can use to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." ## Editing a custom pattern When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern. + {% data reusables.secret-scanning.view-custom-pattern %} 1. Under "{% data variables.product.prodname_secret_scanning_caps %}", to the right of the custom pattern you want to edit, click {% octicon "pencil" aria-label="Edit pattern" %}. {%- ifversion custom-pattern-dry-run-ga %} 
@@ -39,7 +40,7 @@ When you save a change to a custom pattern, this closes all the {% data variable ## Enabling push protection for a custom pattern -You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}. +You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else %} the organization or repository level{% endif %}. {% ifversion ghec or ghes %} @@ -90,7 +91,7 @@ Before enabling push protection for a custom pattern at organization level, you ### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern -Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." +Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md index eb63079f0d..ae45e17f4d 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md @@ -11,17 +11,11 @@ topics: - Secret scanning --- -TODO - ## Metrics for custom patterns Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days. -{% note %} - -**Note:** Metrics for custom patterns are in public beta and subject to change. - -{% endnote %} +> [!NOTE] Metrics for custom patterns are in public beta and subject to change. ## Viewing metrics for custom patterns diff --git a/data/reusables/advanced-security/secret-scanning-generate-regular-expression-custom-pattern.md b/data/reusables/advanced-security/secret-scanning-generate-regular-expression-custom-pattern.md index d3185001c9..f82f220592 100644 --- a/data/reusables/advanced-security/secret-scanning-generate-regular-expression-custom-pattern.md +++ b/data/reusables/advanced-security/secret-scanning-generate-regular-expression-custom-pattern.md 
@@ -3,7 +3,7 @@ {% note %} - **Note:** You can enter a regular expression manually instead of using the generator, by typing a regular expression for the format of your secret pattern in the "Secret format" field. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)." + **Note:** You can enter a regular expression manually instead of using the generator, by typing a regular expression for the format of your secret pattern in the "Secret format" field. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)." {% endnote %} diff --git a/data/reusables/secret-scanning/link-to-push-protection.md b/data/reusables/secret-scanning/link-to-push-protection.md index eb0f3fee21..5975dd27ff 100644 --- a/data/reusables/secret-scanning/link-to-push-protection.md +++ b/data/reusables/secret-scanning/link-to-push-protection.md 
@@ -1 +1 @@
-You can configure {% data variables.product.prodname_secret_scanning %} to check pushes for custom patterns before commits are merged into the default branch. For more information, see "[Enabling push protection for a custom pattern](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-push-protection-for-a-custom-pattern)."
+You can configure {% data variables.product.prodname_secret_scanning %} to check pushes for custom patterns before commits are merged into the default branch. For more information, see "[Enabling push protection for a custom pattern](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns#enabling-push-protection-for-a-custom-pattern)."
From 9f06589c409e49bd783ef1f782a667c568c65d13 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 14:31:38 +0200
Subject: [PATCH 036/275] fix more links
---
...out-the-detection-of-generic-secrets-with-secret-scanning.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
index 522a1e7c8a..6ced8e219b 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
@@ -76,7 +76,7 @@ Generic secret detection has been subject to Responsible AI Red Teaming and {% d ## Next steps -* [AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection) +* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection) * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) {% endif %} From 73b229132631fe212a832be6d4dce07b91d18ded Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 15:34:38 +0200 Subject: [PATCH 037/275] removed remaining TODOs --- .../custom-patterns/index.md | 2 +- .../generic-secret-detection/index.md | 3 +-- .../index.md | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md index ccf24a9934..bb8f6e9f7b 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md @@ -2,7 +2,7 @@ title: Custom patterns shortTitle: Custom patterns allowTitleToDifferFromFilename: true -intro: TODO +intro: 'You can extend the capabilities of {% data variables.product.prodname_secret_scanning %} by instructing the feature to search for your own patterns. These patterns, which can range from your servce API keys to connection strings into cloud resources, are referred to as custom patterns.' product: '{% data reusables.gated-features.secret-scanning %}' versions: ghes: '*' 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md index 2c18e9b932..7604bae592 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/index.md @@ -2,7 +2,7 @@ title: Generic secret detection shortTitle: Generic secret detection allowTitleToDifferFromFilename: true -intro: TODO +intro: 'You can use AI in combination with {% data variables.product.prodname_secret_scanning %} to detect unstructured passwords in git content.' product: '{% data reusables.gated-features.secret-scanning %}' versions: feature: secret-scanning-ai-generic-secret-detection @@ -14,4 +14,3 @@ children: - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection --- - diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index 8e9ebb3bb0..0ca68429c6 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md 
@@ -2,7 +2,7 @@ title: Using advanced secret scanning and push protection features shortTitle: Advanced features allowTitleToDifferFromFilename: true -intro: 'TODO.' +intro: 'Learn more about advanced capabilities of {% data variables.secret-scanning.partner_alerts_caps %} and push protection, and assess whether your organization or repository could benefit from using these features.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 8e88bd9d7482fe4831cc30d3007ade9f710cae49 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 16:56:35 +0200 Subject: [PATCH 038/275] made a start on delegated bypass --- .../managing-custom-patterns.md | 2 +- ...out-delegated-bypass-for-push-protection.md | 18 ++++++++++++++++++ ...ing-delegated-bypass-for-push-protection.md | 0 .../index.md | 4 +++- ...ging-requests- to-bypass-push-protection.md | 0 5 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md index b04e5ed74f..4574695776 100644 
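Review bot: The new `intro` in `using-advanced-secret-scanning-and-push-protection-features/index.md` interpolates `variables.secret-scanning.partner_alerts_caps`, which by its name renders the partner-alerts label rather than the product name, so the page would present custom patterns, generic secret detection and delegated bypass as capabilities of partner alerts. The intro this series replaced used `variables.product.prodname_secret_scanning_caps`, and the sibling intros use the product variable; mid-sentence the lower-case form fits: `advanced capabilities of {% data variables.product.prodname_secret_scanning %} and push protection`. The rendered value of the variable is not visible in this patch, so confirm it against the variables file.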
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns.md @@ -1,5 +1,5 @@ --- -title: Managing custom patterns for secret scanning +title: Managing custom patterns shortTitle: Manage custom patterns intro: 'You can view, edit, and remove custom patterns, as well as enable push protection for custom patterns.' product: '{% data reusables.gated-features.secret-scanning %}' diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md new file mode 100644 index 0000000000..7c65ea9807 --- /dev/null +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -0,0 +1,18 @@ +--- +title: About delegated bypass for push protection +intro: 'TODO' +product: '{% data reusables.gated-features.push-protection-for-repos %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: overview +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: Delegated bypass +--- + +TODO 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index 71df8e2faf..8a491ed5b5 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -2,7 +2,7 @@ title: Delegated bypass for push protection shortTitle: Delegated bypass allowTitleToDifferFromFilename: true -intro: 'With delegated bypass, contributors can propose bypassing a block and members of the bypass list can review those bypass requests to allow or deny the content.' +intro: 'With delegated bypass, contributors can propose bypassing a blocked push and members of the bypass list can review those bypass requests to allow or deny the content.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' @@ -12,4 +12,6 @@ topics: - Secret scanning - Advanced Security - Repositories +children: + - /about-delegated-bypass-for-push-protection --- 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md
new file mode 100644
index 0000000000..e69de29bb2
From 17d09a98f54a8da334ef736a4cabbcaea88fa25d Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 16:59:35 +0200
Subject: [PATCH 039/275] fix for failing checks
---
...ging-requests- to-bypass-push-protection.md | 0
...aging-requests-to-bypass-push-protection.md | 18 ++++++++++++++++++
2 files changed, 18 insertions(+)
delete mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md
create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests- to-bypass-push-protection.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
new file mode 100644
index 0000000000..f79f795998
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -0,0 +1,18 @@
+---
+title: Managing requests to bypass push protection
+intro: 'TODO'
+product: '{% data reusables.gated-features.push-protection-for-repos %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: Manage bypass requests
+---
+
+TODO
From 846399ef943ceb2c74e47f6472f92edebe623303 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 17:13:03 +0200
Subject: [PATCH 040/275] fix more failing tests
---
.../delegated-bypass-for-push-protection/index.md | 2 ++
data/learning-tracks/code-security.yml | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
index 8a491ed5b5..4903671147 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
@@ -14,4 +14,6 @@ topics: - Repositories children: - /about-delegated-bypass-for-push-protection + - /enabling-delegated-bypass-for-push-protection + - /managing-requests-to-bypass-push-protection --- diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 113f87c0ca..daa509a42e 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -132,7 +132,7 @@ secret_scanning: {% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{% endif %} - - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md + - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning security_alerts: title: Explore and manage security alerts description: Learn where to find and resolve security alerts. From c069ab52474f78f74d1ef8fb3a4b4d45be4bd9eb Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 17:20:49 +0200 Subject: [PATCH 041/275] I am going nuts --- ...ing-delegated-bypass-for-push-protection.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index e69de29bb2..89a0c70e2d 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
@@ -0,0 +1,18 @@
+---
+title: Enabling delegated bypass for push protection
+intro: 'TODO'
+product: '{% data reusables.gated-features.push-protection-for-repos %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: overview
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: Delegated bypass
+---
+
+TODO
From e35c958dadf2a529e28ddcf0f0283b1da0db3ce6 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 5 Jul 2024 17:41:01 +0200
Subject: [PATCH 042/275] move content across articles
---
 ...tion-for-repositories-and-organizations.md | 75 -------------------
 ...ng-delegated-bypass-for-push-protection.md | 51 +++++++++++--
 ...ging-requests-to-bypass-push-protection.md | 32 +++++++-
 3 files changed, 73 insertions(+), 85 deletions(-)
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index 94b9ca4ddd..6424e4b38d 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -122,81 +122,6 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} -{% ifversion push-protection-delegated-bypass %} - -## Enabling delegated bypass for push protection - -{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} - -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. - -When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. - -If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. - -To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." - -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. 
For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." - -Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. - -### Configuring delegated bypass for an organization - -{% data reusables.organizations.navigate-to-org %} -{% data reusables.organizations.org_settings %} -{% data reusables.organizations.security-and-analysis %} -{% ifversion security-configurations %} - {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} -{% endif %} -{% data reusables.repositories.navigate-to-ghas-settings %} -1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. -1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. -1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. - -### Configuring delegated bypass for a repository - ->[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -1. 
Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. -1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. -1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. - -## Managing requests to bypass push protection - -You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. - -You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: - -|Status|Description| -|---------|-----------| -|`Cancelled`| The request has been cancelled by the contributor.| -|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.| -|`Denied`|The request has been reviewed and denied.| -|`Expired`| The request has expired. Requests are valid for 7 days. | -|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. | - -When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. - -The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. 
- -### Managing requests to bypass push protection at the repository-level - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -{% data reusables.repositories.bypass-requests-settings %} -1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. -1. Click the request that you want to review. -1. Review the details of the request. -1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. - -{% endif %} - ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 89a0c70e2d..360c49ea79 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
@@ -3,16 +3,55 @@ title: Enabling delegated bypass for push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: overview + feature: push-protection-delegated-bypass +type: how_to topics: - Secret scanning - Advanced Security - Alerts - Repositories -shortTitle: Delegated bypass +shortTitle: Enable delegated bypass --- -TODO +## Enabling delegated bypass for push protection + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. + +When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. + +If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. + +To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." 
+ +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." + +Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. + +### Configuring delegated bypass for an organization + +{% data reusables.organizations.navigate-to-org %} +{% data reusables.organizations.org_settings %} +{% data reusables.organizations.security-and-analysis %} +{% ifversion security-configurations %} + {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} +{% endif %} +{% data reusables.repositories.navigate-to-ghas-settings %} +1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. +1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. +1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. + +### Configuring delegated bypass for a repository + +>[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +1. 
Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. +1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. +1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index f79f795998..2d59321711 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md @@ -3,9 +3,7 @@ title: Managing requests to bypass push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' + feature: push-protection-delegated-bypass type: how_to topics: - Secret scanning 
@@ -15,4 +13,30 @@ topics: shortTitle: Manage bypass requests --- -TODO +## Managing requests to bypass push protection + +You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. + +You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: + +|Status|Description| +|---------|-----------| +|`Cancelled`| The request has been cancelled by the contributor.| +|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.| +|`Denied`|The request has been reviewed and denied.| +|`Expired`| The request has expired. Requests are valid for 7 days. | +|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. | + +When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. + +The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. + +### Managing requests to bypass push protection at the repository-level + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.bypass-requests-settings %} +1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. +1. Click the request that you want to review. +1. 
Review the details of the request. +1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. From df3e6572f5844cf89ea263d838bfc6489678fa5c Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:13:25 +0200 Subject: [PATCH 043/275] work --- .../push-protection-for-repositories-and-organizations.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index 6424e4b38d..8679f7522a 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md @@ -122,6 +122,8 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} +TODO: add sentence about delegated bypass and link to new articles. + ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" From 8dcc31f48efde65554dbb81436657dceae533079 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:22:47 +0200 Subject: [PATCH 044/275] add link to further reading --- .../defining-custom-patterns-for-secret-scanning.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 5a1aa2124d..2e539d0b80 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md @@ -172,3 +172,4 @@ After your pattern is created, {% data variables.product.prodname_secret_scannin ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns)" From fc0ea3da3ef8814d07a70a42e9ba7b79d0f356f2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:51:39 +0200 Subject: [PATCH 045/275] more work on delegated bypass --- .../about-delegated-bypass-for-push-protection.md | 10 ++++++---- .../enabling-delegated-bypass-for-push-protection.md | 8 +++++--- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index 7c65ea9807..be950951ed 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -3,9 +3,7 @@ title: About delegated bypass for push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' + feature: push-protection-delegated-bypass type: overview topics: - Secret scanning @@ -15,4 +13,8 @@ topics: shortTitle: Delegated bypass --- -TODO +TODO: + +## About delegated bypass for push protection + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 360c49ea79..b97a77b340 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: Enabling delegated bypass for push protection -intro: 'TODO' +intro: 'You can enable ' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: push-protection-delegated-bypass 
@@ -17,7 +17,7 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. 
@@ -25,7 +25,7 @@ If the request to bypass push protection is approved, the contributor can push t To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. 
@@ -53,5 +53,7 @@ Members of the bypass list are still protected from accidentally pushing secrets {% data reusables.repositories.navigate-to-ghas-settings %} 1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. 1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. + 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. From 8d34e2de8b912b8e87540ab5665e2fbc764c51ae Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 20:53:14 +0200 Subject: [PATCH 046/275] more work on delegated bypass --- .../about-delegated-bypass-for-push-protection.md | 8 ++++++-- ...abling-delegated-bypass-for-push-protection.md | 15 ++++----------- ...managing-requests-to-bypass-push-protection.md | 11 +++++++++-- .../push-protection-delegated-bypass-intro.md | 1 + .../push-protection-delegated-bypass-overview.md | 9 +++++++++ 5 files changed, 29 insertions(+), 15 deletions(-) create mode 100644 data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md create mode 100644 data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index be950951ed..eb091f9bc4 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -13,8 +13,12 @@ topics: shortTitle: Delegated bypass --- -TODO: - ## About delegated bypass for push protection {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-overview %} + +For information about enabling delegated bypass, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index b97a77b340..e4e51cc1dc 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
@@ -1,7 +1,8 @@ --- title: Enabling delegated bypass for push protection -intro: 'You can enable ' +intro: 'You can enable delegated bypass for your organization or repositotory so that you have full control over who can bypass blocks, and which blocks are allowed.' product: '{% data reusables.gated-features.push-protection-for-repos %}' +permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.' versions: feature: push-protection-delegated-bypass type: how_to 
@@ -17,17 +18,9 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." -When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. - -If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. - -To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." 
- -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." - -Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. +To enable this feature, you first need to create a bypass list to add roles and teams who will manage request to bypass push protection. This step is included in the sections below. ### Configuring delegated bypass for an organization diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 2d59321711..063eb8f663 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -1,7 +1,8 @@ --- title: Managing requests to bypass push protection -intro: 'TODO' +intro: 'As a member of the bypass list for an organization or repository, you can process bypass requests from other members of the organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' +permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.' versions: feature: push-protection-delegated-bypass type: how_to @@ -15,7 +16,13 @@ shortTitle: Manage bypass requests ## Managing requests to bypass push protection -You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." + +Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. + +> [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: 
diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md new file mode 100644 index 0000000000..812d54293d --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md @@ -0,0 +1 @@ +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md new file mode 100644 index 0000000000..274a575f4d --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md 
@@ -0,0 +1,9 @@ +When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. + +If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. + +To configure delegated bypass, organization owners or repository administrators need to first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)." + +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." 
+ +Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. From 1cdfcc872024f298e440adfd0b06ec3fa8731d99 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 20:57:16 +0200 Subject: [PATCH 047/275] fix TODO --- .../about-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index eb091f9bc4..3674812d5a 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: About delegated bypass for push protection -intro: 'TODO' +intro: 'With delegated bypass, you can control which teams or roles have the ability to bypass push protection in your organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: push-protection-delegated-bypass From dde39a721d7146cd0914e140a3ad895ea722a2e8 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 8 Jul 2024 21:09:54 +0200
Subject: [PATCH 048/275] fix typo
---
 .../enabling-delegated-bypass-for-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
index e4e51cc1dc..667edff41d 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Enabling delegated bypass for push protection
-intro: 'You can enable delegated bypass for your organization or repositotory so that you have full control over who can bypass blocks, and which blocks are allowed.'
+intro: 'You can enable delegated bypass for your organization or repository so that you have full control over who can bypass blocks, and which blocks are allowed.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.'
 versions:
From 08aa48d234fe62ee5c9111dcac4cb17ce5be861c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 8 Jul 2024 21:20:39 +0200
Subject: [PATCH 049/275] fix failing test hopefully
---
 .../push-protection-for-repositories-and-organizations.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index 8679f7522a..f96fba9437 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -30,7 +30,7 @@ shortTitle: Push protection for repositories {% ifversion push-protection-delegated-bypass %} -By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](#enabling-delegated-bypass-for-push-protection)." +By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." {% endif %} @@ -122,8 +122,6 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} -TODO: add sentence about delegated bypass and link to new articles. - ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" 
From 8fbe293db71fd4085135c2ae65c4c301da2a2520 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 21:45:12 +0200 Subject: [PATCH 050/275] made a start --- .../index.md | 1 + ...-secret-scanning-for-non-provider-patterns.md | 16 ++++++++++++++++ .../non-provider-patterns/index.md | 15 +++++++++++++++ 3 files changed, 32 insertions(+) create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index 0ca68429c6..85f8f4a6ad 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md @@ -13,6 +13,7 @@ topics: - Advanced Security - Repositories children: + - /non-provider-patterns - /generic-secret-detection - /custom-patterns - /delegated-bypass-for-push-protection diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md new file mode 100644 index 0000000000..af6bdc4bc1 --- /dev/null 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -0,0 +1,16 @@ +--- +title: Enabling secret scanning for non provider patterns +intro: 'TODO' +product: '{% data reusables.gated-features.push-protection-for-repos %}' +versions: + feature: secret-scanning-non-provider-patterns +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: Enable for non-provider patterns +--- + +TODO diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md new file mode 100644 index 0000000000..b22c0aa5c3 --- /dev/null +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md @@ -0,0 +1,15 @@ +--- +title: Non provider patterns +shortTitle: Non-provider patterns +allowTitleToDifferFromFilename: true +intro: 'TODO.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + feature: secret-scanning-non-provider-patterns +topics: + - Secret scanning + - Advanced Security + - Repositories +children: + - /enabling-secret-scanning-for-non-provider-patterns +--- From 3bb16bc6393a8f7c62050d1d574c35334e387ea9 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 21:51:47 +0200 Subject: [PATCH 051/275] add hyphen --- .../enabling-secret-scanning-for-non-provider-patterns.md | 3 ++- .../non-provider-patterns/index.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index af6bdc4bc1..42fa784ee3 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,5 +1,6 @@
 ---
-title: Enabling secret scanning for non provider patterns
+title: Enabling secret scanning for non-provider patterns
+allowTitleToDifferFromFilename: true
 intro: 'TODO'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
index b22c0aa5c3..c0ab1f1bed 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
@@ -1,5 +1,5 @@
 ---
-title: Non provider patterns
+title: Non-provider patterns
 shortTitle: Non-provider patterns
 allowTitleToDifferFromFilename: true
 intro: 'TODO.'
From b8fccec4f84ce076c6a7be2d5e32fe2271c2597a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 22:00:18 +0200 Subject: [PATCH 052/275] made a start on procedural section --- ...ing-secret-scanning-for-your-repositories.md | 17 +---------------- ...secret-scanning-for-non-provider-patterns.md | 13 ++++++++++++- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index 47b87aecc5..9094ac6586 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md @@ -82,22 +82,7 @@ You can also use the REST API to enable validity checks for partner patterns for {% endif %} -{% ifversion secret-scanning-non-provider-patterns %} - -### Enabling scanning for non-provider patterns - -{% data reusables.secret-scanning.non-provider-patterns-beta %} - -You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". - -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." - -{% endif %} +TODO: removed non-provider pattern enablement here. {% ifversion secret-scanning-enable-by-default-for-public-repos %} 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md index 42fa784ee3..f39b8f757e 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -14,4 +14,15 @@ topics: shortTitle: Enable for non-provider patterns --- -TODO +## Enabling scanning for non-provider patterns + +{% data reusables.secret-scanning.non-provider-patterns-beta %} + +You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". + +For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." From a816d8499b43b78694061964902e15494249495b Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 22:04:36 +0200 Subject: [PATCH 053/275] fix linter text by adding appropriate versioning --- .../defining-custom-patterns-for-secret-scanning.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 2e539d0b80..4eb763efa0 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md @@ -171,5 +171,5 @@ After your pattern is created, {% data variables.product.prodname_secret_scannin ## Further reading -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" {% ifversion secret-scanning-custom-patterns-metrics %} +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns)"{% endif %} From a3c58f7c4cb5f4868c73de97c5164fa999b83e60 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 22:25:06 +0200 Subject: [PATCH 054/275] fix broken links --- .../configuring-secret-scanning-for-your-repositories.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index 9094ac6586..868d5aea20 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md 
@@ -54,7 +54,7 @@ A repository administrator can choose to disable {% data variables.product.prodn
 You can enable the following additional {% data variables.product.prodname_secret_scanning %} feature{% ifversion ghec or ghes %}s{% endif %} through your repository's "Code security and analysis" settings:
 * **Push protection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository)."{% ifversion secret-scanning-validity-check-partner-patterns %}
 * **Validity checks for partner patterns**. For more infomation, see "[Enabling validity checks for partner patterns](#enabling-validity-checks-for-partner-patterns)."{% endif %}{% ifversion secret-scanning-non-provider-patterns %}
-* **Scanning for non-provider patterns**. For more information, see "[Enabling scanning for non-provider patterns](#enabling-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%}
+* **Scanning for non-provider patterns**. For more information, see "[Enabling scanning for non-provider patterns](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%}
 * **AI-powered generic secret detection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection)."{% endif %}{% ifversion secret-scanning-push-protection-custom-patterns %}
 * **Scanning for custom patterns**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."{% endif %}
From 7339dbc52b2c168843b043d71d17622fa35f679e Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 09:56:35 +0200
Subject: [PATCH 055/275] fix TODOs
---
 .../enabling-secret-scanning-for-non-provider-patterns.md | 2 +-
 .../non-provider-patterns/index.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index f39b8f757e..3824c2ad97 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'TODO'
+intro: 'You can enable {% data variables.product.prodname_secret_scanning %} for non-provider patterns at repository and organization level.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: secret-scanning-non-provider-patterns
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
index c0ab1f1bed..7981affb00 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
@@ -2,7 +2,7 @@
 title: Non-provider patterns
 shortTitle: Non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'TODO.'
+intro: 'Non-provider patterns, such as private keys are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scans for this pattern type, but you can override this behavior.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From d16aeaf25eb36b4edae682ea31ad91526f668181 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 10:20:46 +0200
Subject: [PATCH 056/275] tidying up loose ends
---
 .../configuring-secret-scanning-for-your-repositories.md | 2 --
 .../enabling-secret-scanning-for-non-provider-patterns.md | 6 +++++-
 .../non-provider-patterns/index.md | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
index 868d5aea20..938e3b4460 100644
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
@@ -82,8 +82,6 @@ You can also use the REST API to enable validity checks for partner patterns for
 {% endif %}
-TODO: removed non-provider pattern enablement here.
-
 {% ifversion secret-scanning-enable-by-default-for-public-repos %}
 ## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 3824c2ad97..916ef7ed19 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'You can enable {% data variables.product.prodname_secret_scanning %} for non-provider patterns at repository and organization level.'
+intro: 'You can enable {% data variables.product.prodname_secret_scanning %} for non-provider patterns at the repository and organization levels.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: secret-scanning-non-provider-patterns
@@ -26,3 +26,7 @@ You can enable scanning for non-provider patterns. Non-provider patterns corresp
 1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns".
 For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}."
+
+## Further reading
+
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)"
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
index 7981affb00..5d0ff4b441 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
@@ -2,7 +2,7 @@
 title: Non-provider patterns
 shortTitle: Non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'Non-provider patterns, such as private keys are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scans for this pattern type, but you can override this behavior.'
+intro: 'Non-provider patterns, such as private keys are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scans for this type of pattern, but you can override the default behavior.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From 1a8bdc8f8f9e4da6d9f7017251d1e4b8540d8711 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 10:24:49 +0200
Subject: [PATCH 057/275] typos typos
---
 .../non-provider-patterns/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
index 5d0ff4b441..4a97751ff2 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
@@ -2,7 +2,7 @@
 title: Non-provider patterns
 shortTitle: Non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'Non-provider patterns, such as private keys are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scans for this type of pattern, but you can override the default behavior.'
+intro: 'Non-provider patterns, such as private keys, are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scan for this type of pattern, but you can override the default behavior.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From 78974ea6aa1f10c9118abbb1b08d587900b12d6c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 10:37:37 +0200
Subject: [PATCH 058/275] add new introductory map topic
---
 .../secret-scanning/introduction/index.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 content/code-security/secret-scanning/introduction/index.md
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
new file mode 100644
index 0000000000..f2fdc0ea85
--- /dev/null
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -0,0 +1,15 @@
+---
+title: Introduction to secret scanning
+shortTitle: Secret scanning
+allowTitleToDifferFromFilename: true
+intro: 'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: overview
+topics:
+ - Secret scanning
+ - Advanced Security
+---
From c1b01b2945da6fb15ff405cfc5662c9832958b7e Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 10:46:43 +0200
Subject: [PATCH 059/275] add link to global index file
---
 content/code-security/secret-scanning/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 39f4e2aa6c..86fb7c3474 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -15,6 +15,7 @@ topics:
 - Advanced Security
 - Repositories
 children:
+ - /introduction
 - /about-secret-scanning
 - /configuring-secret-scanning-for-your-repositories
 - /defining-custom-patterns-for-secret-scanning
@@ -32,4 +33,3 @@ children:
 - /troubleshooting-secret-scanning-and-push-protection
 - /secret-scanning-partnership-program
 ---
-
From f16b789db3c834e6671994e4fca9a7dfbbd2cbe2 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:19:34 +0200
Subject: [PATCH 060/275] renamed 1 files
---
 .../secret-scanning/{ => introduction}/about-secret-scanning.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{ => introduction}/about-secret-scanning.md (100%)
diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
similarity index 100%
rename from content/code-security/secret-scanning/about-secret-scanning.md
rename to content/code-security/secret-scanning/introduction/about-secret-scanning.md
From 29cffd185047a8901db7c037330299b3bfb628b9 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:19:40 +0200
Subject: [PATCH 061/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 2 +-
 .../secret-scanning/introduction/about-secret-scanning.md | 1 +
 content/code-security/secret-scanning/introduction/index.md | 3 +++
 data/learning-tracks/code-security.yml | 2 +-
 4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 86fb7c3474..021bf02f7c 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -16,7 +16,6 @@ topics:
 - Repositories
 children:
 - /introduction
- - /about-secret-scanning
 - /configuring-secret-scanning-for-your-repositories
 - /defining-custom-patterns-for-secret-scanning
 - /about-the-regular-expression-generator-for-custom-patterns
@@ -33,3 +32,4 @@ children:
 - /troubleshooting-secret-scanning-and-push-protection
 - /secret-scanning-partnership-program
 ---
+
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index e16760f2f9..a225b8cafe 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -8,6 +8,7 @@ redirect_from:
 - /articles/about-token-scanning-for-private-repositories
 - /github/administering-a-repository/about-secret-scanning
 - /code-security/secret-security/about-secret-scanning
+ - /code-security/secret-scanning/about-secret-scanning
 versions:
 fpt: '*'
 ghes: '*'
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index f2fdc0ea85..aa04863ab5 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -12,4 +12,7 @@ type: overview
 topics:
 - Secret scanning
 - Advanced Security
+children:
+ - /about-secret-scanning
 ---
+
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 82650c37c2..83ed5fd783 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -112,7 +112,7 @@ secret_scanning:
 Set up secret scanning to guard against accidental check-ins of tokens,
 passwords, and other secrets to your repository.
 guides:
- - /code-security/secret-scanning/about-secret-scanning
+ - /code-security/secret-scanning/introduction/about-secret-scanning
 - >-
 /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
 - >-
From e1bdfa4e55679622b1caf99c449e9857c5d682ea Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:22:38 +0200
Subject: [PATCH 062/275] renamed 1 files
---
 .../about-push-protection.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{push-protection-for-repositories-and-organizations.md => introduction/about-push-protection.md} (100%)
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
similarity index 100%
rename from content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
rename to content/code-security/secret-scanning/introduction/about-push-protection.md
From 019575f97e54edcebae1d1636ce238250a691483 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:22:45 +0200
Subject: [PATCH 063/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 .../secret-scanning/introduction/about-push-protection.md | 1 +
 content/code-security/secret-scanning/introduction/index.md | 1 +
 3 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 021bf02f7c..2c1e8ab0e9 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -24,7 +24,6 @@ children:
 - /secret-scanning-patterns
 - /about-the-detection-of-generic-secrets-with-secret-scanning
 - /enabling-ai-powered-generic-secret-detection
- - /push-protection-for-repositories-and-organizations
 - /push-protection-for-users
 - /working-with-push-protection
 - /pushing-a-branch-blocked-by-push-protection
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 9d10a0acb3..eb8598f9b1 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -9,6 +9,7 @@ versions:
 redirect_from:
 - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
 - /code-security/secret-scanning/protecting-pushes-with-secret-scanning
+ - /code-security/secret-scanning/push-protection-for-repositories-and-organizations
 type: how_to
 topics:
 - Secret scanning
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index aa04863ab5..dc0e73a933 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -14,5 +14,6 @@ topics:
 - Advanced Security
 children:
 - /about-secret-scanning
+ - /about-push-protection
 ---
From 355dce11eeae6993ae2f4eea783b70efe7803747 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:34:37 +0200
Subject: [PATCH 064/275] renamed 1 files
---
 .../supported-secret-scanning-patterns.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/code-security/secret-scanning/{secret-scanning-patterns.md => introduction/supported-secret-scanning-patterns.md} (100%)
diff --git a/content/code-security/secret-scanning/secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
similarity index 100%
rename from content/code-security/secret-scanning/secret-scanning-patterns.md
rename to content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
From 22b650c9a13ee6e2dedef5cdca9a311c8f47f851 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:34:44 +0200
Subject: [PATCH 065/275] set redirect_from on 1 files
---
 content/code-security/secret-scanning/index.md | 1 -
 content/code-security/secret-scanning/introduction/index.md | 1 +
 .../introduction/supported-secret-scanning-patterns.md | 1 +
 data/learning-tracks/code-security.yml | 2 +-
 4 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 2c1e8ab0e9..e17e515d5b 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -21,7 +21,6 @@ children:
 - /about-the-regular-expression-generator-for-custom-patterns
 - /generating-regular-expressions-for-custom-patterns-with-ai
 - /managing-alerts-from-secret-scanning
- - /secret-scanning-patterns
 - /about-the-detection-of-generic-secrets-with-secret-scanning
 - /enabling-ai-powered-generic-secret-detection
 - /push-protection-for-users
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index dc0e73a933..51fab79754 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -15,5 +15,6 @@ topics:
 children:
 - /about-secret-scanning
 - /about-push-protection
+ - /supported-secret-scanning-patterns
 ---
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
index 595f8fb253..a61596619c 100644
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
@@ -12,6 +12,7 @@ topics:
 - Advanced Security
 redirect_from:
 - /code-security/secret-scanning/secret-scanning-partners
+ - /code-security/secret-scanning/secret-scanning-patterns
 layout: inline
 ---
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 83ed5fd783..5130dbaff5 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -120,7 +120,7 @@ secret_scanning:
 %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning{%
 endif %}
 - /code-security/secret-scanning/managing-alerts-from-secret-scanning
- - /code-security/secret-scanning/secret-scanning-patterns
+ - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
 - >-
 {% ifversion secret-scanning-push-protection
 %}/code-security/secret-scanning/push-protection-for-repositories-and-organizations{%
From f24c26e85b25b29d3f213a9588b5302bfa9c0ddf Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:42:32 +0200
Subject: [PATCH 066/275] add brand new article
---
 .../introduction/about-push-protection.md | 4 ++--
 .../about-secret-scanning-for-partners.md | 12 ++++++++++++
 .../secret-scanning/introduction/index.md | 2 +-
 .../supported-secret-scanning-patterns.md | 3 ++-
 4 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index eb8598f9b1..86d6a86609 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Push protection for repositories and organizations
+title: About push protection
 intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
@@ -16,7 +16,7 @@ topics:
 - Advanced Security
 - Alerts
 - Repositories
-shortTitle: Push protection for repositories
+shortTitle: Push protection
 ---
 {% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
new file mode 100644
index 0000000000..f8cfb53571
--- /dev/null
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -0,0 +1,12 @@
+---
+title: About secret scanning for partners
+intro: 'TODO'
+versions:
+ fpt: '*'
+ ghes: '*'
+type: overview
+topics:
+ - Secret scanning
+ - Advanced Security
+shortTitle: Secret scanning for partners
+---
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index 51fab79754..506adc1289 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -15,6 +15,6 @@ topics:
 children:
 - /about-secret-scanning
 - /about-push-protection
+ - /about-secret-scanning-for-partners
 - /supported-secret-scanning-patterns
 ---
-
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
index a61596619c..d71229db64 100644
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
@@ -1,5 +1,5 @@
 ---
-title: Secret scanning patterns
+title: Supported secret scanning patterns
 intro: 'Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
@@ -14,6 +14,7 @@ redirect_from:
 - /code-security/secret-scanning/secret-scanning-partners
 - /code-security/secret-scanning/secret-scanning-patterns
 layout: inline
+shortTitle: Supported patterns
 ---
 {% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
From 3e7b72a819900666964291a8a40a273a7063b7c1 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 12:00:46 +0200
Subject: [PATCH 067/275] trying to fix failing test
---
 data/learning-tracks/code-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 5130dbaff5..0a5af66553 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -123,7 +123,7 @@ secret_scanning:
 - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
 - >-
 {% ifversion secret-scanning-push-protection
- %}/code-security/secret-scanning/push-protection-for-repositories-and-organizations{%
+ %}/code-security/secret-scanning/introduction/about-push-protection{%
 endif %}
 - >-
 {% ifversion secret-scanning-push-protection-for-users
From 242b01db770a2e90f15c153e031826d04ac273c4 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 12:57:27 +0200
Subject: [PATCH 068/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
Co-authored-by: Felicity Chapman
---
 .../custom-patterns/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
index bb8f6e9f7b..dcf8018023 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/index.md
@@ -2,7 +2,7 @@
 title: Custom patterns
 shortTitle: Custom patterns
 allowTitleToDifferFromFilename: true
-intro: 'You can extend the capabilities of {% data variables.product.prodname_secret_scanning %} by instructing the feature to search for your own patterns. These patterns, which can range from your servce API keys to connection strings into cloud resources, are referred to as custom patterns.'
+intro: 'You can extend the capabilities of {% data variables.product.prodname_secret_scanning %} to search for your own patterns. These custom patterns can range from your service API keys to connection strings into cloud resources.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 ghes: '*'
From e47882cd1d8edbc092624267df54aee33a74ffcb Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 12:58:21 +0200
Subject: [PATCH 069/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
Co-authored-by: Felicity Chapman
---
 .../custom-patterns/metrics-for-custom-patterns.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
index ae45e17f4d..619db12b1b 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Metrics for custom patterns
 shortTitle: Custom pattern metrics
-intro: 'You can view alert metrics for custom patterns at the repository, organization, and enterprise levels, from within {% data variables.product.product_name %}.'
+intro: 'You can view alert metrics for custom patterns at the repository, organization, and enterprise levels.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 feature: secret-scanning-custom-patterns-metrics
From a149295589587ac3bb98132fd2b1b074083ce5c5 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 13:00:05 +0200
Subject: [PATCH 070/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
Co-authored-by: Felicity Chapman
---
 .../index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index 0ca68429c6..9741aca909 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -2,7 +2,7 @@
 title: Using advanced secret scanning and push protection features
 shortTitle: Advanced features
 allowTitleToDifferFromFilename: true
-intro: 'Learn more about advanced capabilities of {% data variables.secret-scanning.partner_alerts_caps %} and push protection, and assess whether your organization or repository could benefit from using these features.'
+intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company..'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 8c2349d67d3c78224b6e77cd0c7efadfa530386e Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 13:01:32 +0200
Subject: [PATCH 071/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
Co-authored-by: Felicity Chapman
---
 .../delegated-bypass-for-push-protection/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
index 4903671147..c22caaba11 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
@@ -2,7 +2,7 @@
 title: Delegated bypass for push protection
 shortTitle: Delegated bypass
 allowTitleToDifferFromFilename: true
-intro: 'With delegated bypass, contributors can propose bypassing a blocked push and members of the bypass list can review those bypass requests to allow or deny the content.'
+intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 22491eb1116f54c29605fcedad4e7ad353cae400 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 9 Jul 2024 14:00:55 +0200
Subject: [PATCH 072/275] hopefully fix failing test
---
 src/fixtures/fixtures/versionless-redirects.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fixtures/fixtures/versionless-redirects.txt b/src/fixtures/fixtures/versionless-redirects.txt
index 9340d6a358..2ed338b1ff 100644
--- a/src/fixtures/fixtures/versionless-redirects.txt
+++ b/src/fixtures/fixtures/versionless-redirects.txt
@@ -378,7 +378,7 @@ # FPT versioning for these files was removed as part of github/docs-content#5642 -/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning +/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning - /code-security/secret-security/defining-custom-patterns-for-secret-scanning - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning From 204899db9d17d2e117da34d8ce780e8d8ddb962e Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 14:17:40 +0200 Subject: [PATCH 073/275] Update src/fixtures/fixtures/versionless-redirects.txt --- src/fixtures/fixtures/versionless-redirects.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/fixtures/fixtures/versionless-redirects.txt b/src/fixtures/fixtures/versionless-redirects.txt index 2ed338b1ff..9340d6a358 100644 --- a/src/fixtures/fixtures/versionless-redirects.txt +++ b/src/fixtures/fixtures/versionless-redirects.txt @@ -378,7 +378,7 @@ # FPT versioning for these files was removed as part of github/docs-content#5642 -/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning +/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning - /code-security/secret-security/defining-custom-patterns-for-secret-scanning - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning From 1ec9ea0366e3f2b88a66882421e7fce100b64736 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Tue, 9 Jul 2024 13:27:05 +0100 Subject: [PATCH 074/275] Update index.md to add missing quote --- .../delegated-bypass-for-push-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index c22caaba11..6546c4d8f3 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -2,7 +2,7 @@ title: Delegated bypass for push protection shortTitle: Delegated bypass allowTitleToDifferFromFilename: true -intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request. +intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 16c85818a076e8eedf69909b67060ab14bf81027 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 14:30:07 +0200 Subject: [PATCH 075/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md --- .../delegated-bypass-for-push-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index c22caaba11..6546c4d8f3 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -2,7 +2,7 @@ title: Delegated bypass for push protection shortTitle: Delegated bypass allowTitleToDifferFromFilename: true -intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request. +intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 8c4dd85a4aff516c3da2f69f000ab9f4ad989840 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 14:36:00 +0200 Subject: [PATCH 076/275] make a start on this article --- .../introduction/about-secret-scanning-for-partners.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index f8cfb53571..a8eab359dd 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -10,3 +10,9 @@ topics: - Advanced Security shortTitle: Secret scanning for partners --- + +## About {% data variables.secret-scanning.partner_alerts %} + +When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." + +You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. From f1a1c988ee9d08373580b7624a15a74ec20d78ee Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 14:38:31 +0200 Subject: [PATCH 077/275] trying to fix the failing test again --- src/fixtures/fixtures/versionless-redirects.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/fixtures/fixtures/versionless-redirects.txt b/src/fixtures/fixtures/versionless-redirects.txt index 9340d6a358..2ed338b1ff 100644 --- a/src/fixtures/fixtures/versionless-redirects.txt +++ b/src/fixtures/fixtures/versionless-redirects.txt 
@@ -378,7 +378,7 @@ # FPT versioning for these files was removed as part of github/docs-content#5642 -/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning +/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning - /code-security/secret-security/defining-custom-patterns-for-secret-scanning - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning From d601e9ebd7b2543958401ded39412d3868c5e779 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 15:15:50 +0200 Subject: [PATCH 078/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md Co-authored-by: Felicity Chapman --- .../about-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index 3674812d5a..95e974880a 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md 
@@ -1,6 +1,6 @@ --- title: About delegated bypass for push protection -intro: 'With delegated bypass, you can control which teams or roles have the ability to bypass push protection in your organization or repository.' +intro: 'You can control which teams or roles have the ability to bypass push protection in your organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: push-protection-delegated-bypass From be948a1adaa47e0e77c36c8b2ca2fb7dbd3d2f64 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 15:16:13 +0200 Subject: [PATCH 079/275] Update data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md Co-authored-by: Felicity Chapman --- .../secret-scanning/push-protection-delegated-bypass-intro.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md index 812d54293d..cffdc83e63 100644 --- a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md @@ -1 +1 @@ -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. +Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors. From a590917fcae6acd538a5f9ca582971a7a26bf625 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 15:22:14 +0200 Subject: [PATCH 080/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md Co-authored-by: Felicity Chapman --- .../enabling-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 667edff41d..12fe1b2947 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: Enabling delegated bypass for push protection -intro: 'You can enable delegated bypass for your organization or repository so that you have full control over who can bypass blocks, and which blocks are allowed.' +intro: 'You can use delegated bypass for your organization or repository to control who can push commits that contain secrets identified by {% data variables.product.prodname_secret_scanning %}.' product: '{% data reusables.gated-features.push-protection-for-repos %}' permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.' versions: 
From fac345218e0ccb08fa017cb4f01587770276a135 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 18:01:24 +0200 Subject: [PATCH 081/275] more work --- .../introduction/about-secret-scanning-for-partners.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index a8eab359dd..bb92155920 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
@@ -13,6 +13,12 @@ shortTitle: Secret scanning for partners ## About {% data variables.secret-scanning.partner_alerts %} -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +TODO: Provide high-level overview of partner program + +**Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages. You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. + +When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
+ +For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." From 9f4a97972c27d1a15dd55b8b72087dd376429403 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 08:48:13 +0000 Subject: [PATCH 082/275] new map topic, new index, enable article --- .../index.md | 15 ++++++++++ ...anning-for-your-user-owned-repositories.md | 28 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md create mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md new file mode 100644 index 0000000000..49133826ef --- /dev/null +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -0,0 +1,15 @@ +--- +title: Working with secret scanning and push protection +shortTitle: Work with secret scanning +allowTitleToDifferFromFilename: true +intro: 'TODO' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +topics: + - Secret scanning + - Advanced Security + - Repositories +--- diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md new file mode 100644 index 0000000000..3e55f4e4b5 --- /dev/null 
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md 
@@ -0,0 +1,28 @@ +--- +title: Enabling secret scanning alerts for your user-owned repositories +shortTitle: Secret scanning alerts for user-owned repositories +intro: 'TODO' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: secret-scanning-enable-by-default-for-public-repos +type: how_to +topics: + - Secret scanning + - Advanced Security + - Troubleshooting +redirect_from: + - /TODO +--- + +## About {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories + +You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. + +>! NOTE +> As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". + +## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories + +{% data reusables.user-settings.access_settings %} +{% data reusables.user-settings.security-analysis %} +1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. +{% data reusables.secret-scanning.push-protection-optional-enable %} From 9e8dd32ec43c2cc4a7dc888576b9299e118a8c7b Mon Sep 17 00:00:00 2001 
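Review bot: The callout in the new article is written as `>! NOTE`, which is not the alert marker that GitHub-flavoured Markdown recognises; `> [!NOTE]` is the form that renders as a note, and without it the default-enablement notice will probably appear as a plain block quote. The front matter also ships placeholders: `redirect_from: - /TODO` would presumably register a redirect from a literal `/TODO` path and is better removed until a real legacy URL exists, and `intro: 'TODO'` would be published as the page summary. Under the "Enabling …" heading the step tells readers to click `**Disable all** or **Enable all**`; since the section is about turning secret scanning on, `click **Enable all**` avoids someone switching the protection off while following the procedure. The `Troubleshooting` topic also looks carried over from another article.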
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 08:55:42 +0000 Subject: [PATCH 083/275] renamed 1 files --- .../push-protection-for-users.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/code-security/secret-scanning/{ => working-with-secret-scanning-and-push-protection}/push-protection-for-users.md (100%) diff --git a/content/code-security/secret-scanning/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md similarity index 100% rename from content/code-security/secret-scanning/push-protection-for-users.md rename to content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md From 4b9f5c083029b146ce6cfc920b722fc76c2b4358 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 08:55:45 +0000 Subject: [PATCH 084/275] set redirect_from on 1 files --- content/code-security/secret-scanning/index.md | 2 +- .../index.md | 5 ++++- .../push-protection-for-users.md | 2 ++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 86fb7c3474..ac614c5718 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -26,10 +26,10 @@ children: - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection - /push-protection-for-repositories-and-organizations - - /push-protection-for-users - /working-with-push-protection - /pushing-a-branch-blocked-by-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program --- + 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index 49133826ef..0308ee8755 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -2,7 +2,7 @@ title: Working with secret scanning and push protection shortTitle: Work with secret scanning allowTitleToDifferFromFilename: true -intro: 'TODO' +intro: TODO product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' @@ -12,4 +12,7 @@ topics: - Secret scanning - Advanced Security - Repositories +children: + - /push-protection-for-users --- + diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md index 46de326d80..c15343611c 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md @@ -10,6 +10,8 @@ topics: - Advanced Security - Alerts - User account +redirect_from: + - /code-security/secret-scanning/push-protection-for-users --- ## About push protection for users From 425d942c8a7836da02a385cd0c8b3431288f86d6 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 09:05:50 +0000 Subject: [PATCH 085/275] create new article cmd line - add redirect to index --- .../index.md | 3 +++ ...with-push-protection-from-the-command-line.md | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index 0308ee8755..d2de1faaf0 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -13,6 +13,9 @@ topics: - Advanced Security - Repositories children: + - /secret-scanning-for-your-user-owned-repositories - /push-protection-for-users +redirect_from: + - /code-security/secret-scanning/working-with-push-protection --- diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md new file mode 100644 index 0000000000..d4ceeb505c --- /dev/null +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -0,0 +1,16 @@ +--- +title: Working with push protection from the command line +shortTitle: Push protection from the command line +intro: 'TODO' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +--- From 214380526a8e0a255bcb18b72ce6048f001db6f3 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 10 Jul 2024 12:16:48 +0000 Subject: [PATCH 086/275] more edits --- .../code-security/secret-scanning/index.md | 1 + .../index.md | 2 + ...anning-for-your-user-owned-repositories.md | 3 +- ...h-push-protection-from-the-command-line.md | 153 +++++++++++++++++- 4 files changed, 157 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index ac614c5718..159014016d 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -28,6 +28,7 @@ children: - /push-protection-for-repositories-and-organizations - /working-with-push-protection - /pushing-a-branch-blocked-by-push-protection + - /working-with-secret-scanning-and-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index d2de1faaf0..ea975f0e4e 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md 
@@ -15,7 +15,9 @@ topics: children: - /secret-scanning-for-your-user-owned-repositories - /push-protection-for-users + - /working-with-push-protection-from-the-command-line redirect_from: - /code-security/secret-scanning/working-with-push-protection + - /code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection --- diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md index 3e55f4e4b5..87d634f155 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md @@ -3,7 +3,8 @@ title: Enabling secret scanning alerts for your user-owned repositories shortTitle: Secret scanning alerts for user-owned repositories intro: 'TODO' product: '{% data reusables.gated-features.secret-scanning %}' -versions: secret-scanning-enable-by-default-for-public-repos +versions: + feature: secret-scanning-enable-by-default-for-public-repos type: how_to topics: - Secret scanning diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index d4ceeb505c..8c415c04b2 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
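Review bot: The two `redirect_from` entries on this map topic, `/code-security/secret-scanning/working-with-push-protection` and the newly added `/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection`, name paths that the parent `secret-scanning/index.md` in this same commit still lists under `children`. A path cannot sensibly be both a live child page and a redirect source, so either the two old articles should be moved or removed in the same change, or these redirects should wait until they are. How the docs build resolves the clash is not visible from the patch, so it is worth checking that readers following existing links to the blocked-push guidance still land on it.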
@@ -1,6 +1,6 @@ --- title: Working with push protection from the command line -shortTitle: Push protection from the command line +shortTitle: Work with push protection from the command line intro: 'TODO' product: '{% data reusables.gated-features.secret-scanning %}' versions: 
@@ -14,3 +14,154 @@ topics: - Alerts - Repositories --- + +## About push protection from the command line + +Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets. + +When you attempt to push a supported secret from the command line to a repository secured by push protection, {% data variables.product.prodname_dotcom %} will block the push. + +You should either: + +* **Remove** the secret from your branch. For more information, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." +* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line)"{% ifversion push-protection-delegated-bypass %} and "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line){% endif %}." + +Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. + +{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." + +If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. 
For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." + +{% data reusables.secret-scanning.push-protection-multiple-branch-note %} + +In some cases, you may need to bypass the block on a secret. {% ifversion push-protection-delegated-bypass %} Whether or not you are able to bypass the block depends on the permissions that have been set for you by your repository administrator or organization owner. + +You may be able to bypass the block by specifying a reason for allowing the push. {% endif %} For more information on how to bypass push protection and push a blocked secret, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line)." + +{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to push the secret. For information on how to request permission to bypass push protection and push the blocked secret, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)." + +{% endif %} + +## Resolving a blocked push from the command line + +To resolve a blocked push, you must remove the secret from all of the commits it appears in. +* If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." +* If the secret appears in multiple earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." + +### Removing a secret introduced by the latest commit on your branch + +If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. + +1. Remove the secret from your code. +1. 
To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit. +1. Push your changes with `git push`. + +### Removing a secret introduced by an earlier commit on your branch + +You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. + +1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. + + ```text + remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} —————————————————————— + remote: locations: + remote: - commit: 8728dbe67 + remote: path: README.md:4 + remote: - commit: 03d69e5d3 + remote: path: README.md:4 + remote: - commit: 8053f7b27 + remote: path: README.md:4 + ``` + +1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps. + + ```text + test-repo (test-branch)]$ git log + commit 8053f7b27 (HEAD -> main) + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 13:03:37 2024 +0100 + + my fourth commit message + + commit 03d69e5d3 + Author: Octocat <1000+octocat@users.noreply.github.com> + Date: Tue Jan 30 13:02:59 2024 +0100 + + my third commit message + + commit 8728dbe67 + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 13:01:36 2024 +0100 + + my second commit message + + commit 6057cbe51 + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 12:58:24 2024 +0100 + + my first commit message + +1. Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history. + * In the example, commit `8728dbe67` was the first commit to contain the secret. +1. 
Start an interactive rebase with `git rebase -i ~1`. + * For ``, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`. +1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text. + + ```text + edit 8728dbe67 my second commit message + pick 03d69e5d3 my third commit message + pick 8053f7b27 my fourth commit message + ``` + +1. Save and close the editor to start the interactive rebase. +1. Remove the secret from your code. +1. Commit your changes using `git commit --amend`. +1. Run `git rebase --continue` to finish the rebase. +1. Push your changes with `git push`. + +## Bypassing push protection when working from the command line + +If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed. + +{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} + +{% data reusables.secret-scanning.push-protection-allow-email %} + +{% ifversion push-protection-delegated-bypass %} + +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line)." + +{% endif %} + +{% data reusables.secret-scanning.push-protection-visit-URL %} +{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} +{% data reusables.secret-scanning.push-protection-public-repos-bypass %} +1. Click **Allow me to push this secret**. +1. Reattempt the push on the command line within three hours. 
If you have not pushed within three hours, you will need to repeat this process. + +{% ifversion push-protection-delegated-bypass %} + +## Requesting bypass privileges when working from the command line + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. + +Requests expire after 7 days. + +{% data reusables.secret-scanning.push-protection-visit-URL %} +{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} +{% data reusables.secret-scanning.push-protection-submit-bypass-request %} +{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} + +{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} + +If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. + +If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." + +{% endif %} + +## Further reading + +* TODO From 264263a00566ade2dd4460272f978b5aaab8f1f4 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 13:30:07 +0100 Subject: [PATCH 087/275] fix linter --- .../index.md | 4 +- ...g-with-push-protection-in-the-github-ui.md | 163 ++++++++++++++++++ 2 files changed, 165 insertions(+), 2 deletions(-) create mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
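Review bot: The last link in the "About push protection from the command line" section points to `#requesting-bypass-privileges-when-working-with-the-command-line`, but the heading added further down is "Requesting bypass privileges when working from the command line", so the anchor matches nothing on the page. The other two links to that section already use the `from` form, so this one should read `[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line)`. A contributor who is blocked and has no direct bypass option is the reader most likely to follow that link. Separately, the `git log` sample under step 2 opens a `text` fence that, as shown here, is never closed before "1. Focusing only on the commits…", and three of its four `Author:` lines lack the closing `>`. The same sample is copied into the new UI article in the next patch of this series.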
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md index ea975f0e4e..8a1abc5f94 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md @@ -2,7 +2,7 @@ title: Working with secret scanning and push protection shortTitle: Work with secret scanning allowTitleToDifferFromFilename: true -intro: TODO +intro: 'TODO' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' @@ -16,8 +16,8 @@ children: - /secret-scanning-for-your-user-owned-repositories - /push-protection-for-users - /working-with-push-protection-from-the-command-line + - /working-with-push-protection-in-the-github-ui redirect_from: - /code-security/secret-scanning/working-with-push-protection - /code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection --- - diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md new file mode 100644 index 0000000000..02e9ac957e --- /dev/null +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -0,0 +1,163 @@ +--- +title: Working with push protection in the GitHub UI +shortTitle: Work with push protection in the GitHub UI +intro: 'TODO' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +--- + +## About push protection in the {% data variables.product.prodname_dotcom %} UI + +Push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets. + +{% data reusables.secret-scanning.push-protection-web-ui-choice %} + +You should either: + +* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI](#resolving-a-blocked-commit-in-the-github-ui)." +* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui)"{% ifversion push-protection-delegated-bypass %} and "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui){% endif %}." + +{% ifversion push-protection-block-uploads %} + +{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. The dialog box will show you which files contain the secret. You should remove the secret from the files before attempting to upload the files again. + +{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %} + +{% endif %} + +{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. 
If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. + +Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. + +You may be able to bypass the block by specifying a reason for allowing the secret to be committed. For more information on how to bypass push protection and commit the blocked secret, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui)." + +{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to commit the secret. For information on how to request permission to bypass push protection and allow the secret, see "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui)." + +{% endif %} + +## Resolving a blocked push from the command line + +TODO +To resolve a blocked push, you must remove the secret from all of the commits it appears in. +* If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." +* If the secret appears in multiple earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." 
+ +### Removing a secret introduced by the latest commit on your branch + +If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. + +1. Remove the secret from your code. +1. To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit. +1. Push your changes with `git push`. + +### Removing a secret introduced by an earlier commit on your branch + +You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. + +1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. + + ```text + remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} —————————————————————— + remote: locations: + remote: - commit: 8728dbe67 + remote: path: README.md:4 + remote: - commit: 03d69e5d3 + remote: path: README.md:4 + remote: - commit: 8053f7b27 + remote: path: README.md:4 + ``` + +1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps. + + ```text + test-repo (test-branch)]$ git log + commit 8053f7b27 (HEAD -> main) + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 13:03:37 2024 +0100 + + my fourth commit message + + commit 03d69e5d3 + Author: Octocat <1000+octocat@users.noreply.github.com> + Date: Tue Jan 30 13:02:59 2024 +0100 + + my third commit message + + commit 8728dbe67 + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 13:01:36 2024 +0100 + + my second commit message + + commit 6057cbe51 + Author: Octocat <1000+octocat@users.noreply.github.com + Date: Tue Jan 30 12:58:24 2024 +0100 + + my first commit message + +1. 
Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history. + * In the example, commit `8728dbe67` was the first commit to contain the secret. +1. Start an interactive rebase with `git rebase -i ~1`. + * For ``, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`. +1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text. + + ```text + edit 8728dbe67 my second commit message + pick 03d69e5d3 my third commit message + pick 8053f7b27 my fourth commit message + ``` + +1. Save and close the editor to start the interactive rebase. +1. Remove the secret from your code. +1. Commit your changes using `git commit --amend`. +1. Run `git rebase --continue` to finish the rebase. +1. Push your changes with `git push`. + +## Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI + +If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret. + +{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} + +{% data reusables.secret-scanning.push-protection-allow-email %} + +1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. +{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} +{% data reusables.secret-scanning.push-protection-public-repos-bypass %} +1. Click **Allow secret**. 
+ +{% ifversion push-protection-delegated-bypass %} + +## Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. + +Requests expire after 7 days. + +{% data reusables.secret-scanning.push-protection-visit-URL %} +{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} +{% data reusables.secret-scanning.push-protection-submit-bypass-request %} +{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} + +{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} + +If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. + +If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." + +{% endif %} + +## Further reading + +* TODO From c8bf36d79636b5454d0d8d51840075e08d2edb68 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 16:53:18 +0100 Subject: [PATCH 088/275] finishing UI section --- ...g-with-push-protection-in-the-github-ui.md | 87 ++----------------- 1 file changed, 8 insertions(+), 79 deletions(-) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index 02e9ac957e..fe9a8770db 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -44,83 +44,11 @@ You may be able to bypass the block by specifying a reason for allowing the secr {% endif %} -## Resolving a blocked push from the command line +## Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI -TODO -To resolve a blocked push, you must remove the secret from all of the commits it appears in. -* If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." -* If the secret appears in multiple earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." +{% data reusables.secret-scanning.push-protection-web-ui-choice %} -### Removing a secret introduced by the latest commit on your branch - -If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. - -1. Remove the secret from your code. -1. To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit. -1. Push your changes with `git push`. - -### Removing a secret introduced by an earlier commit on your branch - -You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. - -1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. 
- - ```text - remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} —————————————————————— - remote: locations: - remote: - commit: 8728dbe67 - remote: path: README.md:4 - remote: - commit: 03d69e5d3 - remote: path: README.md:4 - remote: - commit: 8053f7b27 - remote: path: README.md:4 - ``` - -1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps. - - ```text - test-repo (test-branch)]$ git log - commit 8053f7b27 (HEAD -> main) - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 13:03:37 2024 +0100 - - my fourth commit message - - commit 03d69e5d3 - Author: Octocat <1000+octocat@users.noreply.github.com> - Date: Tue Jan 30 13:02:59 2024 +0100 - - my third commit message - - commit 8728dbe67 - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 13:01:36 2024 +0100 - - my second commit message - - commit 6057cbe51 - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 12:58:24 2024 +0100 - - my first commit message - -1. Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history. - * In the example, commit `8728dbe67` was the first commit to contain the secret. -1. Start an interactive rebase with `git rebase -i ~1`. - * For ``, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`. -1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text. - - ```text - edit 8728dbe67 my second commit message - pick 03d69e5d3 my third commit message - pick 8053f7b27 my fourth commit message - ``` - -1. Save and close the editor to start the interactive rebase. -1. Remove the secret from your code. -1. Commit your changes using `git commit --amend`. -1. Run `git rebase --continue` to finish the rebase. -1. 
Push your changes with `git push`. +To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. ## Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI 
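Review bot: The new "Resolving a blocked commit" section opens with `{% data reusables.secret-scanning.push-protection-web-ui-choice %}`, which this article already includes near the top of "About push protection in the GitHub UI". The reusable's text is not visible in this patch, but if it is the paragraph describing the block dialog, readers will see it twice within a few screens. I would drop the second include and let the section start at `To resolve a blocked commit in the web UI, you need to remove the secret from the file.`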
@@ -141,20 +69,21 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. +If your commit has been blocked by push protection, you can request permission to bypass the block. The request is sent to a designated group of reviewers, who will either approve or deny the request. Requests expire after 7 days. -{% data reusables.secret-scanning.push-protection-visit-URL %} +1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. +1. Click **Start request**. The request will open in a new tab. {% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} {% data reusables.secret-scanning.push-protection-submit-bypass-request %} {% data reusables.secret-scanning.push-protection-bypass-request-check-email %} {% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} -If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. +If your request is approved, you can commit the changes containing the secret to the file. You can also commit any future changes that contain the same secret. -If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." +If your request is denied, you will need to remove the secret from the file before you can commit your changes. {% endif %} 
From 89966b8644871f59064dd2ec4ba933060b1a5f0f Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 16:54:28 +0100 Subject: [PATCH 089/275] removing old article --- .../code-security/secret-scanning/index.md | 2 - .../working-with-push-protection.md | 161 ------------------ 2 files changed, 163 deletions(-) delete mode 100644 content/code-security/secret-scanning/working-with-push-protection.md diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 159014016d..6ed4b56d74 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -26,11 +26,9 @@ children: - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection - /push-protection-for-repositories-and-organizations - - /working-with-push-protection - /pushing-a-branch-blocked-by-push-protection - /working-with-secret-scanning-and-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program --- - diff --git a/content/code-security/secret-scanning/working-with-push-protection.md b/content/code-security/secret-scanning/working-with-push-protection.md deleted file mode 100644 index aad2145164..0000000000 --- a/content/code-security/secret-scanning/working-with-push-protection.md +++ /dev/null 
@@ -1,161 +0,0 @@ ---- -title: Working with push protection -intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets. To push a commit containing a secret, you must specify a reason for bypassing the block{% ifversion push-protection-delegated-bypass %}, or, if required, request bypass privileges to bypass the block{% endif %}.' -product: '{% data reusables.gated-features.push-protection-for-repos %}' -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Work with push protection ---- - -## About working with push protection - -Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets. - -You can work with push protection from the command line or from the web UI. - -For more information on working with push protection, including how to bypass the block if necessary, see "[Using push protection from the command line](#using-push-protection-from-the-command-line)" and "[Using push protection from the web UI](#using-push-protection-from-the-web-ui)" in this article. - -## Using push protection from the command line - -{% data reusables.secret-scanning.push-protection-command-line-choice %} - -Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. - -{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)." - -If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. 
For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." - -{% data reusables.secret-scanning.push-protection-multiple-branch-note %} - -In some cases, you may need to bypass the block on a secret. {% ifversion push-protection-delegated-bypass %} Whether or not you are able to bypass the block depends on the permissions that have been set for you by your repository administrator or organization owner. - -You may be able to bypass the block by specifying a reason for allowing the push. {% endif %} For more information on how to bypass push protection and push a blocked secret, see "[Bypassing push protection when working with the command line](#bypassing-push-protection-when-working-with-the-command-line)." - -{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to push the secret. For information on how to request permission to bypass push protection and push the blocked secret, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)." - -{% endif %} - -### Bypassing push protection when working with the command line - -If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed. 
- -{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} - -{% data reusables.secret-scanning.push-protection-allow-email %} - -{% ifversion push-protection-delegated-bypass %} - -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)." - -{% endif %} - -{% data reusables.secret-scanning.push-protection-visit-URL %} -{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} -{% data reusables.secret-scanning.push-protection-public-repos-bypass %} -1. Click **Allow me to push this secret**. -1. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process. - -{% ifversion push-protection-delegated-bypass %} - -### Requesting bypass privileges when working with the command line - -{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} - -If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. - -Requests expire after 7 days. 
- -{% data reusables.secret-scanning.push-protection-visit-URL %} -{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} -{% data reusables.secret-scanning.push-protection-submit-bypass-request %} -{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} - -{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} - -If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. - -If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)." - -{% endif %} - -## Using push protection from the web UI - -{% data reusables.secret-scanning.push-protection-web-ui-choice %} - -For a blocked commit, you can remove the secret from the file using the web UI. Once you remove the secret, you will be able to commit your changes. - -{% ifversion push-protection-block-uploads %} - -{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. The dialog box will show you which files contain the secret. You should remove the secret from the files before attempting to upload the files again. - -{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %} - -{% endif %} - -{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. - -Organization owners can provide a custom link that will be displayed when a push is blocked. 
This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. - -You may be able to bypass the block by specifying a reason for allowing the secret. For more information on how to bypass push protection and commit the blocked secret, see "[Bypassing push protection when working with the web UI](#bypassing-push-protection-when-working-with-the-web-ui)." - -{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to commit your changes. For information on how to request permission to bypass push protection and allow the commit containing the secret, see "[Requesting bypass privileges when working with the web UI](#requesting-bypass-privileges-when-working-with-the-web-ui)."{% endif %} - -### Bypassing push protection when working with the web UI - -{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-in-the-web-ui)." - -If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." - -If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret. 
- -{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} - -{% data reusables.secret-scanning.push-protection-allow-email %} - -{% ifversion push-protection-delegated-bypass %} - -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to commit your changes. For more information, see "[Requesting bypass privileges when working with the web UI](#requesting-bypass-privileges-when-working-with-the-web-ui)." - -{% endif %} - -1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. -{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} -{% data reusables.secret-scanning.push-protection-public-repos-bypass %} -1. Click **Allow secret**. - -{% ifversion push-protection-delegated-bypass %} - -### Requesting bypass privileges when working with the web UI - -{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} - -If your commit has been blocked by push protection, you can request permission to bypass the block. The request is sent to a designated group of reviewers, who will either approve or deny the request. - -Requests expire after 7 days. - -1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. -1. Click **Start request**. The request will open in a new tab. 
-{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} -{% data reusables.secret-scanning.push-protection-submit-bypass-request %} -{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} - -{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} - -If your request is approved, you can commit the changes containing the secret to the file. You can also commit any future changes that contain the same secret. - -If your request is denied, you will need to remove the secret from the file before you can commit your changes. - -{% endif %} - -## Further reading - -* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)" From 65d6b1cf43ab8a054424af881943a9caa1b02952 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 16:55:25 +0100 Subject: [PATCH 090/275] removing second article --- ...ing-a-branch-blocked-by-push-protection.md | 117 ------------------ 1 file changed, 117 deletions(-) delete mode 100644 content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md diff --git a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md b/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md deleted file mode 100644 index 6a40a2960f..0000000000 --- a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -title: Pushing a branch blocked by push protection -intro: 'Push protection proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.' -product: '{% data reusables.gated-features.push-protection-users-and-repos %}' -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Push a blocked branch ---- - -## About push protection - -Push protection helps to prevent security leaks by scanning for secrets before you push changes to your repository. - -When you try to push a secret to a repository secured by push protection, {% data variables.product.prodname_dotcom %} blocks the push. You must remove the secret from your branch before pushing again. For more information on how to resolve a blocked push, see "[Resolving a blocked push on the command line](#resolving-a-blocked-push-on-the-command-line)" and "[Resolving a blocked commit in the web UI](#resolving-a-blocked-commit-in-the-web-ui)" in this article. - -If you believe it's safe to allow the secret, you {% ifversion push-protection-delegated-bypass %}may {% endif %}have the option to bypass the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)." - -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
- -## Resolving a blocked push on the command line - -{% data reusables.secret-scanning.push-protection-command-line-choice %} - -{% data reusables.secret-scanning.push-protection-multiple-branch-note %} - -### Removing a secret introduced by the latest commit on your branch - -If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. - -1. Remove the secret from your code. -1. To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit. -1. Push your changes with `git push`. - -### Removing a secret introduced by an earlier commit on your branch - -You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. - -1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. - - ```text - remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} —————————————————————— - remote: locations: - remote: - commit: 8728dbe67 - remote: path: README.md:4 - remote: - commit: 03d69e5d3 - remote: path: README.md:4 - remote: - commit: 8053f7b27 - remote: path: README.md:4 - ``` - -1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps. 
- - ```text - test-repo (test-branch)]$ git log - commit 8053f7b27 (HEAD -> main) - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 13:03:37 2024 +0100 - - my fourth commit message - - commit 03d69e5d3 - Author: Octocat <1000+octocat@users.noreply.github.com> - Date: Tue Jan 30 13:02:59 2024 +0100 - - my third commit message - - commit 8728dbe67 - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 13:01:36 2024 +0100 - - my second commit message - - commit 6057cbe51 - Author: Octocat <1000+octocat@users.noreply.github.com - Date: Tue Jan 30 12:58:24 2024 +0100 - - my first commit message - -1. Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history. - * In the example, commit `8728dbe67` was the first commit to contain the secret. -1. Start an interactive rebase with `git rebase -i ~1`. - * For ``, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`. -1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text. - - ```text - edit 8728dbe67 my second commit message - pick 03d69e5d3 my third commit message - pick 8053f7b27 my fourth commit message - ``` - -1. Save and close the editor to start the interactive rebase. -1. Remove the secret from your code. -1. Commit your changes using `git commit --amend`. -1. Run `git rebase --continue` to finish the rebase. -1. Push your changes with `git push`. - -## Resolving a blocked commit in the web UI - -{% data reusables.secret-scanning.push-protection-web-ui-choice %} - -To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. - -Alternatively, if you determine that it's safe to allow the secret, use the options displayed in the dialog box to bypass push protection. 
For more information about bypassing push protection from the web UI, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection#bypassing-push-protection-when-working-with-the-web-ui)." - -# Further reading - -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)"{% ifversion secret-scanning-push-protection-for-users %} -* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)"{% endif %} From 17fa7a7b40d8237245433cc9b1f4b60e30de6aa9 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 15 Jul 2024 17:04:12 +0100 Subject: [PATCH 091/275] removing from index --- content/code-security/secret-scanning/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 6ed4b56d74..622c992bdb 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -26,7 +26,6 @@ children: - /about-the-detection-of-generic-secrets-with-secret-scanning - /enabling-ai-powered-generic-secret-detection - /push-protection-for-repositories-and-organizations - - /pushing-a-branch-blocked-by-push-protection - /working-with-secret-scanning-and-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection From 10aea3c9a599ca715f1a8119e6121a9fc51e2234 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 16 Jul 2024 09:38:11 +0100 Subject: [PATCH 092/275] minor edits --- ...h-push-protection-from-the-command-line.md | 22 +++------------- ...g-with-push-protection-in-the-github-ui.md | 26 +++++++------------ 2 files changed, 14 insertions(+), 34 deletions(-) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index 8c415c04b2..c3e2c97bd5 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -1,5 +1,5 @@
 ---
-title: Working with push protection from the command line
+title: Working with push protection from the command line
 shortTitle: Work with push protection from the command line
 intro: 'TODO'
 product: '{% data reusables.gated-features.secret-scanning %}'
@@ -24,24 +24,14 @@ When you attempt to push a supported secret from the command line to a repositor You should either: * **Remove** the secret from your branch. For more information, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." -* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line)"{% ifversion push-protection-delegated-bypass %} and "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line){% endif %}." +* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line){% endif %}." Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. -{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." - If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. 
Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." {% data reusables.secret-scanning.push-protection-multiple-branch-note %} -In some cases, you may need to bypass the block on a secret. {% ifversion push-protection-delegated-bypass %} Whether or not you are able to bypass the block depends on the permissions that have been set for you by your repository administrator or organization owner. - -You may be able to bypass the block by specifying a reason for allowing the push. {% endif %} For more information on how to bypass push protection and push a blocked secret, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line)." - -{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to push the secret. For information on how to request permission to bypass push protection and push the blocked secret, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)." - -{% endif %} - ## Resolving a blocked push from the command line To resolve a blocked push, you must remove the secret from all of the commits it appears in. 
@@ -127,11 +117,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-allow-email %} -{% ifversion push-protection-delegated-bypass %} - -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line)." - -{% endif %} +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges-when-working-from-the-command-line)" in the {% data variables.product.prodname_ghe_cloud %} documentation. {% data reusables.secret-scanning.push-protection-visit-URL %} {% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} @@ -164,4 +150,4 @@ If your request is denied, you will need to remove the secret from all commits c ## Further reading -* TODO +* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index fe9a8770db..ee2320af53 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -17,33 +17,25 @@ topics: ## About push protection in the {% data variables.product.prodname_dotcom %} UI -Push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets. - -{% data reusables.secret-scanning.push-protection-web-ui-choice %} - -You should either: - -* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI](#resolving-a-blocked-commit-in-the-github-ui)." -* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui)"{% ifversion push-protection-delegated-bypass %} and "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui){% endif %}." +When you are creating and editing files in the {% data variables.product.prodname_dotcom %} UI, push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets. {% ifversion push-protection-block-uploads %} -{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. The dialog box will show you which files contain the secret. You should remove the secret from the files before attempting to upload the files again. +{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. {% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %} {% endif %} +You should either: + +* **Remove** the secret from the commit. 
For more information, see "[Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI](#resolving-a-blocked-commit-in-the-github-ui)." +* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui){% endif %}." + {% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. -You may be able to bypass the block by specifying a reason for allowing the secret to be committed. For more information on how to bypass push protection and commit the blocked secret, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui)." - -{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to commit the secret. 
For information on how to request permission to bypass push protection and allow the secret, see "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui)." - -{% endif %} - ## Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI {% data reusables.secret-scanning.push-protection-web-ui-choice %} @@ -63,6 +55,8 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-public-repos-bypass %} 1. Click **Allow secret**. +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges-when-working-in-the-github-ui)" in the {% data variables.product.prodname_ghe_cloud %} documentation. + {% ifversion push-protection-delegated-bypass %} ## Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI @@ -89,4 +83,4 @@ If your request is denied, you will need to remove the secret from the file befo ## Further reading -* TODO +* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line) From b6eabae0ed15dc9d75ed8ff7739c3041e5eca8ec Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:17:00 +0100
Subject: [PATCH 093/275] adding intros
---
 .../index.md | 2 +-
 .../secret-scanning-for-your-user-owned-repositories.md | 5 ++---
 .../working-with-push-protection-from-the-command-line.md | 2 +-
 .../working-with-push-protection-in-the-github-ui.md | 2 +-
 4 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
index 8a1abc5f94..fea26a8e2b 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
@@ -2,7 +2,7 @@
 title: Working with secret scanning and push protection
 shortTitle: Work with secret scanning
 allowTitleToDifferFromFilename: true
-intro: 'TODO'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} scans for and detects secrets that have been checked into a repository. Push protection proactively secures you against leaking secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
index 87d634f155..ca93c2894d 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
@@ -1,9 +1,8 @@ --- -title: Enabling secret scanning alerts for your user-owned repositories +title: Enabling secret scanning alerts for your user-owned repositories shortTitle: Secret scanning alerts for user-owned repositories intro: 'TODO' -product: '{% data reusables.gated-features.secret-scanning %}' -versions: +versions: feature: secret-scanning-enable-by-default-for-public-repos type: how_to topics: diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index c3e2c97bd5..0e87b1988e 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md @@ -1,7 +1,7 @@ --- title: Working with push protection from the command line shortTitle: Work with push protection from the command line -intro: 'TODO' +intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index ee2320af53..22f5716935 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md @@ -1,7 +1,7 @@ --- title: Working with push protection in the GitHub UI shortTitle: Work with push protection in the GitHub UI -intro: 'TODO' +intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking commits containing secrets.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 94b19a4d1dbdf8ca71484353cd72e2801ea4f40b Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 16 Jul 2024 11:29:18 +0100 Subject: [PATCH 094/275] fix test --- .../secret-scanning-for-your-user-owned-repositories.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md index ca93c2894d..407a25ff7b 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md @@ -2,6 +2,7 @@ title: Enabling secret scanning alerts for your user-owned repositories shortTitle: Secret scanning alerts for user-owned repositories intro: 'TODO' +allowTitleToDifferFromFilename: true versions: feature: secret-scanning-enable-by-default-for-public-repos type: how_to From 0db4f0aefff0af03455524eb46d793272e7a4c2d Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 16 Jul 2024 11:38:23 +0100
Subject: [PATCH 095/275] fix learning tracks
---
 data/learning-tracks/code-security.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 82650c37c2..4b518db729 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -127,10 +127,14 @@ secret_scanning:
 endif %}
 - >-
 {% ifversion secret-scanning-push-protection-for-users
- %}/code-security/secret-scanning/push-protection-for-users{% endif %}
+ %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users{% endif %}
 - >-
 {% ifversion secret-scanning-push-protection
- %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{%
+ %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line{%
+ endif %}
+ - >-
+ {% ifversion secret-scanning-push-protection
+ %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui{%
 endif %}
 - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning
 security_alerts:
From fd163c783a1de07f159d490c5170050783f96934 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 12:18:40 +0100
Subject: [PATCH 096/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
Co-authored-by: Felicity Chapman
---
 .../non-provider-patterns/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
index 4a97751ff2..8ee2edb916 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/index.md
@@ -2,7 +2,7 @@
 title: Non-provider patterns
 shortTitle: Non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'Non-provider patterns, such as private keys, are patterns with a high false positive ratio. By default, {% data variables.product.prodname_secret_scanning %} doesn''t scan for this type of pattern, but you can override the default behavior.'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} can also alert you to the potential use of other types of secret in code, for example: HTTP authentication headers, connection strings, and private keys. These non-provider patterns are more difficult to detect reliably so this feature is not enabled by default.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From a8d121e7719007f9b7e73f6912ad6d2a4ec2bf41 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 12:18:55 +0100
Subject: [PATCH 097/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
Co-authored-by: Felicity Chapman
---
 .../enabling-secret-scanning-for-non-provider-patterns.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 916ef7ed19..6106ed66d6 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'You can enable {% data variables.product.prodname_secret_scanning %} for non-provider patterns at the repository and organization levels.'
+intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the repository and organization levels.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From 6580b3d80f4329f72fba2078f8ebb94b626a6fab Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 13:44:04 +0100
Subject: [PATCH 098/275] apply Felicitys suggestion
---
 .../enabling-secret-scanning-for-non-provider-patterns.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 916ef7ed19..2e416174c0 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -20,12 +20,18 @@ shortTitle: Enable for non-provider patterns You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. +For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." + +### Enabling detection of non-provider patterns for a repository + {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-code-security-and-analysis %} 1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." +### Enabling detection of non-provider patterns for an organization + +You can enable scanning for non-provider patterns at the organization level. For more information, see "[Configuring global secret scanning settings](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-secret-scanning-settings)." ## Further reading From bdc538b5eac3976016045f55a7cff32760223330 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 13:56:21 +0100 Subject: [PATCH 099/275] apply required versioning --- ...abling-secret-scanning-for-non-provider-patterns.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 2d21bf860b..2da05bbaa3 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the repository and organization levels.'
+intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the {% ifversion security-configurations %}repository and organization levels{% else %} repository level{% endif %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: secret-scanning-non-provider-patterns
@@ -22,17 +22,25 @@ You can enable scanning for non-provider patterns. Non-provider patterns corresp For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." +{% ifversion security-configurations %} + ### Enabling detection of non-provider patterns for a repository +{%endif %} + {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-code-security-and-analysis %} 1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". +{% ifversion security-configurations %} + ### Enabling detection of non-provider patterns for an organization You can enable scanning for non-provider patterns at the organization level. For more information, see "[Configuring global secret scanning settings](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-secret-scanning-settings)." +{% endif %} + ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)" From 194c7c21eeb5507a9ffc3948384d104fd544f110 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 13:56:56 +0100 Subject: [PATCH 100/275] remove superfluous space --- .../enabling-secret-scanning-for-non-provider-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
index 2da05bbaa3..f34762c6bf 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for non-provider patterns
 allowTitleToDifferFromFilename: true
-intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the {% ifversion security-configurations %}repository and organization levels{% else %} repository level{% endif %}.'
+intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the {% ifversion security-configurations %}repository and organization levels{% else %}repository level{% endif %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 feature: secret-scanning-non-provider-patterns
From 212ea5c72445f78ed540441b7a99ff237064d3c9 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:03:25 +0100
Subject: [PATCH 101/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
Co-authored-by: Felicity Chapman
---
 .../managing-requests-to-bypass-push-protection.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 063eb8f663..4ed5edcad5 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -18,9 +18,9 @@ shortTitle: Manage bypass requests {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. +An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection." > [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. From 261cf0b8262dfed801681d162baab95031837492 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:05:44 +0100
Subject: [PATCH 102/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
Co-authored-by: Felicity Chapman
---
 .../managing-requests-to-bypass-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 4ed5edcad5..ae4724e610 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Managing requests to bypass push protection
-intro: 'As a member of the bypass list for an organization or repository, you can process bypass requests from other members of the organization or repository.'
+intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.'
 versions:
From 452df4db810709f847fc32dd12427fdea51c4572 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:31:26 +0100 Subject: [PATCH 103/275] add Felicitys suggestion --- .../enabling-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 12fe1b2947..6d6d6e0316 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -20,7 +20,7 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." -To enable this feature, you first need to create a bypass list to add roles and teams who will manage request to bypass push protection. This step is included in the sections below. +When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. ### Configuring delegated bypass for an organization From 332ad21934c74c38d8b863af5692400ad59ee68d Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:33:16 +0100 Subject: [PATCH 104/275] moved note as suggested --- .../enabling-delegated-bypass-for-push-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 6d6d6e0316..20c95220e0 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -22,6 +22,8 @@ shortTitle: Enable delegated bypass When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. +>[!NOTE] You can't add secret teams to the bypass list. + ### Configuring delegated bypass for an organization {% data reusables.organizations.navigate-to-org %} 
@@ -33,7 +35,6 @@ When you enable this feature, you will create a bypass list of roles and teams w {% data reusables.repositories.navigate-to-ghas-settings %} 1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. 1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. ### Configuring delegated bypass for a repository From 43e02c7d9ef173345d5fd501abf63d75c5e0d8b5 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:33:58 +0100 Subject: [PATCH 105/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md Co-authored-by: Felicity Chapman --- .../managing-requests-to-bypass-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index ae4724e610..3a3437f5c0 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -2,7 +2,7 @@ title: Managing requests to bypass push protection intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' -permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.' +permissions: 'Members of the bypass list can process requests from non-members to bypass push protection.' versions: feature: push-protection-delegated-bypass type: how_to From 170eddcacf1723dad028fee324cff197a9884094 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:39:12 +0100 Subject: [PATCH 106/275] addressed more comments add added missing parenthesis --- .../push-protection-for-repositories-and-organizations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index f96fba9437..6fad831be8 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md @@ -126,3 +126,4 @@ You can use the organization settings page for "Code security and analysis" to e * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)" From 6300de58ca0210bfb297ca36f8a4d90de67a39ea Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:41:23 +0100
Subject: [PATCH 107/275] addressed more comments
---
 ...ging-requests-to-bypass-push-protection.md | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 3a3437f5c0..87d5907ec1 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -20,10 +20,20 @@ shortTitle: Manage bypass requests {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection." +An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." > [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. +### Managing requests to bypass push protection at the repository-level + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.bypass-requests-settings %} +1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. +1. Click the request that you want to review. +1. Review the details of the request. +1. 
To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. + You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: |Status|Description| @@ -37,13 +47,3 @@ You can filter requests by approver (member of the bypass list), requester (cont When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. - -### Managing requests to bypass push protection at the repository-level - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -{% data reusables.repositories.bypass-requests-settings %} -1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. -1. Click the request that you want to review. -1. Review the details of the request. -1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. From 329a2d27ac4c6e6a310757cb3b8693788a46210e Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 15:42:18 +0100
Subject: [PATCH 108/275] add heading
---
 .../managing-requests-to-bypass-push-protection.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 87d5907ec1..65ee3f08cf 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -34,6 +34,8 @@ An organization owner or repository administrator defines which roles and teams
 1. Review the details of the request.
 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
 
+### Filtering by request status
+
 You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request:
 
 |Status|Description|
From ed4809755a1d5adb87f66b2a46db188ae0579a40 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 18 Jul 2024 16:01:07 +0100
Subject: [PATCH 109/275] add versioning to fix test failure
---
 .../push-protection-for-repositories-and-organizations.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index 6fad831be8..8685f584d0 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -125,5 +125,5 @@ You can use the organization settings page for "Code security and analysis" to e
 ## Further reading
 
 * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
-* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
-* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %}
From 6de98b640f2c5bb5370159f00c309907f38811df Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 08:34:27 +0100
Subject: [PATCH 110/275] address anoter comment
---
 .../managing-requests-to-bypass-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 65ee3f08cf..2308595dd8 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -29,7 +29,7 @@ An organization owner or repository administrator defines which roles and teams
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.bypass-requests-settings %}
-1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review.
+1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed yet.
 1. Click the request that you want to review.
 1. Review the details of the request.
 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
From 394780335694c7195bcd4530a7619fa9c91b7c0a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 08:40:15 +0100
Subject: [PATCH 111/275] improve
---
 .../managing-requests-to-bypass-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
index 2308595dd8..8dbb251678 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
@@ -29,7 +29,7 @@ An organization owner or repository administrator defines which roles and teams
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.bypass-requests-settings %}
-1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed yet.
+1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed to the repository yet.
 1. Click the request that you want to review.
 1. Review the details of the request.
 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
From 45cfbe39e8bc52344b105b4ad72349991191c30c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:25:57 +0100
Subject: [PATCH 112/275] fix failing test
---
 content/code-security/secret-scanning/index.md | 1 -
 .../index.md | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 14ed25efca..049fdbfd73 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -18,7 +18,6 @@ children:
   - /introduction
   - /configuring-secret-scanning-for-your-repositories
   - /managing-alerts-from-secret-scanning
- - /secret-scanning-patterns
   - /push-protection-for-repositories-and-organizations
   - /push-protection-for-users
   - /working-with-push-protection
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
index b9ce661324..1d7041f27b 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md
@@ -2,7 +2,7 @@
 title: Using advanced secret scanning and push protection features
 shortTitle: Advanced features
 allowTitleToDifferFromFilename: true
-intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company..'
+intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
   fpt: '*'
From 14a60c49edaf9bb95c0a6c9d4cca19b673359ded Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:29:06 +0100
Subject: [PATCH 113/275] fix failing test
---
 content/code-security/secret-scanning/index.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md
index 049fdbfd73..4a89e1e35d 100644
--- a/content/code-security/secret-scanning/index.md
+++ b/content/code-security/secret-scanning/index.md
@@ -18,7 +18,6 @@ children:
   - /introduction
   - /configuring-secret-scanning-for-your-repositories
   - /managing-alerts-from-secret-scanning
- - /push-protection-for-repositories-and-organizations
   - /push-protection-for-users
   - /working-with-push-protection
   - /pushing-a-branch-blocked-by-push-protection
From a5873041dd0fb5993e0ecef7e437f1a45538cce7 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:36:54 +0100
Subject: [PATCH 114/275] fix another failing test
---
 .../introduction/about-secret-scanning-for-partners.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index bb92155920..a1372cd50c 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -19,6 +19,6 @@ TODO: Provide high-level overview of partner program You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." From c5a9eb6b038387e633980ae8a39300dc59513514 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 12:43:04 +0100 Subject: [PATCH 115/275] add missing redirect --- ...generating-regular-expressions-for-custom-patterns-with-ai.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md index b8144155c0..d0bd68b2a1 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md @@ -12,6 +12,7 @@ topics: - AI redirect_from: - /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai + - /code-security/secret-scanning/about-generating-regular-expressions-with-ai.md --- ## Generating a regular expression for a repository with AI From 32ddc5db1142b002cce18502c65e4d30446b8b53 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 12:49:37 +0100 Subject: [PATCH 116/275] add to the correct article duh --- .../about-generating-regular-expressions-with-ai.md | 1 + ...generating-regular-expressions-for-custom-patterns-with-ai.md | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md index 740a14bba5..f40e85f4a1 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md @@ -13,6 +13,7 @@ topics: - AI redirect_from: - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns + - /code-security/secret-scanning/about-generating-regular-expressions-with-ai.md --- diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md index d0bd68b2a1..b8144155c0 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md @@ -12,7 +12,6 @@ topics: - AI redirect_from: - /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai - - /code-security/secret-scanning/about-generating-regular-expressions-with-ai.md --- ## Generating a regular expression for a repository with AI 
From 5135608acf9cac6e28672274a21ffd55859ffd57 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 14:35:22 +0100 Subject: [PATCH 117/275] more work --- .../introduction/about-push-protection.md | 81 ++----------------- 1 file changed, 6 insertions(+), 75 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index b93ebabf71..910baeae25 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -1,6 +1,6 @@ --- title: About push protection -intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.' +intro: 'TODO.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: fpt: '*' 
@@ -19,22 +19,14 @@ topics: shortTitle: Push protection --- -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} +Push protection is a {% data variables.product.prodname_secret_scanning %} that ## About push protection for repositories and organizations {% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} -{% data reusables.secret-scanning.push-protection-bypass %} - -{% data reusables.secret-scanning.bypass-reasons-and-alerts %} - -{% ifversion push-protection-delegated-bypass %} - By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." -{% endif %} - {% ifversion secret-scanning-bypass-filter %} On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. 
For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." 
@@ -57,74 +49,13 @@ If you are an organization owner or security manager, you can view metrics on ho {% endnote %} {% endif %} -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)." -## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection +## About push protection for users. -For you to use {% data variables.product.prodname_secret_scanning %} as a push protection in public repositories, the {% ifversion secret-scanning-enterprise-level %}enterprise,{% endif %} organization{% ifversion secret-scanning-enterprise-level %},{% endif %} or repository needs to have {% data variables.product.prodname_secret_scanning %} enabled.{% ifversion secret-scanning-push-protection-private-internal %} To use {% data variables.product.prodname_secret_scanning %} as a push protection in private or internal repositories,{% ifversion secret-scanning-user-owned-repos %} or in user-owned repositories{% ifversion ghec %} for {% data variables.product.prodname_emus %}{% endif %},{% endif %} the enterprise or organization also needs to have {% data variables.product.prodname_GH_advanced_security %} enabled.{% endif %} For more information, see {% ifversion secret-scanning-enterprise-level %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise),"{% endif %} "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)," 
"[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)," and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." - -Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. - -Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret. - -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)." - -{% endif %} - -{% ifversion secret-scanning-enterprise-level-api %} -Enterprise administrators can also enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for the enterprise via the API. For more information, see "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis)."{% endif %} - -{% note %} - -**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, this is not enabled by default on the fork. 
You can enable it on the fork the same way you enable it on a standalone repository. - -{% endnote %} - -{% ifversion secret-scanning-enterprise-level %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for your enterprise - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -1. In the left sidebar, click **Code security and analysis**. -{% data reusables.advanced-security.secret-scanning-push-protection-enterprise %} -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization - -{% ifversion security-configurations-ga %} -You can find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." - -{% elsif security-configurations-beta-and-pre-beta %} - -You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization. - -{% data reusables.organizations.navigate-to-org %} -{% data reusables.organizations.org_settings %} -{% data reusables.organizations.security-and-analysis %} - -{% ifversion security-configurations-beta-only %} - {% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling push protection and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." 
-{% endif %} - -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-push-protection-org %} - -{% data reusables.security.note-securing-your-org %} -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for a repository - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-push-protection-repo %} +TODO Add link to enabling article, which is new. ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %} +* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" From 22a3f70cc773447db5a4c399167f653007f9b516 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 14:43:21 +0100 Subject: [PATCH 118/275] transfer updates from the other PR --- ...g-secret-scanning-for-your-repositories.md | 22 +----- ...-folders-and-files-from-secret-scanning.md | 71 +++++++++++++++++++ .../index.md | 1 + data/learning-tracks/code-security.yml | 2 + 4 files changed, 75 insertions(+), 21 deletions(-) create mode 100644 content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index 938e3b4460..cd465ce7ff 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md 
@@ -102,27 +102,7 @@ You can enable {% data variables.product.prodname_secret_scanning %} for all of ## Excluding directories from {% data variables.secret-scanning.user_alerts %} -You can configure a _secret_scanning.yml_ file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For example, you can exclude directories that contain tests or randomly generated content. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.files.add-file %} -1. In the file name field, type _.github/secret_scanning.yml_. -1. Under **Edit new file**, type `paths-ignore:` followed by the paths you want to exclude from {% data variables.product.prodname_secret_scanning %}. - - ``` yaml - paths-ignore: - - "foo/bar/*.js" - ``` - - You can use special characters, such as `*` to filter paths. For more information about filter patterns, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)." - - {% note %} - - **Notes:** - * If there are more than 1,000 entries in `paths-ignore`, {% data variables.product.prodname_secret_scanning %} will only exclude the first 1,000 directories from scans. - * If `secret_scanning.yml` is larger than 1 MB, {% data variables.product.prodname_secret_scanning %} will ignore the entire file. - - {% endnote %} +You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/excluding-folders-and-files-from-secret-scanning)." You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
new file mode 100644
index 0000000000..f07b77edbb
--- /dev/null
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
@@ -0,0 +1,71 @@
+---
+title: Excluding folders and files from secret scanning
+intro: 'You can customize {% data variables.product.prodname_secret_scanning %} to exclude directories or files from analysis, by configuring a `secret_scanning.yml` file in your repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+shortTitle: Exclude folders and files
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+---
+
+## About {% data variables.product.prodname_secret_scanning %}
+
+{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."
+
+## About excluding directories from {% data variables.secret-scanning.user_alerts %}
+
+You may have a reason to commit a secret to a repository, such as when you want to provide a fake secret in documentation, or in an example application. In these scenarios, you can quickly dismiss the alert and document the reasons. However, there may be cases where you want to ignore a directory entirely to avoid creating false positive alerts at scale. For example, you might have a monolithic application with several integrations containing a file of dummy keys that could set off numerous false alerts to triage.
+
+You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection.
+
+## Excluding directories from {% data variables.secret-scanning.user_alerts %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.files.add-file %}
+1. In the file name field, type _.github/secret_scanning.yml_.
+1. Under **Edit new file**, type `paths-ignore:` followed by the paths you want to exclude from {% data variables.product.prodname_secret_scanning %}.
+
+ ``` yaml copy
+ paths-ignore:
+ - "docs/**"
+ ```
+
+ This tells {% data variables.product.prodname_secret_scanning %} to ignore everything in the `docs` directory. You can use this example file as a template to add the files and folders you’d like to exclude from your own repositories.
+
+ You can also use special characters, such as `*` to filter paths. For more information about filter patterns, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)."
+
+ ``` yaml copy
+ paths-ignore:
+ - "foo/bar/*.js"
+ ```
+
+ {% note %}
+
+ **Notes:**
+ * If there are more than 1,000 entries in `paths-ignore`, {% data variables.product.prodname_secret_scanning %} will only exclude the first 1,000 directories from scans.
+ * If `secret_scanning.yml` is larger than 1 MB, {% data variables.product.prodname_secret_scanning %} will ignore the entire file.
+
+ {% endnote %}
+
+## Verifying that the folder is excluded from {% data variables.product.prodname_secret_scanning %}
+
+1. Open a file in a directory that you have excluded from secret scanning
+1. Paste a pre-invalidated secret, or a test secret.
+1. Commit the change.
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the `README.md` file.
+ +## Best practices + +Best practices include: + +* Minimizing the number of directories excluded and being as precise as possible when defining exclusions. This ensures that the instructions are as clear as possible, and that exclusions work as intended. +* Explaining why a particular file or folder is excluded in a comment in the `secret_scanning.yml` file. As with regular code, using comments clarifies your intend, making it easier for others to understand the desired behavior. +* Reviewing the `secret_scanning.yml` file on a regular basis. Some exclusions may no longer apply with time, and it is good practice to keep the file clean and current. The use of comments, as advised above, can help with this. +* Informing the security team what files and folders you've excluded, and why. Good communication is vital in ensuring that everyone is on the same page, and understands why specific folders or files are excluded. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index b9ce661324..76c0002b6e 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md @@ -13,6 +13,7 @@ topics: - Advanced Security - Repositories children: + - /excluding-folders-and-files-from-secret-scanning - /non-provider-patterns - /generic-secret-detection - /custom-patterns diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index daa509a42e..9d28c71c57 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml 
@@ -115,6 +115,8 @@ secret_scanning: - /code-security/secret-scanning/about-secret-scanning - >- /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories + - >- + /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md - >- {% ifversion not fpt %}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{% From 48a892344e90e9e17816ebb5b814140f31af0568 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 14:48:02 +0100 Subject: [PATCH 119/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md --- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index f07b77edbb..615d45ac73 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
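Review bot: The learning-track entry added under `secret_scanning:` ends in `.md`, whereas the entries around it in this hunk are extension-less article paths, so the track will most likely fail to resolve the new article. The added value should read `/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning`. The link added in the same commit to `configuring-secret-scanning-for-your-repositories.md` has a related problem: it points at `/code-security/secret-scanning/excluding-folders-and-files-from-secret-scanning`, which leaves out the `using-advanced-secret-scanning-and-push-protection-features` directory the article is created in. The `secret_scanning` list continues outside the hunk.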
@@ -59,7 +59,7 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da 1. Paste a pre-invalidated secret, or a test secret. 1. Commit the change. {% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the `README.md` file. +{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the file. ## Best practices From fc654ddebaf00aaaf81f9b6a5f0b389cc14fb983 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 15:29:46 +0100 Subject: [PATCH 120/275] more updates --- .../configuring-secret-scanning-for-your-repositories.md | 2 +- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md index cd465ce7ff..8f6d95f427 100644 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md 
@@ -102,7 +102,7 @@ You can enable {% data variables.product.prodname_secret_scanning %} for all of ## Excluding directories from {% data variables.secret-scanning.user_alerts %} -You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/excluding-folders-and-files-from-secret-scanning)." +You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)." You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index f07b77edbb..615d45ac73 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
@@ -59,7 +59,7 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da 1. Paste a pre-invalidated secret, or a test secret. 1. Commit the change. {% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the `README.md` file. +{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the file. ## Best practices From 7bb2334a44acf382153aef823b229aaeae519236 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 15:34:09 +0100 Subject: [PATCH 121/275] oops --- data/learning-tracks/code-security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 9d28c71c57..1fb8646103 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml @@ -116,7 +116,7 @@ secret_scanning: - >- /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories - >- - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md + /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning - >- {% ifversion not fpt %}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{% From 45f4d60217af224411f5e313f00cf3b3f53142dd Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:07:10 +0100 Subject: [PATCH 122/275] more work on new high level articles --- .../secret-scanning/introduction/about-push-protection.md | 4 +++- .../introduction/about-secret-scanning-for-partners.md | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 910baeae25..33ab8c01f6 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -19,7 +19,9 @@ topics: shortTitle: Push protection --- -Push protection is a {% data variables.product.prodname_secret_scanning %} that +Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository. + +You can apply push protection at repository/organization level, and for your user account on {% data variables.product.prodname_dotcom %}. ## About push protection for repositories and organizations diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index a1372cd50c..29cbf313f2 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -3,7 +3,7 @@ title: About secret scanning for partners intro: 'TODO' versions: fpt: '*' - ghes: '*' + ghec: '*' type: overview topics: - Secret scanning 
@@ -13,6 +13,10 @@ shortTitle: Secret scanning for partners ## About {% data variables.secret-scanning.partner_alerts %} +Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." + +{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} + TODO: Provide high-level overview of partner program **Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages. From 59620faeb0a7fccd9a9c111a8ef593fbed1848b0 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:38:07 +0100 Subject: [PATCH 123/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md Co-authored-by: Felicity Chapman --- .../secret-scanning-for-your-user-owned-repositories.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md index 407a25ff7b..8a591ec76f 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md 
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md @@ -1,7 +1,7 @@ --- title: Enabling secret scanning alerts for your user-owned repositories shortTitle: Secret scanning alerts for user-owned repositories -intro: 'TODO' +intro: 'You can protect yourself from accidentally leaking secrets from your {% ifversion ghec %}user-owned {% endif %}public repositories using {% data variables.product.prodname_secret_scanning %} and push protection.' allowTitleToDifferFromFilename: true versions: feature: secret-scanning-enable-by-default-for-public-repos From bc6f8ec065984df67bec4f9ad7df89d7b0130656 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:38:30 +0100 Subject: [PATCH 124/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-from-the-command-line.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index 0e87b1988e..38386ca776 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -1,6 +1,6 @@ --- title: Working with push protection from the command line -shortTitle: Work with push protection from the command line +shortTitle: Push protection on the command line intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets.' product: '{% data reusables.gated-features.secret-scanning %}' versions: From f64d6b8cbd904f2e4b88e59245bf76d450b52592 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:39:18 +0100 Subject: [PATCH 125/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-from-the-command-line.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index 38386ca776..7ee0b6c7ea 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -32,7 +32,7 @@ If you confirm a secret is real and that you intend to fix it later, you should {% data reusables.secret-scanning.push-protection-multiple-branch-note %} -## Resolving a blocked push from the command line +## Resolving a blocked push To resolve a blocked push, you must remove the secret from all of the commits it appears in. * If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." From c78e9f7a76d56a53ac4ffb368d009eae9b2e7d4e Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:39:32 +0100 Subject: [PATCH 126/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-in-the-github-ui.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index 22f5716935..c01b5cfdef 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -36,7 +36,7 @@ You should either: Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. -## Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI +## Resolving a blocked commit {% data reusables.secret-scanning.push-protection-web-ui-choice %} From 819f7b64e70e340b35275de4fefdce244a914225 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:39:58 +0100 Subject: [PATCH 127/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-in-the-github-ui.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index c01b5cfdef..6754ad5d38 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -42,7 +42,7 @@ Organization owners can provide a custom link that will be displayed when a push To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. -## Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI +## Bypassing push protection If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret. From c6343f05331b5029d1c78af5a1726d0db98c3638 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:40:06 +0100 Subject: [PATCH 128/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-in-the-github-ui.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index 6754ad5d38..bf22d85d64 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -59,7 +59,7 @@ If you don't see the option to bypass the block, the repository administrator or {% ifversion push-protection-delegated-bypass %} -## Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI +## Requesting bypass privileges {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} From 16eccb2d11b5672ab6479c31990f333f65a87d64 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:40:47 +0100 Subject: [PATCH 129/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-from-the-command-line.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index 7ee0b6c7ea..04fd3e50d2 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -109,7 +109,7 @@ You can also remove the secret if the secret appears in an earlier commit in the 1. Run `git rebase --continue` to finish the rebase. 1. Push your changes with `git push`. -## Bypassing push protection when working from the command line +## Bypassing push protection If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed. From 600476ac66bada2ad4599cce4c3c97a0a0581762 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:49:13 +0100 Subject: [PATCH 130/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-from-the-command-line.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index 04fd3e50d2..f009fb0b5f 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md 
@@ -127,7 +127,7 @@ If you don't see the option to bypass the block, the repository administrator or {% ifversion push-protection-delegated-bypass %} -## Requesting bypass privileges when working from the command line +## Requesting bypass privileges {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} From 380beba0242138aab52ec69936100e2f59ecae17 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 17:49:30 +0100 Subject: [PATCH 131/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md Co-authored-by: Felicity Chapman --- .../secret-scanning-for-your-user-owned-repositories.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md index 8a591ec76f..e8a5583141 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md 
@@ -18,7 +18,7 @@ redirect_from:
 You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings.
->! NOTE
+> [! NOTE]
 > As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)".
 ## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories
From dfc2848dda561b231ad6796db817e52b43a18621 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 17:49:46 +0100
Subject: [PATCH 132/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
Co-authored-by: Felicity Chapman
---
 .../working-with-push-protection-in-the-github-ui.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index bf22d85d64..d887b50628 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -1,7 +1,7 @@
 ---
 title: Working with push protection in the GitHub UI
 shortTitle: Work with push protection in the GitHub UI
-intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking commits containing secrets.'
+intro: 'Learn your options for unblocking your commit when {% data variables.product.prodname_secret_scanning %} detects a secret in your changes.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From cb5ece49325e55c69e0a5e6b6060e9c7d43588a3 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 19 Jul 2024 18:37:44 +0100
Subject: [PATCH 133/275] a bit more work
---
 .../about-secret-scanning-for-partners.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 29cbf313f2..610e2ddaa2 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -13,16 +13,17 @@ shortTitle: Secret scanning for partners ## About {% data variables.secret-scanning.partner_alerts %} -Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} - -TODO: Provide high-level overview of partner program - -**Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages. +{% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. +Partner alerts are not displayed on {% data variables.product.prodname_dotcom %}. Instead, partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets. 
+ +For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} + When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." -For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +TODO: apply scannability techniques From 42310e314afa58ab0ac061bd76d9e39e9124ed77 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 19 Jul 2024 21:19:31 +0100 Subject: [PATCH 134/275] apply some review feedback --- .../secret-scanning-for-your-user-owned-repositories.md | 3 +++ .../working-with-push-protection-from-the-command-line.md | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md index e8a5583141..c6c464c837 100644 
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
@@ -18,9 +18,12 @@ redirect_from:
 You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings.
+
 > [! NOTE]
 > As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)".
+
+
 ## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories
 {% data reusables.user-settings.access_settings %}
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index f009fb0b5f..d5ab99d2da 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -36,7 +36,7 @@ If you confirm a secret is real and that you intend to fix it later, you should
 To resolve a blocked push, you must remove the secret from all of the commits it appears in.
 * If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)."
-* If the secret appears in multiple earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)."
+* If the secret appears in earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)."
 ### Removing a secret introduced by the latest commit on your branch
From 1854f25db49571237856c8d391315bffa9265f95 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 21:20:55 +0100
Subject: [PATCH 135/275] apply review feedback 2
---
 .../working-with-push-protection-in-the-github-ui.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
index d887b50628..b96ffaec21 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md
@@ -1,6 +1,6 @@
 ---
 title: Working with push protection in the GitHub UI
-shortTitle: Work with push protection in the GitHub UI
+shortTitle: Push protection in the GitHub UI
 intro: 'Learn your options for unblocking your commit when {% data variables.product.prodname_secret_scanning %} detects a secret in your changes.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
From 61b63d6d906f3d52f811a2538eab9093fe9601c9 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 19 Jul 2024 21:27:43 +0100
Subject: [PATCH 136/275] removing old content from old article
---
 ...ng-secret-scanning-for-your-repositories.md | 18 ------------------
 ...th-push-protection-from-the-command-line.md | 2 +-
 2 files changed, 1 insertion(+), 19 deletions(-)
diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
index 47b87aecc5..38371c85a2 100644
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
@@ -99,24 +99,6 @@ For more information about non-provider patterns, see "{% ifversion fpt or ghec
 {% endif %}
-{% ifversion secret-scanning-enable-by-default-for-public-repos %}
-
-## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories
-
-You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings.
-{% note %}
-
-**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)".
-
-{% endnote %}
-
-{% data reusables.user-settings.access_settings %}
-{% data reusables.user-settings.security-analysis %}
-1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**.
-{% data reusables.secret-scanning.push-protection-optional-enable %}
-
-{% endif %}
-
 ## Excluding directories from {% data variables.secret-scanning.user_alerts %}
 You can configure a _secret_scanning.yml_ file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For example, you can exclude directories that contain tests or randomly generated content.
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index d5ab99d2da..0c61671750 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -1,7 +1,7 @@
 ---
 title: Working with push protection from the command line
 shortTitle: Push protection on the command line
-intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets.'
+intro: 'Learn your options for unblocking your push from the command line to {% data variables.product.prodname_dotcom %} if {% data variables.product.prodname_secret_scanning %} detects a secret in your changes.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 54440bcbfaa94cf6c8dc608d1c72f6bb5051d2fd Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 22 Jul 2024 16:44:53 +0100
Subject: [PATCH 137/275] more work
---
 .../introduction/about-push-protection.md | 32 +++++++++++++------
 .../push-protection-overview.md | 2 +-
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 33ab8c01f6..faeaa0f556 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -21,22 +21,23 @@ shortTitle: Push protection Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository. -You can apply push protection at repository/organization level, and for your user account on {% data variables.product.prodname_dotcom %}. +{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} + +{% ifversion secret-scanning-push-protection-for-users %} + +You can enable push protection: + +* At repository/organization level, if you are a repository administrator or an organization owner For more information, see +* For your account on {% data variables.product.prodname_dotcom %}, as a user. ## About push protection for repositories and organizations -{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} +{% else %} -By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. 
For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." - -{% ifversion secret-scanning-bypass-filter %} - -On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level. {% endif %} -You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." - {% ifversion security-overview-push-protection-metrics-page %} If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)." 
@@ -51,12 +52,25 @@ If you are an organization owner or security manager, you can view metrics on ho {% endnote %} {% endif %} +By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." + +You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." + For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)." +{% ifversion secret-scanning-push-protection-for-users %} + ## About push protection for users. +{% endif %} + TODO Add link to enabling article, which is new. +## Next steps + +Mention custom patterns at the end? +{% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} + ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" 
diff --git a/data/reusables/secret-scanning/push-protection-overview.md b/data/reusables/secret-scanning/push-protection-overview.md
index 72c31dfbf9..09f4bf7aca 100644
--- a/data/reusables/secret-scanning/push-protection-overview.md
+++ b/data/reusables/secret-scanning/push-protection-overview.md
@@ -1 +1 @@
-When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{%else%}needed{% endif %}, allow those secrets to be pushed.
+When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{% else %}needed{% endif %}, allow those secrets to be pushed.
From c33b8da0229e8346c1de21700738df3f32bdaa80 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Mon, 22 Jul 2024 16:39:34 +0000
Subject: [PATCH 138/275] create index file
---
 .../index.md | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
new file mode 100644
index 0000000000..a24ef0ce60
--- /dev/null
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
@@ -0,0 +1,20 @@
+---
+title: Managing alerts from secret scanning
+intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+redirect_from:
+ - /github/administering-a-repository/managing-alerts-from-secret-scanning
+ - /code-security/secret-security/managing-alerts-from-secret-scanning
+ - /code-security/secret-scanning/managing-alerts-from-secret-scanning
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: Managing alerts
+---
\ No newline at end of file
From 40620d076136fd182120ebb470d3e83d031d6b03 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Mon, 22 Jul 2024 16:46:39 +0000
Subject: [PATCH 139/275] adding empty children, updating index file
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 0
 .../evaluating-alerts.md | 0
 .../managing-alerts-from-secret-scanning/index.md | 8 +++++++-
 .../monitoring-alerts.md | 0
 .../resolving-alerts.md | 0
 .../viewing-alerts.md | 0
 6 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
 create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
 create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
 create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
 create mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
index a24ef0ce60..582c69e084 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
@@ -17,4 +17,10 @@ topics:
 - Alerts
 - Repositories
 shortTitle: Managing alerts
----
\ No newline at end of file
+children:
+ - /about-alerts
+ - /viewing-alerts
+ - /evaluating-alerts
+ - /resolving-alerts
+ - /monitoring-alerts
+---
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
new file mode 100644
index 0000000000..e69de29bb2
From 2d86dea83ba5c61d8f157eca252e0448d05e20e4 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Mon, 22 Jul 2024 17:37:09 +0000
Subject: [PATCH 140/275] filling out articles
---
 .../evaluating-alerts.md | 101 ++++++++++++++++++
 .../resolving-alerts.md | 50 +++++++++
 .../viewing-alerts.md | 54 ++++++++++
 3 files changed, 205 insertions(+)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index e69de29bb2..f9b95cbea1 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -0,0 +1,101 @@
+---
+title: Evaluating alerts from secret scanning
+intro: 'You can view alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.'
+permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: Evaluate alerts
+---
+
+## About evaluating alerts
+
+There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:
+
+* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %}
+* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %}
+* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %}
+
+## Checking a secret's validity
+
+{% ifversion secret-scanning-validity-check-partner-patterns %}
+
+{% data reusables.secret-scanning.validity-check-partner-patterns-beta %}
+
+{% endif %}
+
+Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
+
+By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view.
+
+{% ifversion fpt %}
+
+Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
+
+{% endif %}
+
+{% ifversion secret-scanning-validity-check-partner-patterns %}
+
+You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.
+
+{% data variables.product.company_short %} displays the validation status of the secret in the alert view.
+
+{% endif %}
+
+{% data reusables.secret-scanning.validity-check-table %}
+
+{% ifversion secret-scanning-validity-check-partner-patterns %}
+
+{% data reusables.gated-features.partner-pattern-validity-check-ghas %}
+
+For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)."
+
+{% endif %}
+
+You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)."
+
+{% ifversion secret-scanning-validity-check-partner-patterns %}
+
+## Performing an on-demand validity check
+
+Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view.
+
+![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png)
+
+{% endif %}
+
+{% ifversion secret-scanning-github-token-metadata %}
+
+## Reviewing {% data variables.product.company_short %} token metadata
+
+> [!NOTE]
+> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change.
+
+In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.
+
+Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies).
+
+ ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png)
+
+ Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. The following metadata is available for active {% data variables.product.company_short %} tokens:
+
+|Metadata|Description|
+|-------------------------|--------------------------------------------------------------------------------|
+|Secret name| The name given to the {% data variables.product.company_short %} token by its creator|
+|Secret owner| The {% data variables.product.company_short %} handle of the token's owner|
+|Created on| Date the token was created|
+|Expired on| Date the token expired|
+|Last used on| Date the token was last used|
+|Access| Whether the token has organization access|
+
+{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %}
+
+{% endif %}
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index e69de29bb2..449ea0e96a 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -0,0 +1,50 @@
+---
+title: Resolving alerts from secret scanning
+intro: 'You can should fix and close alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.'
+permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: Evaluate alerts
+---
+
+## Fixing alerts
+
+Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
+
+* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
+{%- ifversion token-audit-log %}
+ * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
+{%- endif %}
+* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.
+
+{% ifversion fpt or ghec %}
+
+> [!NOTE]
+> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+
+{% endif %}
+
+## Closing alerts
+
+> [!NOTE]
+>{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.
+1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert.
+
+ ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png)
+
+1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field.
For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation.
+1. Click **Close alert**.
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index e69de29bb2..f43a3de734 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -0,0 +1,54 @@
+---
+title: Viewing and filtering alerts from secret scanning
+intro: 'You can view alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.'
+permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: View alerts
+---
+
+## Viewing alerts
+
+Alerts for {% data variables.product.prodname_secret_scanning %} are displayed under the **Security** tab of the repository.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %}
+1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %}
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.
+ {% ifversion secret-scanning-user-owned-repos %}
+
+ > [!NOTE]
+ > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}
+
+ {% endif %}
+
+## Filtering alerts
+
+You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar.
+
+|Qualifier|Description|
+|---------|-----------|
+|`is:open`|Displays open alerts.|
+|`is:closed`|Displays closed alerts.|
+| {% ifversion secret-scanning-bypass-filter %} |
+|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed.
For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."|
+| {% endif %} |
+|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."|
+|`validity:inactive`| Displays alerts for secrets that are no longer active.|
+|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.|
+|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." |
+|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."|
+| {% ifversion secret-scanning-non-provider-patterns %} |
+|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." |
+|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)."
{% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}|
+| {% endif %} |
From b340d5ddfb407621eb738be1c0775c5a6039738a Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Mon, 22 Jul 2024 20:15:31 +0000
Subject: [PATCH 141/275] more edits
---
 .../monitoring-alerts.md | 53 +++++++++++++++++++
 .../resolving-alerts.md | 6 +--
 2 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
index e69de29bb2..9884c11164 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
@@ -0,0 +1,53 @@
+---
+title: Monitoring alerts from secret scanning
+intro: 'Learn how and when {% data variables.product.product_name %} will notify you about a secret scanning alert.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+ - Repositories
+shortTitle: Monitor alerts
+---
+
+## Configuring notifications for {% data variables.secret-scanning.alerts %}
+
+In addition to Notifications are different for incremental scans and historical scans.
+
+### Incremental scans
+
+{% data reusables.secret-scanning.secret-scanning-configure-notifications %}
+
+{% data reusables.repositories.navigate-to-repo %}
+1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**.
+
+ ![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png)
+
+1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**.
+1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications).
+1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown.
+1. Select "Email" as a notification option, then click **Save**.
+
+ ![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown.
A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png)
+
+{% data reusables.notifications.watch-settings %}
+
+### Historical scans
+
+For historical scans, {% data variables.product.product_name %} notifies the following users:
+
+* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found.
+* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences.
+
+We do _not_ notify commit authors.
+
+{% data reusables.notifications.watch-settings %}
+
+## Auditing responses to secret scanning alerts
+
+{% data reusables.secret-scanning.audit-secret-scanning-events %}
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 449ea0e96a..5635a4ecbf 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -1,7 +1,7 @@
 ---
 title: Resolving alerts from secret scanning
-intro: 'You can should fix and close alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.'
-permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.'
+intro: 'After reviewing the details of alert, you should fix and then close the alert.'
+permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can dismiss secret scanning alerts for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
@@ -13,7 +13,7 @@ topics: - Advanced Security - Alerts - Repositories -shortTitle: Evaluate alerts +shortTitle: Resolve alerts --- ## Fixing alerts
From ce4e0da55e3025df3805812f85ed178dd2ca1773 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 23 Jul 2024 07:58:04 +0100
Subject: [PATCH 142/275] removing SS for your user-owned repos from new map topic and putting back
---
 ...g-secret-scanning-for-your-repositories.md | 18 +++++++++++
 .../index.md | 1 -
 ...anning-for-your-user-owned-repositories.md | 32 -------------------
 3 files changed, 18 insertions(+), 33 deletions(-)
 delete mode 100644 content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
index 212a382950..630e10e96a 100644
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
@@ -99,6 +99,24 @@ For more information about non-provider patterns, see "{% ifversion fpt or ghec {% endif %} +{% ifversion secret-scanning-enable-by-default-for-public-repos %} + +## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories + +You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. +{% note %} + +**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". + +{% endnote %} + +{% data reusables.user-settings.access_settings %} +{% data reusables.user-settings.security-analysis %} +1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. +{% data reusables.secret-scanning.push-protection-optional-enable %} + +{% endif %} + ## Excluding directories from {% data variables.secret-scanning.user_alerts %} You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)." 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
index fea26a8e2b..4a5ba48627 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/index.md
@@ -13,7 +13,6 @@ topics: - Advanced Security - Repositories children: - - /secret-scanning-for-your-user-owned-repositories - /push-protection-for-users - /working-with-push-protection-from-the-command-line - /working-with-push-protection-in-the-github-ui
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
deleted file mode 100644
index c6c464c837..0000000000
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/secret-scanning-for-your-user-owned-repositories.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Enabling secret scanning alerts for your user-owned repositories
-shortTitle: Secret scanning alerts for user-owned repositories
-intro: 'You can protect yourself from accidentally leaking secrets from your {% ifversion ghec %}user-owned {% endif %}public repositories using {% data variables.product.prodname_secret_scanning %} and push protection.'
-allowTitleToDifferFromFilename: true
-versions:
- feature: secret-scanning-enable-by-default-for-public-repos
-type: how_to
-topics:
- - Secret scanning
- - Advanced Security
- - Troubleshooting
-redirect_from:
- - /TODO
----
-
-## About {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories
-
-You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings.
-
-
-> [! NOTE]
-> As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)".
-
-
-
-## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories
-
-{% data reusables.user-settings.access_settings %}
-{% data reusables.user-settings.security-analysis %}
-1.
Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**.
-{% data reusables.secret-scanning.push-protection-optional-enable %}
From 9b72e9e9dc42f99add6bc571f22172632003e3a6 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 23 Jul 2024 08:18:42 +0100
Subject: [PATCH 143/275] correcting links
---
 .../working-with-push-protection-from-the-command-line.md | 8 ++++----
 .../working-with-push-protection-in-the-github-ui.md | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
index 0c61671750..ba531a5aea 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md
@@ -23,8 +23,8 @@ When you attempt to push a supported secret from the command line to a repositor You should either: -* **Remove** the secret from your branch. For more information, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." -* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working from the command line](#bypassing-push-protection-when-working-from-the-command-line){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges when working from the command line](#requesting-bypass-privileges-when-working-from-the-command-line){% endif %}." +* **Remove** the secret from your branch. For more information, see "[Resolving a blocked push](#resolving-a-blocked-push)." +* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges](#requesting-bypass-privileges){% endif %}." Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. 
@@ -117,7 +117,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-allow-email %} -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges-when-working-from-the-command-line)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges)" in the {% data variables.product.prodname_ghe_cloud %} documentation. {% data reusables.secret-scanning.push-protection-visit-URL %} {% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} 
@@ -144,7 +144,7 @@ Requests expire after 7 days. If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. -If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push from the command line](#resolving-a-blocked-push-from-the-command-line)." +If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push](#resolving-a-blocked-push)." {% endif %} diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index b96ffaec21..247828019a 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -29,8 +29,8 @@ When you are creating and editing files in the {% data variables.product.prodnam You should either: -* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit in the {% data variables.product.prodname_dotcom %} UI](#resolving-a-blocked-commit-in-the-github-ui)." -* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection when working in the {% data variables.product.prodname_dotcom %} UI](#bypassing-push-protection-when-working-in-the-github-ui){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges when working in the {% data variables.product.prodname_dotcom %} UI](#requesting-bypass-privileges-when-working-in-the-github-ui){% endif %}." +* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit](#resolving-a-blocked-commit)." +* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges](#requesting-bypass-privileges){% endif %}." {% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. 
@@ -55,7 +55,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-public-repos-bypass %} 1. Click **Allow secret**. -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working from the command line](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges-when-working-in-the-github-ui)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges)" in the {% data variables.product.prodname_ghe_cloud %} documentation. {% ifversion push-protection-delegated-bypass %} From a279583a43e8e8b5cd498427ea09da456910313a Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:48:55 +0100 Subject: [PATCH 144/275] try to fix merg conflict --- content/code-security/secret-scanning/index.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 4a89e1e35d..b76531a3c6 100644 
--- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -18,9 +18,7 @@ children: - /introduction - /configuring-secret-scanning-for-your-repositories - /managing-alerts-from-secret-scanning - - /push-protection-for-users - - /working-with-push-protection - - /pushing-a-branch-blocked-by-push-protection + - /working-with-secret-scanning-and-push-protection - /using-advanced-secret-scanning-and-push-protection-features - /troubleshooting-secret-scanning-and-push-protection - /secret-scanning-partnership-program From 6a67a7fdaafa33691bedc9668c5e0a7f2f746e9f Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:17:48 +0100 Subject: [PATCH 145/275] trying to get file to render --- .../secret-scanning/introduction/about-push-protection.md | 6 ++++-- content/code-security/secret-scanning/introduction/index.md | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index faeaa0f556..9b41a1a65e 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -10,7 +10,7 @@ redirect_from: - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning - /code-security/secret-scanning/protecting-pushes-with-secret-scanning - /code-security/secret-scanning/push-protection-for-repositories-and-organizations -type: how_to +type: overview topics: - Secret scanning - Advanced Security 
@@ -60,7 +60,9 @@ For information on the secrets and service providers supported for push protecti
 {% ifversion secret-scanning-push-protection-for-users %}
-## About push protection for users.
+## About push protection for users
+
+Everyone across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within your individual settings. This ensures your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
 {% endif %}
diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md
index 506adc1289..7c8fb7d1da 100644
--- a/content/code-security/secret-scanning/introduction/index.md
+++ b/content/code-security/secret-scanning/introduction/index.md
@@ -1,6 +1,6 @@
 ---
 title: Introduction to secret scanning
-shortTitle: Secret scanning
+shortTitle: Introduction
 allowTitleToDifferFromFilename: true
 intro: 'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
 product: '{% data reusables.gated-features.secret-scanning %}'
From 8e73eb5f3df699f2e6e6203a3af79fb75b06819c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 11:18:34 +0100
Subject: [PATCH 146/275] trying to get file to render 2
---
 .../secret-scanning/introduction/about-push-protection.md | 3 +--
 .../secret-scanning/introduction/about-secret-scanning.md | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 9b41a1a65e..c75445fccd 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -56,7 +56,7 @@ By default, anyone with write access to the repository can choose to bypass push
 You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
-For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md#supported-secrets)."
+For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 {% ifversion secret-scanning-push-protection-for-users %}
@@ -75,5 +75,4 @@ Mention custom patterns at the end?
 ## Further reading
-* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
 * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index a225b8cafe..0f77704240 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -1,5 +1,5 @@
 ---
-title: About secret scanning
+title: Secret scanning
 intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
From ff95b54e1fe24d5ba25ab25e0452938a8b3c64f8 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 11:23:10 +0100
Subject: [PATCH 147/275] trying to get file to render 3
---
 .../secret-scanning/introduction/about-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 0f77704240..a225b8cafe 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -1,5 +1,5 @@
 ---
-title: Secret scanning
+title: About secret scanning
 intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
From e77112068c1c9c9872c48876ebe8059e7e7d887a Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 12:25:36 +0100
Subject: [PATCH 148/275] more work on push protection
---
 .../introduction/about-push-protection.md | 56 ++++++++++---------
 .../introduction/about-secret-scanning.md | 1 +
 2 files changed, 31 insertions(+), 26 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index c75445fccd..d34ce3a7d1 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
 ---
 title: About push protection
-intro: 'TODO.'
+intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 fpt: '*'
@@ -38,41 +38,45 @@ If you are a repository administrator or an organization owner, you can enable p
 {% endif %}
-{% ifversion security-overview-push-protection-metrics-page %}
-
-If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)."
-
-{% endif %}
-
-{% ifversion ghec or fpt %}
-{% note %}
-
-**Note:** The github.dev web-based editor doesn't support push protection. For more information about the editor, see "[AUTOTITLE](/codespaces/the-githubdev-web-based-editor)."
-
-{% endnote %}
-{% endif %}
-
-By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
-
-You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
-
-For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-
 {% ifversion secret-scanning-push-protection-for-users %}
 ## About push protection for users
-Everyone across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within your individual settings. This ensures your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
+Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings.
+
+Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
 {% endif %}
-TODO Add link to enabling article, which is new.
+## What are the supported secrets
-## Next steps
+For information about the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-Mention custom patterns at the end?
-{% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
+{% ifversion push-protection-delegated-bypass %}
+
+## Delegated bypass
+
+{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
+
+When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
+
+If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
+
+For information about delegated bypass for push protection, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
+
+{% endif %}
+
+{% ifversion secret-scanning-push-protection-custom-patterns %}
+
+## Custom patterns
+
+You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization.
+
+{% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+
+{% endif %}
 ## Further reading
+* TODO: add link to enabling push protection
 * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index a225b8cafe..92595aec49 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -17,6 +17,7 @@ type: overview
 topics:
 - Secret scanning
 - Advanced Security
+shortTitle: Secret scanning
 ---
 {% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
From ed448d505663ec6ddcd9a84c9562acd0cf332a3b Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 23 Jul 2024 13:34:59 +0100
Subject: [PATCH 149/275] version delegated bypass section
---
 .../secret-scanning/introduction/about-push-protection.md | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index d34ce3a7d1..9bfd86ed14 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -27,17 +27,15 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu
 You can enable push protection:
-* At repository/organization level, if you are a repository administrator or an organization owner For more information, see
+* At repository/organization level, if you are a repository administrator or an organization owner.
 * For your account on {% data variables.product.prodname_dotcom %}, as a user.
 ## About push protection for repositories and organizations
-{% else %}
+{% endif %}
 If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level.
-{% endif %}
-
 {% ifversion secret-scanning-push-protection-for-users %}
 ## About push protection for users
@@ -62,7 +60,7 @@ When you enable push protection, by default, anyone with write access to the rep
 If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
-For information about delegated bypass for push protection, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
+For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
 {% endif %}
From 3de6c358755a44231a63fe2c905296df55bc29b6 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 23 Jul 2024 17:33:45 +0100 Subject: [PATCH 150/275] and more work --- .../introduction/about-push-protection.md | 12 ++++++------ .../introduction/about-secret-scanning.md | 6 ++++++ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 9bfd86ed14..2b6ea61119 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -1,6 +1,6 @@ --- title: About push protection -intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO' +intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO for users' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: fpt: '*' @@ -19,6 +19,8 @@ topics: shortTitle: Push protection --- +## What is push protection + Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository. {% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} 
@@ -48,7 +50,7 @@ Enabling push protection for your user account means that your pushes are protec
 ## What are the supported secrets
-For information about the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 {% ifversion push-protection-delegated-bypass %}
@@ -66,11 +68,9 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co
 {% ifversion secret-scanning-push-protection-custom-patterns %}
-## Custom patterns
+## Custom pattern support
-You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization.
-
-{% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization. {% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
 {% endif %}
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 92595aec49..23f25e9ca5 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -20,6 +20,8 @@ topics:
 shortTitle: Secret scanning
 ---
+## What is {% data variables.product.prodname_secret_scanning %}
+
 {% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
@@ -59,6 +61,10 @@ If your project communicates with an external service, you might use a token or
 {% endnote %}
+## What are the supported secrets
+
+For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+
 {% ifversion fpt or ghec %}
 ## About {% data variables.secret-scanning.partner_alerts %}
From f8d90dfb327fc59024f7638b3db469a5b82425b6 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:14:17 +0000
Subject: [PATCH 151/275] working on about alerts
---
 .../managing-alerts-from-secret-scanning.md | 236 ------------------
 .../about-alerts.md | 17 ++
 .../viewing-alerts.md | 36 ++-
 3 files changed, 51 insertions(+), 238 deletions(-)
 delete mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
deleted file mode 100644
index e66b2d79c5..0000000000
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
+++ /dev/null
@@ -1,236 +0,0 @@ ---- -title: Managing alerts from secret scanning -intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view and dismiss secret scanning alerts for the repository.' -product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /github/administering-a-repository/managing-alerts-from-secret-scanning - - /code-security/secret-security/managing-alerts-from-secret-scanning -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Manage secret alerts ---- -## About the {% data variables.product.prodname_secret_scanning %} alerts page - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} - -{% ifversion secret-scanning-non-provider-patterns %} -To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists: -* **High confidence** alerts. -* **Other** alerts. - -![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png) - -### High confidence alerts list - -The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page. - -### Other alerts list - -The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives. 
- -In addition, alerts that fall into this category: -* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts). -* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. -* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. - -For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." - -{% endif %} - -## Viewing alerts - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %} -1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %} -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. 
- {% ifversion secret-scanning-user-owned-repos %} - - > [!NOTE] - > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} - - {% endif %} - -## Filtering alerts - -You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar. - -|Qualifier|Description| -|---------|-----------| -|`is:open`|Displays open alerts.| -|`is:closed`|Displays closed alerts.| -| {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| -| {% endif %} | -|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."| -|`validity:inactive`| Displays alerts for secrets that are no longer active.| -|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| -| {% ifversion secret-scanning-non-provider-patterns %} | -|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. 
For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| -| {% endif %} | - -## Evaluating alerts - -There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: - -* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} -* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. 
For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} - -### Checking a secret's validity - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -{% data reusables.secret-scanning.validity-check-partner-patterns-beta %} - -{% endif %} - -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. - -By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. - -{% ifversion fpt %} - -Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation. - -{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. - -{% data variables.product.company_short %} displays the validation status of the secret in the alert view. 
- -{% endif %} - -{% data reusables.secret-scanning.validity-check-table %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." - -{% endif %} - -You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)." - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Performing an on-demand validity check - -Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view. - -![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. 
A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png) - -{% endif %} - -{% ifversion secret-scanning-github-token-metadata %} - -### Reviewing {% data variables.product.company_short %} token metadata - -> [!NOTE] -> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change. - -In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take. - -Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies). - - ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png) - - Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. 
The following metadata is available for active {% data variables.product.company_short %} tokens: - -|Metadata|Description| -|-------------------------|--------------------------------------------------------------------------------| -|Secret name| The name given to the {% data variables.product.company_short %} token by its creator| -|Secret owner| The {% data variables.product.company_short %} handle of the token's owner| -|Created on| Date the token was created| -|Expired on| Date the token expired| -|Last used on| Date the token was last used| -|Access| Whether the token has organization access| - -{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %} - -{% endif %} - -## Fixing alerts - -Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets: - -* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." -{%- ifversion token-audit-log %} - * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. 
For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)." -{%- endif %} -* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret. - -{% ifversion fpt or ghec %} - -> [!NOTE] -> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -{% endif %} - -## Closing alerts - -> [!NOTE] ->{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. -1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert. - - ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png) - -1. Optionally, in the "Comment" field, add a dismissal comment. 
The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation. -1. Click **Close alert**. - -## Configuring notifications for {% data variables.secret-scanning.alerts %} - -Notifications are different for incremental scans and historical scans. - -### Incremental scans - -{% data reusables.secret-scanning.secret-scanning-configure-notifications %} - -{% data reusables.repositories.navigate-to-repo %} -1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**. - - ![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png) - -1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**. -1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications). -1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown. -1. Select "Email" as a notification option, then click **Save**. - - ![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. 
A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png) - -{% data reusables.notifications.watch-settings %} - -### Historical scans - -For historical scans, {% data variables.product.product_name %} notifies the following users: - -* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found. -* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences. - -We do _not_ notify commit authors. - -{% data reusables.notifications.watch-settings %} - -## Auditing responses to secret scanning alerts - -{% data reusables.secret-scanning.audit-secret-scanning-events %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index e69de29bb2..048108f998 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -0,0 +1,17 @@ +--- +title: About secret scanning alerts +intro: 'Learn about the different types of {% data variables.product.prodname_secret_scanning %} alerts for your repository.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage secret scanning alerts for the repository.' +product: '{% data reusables.gated-features.secret-scanning %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +type: how_to +topics: + - Secret scanning + - Advanced Security + - Alerts + - Repositories +shortTitle: About alerts +--- 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index f43a3de734..b28d4722c7 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md @@ -1,7 +1,7 @@ --- title: Viewing and filtering alerts from secret scanning -intro: 'You can view alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' +intro: 'Learn how to find and filter {% data variables.secret-scanning.user_alerts_caps %} alerts for your repository.' +permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts_caps %} for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' 
@@ -16,6 +16,34 @@ topics: shortTitle: View alerts --- +## About the {% data variables.product.prodname_secret_scanning %} alerts page + +{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} + +{% ifversion secret-scanning-non-provider-patterns %} +To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists: +* **High confidence** alerts. +* **Other** alerts. + +![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png) + +### High confidence alerts list + +The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page. + +### Other alerts list + +The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives. + +In addition, alerts that fall into this category: +* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts). +* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. +* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. 
+ +For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." + +{% endif %} + ## Viewing alerts Alerts for {% data variables.product.prodname_secret_scanning %} are displayed under the **Security** tab of the repository. @@ -52,3 +80,7 @@ You can apply various filters to the alerts list to help you find the alerts you |`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | |`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| | {% endif %} | + +## Next steps + +* [AUTOTITLE](/TODO) From 3b120a8944308f4a649c6aa78f86b5c40d8b1ebc Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:32:32 +0000
Subject: [PATCH 152/275] new articles
---
...ing-push-protection-for-your-repository.md | 17 ++++++++++++++
...ing-secret-scanning-for-your-repository.md | 17 ++++++++++++++
...ing-validity-checks-for-your-repository.md | 19 ++++++++++++++++
.../index.md | 22 +++++++++++++++++++
4 files changed, 75 insertions(+)
create mode 100644 content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
create mode 100644 content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
create mode 100644 content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
create mode 100644 content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
new file mode 100644
index 0000000000..f701685312
--- /dev/null
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -0,0 +1,17 @@
+---
+title: TODO
+shortTitle: TODO
+intro: 'TODO.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+---
+
+## About enabling push protection
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
new file mode 100644
index 0000000000..2e7f156350
--- /dev/null
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -0,0 +1,17 @@
+---
+title: TODO
+shortTitle: TODO
+intro: 'TODO.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+---
+
+## About enabling
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
new file mode 100644
index 0000000000..13c0416a8b
--- /dev/null
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -0,0 +1,19 @@
+---
+title: TODO
+shortTitle: TODO
+intro: 'TODO.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+type: how_to
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Alerts
+---
+
+## About validity checks
+
+## TODO
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
new file mode 100644
index 0000000000..203755a35b
--- /dev/null
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -0,0 +1,22 @@
+---
+title: Enabling secret scanning features
+shortTitle: Enable secret scanning
+allowTitleToDifferFromFilename: true
+intro: '{% data variables.product.prodname_secret_scanning_caps %} scans for and detects secrets that have been checked into a repository. Push protection proactively secures you against leaking secrets by blocking pushes containing secrets.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Secret scanning
+ - Advanced Security
+ - Repositories
+children:
+ - /enabling-secret-scanning-for-your-repository
+ - /enabling-push-protection-for-your-repository
+ - /enabling-validity-checks-for-your-repository
+redirect_from:
+ - /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
+ - /code-security/secret-scanning/push-protection-for-repositories-and-organizations
+---
From 99a31f53602cdcd2645a7d9e53ad72596a12a603 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 24 Jul 2024 06:42:17 +0000
Subject: [PATCH 153/275] first draft validity checks
---
...ing-validity-checks-for-your-repository.md | 32 +++++++++++++++----
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 13c0416a8b..adc659fae9 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -1,12 +1,10 @@ --- -title: TODO -shortTitle: TODO +title: Enabling validity checks for your repository +shortTitle: Enable validity checks intro: 'TODO.' -product: '{% data reusables.gated-features.secret-scanning %}' +product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' + feature: secret-scanning-validity-check-partner-patterns type: how_to topics: - Secret scanning 
@@ -16,4 +14,24 @@ topics: ## About validity checks -## TODO +You can choose to enable validity checks for partner patterns for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. + +{% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view. + +You can also filter by validity status on the alerts page, to help you prioritize which alerts you need to take action on. + +> [!NOTE] +> {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. + +For more information on using validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)." + +## Enabling validity checks + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.secret-scanning.validity-check-auto-enable %} + +You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." + +Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. 
For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." From 0556b126e3854ee531278e1065503b7a43a57662 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 24 Jul 2024 06:54:09 +0000 Subject: [PATCH 154/275] more edits to validity checks --- .../enabling-validity-checks-for-your-repository.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index adc659fae9..deae5c4edc 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md @@ -1,7 +1,7 @@ --- title: Enabling validity checks for your repository shortTitle: Enable validity checks -intro: 'TODO.' +intro: 'Validity checks tell you if a secret is active or inactive, which can help you to prioritize remediation of alerts.' product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}' versions: feature: secret-scanning-validity-check-partner-patterns 
@@ -18,12 +18,12 @@ You can choose to enable validity checks for partner patterns for your repositor {% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view. -You can also filter by validity status on the alerts page, to help you prioritize which alerts you need to take action on. +You can also filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on. > [!NOTE] > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. -For more information on using validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)." +For more information on using validity checks, see "[AUTOTITLE](/TODO)." ## Enabling validity checks From 047b4c4c9504618889d0999ee8f3621d822f55ca Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 24 Jul 2024 07:33:35 +0000 Subject: [PATCH 155/275] first draft enable SS article --- ...ing-secret-scanning-for-your-repository.md | 36 ++++++++++++++++--- ...ing-validity-checks-for-your-repository.md | 2 +- 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 2e7f156350..4627dd805f 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md 
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -1,7 +1,7 @@ --- -title: TODO -shortTitle: TODO -intro: 'TODO.' +title: Enabling secret scanning for your repository +shortTitle: Enable secret scanning +intro: '{% data variables.product.prodname_secret_scanning %} scans your repositories for leaked secrets and generates alerts.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' 
@@ -14,4 +14,32 @@ topics: - Alerts --- -## About enabling +## About enabling {% data variables.secret-scanning.user_alerts %} + +You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} + +You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see "[AUTOTITLE](/code-security/getting-started/securing-your-organization)." + +{% ifversion secret-scanning-enterprise-level %} +{% note %} + +**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." + +{% endnote %} +{% endif %} + +A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." 
+ +## Enabling {% data variables.secret-scanning.user_alerts %} + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes %} +1. If {% data variables.product.prodname_advanced_security %} is not already enabled for the repository, to the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**. +1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**. +1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled. + + ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %} +1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository. 
+ + ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %} diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index deae5c4edc..913d275990 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md @@ -1,7 +1,7 @@ --- title: Enabling validity checks for your repository shortTitle: Enable validity checks -intro: 'Validity checks tell you if a secret is active or inactive, which can help you to prioritize remediation of alerts.' +intro: 'Validity checks tell you if a secret is active or inactive, which can help you to prioritize the remediation of alerts.' product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}' versions: feature: secret-scanning-validity-check-partner-patterns From 92f11f8af6aca1957f392d3aa80d66eb9d33a243 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 24 Jul 2024 08:10:10 +0000 Subject: [PATCH 156/275] first edits --- ...ing-push-protection-for-your-repository.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md index f701685312..cd48da8e7f 100644 
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md @@ -1,7 +1,7 @@ --- -title: TODO -shortTitle: TODO -intro: 'TODO.' +title: Enabling push protection for your repository +shortTitle: Enable push protection +intro: 'With push protection, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' @@ -12,6 +12,19 @@ topics: - Secret scanning - Advanced Security - Alerts +redirect_from: + - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning + - /code-security/secret-scanning/protecting-pushes-with-secret-scanning --- ## About enabling push protection + +TODO + +## Enabling push protection + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +{% data reusables.advanced-security.secret-scanning-push-protection-repo %} From 50e080613742db35d932385f83e68640f5939d7a Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 24 Jul 2024 10:36:05 +0000 Subject: [PATCH 157/275] edits to about alerts --- .../about-alerts.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 048108f998..e39294d2e1 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -15,3 +15,56 @@ topics:
 - Repositories
 shortTitle: About alerts
 ---
+
+## About the different types of {% data variables.product.prodname_secret_scanning %} alerts
+
+There are three types of {% data variables.product.prodname_secret_scanning %} alerts:
+
+* **{% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When [GitHub] detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository.
+* **Push protection alerts**: When a contributor pushes a supported secret to a repository that has push protection enabled, a push protection alert is generated and displayed in the **Security** tab of the repository.
+* **Partner alerts**: Unlike other alerts, partner alerts are sent directly to the secret providers whenever a secret leak is reported for one of their secrets, as part of {% data variables.product.prodname_secret_scanning %}'s partner program.
+
+### About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts
+
+{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}.
+
+{% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types:
+
+* High confidence alerts, which relate to supported patterns and specified custom patterns.
+* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys.
+
+{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/TODO)."
+
+{% data reusables.secret-scanning.non-provider-patterns-beta %}
+
+{% endif %}
+
+You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %}
+
+{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
+
+If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)."
+
+{% ifversion ghes or ghec %}
+{% note %}
+
+**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+
+{% endnote %}
+{% endif %}
+
+### About push protection alerts
+
+Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers.
+
+{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %}
+
+{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
+
+{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)."
+
+### About partner alerts
+
+Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
+
+{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
From 4acf7f3fb71460eed3d69e95c7a9b7f21c657d45 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 24 Jul 2024 13:52:48 +0000
Subject: [PATCH 158/275] more edits
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index e39294d2e1..4afa1ba039 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -18,11 +18,11 @@ shortTitle: About alerts

 ## About the different types of {% data variables.product.prodname_secret_scanning %} alerts

-There are three types of {% data variables.product.prodname_secret_scanning %} alerts:
+There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.product.prodname_secret_scanning %} alerts:

 * **{% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When [GitHub] detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository.
-* **Push protection alerts**: When a contributor pushes a supported secret to a repository that has push protection enabled, a push protection alert is generated and displayed in the **Security** tab of the repository.
-* **Partner alerts**: Unlike other alerts, partner alerts are sent directly to the secret providers whenever a secret leak is reported for one of their secrets, as part of {% data variables.product.prodname_secret_scanning %}'s partner program.
+* **Push protection alerts**: When a contributor bypasses push protection to push a secret to the repository that has {% data variables.product.prodname_secret_scanning %} and push protection enabled, an alert is generated and displayed in the **Security** tab of the repository.{% ifversion fpt or ghec %}
+* **Partner alerts**: When [GitHub] detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider if they are part of GitHub's secret scanning partner program. Partner alerts are not displayed in the **Security** tab of the repository.{% endif %}

 ### About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts
 
@@ -31,7 +31,7 @@ There are three types of {% data variables.product.prodname_secret_scanning %} a
 {% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types:

 * High confidence alerts, which relate to supported patterns and specified custom patterns.
-* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys.
+* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}or AI-detected generic secrets{% endif %}.

 {% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/TODO)."

From cd28dbdff94221a4603dc4986d313651504f483d Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 25 Jul 2024 09:56:44 +0000
Subject: [PATCH 159/275] fixing links
---
 .../about-alerts.md | 23 ++++++++++---------
 .../evaluating-alerts.md | 1 +
 .../index.md | 2 +-
 .../monitoring-alerts.md | 1 +
 .../resolving-alerts.md | 1 +
 .../viewing-alerts.md | 1 +
 6 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index 4afa1ba039..0100d00567 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning alerts
-intro: 'Learn about the different types of {% data variables.product.prodname_secret_scanning %} alerts for your repository.'
+intro: 'Learn about the different types of {% data variables.product.prodname_secret_scanning %} alerts.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage secret scanning alerts for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
@@ -14,15 +14,16 @@ topics:
 - Alerts
 - Repositories
 shortTitle: About alerts
+allowTitleToDifferFromFilename: true
 ---

-## About the different types of {% data variables.product.prodname_secret_scanning %} alerts
+## About different types of {% data variables.product.prodname_secret_scanning %} alerts

 There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.product.prodname_secret_scanning %} alerts:

-* **{% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When [GitHub] detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository.
-* **Push protection alerts**: When a contributor bypasses push protection to push a secret to the repository that has {% data variables.product.prodname_secret_scanning %} and push protection enabled, an alert is generated and displayed in the **Security** tab of the repository.{% ifversion fpt or ghec %}
-* **Partner alerts**: When [GitHub] detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider if they are part of GitHub's secret scanning partner program. Partner alerts are not displayed in the **Security** tab of the repository.{% endif %}
+* **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository.
+* **Push protection alerts**: When a contributor bypasses push protection to push a secret to the repository that has {% data variables.product.prodname_secret_scanning %} and push protection enabled, a push protection alert is generated and displayed in the **Security** tab of the repository.{% ifversion fpt or ghec %}
+* **Partner alerts**: When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert.{% endif %}

 ### About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts
 
@@ -33,13 +34,13 @@ There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% d
 * High confidence alerts, which relate to supported patterns and specified custom patterns.
 * Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}or AI-detected generic secrets{% endif %}.

-{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/TODO)."
+{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."

 {% data reusables.secret-scanning.non-provider-patterns-beta %}

 {% endif %}

-You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %}
+You can see these alerts on the **Security** tab of the repository.

 {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
 
@@ -48,7 +49,7 @@ If you use the REST API for secret scanning, you can use the `Secret type` to re
 {% ifversion ghes or ghec %}
 {% note %}

-**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."

 {% endnote %}
 {% endif %}
@@ -57,14 +58,14 @@ If you use the REST API for secret scanning, you can use the `Secret type` to re

 Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers.

-{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %}
+{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %}

 {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}

-{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)."
+{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-limitations)."

 ### About partner alerts

-Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
+Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."

 {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index f9b95cbea1..fad8d98554 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -14,6 +14,7 @@ topics:
 - Alerts
 - Repositories
 shortTitle: Evaluate alerts
+allowTitleToDifferFromFilename: true
 ---

 ## About evaluating alerts
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
index 582c69e084..3c805b6188 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
@@ -1,6 +1,6 @@
 ---
 title: Managing alerts from secret scanning
-intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.'
+intro: 'Learn how to find, evaluate and resolve alerts for secrets checked in to your repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
 - /github/administering-a-repository/managing-alerts-from-secret-scanning
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
index 9884c11164..50214f73ce 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
@@ -13,6 +13,7 @@ topics:
 - Alerts
 - Repositories
 shortTitle: Monitor alerts
+allowTitleToDifferFromFilename: true
 ---

 ## Configuring notifications for {% data variables.secret-scanning.alerts %}
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 5635a4ecbf..98b339df99 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -14,6 +14,7 @@ topics:
 - Alerts
 - Repositories
 shortTitle: Resolve alerts
+allowTitleToDifferFromFilename: true
 ---

 ## Fixing alerts
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index b28d4722c7..c77715f4c5 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -14,6 +14,7 @@ topics:
 - Alerts
 - Repositories
 shortTitle: View alerts
+allowTitleToDifferFromFilename: true
 ---

 ## About the {% data variables.product.prodname_secret_scanning %} alerts page
From 4d9c74dd6ce0a712066704b62263ce38fc7f5a86 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 25 Jul 2024 12:15:38 +0100
Subject: [PATCH 160/275] and more work
---
 .../introduction/about-push-protection.md | 83 ++++++++++++++-----
 .../introduction/about-secret-scanning.md | 77 +++++++++++++++--
 2 files changed, 135 insertions(+), 25 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 2b6ea61119..13082cc567 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -21,27 +21,61 @@ shortTitle: Push protection ## What is push protection -Push protection is a {% data variables.product.prodname_secret_scanning %} feature that checks commits for highly identifiable secrets before these commits are pushed to a repository. +Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %} , which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected. -{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} +Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. + +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced feature are available: + +* Delegated bypass—allows repository administrators or designated users to temporarily bypass the push protection mechanism. This can be useful in situations where a developer needs to push a commit that contains strings or patterns that resemble secrets but are actually safe and necessary for the project.This allows gives users with administrative rights more control about what is committed. 
+* Custom patterns—allows you to define specific patterns or regular expressions that represent the types of secrets unique to your environment or organization. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. {% ifversion secret-scanning-push-protection-for-users %} You can enable push protection: -* At repository/organization level, if you are a repository administrator or an organization owner. -* For your account on {% data variables.product.prodname_dotcom %}, as a user. - -## About push protection for repositories and organizations +* At repository/organization level, if you are a repository administrator or an organization owner. This type of push protection is referred to as "push protection". +* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". {% endif %} -If you are a repository administrator or an organization owner, you can enable push protection at repository/organization level. +## What are the benefits of push protection + +* **Proactive Security**— +Push Protection acts as a front-line defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository. + +* **Immediate Feedback**— +Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. + +* **Reduced Risk of Data Leaks**— +By blocking commits that contain sensitive information, Push Protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. 
+
+* **Efficient Secret Management**—
+Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
+
+* **Integration with CI/CD Pipelines**—
+Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices.
+
+* **Customizable Rules**—
+Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that Push Protection can effectively identify and block even non-standard secrets.
+
+* **Delegated Bypass for Flexibility**—
+For cases where false positives occur or when certain patterns are necessary, the Delegated Bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.
+
+* **Audit and Monitoring**—
+Push Protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability.
+
+* **Collaboration and Education**—
+By frequently reminding developers of secure coding practices, Push Protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility.
+
+## Configuring push protection
+
+To use push protection, you need to have administrative access to the repository or organization you want to configure. Also, your repository or organization should be hosted on {% data variables.product.prodname_dotcom %}.
+
+Enabling and configuring push protection involves a few steps. For more information, see TODO: - link to enabling article.
{% ifversion secret-scanning-push-protection-for-users %} -## About push protection for users - Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." 
@@ -52,9 +86,29 @@ Enabling push protection for your user account means that your pushes are protec For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +## Customizing push protection + +Once push protection is enabled, you can customize it further, if needed: + +### Integration with CI/CD Pipelines + +You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. + +### Handling false positives + +If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. This may also involve adding specific rules or exceptions within your security settings. + +{% ifversion secret-scanning-push-protection-custom-patterns %} + +### Defining custom patterns + +If you have specific patterns or types of secrets that are unique to your environment, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." + +{% endif %} + {% ifversion push-protection-delegated-bypass %} -## Delegated bypass +### Using delegated bypass {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} 
@@ -66,15 +120,6 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co {% endif %} -{% ifversion secret-scanning-push-protection-custom-patterns %} - -## Custom pattern support - -You can define custom patterns to identify secrets that are not detected by the default patterns supported by push protection. For example, you might have a secret pattern that is internal to your organization. {% data reusables.secret-scanning.push-protection-custom-pattern %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." - -{% endif %} - ## Further reading -* TODO: add link to enabling push protection * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 23f25e9ca5..eeeb5fc248 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -22,9 +22,78 @@ shortTitle: Secret scanning ## What is {% data variables.product.prodname_secret_scanning %} -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} +{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. - +For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. + +Below is a typical workflow: + +* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %}automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. + +* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. + +TODO: +* Review Alerts: When a secret is detected, review the alert details provided by GitHub. + +* *Remediation: Take appropriate actions to remediate the exposure. This might include: + * Rotating the affected credential to ensure it is no longer usable. + * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or GitHub's built-in features). +* Audit and Monitor: Regularly audit and monitor your repositories to ensure no other secrets are exposed. 
+ +{% ifversion fpt or ghec %} + +* Integration with partners: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." + +{% endif %} + +## What are the benefits of {% data variables.product.prodname_secret_scanning %} + +* **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors. + +* **Automated detection**—The feature automatically scans your codebase, including commits, issues, and pull requests, ensuring continuous protection without requiring manual intervention. This automation helps in maintaining security even as your repository evolves. + +* **Real-time alerts**—When a secret is detected, {% data variables.product.prodname_secret_scanning %} provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions. + +* **Historical scanning**—{% data variables.product.prodname_secret_scanning_caps %} can be configured to scan the entire commit history of your repository. This retrospective analysis helps in identifying and mitigating risks from previously committed secrets that may have gone unnoticed. + +{% ifversion fpt or ghec %} + +* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. 
When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. + +{% endif %} + +* **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment. + +* **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team. + +* **Remediation guidance**—Along with alerts, {% data variables.product.prodname_dotcom %}provides remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials. + +## Enabling {% data variables.product.prodname_secret_scanning %} + +{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on GitHub. +For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}. + +For more information, see TODO: - link to enabling article. + +## What are the supported secrets + +For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + +{% ifversion ghec or ghes %} + +## Custom patterns + +For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: + +* Tailored Security Detect secrets unique to your applications, APIs, or internal tools. 
+* Increased Coverage Capture additional types of sensitive data that default patterns might miss. +* Prevent Data Leaks Proactively identify and mitigate risks associated with exposed proprietary secrets. + +{% endif %} + +OLD + +{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project. @@ -61,10 +130,6 @@ If your project communicates with an external service, you might use a token or {% endnote %} -## What are the supported secrets - -For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." - {% ifversion fpt or ghec %} ## About {% data variables.secret-scanning.partner_alerts %} From 949e499d188e638cd98029265536c7a5ef94df13 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:23:02 +0000 Subject: [PATCH 161/275] fix links in veiwing alerts --- .../managing-alerts-from-secret-scanning/viewing-alerts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index c77715f4c5..f7f9d3ec9c 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
@@ -41,7 +41,7 @@ In addition, alerts that fall into this category:
 * Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view.
 * Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}.
-For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}."
+For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection){% endif %}."
 {% endif %}
@@ -84,4 +84,4 @@ You can apply various filters to the alerts list to help you find the alerts you
 ## Next steps
-* [AUTOTITLE](/TODO)
+TODO
From 02fe49d571ae9f559d3fa26244c2458ac562c0b0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 25 Jul 2024 15:22:48 +0100
Subject: [PATCH 162/275] more work on secret scanning and push protection articles
---
 .../introduction/about-push-protection.md | 39 ++++-------
 .../about-secret-scanning-for-partners.md | 6 ++
 .../introduction/about-secret-scanning.md | 70 ++++++-------------
 3 files changed, 42 insertions(+), 73 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 13082cc567..490a996840 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
 ---
 title: About push protection
-intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. TODO for users'
+intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 fpt: '*'
@@ -25,10 +25,7 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. -Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced feature are available: - -* Delegated bypass—allows repository administrators or designated users to temporarily bypass the push protection mechanism. This can be useful in situations where a developer needs to push a commit that contains strings or patterns that resemble secrets but are actually safe and necessary for the project.This allows gives users with administrative rights more control about what is committed. -* Custom patterns—allows you to define specific patterns or regular expressions that represent the types of secrets unique to your environment or organization. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available: {% ifversion secret-scanning-push-protection-for-users %} 
@@ -41,32 +38,24 @@ You can enable push protection: ## What are the benefits of push protection -* **Proactive Security**— -Push Protection acts as a front-line defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository. +* **Proactive security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository. -* **Immediate Feedback**— -Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. +* **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. -* **Reduced Risk of Data Leaks**— -By blocking commits that contain sensitive information, Push Protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. +* **Reduced risk of data leaks**—By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. -* **Efficient Secret Management**— -Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. +* **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. 
* **Integration with CI/CD Pipelines**— Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. -* **Customizable Rules**— -Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that Push Protection can effectively identify and block even non-standard secrets. +{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %} -* **Delegated Bypass for Flexibility**— -For cases where false positives occur or when certain patterns are necessary, the Delegated Bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security. +{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**—For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %} -* **Audit and Monitoring**— -Push Protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability. +* **Audit and monitoring**—Push protection maintains logs of all blocked attempts and bypass approvals. These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability. 
-* **Collaboration and Education**— -By frequently reminding developers of secure coding practices, Push Protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility. +* **Collaboration and education**—By frequently reminding developers of secure coding practices, push protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility. ## Configuring push protection @@ -76,7 +65,7 @@ Enabling and configuring push protection involves a few steps. For more informat {% ifversion secret-scanning-push-protection-for-users %} -Every user across {% data variables.product.prodname_dotcom %} can enable push protection for themselves within their individual settings. +Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." 
@@ -102,7 +91,7 @@ If push protection occasionally flags non-sensitive information, you can configu
 ### Defining custom patterns
-If you have specific patterns or types of secrets that are unique to your environment, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
 {% endif %}
@@ -122,4 +111,6 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co
 ## Further reading
-* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %}
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %}
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 610e2ddaa2..966201b428 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -13,6 +13,12 @@ shortTitle: Secret scanning for partners ## About {% data variables.secret-scanning.partner_alerts %} +When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." + +You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. + +## About {% data variables.secret-scanning.partner_alerts %} + {% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. {% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index eeeb5fc248..28a4654766 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -24,6 +24,10 @@ shortTitle: Secret scanning {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. +{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} + +{% data reusables.secret-scanning.what-is-scanned %} + For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. Below is a typical workflow: 
@@ -62,15 +66,19 @@ TODO:
 {% endif %}
+{% ifversion ghec or ghes %}
+
 * **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
+{% endif %}
+
 * **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team.
-* **Remediation guidance**—Along with alerts, {% data variables.product.prodname_dotcom %}provides remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials.
+* **Remediation guidance**—Along with alerts, we provide remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials.
 ## Enabling {% data variables.product.prodname_secret_scanning %}
-{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on GitHub.
+{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}.
 For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}.
 For more information, see TODO: - link to enabling article.
@@ -79,9 +87,19 @@ For more information, see TODO: - link to enabling article.
 For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+## Customizing {% data variables.product.prodname_secret_scanning %}
+
+Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed:
+
+### Detection of non-provider patterns
+
+### eneric secret detection
+
+### Validity checks
+
 {% ifversion ghec or ghes %}
-## Custom patterns
+### Custom patterns
 For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are:
@@ -93,14 +111,6 @@ For advanced users, GitHub allows custom patterns to be added to Secret Scanning
 OLD
-{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
-
-If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.
-
-{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}
-
-{% data reusables.secret-scanning.what-is-scanned %}
-
 {% ifversion fpt or ghec %}
 {% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms:
@@ -118,28 +128,6 @@ If your project communicates with an external service, you might use a token or {% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." -{% ifversion secret-scanning-push-protection-for-users %} - -{% data reusables.secret-scanning.push-protection-for-users %} - -{% endif %} - -{% note %} - -**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} or push protection enabled, these features are not enabled by default on the fork. You can enable {% data variables.product.prodname_secret_scanning %} or push protection on the fork the same way you enable them on a standalone repository. - -{% endnote %} - -{% ifversion fpt or ghec %} - -## About {% data variables.secret-scanning.partner_alerts %} - -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
- -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. - -{% endif %} - ## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} 
@@ -157,22 +145,6 @@ You can also define custom {% data variables.product.prodname_secret_scanning %} {% ifversion secret-scanning-store-tokens %} {% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} -### Accessing {% data variables.secret-scanning.alerts %} - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} - -* {% data variables.product.prodname_dotcom %} sends an email alert to the repository administrators and organization owners. You'll receive an alert if you are watching the repository{% ifversion secret-scanning-notification-settings %}, {% else %}, and {% endif %}if you have enabled notifications either for security alerts or for all the activity on the repository{% ifversion secret-scanning-notification-settings %}, and if, in your notification settings, you have selected to receive email notifications for the repositories that you are watching.{% else %}.{% endif %} -* If the person who introduced the secret isn't ignoring the repository, {% data variables.product.prodname_dotcom %} will also send them an email alert. The email contains a link to the related {% data variables.product.prodname_secret_scanning %} alert. The person who introduced the secret can then view the alert in the repository, and resolve the alert. -* {% data reusables.secret-scanning.repository-alert-location %} - -For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." 
- -{% ifversion secret-scanning-notification-settings %} -For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)." -{% endif %} - -Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." - {% ifversion ghec or ghes %} You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." {% endif %} From 03021332a63f35bd8a342d49490a0b3dad82672b Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 25 Jul 2024 15:50:43 +0100 Subject: [PATCH 163/275] fix failing linter test --- .../introduction/about-push-protection.md | 8 ++--- .../introduction/about-secret-scanning.md | 36 +++++++++++-------- 2 files changed, 25 insertions(+), 19 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 490a996840..f5d332522b 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -46,7 +46,7 @@ You can enable push protection: * **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. -* **Integration with CI/CD Pipelines**— +* **Integration with CI/CD pipelines**— Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. {% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %} 
@@ -65,9 +65,7 @@ Enabling and configuring push protection involves a few steps. For more informat {% ifversion secret-scanning-push-protection-for-users %} -Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. - -Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." +Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." {% endif %} @@ -79,7 +77,7 @@ For information about the secrets and service providers supported by push protec Once push protection is enabled, you can customize it further, if needed: -### Integration with CI/CD Pipelines +### Integration with CI/CD pipelines You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. 
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 28a4654766..75e636bdb9 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -30,19 +30,19 @@ shortTitle: Secret scanning For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. -Below is a typical workflow: +Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: -* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %}automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. +* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. -* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. +* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. -TODO: -* Review Alerts: When a secret is detected, review the alert details provided by GitHub. +* Review Alerts: When a secret is detected, you'll need to review the alert details provided. -* *Remediation: Take appropriate actions to remediate the exposure. 
This might include: +* *Remediation: You then need take appropriate actions to remediate the exposure. This might include: * Rotating the affected credential to ensure it is no longer usable. - * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or GitHub's built-in features). -* Audit and Monitor: Regularly audit and monitor your repositories to ensure no other secrets are exposed. + * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). + +* Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. {% ifversion fpt or ghec %} @@ -62,7 +62,7 @@ TODO: {% ifversion fpt or ghec %} -* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. +* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." {% endif %} 
@@ -91,17 +91,25 @@ For information about the secrets and service providers supported by {% data var Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed: +{% ifversion secret-scanning-non-provider-patterns %} + ### Detection of non-provider patterns -### eneric secret detection +{% endif %} -### Validity checks +{% ifversion secret-scanning-ai-generic-secret-detection %} + +### Generic secret detection + +{% endif %} + +### Performing validity checks {% ifversion ghec or ghes %} -### Custom patterns +### Defining custom patterns -For advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: +You can define advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: * Tailored Security Detect secrets unique to your applications, APIs, or internal tools. * Increased Coverage Capture additional types of sensitive data that default patterns might miss. 
@@ -132,7 +140,7 @@ OLD {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} For more information about the repository content that is scanned, see the [beginning of this article](#about-secret-scanning). +When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. 
{% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." From dac79eeb7e15fadddc423b39cf5922a57adcf960 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 25 Jul 2024 16:56:46 +0100 Subject: [PATCH 164/275] add skeleton --- .../secret-scanning/introduction/about-secret-scanning.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 75e636bdb9..1af3654fd5 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -36,9 +36,9 @@ Below is a typical workflow that explains how {% data variables.product.prodname * Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. -* Review Alerts: When a secret is detected, you'll need to review the alert details provided. +* Review of alerts: When a secret is detected, you'll need to review the alert details provided. -* *Remediation: You then need take appropriate actions to remediate the exposure. This might include: +* Alert remediation: You then need take appropriate actions to remediate the exposure. This might include: * Rotating the affected credential to ensure it is no longer usable. * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). @@ -109,7 +109,8 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c ### Defining custom patterns -You can define advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: +You can scan custom patterns with {% data variables.product.prodname_secret_scanning %} +. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: * Tailored Security Detect secrets unique to your applications, APIs, or internal tools. * Increased Coverage Capture additional types of sensitive data that default patterns might miss. From 523f53267f6fe7acacdf180670cd4fc6b70c528d Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:01:51 +0100 Subject: [PATCH 165/275] fix failing check
---
.../secret-scanning/introduction/about-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 75e636bdb9..7c8440bc7e 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -122,7 +122,7 @@ OLD {% ifversion fpt or ghec %} {% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms: -1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see the "[About {% data variables.secret-scanning.partner_alerts %}](#about-secret-scanning-alerts-for-partners)" section below. +1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: 1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}. {% ifversion fpt %}The following users can enable and configure additional scanning: From 5c2b50dcfe1ee9cc2c7303fc83033752e2fe6e16 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:17:50 +0100 Subject: [PATCH 166/275] start work on non-provider patterns --- .../introduction/about-secret-scanning.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 81a7977a57..81788fb196 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -95,16 +95,35 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c ### Detection of non-provider patterns +Non-provider patterns refer to patterns used to identify secrets that are not specific to any particular service provider. These patterns are general and can apply to a wide range of sensitive data types. Here are a few examples of non-provider patterns: + +* Generic API Keys: Identifiable by common structural attributes like specific lengths or character sets. For example, a string of 32 alphanumeric characters. +* Tokens: Generic patterns used to detect various types of tokens that might be common across different services. +* Private Keys: Patterns identifying sections of code that look like private keys, such as those used in SSH or GPG. + +For more information about + {% endif %} {% ifversion secret-scanning-ai-generic-secret-detection %} ### Generic secret detection +TODO: +or generic secrets detected using AI (such as passwords) + {% endif %} +{% ifversion secret-scanning-validity-check-partner-patterns %} + ### Performing validity checks +{% data reusables.secret-scanning.validity-check-partner-patterns-beta %} + +TODO: + +{% endif %} + {% ifversion ghec or ghes %} ### Defining custom patterns From 995561e3ad47c5b6e727eb793aa17c6e47bd87c7 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 09:13:23 +0100 Subject: [PATCH 167/275] work on advanced secret scanning features --- .../introduction/about-secret-scanning.md | 20 ++++++++++++++----- .../managing-alerts-from-secret-scanning.md | 4 +--- .../secret-scanning/validity-checks-intro.md | 3 +++ 3 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 data/reusables/secret-scanning/validity-checks-intro.md diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 81788fb196..5af2cc1eda 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -97,11 +97,13 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c Non-provider patterns refer to patterns used to identify secrets that are not specific to any particular service provider. These patterns are general and can apply to a wide range of sensitive data types. Here are a few examples of non-provider patterns: -* Generic API Keys: Identifiable by common structural attributes like specific lengths or character sets. For example, a string of 32 alphanumeric characters. +* Generic API Keys: Identifiable by common structural attributes like specific lengths or character sets (for example, a string of 32 alphanumeric characters). * Tokens: Generic patterns used to detect various types of tokens that might be common across different services. * Private Keys: Patterns identifying sections of code that look like private keys, such as those used in SSH or GPG. -For more information about +Non-provider pattern detection is not enabled by default because the feature can potentially generate a high ratio of false positives. + +For more information about non-provider pattern detection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." {% endif %} 
@@ -109,8 +111,11 @@ For more information about ### Generic secret detection -TODO: -or generic secrets detected using AI (such as passwords) +You can also enable generic secret detection to instruct {% data variables.product.prodname_secret_scanning %} to search your codebase for generic secrets. Generic secrets are unstructured secrets, such as passwords. + +{% data variables.product.prodname_secret_scanning_caps %} uses AI to detect unstructured passwords in git content and generate an alert. Alerts for passwords appear in a separated tab from regular {% data variables.product.prodname_secret_scanning %} alerts. + +For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection\about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." {% endif %} @@ -120,7 +125,11 @@ or generic secrets detected using AI (such as passwords) {% data reusables.secret-scanning.validity-check-partner-patterns-beta %} -TODO: +{% data reusables.secret-scanning.validity-checks-intro %} + +You can + +For more information, see TODO: article about validity checks. {% endif %} @@ -128,6 +137,7 @@ TODO: ### Defining custom patterns +TODO: You can scan custom patterns with {% data variables.product.prodname_secret_scanning %} . This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md index e66b2d79c5..c64e43a088 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md 
@@ -97,9 +97,7 @@ There are some additional features that can help you to evaluate alerts in order {% endif %} -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. - -By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. +{% data reusables.secret-scanning.validity-checks-intro %} {% ifversion fpt %} diff --git a/data/reusables/secret-scanning/validity-checks-intro.md b/data/reusables/secret-scanning/validity-checks-intro.md new file mode 100644 index 0000000000..506c7a0dad --- /dev/null +++ b/data/reusables/secret-scanning/validity-checks-intro.md @@ -0,0 +1,3 @@ +Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. + +By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. From f3655843b8ebb0c62c9490de356631de438e4427 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 10:40:54 +0100 Subject: [PATCH 168/275] more work on secret scanning article --- .../introduction/about-secret-scanning.md | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 5af2cc1eda..381e805acd 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -30,6 +30,8 @@ shortTitle: Secret scanning For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." + Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: * Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. 
@@ -119,31 +121,31 @@ For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-adva {% endif %} -{% ifversion secret-scanning-validity-check-partner-patterns %} - ### Performing validity checks {% data reusables.secret-scanning.validity-check-partner-patterns-beta %} {% data reusables.secret-scanning.validity-checks-intro %} -You can +{% ifversion secret-scanning-validity-check-partner-patterns %} -For more information, see TODO: article about validity checks. +Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for supported partner patterns in their repository, organization, or enterprise level code security settings. Wewill automatically check validation for patterns on a cadence by sending the pattern to our relevant partner provider. You can use the validation status on leaked secrets to help prioritize secrets needing remediation action. {% endif %} +For more information, see TODO: article about validity checks. + {% ifversion ghec or ghes %} ### Defining custom patterns -TODO: -You can scan custom patterns with {% data variables.product.prodname_secret_scanning %} -. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are: +You can define custom patterns and ask {% data variables.product.prodname_secret_scanning %} to scan for these user-defined patterns. This is useful if you have unique types of secrets that don’t match default patterns. This tailored security feature allows for increased coverage as custom pattern detection captures additional types of sensitive data that default patterns might miss, and allows for detection of secrets unique to your applications, APIs, or internal tools. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." -* Tailored Security Detect secrets unique to your applications, APIs, or internal tools. -* Increased Coverage Capture additional types of sensitive data that default patterns might miss. -* Prevent Data Leaks Proactively identify and mitigate risks associated with exposed proprietary secrets. +{% ifversion secret-scanning-custom-pattern-ai-generated %} + +You can use AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)." + +{% endif %} {% endif %} 
@@ -164,22 +166,12 @@ OLD {% data reusables.secret-scanning.audit-secret-scanning-events %} -{% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." - ## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. 
{% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} - -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." - If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. 
For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." -{% data reusables.secret-scanning.secret-scanning-user-owned-enablement %} - -You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for a repository, organization, or enterprise. For more information, see "[AUTOTITLE]({% ifversion fpt %}/enterprise-cloud@latest{% endif %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %} - {% ifversion secret-scanning-store-tokens %} {% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} From d25d0cfcbb7bd40964e79b584cb8b39cfd5906b2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 12:57:41 +0100 Subject: [PATCH 169/275] fix link --- .../introduction/about-secret-scanning.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 381e805acd..8f8108cecd 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -32,6 +32,12 @@ For private repositories, {% data variables.product.prodname_secret_scanning %} When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." +{% ifversion ghec or ghes %} +You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." +{% endif %} + +You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." + Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: * Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. 
It looks for patterns and heuristics that match known types of secrets. @@ -117,7 +123,7 @@ You can also enable generic secret detection to instruct {% data variables.produ {% data variables.product.prodname_secret_scanning_caps %} uses AI to detect unstructured passwords in git content and generate an alert. Alerts for passwords appear in a separated tab from regular {% data variables.product.prodname_secret_scanning %} alerts. -For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection\about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." +For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." {% endif %} 
@@ -175,18 +181,8 @@ If you're a repository administrator, you can enable {% data variables.secret-sc {% ifversion secret-scanning-store-tokens %} {% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} -{% ifversion ghec or ghes %} -You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." -{% endif %} - -You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." - ## Further reading * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" * "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" -{%- ifversion fpt or ghec %} -* "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)"{% endif %} -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)" -* "[AUTOTITLE](/actions/security-guides/encrypted-secrets)" From fcbcae22d8c6be67dc8d68853e74c4a82246b8c5 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 26 Jul 2024 12:31:15 +0000
Subject: [PATCH 170/275] working on conceptual info
---
 .../about-alerts.md | 47 ++++++++-----------
 1 file changed, 19 insertions(+), 28 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index 0100d00567..1cb2c7624b 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -17,54 +17,45 @@ shortTitle: About alerts allowTitleToDifferFromFilename: true --- -## About different types of {% data variables.product.prodname_secret_scanning %} alerts +## About types of alerts There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.product.prodname_secret_scanning %} alerts: -* **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. -* **Push protection alerts**: When a contributor bypasses push protection to push a secret to the repository that has {% data variables.product.prodname_secret_scanning %} and push protection enabled, a push protection alert is generated and displayed in the **Security** tab of the repository.{% ifversion fpt or ghec %} -* **Partner alerts**: When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert.{% endif %} +* **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. +* **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. 
{% ifversion fpt or ghec %} +* **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} -### About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts +## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts -{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}. +When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository. {% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types: * High confidence alerts, which relate to supported patterns and specified custom patterns. -* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}or AI-detected generic secrets{% endif %}. 
+* Other alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %} or AI-detected generic secrets{% endif %}. -{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." +{% data variables.product.prodname_dotcom %} displays these "other" alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." {% data reusables.secret-scanning.non-provider-patterns-beta %} {% endif %} -You can see these alerts on the **Security** tab of the repository. +{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} + +## About push protection alerts + +Push protection scans pushes from contributors for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} -If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." +>[!NOTE] +> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, which prevents you from accidentally pushing supported secrets to _any_ public repository. Push protection alerts are _not_ created when you bypass this user-based push protection only. 
Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} +> +> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." -{% ifversion ghes or ghec %} -{% note %} +## About partner alerts -**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." - -{% endnote %} -{% endif %} - -### About push protection alerts - -Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers. - -{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} - -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} - -{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-limitations)." 
- -### About partner alerts +When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert. Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." From a96cfc5ba694aed335cd4ef77db2da4936747ad9 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 14:21:07 +0100 Subject: [PATCH 171/275] getting bored with this work --- .../secret-scanning/introduction/about-secret-scanning.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 8f8108cecd..345e7ef5bc 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -28,7 +28,9 @@ shortTitle: Secret scanning {% data reusables.secret-scanning.what-is-scanned %} -For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection. + {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} + +{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. 
{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." From eaf5934c24ed57b7a939a6b333b531d5c7b0fb50 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 14:25:26 +0100 Subject: [PATCH 172/275] first commit --- .../introduction/about-secret-scanning-for-partners.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 966201b428..ec06e4d9b5 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
@@ -11,6 +11,8 @@ topics: shortTitle: Secret scanning for partners --- +TODO: + ## About {% data variables.secret-scanning.partner_alerts %} When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." From 464e39cda29c0ba6cda750e310a8d923dddc24e5 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 26 Jul 2024 14:53:33 +0000 Subject: [PATCH 173/275] more edits to map topic --- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- .../managing-alerts-from-secret-scanning/evaluating-alerts.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 1cb2c7624b..20391928f9 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -44,7 +44,7 @@ When {% data variables.product.company_short %} detects a supported secret in a ## About push protection alerts -Push protection scans pushes from contributors for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. +Push protection scans pushes for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. To see all push protection alerts for a repository, you must filter by `bypassed: true` on the alerts page. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts#filtering-alerts)." {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index fad8d98554..679d665606 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md 
@@ -1,6 +1,6 @@ --- title: Evaluating alerts from secret scanning -intro: 'You can view alerts for secrets checked in to your repository and you can use filters to help you prioritize alerts.' +intro: 'There are some additional features that can help you evaluate alerts and prioritize their remediation, such as checking the secret''s validity.' permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' versions: @@ -22,7 +22,7 @@ allowTitleToDifferFromFilename: true There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: * Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} +* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} * Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} ## Checking a secret's validity 
From 363265f87c65554018a350ad59f02b8c80f936a0 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 16:40:17 +0100
Subject: [PATCH 174/275] write new article
---
 .../about-secret-scanning-for-partners.md | 30 ++++++++-----------
 1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index ec06e4d9b5..6abb34d4b0 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning for partners
-intro: 'TODO'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when partner secrets are found in codebases. This allows partners to promtply take action to secure their systems.'
 versions:
   fpt: '*'
   ghec: '*'
@@ -11,27 +11,23 @@ topics: shortTitle: Secret scanning for partners --- -TODO: - ## About {% data variables.secret-scanning.partner_alerts %} -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. +> [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. 
-## About {% data variables.secret-scanning.partner_alerts %} +The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure prompt. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}. -{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. - -{% data variables.product.prodname_secret_scanning %} generates partner alerts when it detects secrets from providers who joined our partnership program. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." - -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. - -Partner alerts are not displayed on {% data variables.product.prodname_dotcom %}. Instead, partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets. - -For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. 
If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +## What are the supported secrets -TODO: apply scannability techniques +For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + +## Further reading + +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" +* "[AUTOTITLE](/ccode-security/secret-scanning/introduction/supported-secret-scanning-patterns)" +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" +* TODO: add link to "About alerts" article From 055b1179498358cd7158ec01174a93231fea0d99 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 26 Jul 2024 16:47:50 +0100 Subject: [PATCH 175/275] fix typo --- .../introduction/about-secret-scanning-for-partners.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 6abb34d4b0..35dc111201 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
@@ -28,6 +28,6 @@ For information about the secrets and service providers supported by push protec
 ## Further reading
 * "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"
-* "[AUTOTITLE](/ccode-security/secret-scanning/introduction/supported-secret-scanning-patterns)"
+* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)"
 * "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
 * TODO: add link to "About alerts" article
From 45833a029757880bc61fcbae061e3cab2ca1394d Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 16:59:25 +0100
Subject: [PATCH 176/275] improve
---
 .../introduction/about-secret-scanning-for-partners.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index 35dc111201..ea592ecb19 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning for partners
-intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when partner secrets are found in codebases. This allows partners to promtply take action to secure their systems.'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when any of the partner secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promtply take action to secure their systems.'
 versions:
 fpt: '*'
 ghec: '*'
@@ -17,7 +17,7 @@ shortTitle: Secret scanning for partners
 > [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure prompt. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
+The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure promptly. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
 {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
From 4b7cf61c37960a3b86747806d2a186e44a7e5194 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 17:01:27 +0100
Subject: [PATCH 177/275] add TODO
---
 .../secret-scanning/introduction/about-secret-scanning.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 345e7ef5bc..f622344df2 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -30,6 +30,8 @@ shortTitle: Secret scanning
 {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}
+TODO: mention alerts somewhere in this article, not necessarily here, and make the distinction between partner alerts and regular alerts.
+
 {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}.
 When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert.
{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}."
From e45fe55e489258a6d1661a0a162b3e7a747351f6 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 26 Jul 2024 17:02:06 +0100
Subject: [PATCH 178/275] add another TODO
---
 .../secret-scanning/introduction/about-secret-scanning.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index f622344df2..be6e5b2412 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -190,3 +190,4 @@ If you're a repository administrator, you can enable {% data variables.secret-sc
 * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)"
 * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)"
 * "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)"
+TODO: review links
From 725be04a34a61b5c531e44f75c506e1640e1f136 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 29 Jul 2024 08:43:19 +0100
Subject: [PATCH 179/275] address review comments
---
 .../introduction/about-secret-scanning-for-partners.md | 4 ++--
 data/reusables/secret-scanning/partner-program-link.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index ea592ecb19..dc13a08885 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -13,11 +13,11 @@ shortTitle: Secret scanning for partners
 ## About {% data variables.secret-scanning.partner_alerts %}
-{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
+{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. {% data reusables.secret-scanning.partner-program-link %}
 > [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
-The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this way of proceeding helps ensure that secrets are not inadvertently exposed in public or private repositories. This workflow allows partner organizations to address the exposure promptly. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
+The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this helps ensure that secrets are not inadvertently exposed in public or private repositories. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
 {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
diff --git a/data/reusables/secret-scanning/partner-program-link.md b/data/reusables/secret-scanning/partner-program-link.md
index b91d576170..4d358da42e 100644
--- a/data/reusables/secret-scanning/partner-program-link.md
+++ b/data/reusables/secret-scanning/partner-program-link.md
@@ -1,5 +1,5 @@
 {% ifversion fpt or ghec %}
-To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partner-program)."
+To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
 {% else %}
-To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
+To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
 {% endif %}
From 97fb82ebd6a95e8e14702e32f2ef02e5f1283013 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 29 Jul 2024 08:47:35 +0100
Subject: [PATCH 180/275] Update content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
---
 .../introduction/about-secret-scanning-for-partners.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index ea592ecb19..1945861321 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning for partners
-intro: '{% data variables.product.prodname_secret_scanning_caps %} sends directly alerts to partners when any of the partner secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promtply take action to secure their systems.'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner's secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.'
 versions:
 fpt: '*'
 ghec: '*'
From 85caff80c54fe408f61d423183962a64ec9e0d80 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Mon, 29 Jul 2024 08:51:37 +0100
Subject: [PATCH 181/275] fix frontmatter issue
---
 .../introduction/about-secret-scanning-for-partners.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index fcaa95687c..10fbdb9873 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning for partners
-intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner's secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.'
+intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner''s secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.'
 versions:
 fpt: '*'
 ghec: '*'
From 074e8b58386e72351cbf05b69d010e721b022406 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Tue, 30 Jul 2024 08:40:48 +0100
Subject: [PATCH 182/275] fix stupid error
---
 .../introduction/about-secret-scanning.md | 65 ++++++++++---------
 1 file changed, 33 insertions(+), 32 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index be6e5b2412..4cb4a7161a 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -24,23 +24,25 @@ shortTitle: Secret scanning {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. -{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} +{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} + +{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} - {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} 
is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on {% data variables.product.prodname_dotcom_the_website %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. -TODO: mention alerts somewhere in this article, not necessarily here, and make the distinction between partner alerts and regular alerts. +{% ifversion fpt or ghec %} Additionally, we automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages. This is a partnership program that Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning{% endif %}{% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. -{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. 
The feature is not available on user-owned repositories{% endif %}. - -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." +You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." {% ifversion ghec or ghes %} -You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." +You can also use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." 
{% endif %} -You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." +{% data reusables.secret-scanning.audit-secret-scanning-events %} + +## How {% data variables.product.prodname_secret_scanning %} works Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: @@ -51,8 +53,8 @@ Below is a typical workflow that explains how {% data variables.product.prodname * Review of alerts: When a secret is detected, you'll need to review the alert details provided. * Alert remediation: You then need take appropriate actions to remediate the exposure. This might include: - * Rotating the affected credential to ensure it is no longer usable. - * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). + *Rotating the affected credential to ensure it is no longer usable. + *Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). * Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. 
@@ -88,17 +90,28 @@ Below is a typical workflow that explains how {% data variables.product.prodname * **Remediation guidance**—Along with alerts, we provide remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials. +## What are the supported secrets + +For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + ## Enabling {% data variables.product.prodname_secret_scanning %} +{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. + {% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}. For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}. 
+{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} + +If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." + +{% ifversion fpt %}The following users can enable and configure additional scanning: + *Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own. + *Organizations owning _public_ repositories, on any of these repositories. 
+ *Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %} + For more information, see TODO: - link to enabling article. -## What are the supported secrets - -For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." - ## Customizing {% data variables.product.prodname_secret_scanning %} Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed: 
@@ -162,32 +175,20 @@ You can use AI to generate regular expressions that will capture all your custom OLD {% ifversion fpt or ghec %} -{% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms: -1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: +1. **{% data variables.secret-scanning.partner_alerts_caps %}** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: -1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}. - {% ifversion fpt %}The following users can enable and configure additional scanning: - * Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own. - * Organizations owning _public_ repositories, on any of these repositories. 
- * Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %} +Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %} - Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. 
For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %} - -{% data reusables.secret-scanning.audit-secret-scanning-events %} - -## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} - -{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} - -If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. 
For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." +About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} {% ifversion secret-scanning-store-tokens %} {% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} ## Further reading +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection) +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection) +* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" -* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" -TODO: review links From ce5ac0daacbb2562a2486629f0d7f943477f366a Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 30 Jul 2024 10:56:39 +0000 Subject: [PATCH 183/275] more edits --- ...ing-push-protection-for-your-repository.md | 26 +++++++++++++++++-- ...ing-secret-scanning-for-your-repository.md | 7 +++-- .../code-security/secret-scanning/index.md | 1 + .../secret-scanning-custom-link-on-block.yml | 2 +- 4 files changed, 29 insertions(+), 7 deletions(-) 
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index cd48da8e7f..312c4f74a0 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -19,12 +19,34 @@ redirect_from: ## About enabling push protection -TODO +To enable push protection for a repository, you must first enable {% data variables.product.prodname_secret_scanning %}. You can then enable push protection in the repository's "Code security and analysis" settings page following the steps outlined in this article. -## Enabling push protection +{% ifversion secret-scanning-push-protection-for-users %} + +You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on [GitHub]. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." + +{% endif %} + +If you're an organization owner, you can enable push protection for multiple repositories at a time{% ifversion security-configurations-ga %} using a security configuration{% endif %}. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization){% endif %}." + +Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. + +{% ifversion secret-scanning-enterprise-level %} + +>[!NOTE] +> If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. 
For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." + +{% endif %} + +## Enabling push protection for a repository {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-code-security-and-analysis %} {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} + +## Further reading + +* "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)" +* "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 4627dd805f..56c4c04cf1 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md 
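Review bot: In the added paragraph about enabling push protection for a personal account, the product name is written as the literal `[GitHub]`, which Markdown renders with its square brackets because no link target is defined for it. It looks like a leftover placeholder. Other articles in this series write the name as `{% data variables.product.prodname_dotcom %}`, so the sentence should probably end `to _any_ public repository on {% data variables.product.prodname_dotcom %}.` The paragraph sits inside `{% ifversion secret-scanning-push-protection-for-users %}`, so the slip only shows on versions where that feature is enabled and is easy to miss in a preview of another version.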
@@ -18,14 +18,13 @@ topics: You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see "[AUTOTITLE](/code-security/getting-started/securing-your-organization)." +You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/getting-started/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." {% ifversion secret-scanning-enterprise-level %} -{% note %} -**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." 
+>[!NOTE] +> If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." -{% endnote %} {% endif %} A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index ca46b445c5..2a0fe5813b 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md @@ -16,6 +16,7 @@ topics: - Repositories children: - /introduction + - /enabling-secret-scanning-features - /about-secret-scanning - /configuring-secret-scanning-for-your-repositories - /managing-alerts-from-secret-scanning diff --git a/data/features/secret-scanning-custom-link-on-block.yml b/data/features/secret-scanning-custom-link-on-block.yml index 7f0a595d72..323d4f9496 100644 --- a/data/features/secret-scanning-custom-link-on-block.yml +++ b/data/features/secret-scanning-custom-link-on-block.yml @@ -1,5 +1,5 @@ # Reference: #8384. -# Documentation for secret scanning: custom link on block. +# Documentation for secret scanning: on block. versions: ghec: '*' ghes: '>=3.8' From 141b78276bd801ec2deea4c44e99298c094ddd1a Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 12:15:16 +0100 Subject: [PATCH 184/275] fix failing check --- .../introduction/supported-secret-scanning-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
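Review bot: The rewritten "You can also enable ... for multiple repositories" line in `enabling-secret-scanning-for-your-repository.md` closes its quotation twice in the `{% else %}` branch. That branch ends with `...#enabling-security-features-in-your-organization)"` and the text after `{% endif %}` is `."`, so it renders as `"…"."`, while the `security-configurations-ga` branch renders correctly. Dropping the quote before `{% endif %}` makes both branches match the form this commit uses in the push protection article: `...in-your-organization){% endif %}."`. The later hunks on this file in PATCH 186/275 and PATCH 187/275 carry the same line forward with the extra quote.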
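Review bot: The comment change in `data/features/secret-scanning-custom-link-on-block.yml` leaves `# Documentation for secret scanning: on block.`, which no longer names the feature this flag gates. Nothing else in the commit touches custom links, so dropping "custom link" looks unintended, perhaps the result of an editor-wide replace. The line should stay `# Documentation for secret scanning: custom link on block.` so the comment matches the file name. The `versions:` block below it is unchanged.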
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index cfca6c8282..9f280300e1 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -60,7 +60,7 @@ Partner alerts are alerts that are sent to the secret providers whenever a secre {% endif %} -You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %} +You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see TODO: About secret scanning alerts for users{% endif %} {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} From 406706c8f6b3fa49536c42f7d7d93f3675e9b3e2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 12:26:32 +0100 Subject: [PATCH 185/275] fix failing check --- .../secret-scanning/introduction/about-secret-scanning.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 4cb4a7161a..3c0e3fe5e3 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -146,8 +146,6 @@ For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-adva ### Performing validity checks -{% data reusables.secret-scanning.validity-check-partner-patterns-beta %} - {% data reusables.secret-scanning.validity-checks-intro %} {% ifversion secret-scanning-validity-check-partner-patterns %} @@ -178,7 +176,7 @@ OLD 1. **{% data variables.secret-scanning.partner_alerts_caps %}** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: -Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %} +Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see TODO: the About secret scanning for users section below.{% endif %} About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} From bb246e681d8b6890c0973e206ff5f4b2fd9fe676 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 30 Jul 2024 11:29:40 +0000 Subject: [PATCH 186/275] more edits --- .../enabling-secret-scanning-for-your-repository.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 56c4c04cf1..5fafa7358d 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md 
@@ -18,7 +18,7 @@ topics: You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/getting-started/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." +You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." {% ifversion secret-scanning-enterprise-level %} From 9d383d7348e0b792fe25570ee9c51e61639fb154 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 30 Jul 2024 11:48:08 +0000 Subject: [PATCH 187/275] more edits --- .../enabling-push-protection-for-your-repository.md | 3 +-- .../enabling-secret-scanning-for-your-repository.md | 9 ++++----- .../enabling-validity-checks-for-your-repository.md | 2 +- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md index 312c4f74a0..c829b5e628 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md @@ -33,8 +33,7 @@ Organization owners, security managers, and repository administrators can also e {% ifversion secret-scanning-enterprise-level %} ->[!NOTE] -> If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." {% endif %} 
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 5fafa7358d..9a3a297192 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -1,7 +1,7 @@ --- title: Enabling secret scanning for your repository shortTitle: Enable secret scanning -intro: '{% data variables.product.prodname_secret_scanning %} scans your repositories for leaked secrets and generates alerts.' +intro: '{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for leaked secrets and generates alerts.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' 
@@ -16,14 +16,13 @@ topics: ## About enabling {% data variables.secret-scanning.user_alerts %} -You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} +You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." +If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at the same time{% ifversion security-configurations-ga %} using a security configuration{% endif %}. 
For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." {% ifversion secret-scanning-enterprise-level %} ->[!NOTE] -> If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." +If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." {% endif %} diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index 913d275990..3f4c5375db 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md 
@@ -23,7 +23,7 @@ You can also filter by validation status on the alerts page, to help you priorit > [!NOTE] > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. -For more information on using validity checks, see "[AUTOTITLE](/TODO)." +For more information on using validity checks, see "TODO." ## Enabling validity checks From a8ef9d9c6df186433223c87f5bafeafcf1d6bb96 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 12:50:29 +0100 Subject: [PATCH 188/275] more work on partner patterns --- .../introduction/about-secret-scanning.md | 20 +++++++------------ 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 3c0e3fe5e3..a10ca50046 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -24,15 +24,15 @@ shortTitle: Secret scanning {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. -{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} - -{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} +{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} {% data 
reusables.secret-scanning.what-is-scanned %} -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on {% data variables.product.prodname_dotcom_the_website %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories in {% data variables.product.prodname_dotcom_the_website %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. -{% ifversion fpt or ghec %} Additionally, we automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages. This is a partnership program that Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning{% endif %}{% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. +{% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %} + +Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. 
For more information, see TODO: link to about secret scanning for partner alerts.{% endif %} You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." @@ -53,8 +53,8 @@ Below is a typical workflow that explains how {% data variables.product.prodname * Review of alerts: When a secret is detected, you'll need to review the alert details provided. * Alert remediation: You then need take appropriate actions to remediate the exposure. This might include: - *Rotating the affected credential to ensure it is no longer usable. - *Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). + * Rotating the affected credential to ensure it is no longer usable. + * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). * Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. 
@@ -172,12 +172,6 @@ You can use AI to generate regular expressions that will capture all your custom OLD -{% ifversion fpt or ghec %} - -1. **{% data variables.secret-scanning.partner_alerts_caps %}** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO: - -Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see TODO: the About secret scanning for users section below.{% endif %} - About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} {% ifversion secret-scanning-store-tokens %} From e1a66f145410b05a598ac74aa9364257aaeb0f9f Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 30 Jul 2024 14:23:48 +0100 Subject: [PATCH 189/275] more work on secret scanning conceptual article --- .../introduction/about-secret-scanning.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index a10ca50046..cfabf3fa73 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -28,7 +28,7 @@ shortTitle: Secret scanning {% data reusables.secret-scanning.what-is-scanned %} -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories in {% data variables.product.prodname_dotcom_the_website %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts. {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %} 
@@ -46,21 +46,21 @@ You can also use security overview to see an organization-level view of which re Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works: -* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. +* **Detection of secrets**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. -* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. +* **Alerts and notifications**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. -* Review of alerts: When a secret is detected, you'll need to review the alert details provided. +* **Review of alerts**: When a secret is detected, you'll need to review the alert details provided. -* Alert remediation: You then need take appropriate actions to remediate the exposure. This might include: +* **Alert remediation**: You then need take appropriate actions to remediate the exposure. 
This might include: * Rotating the affected credential to ensure it is no longer usable. * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features). -* Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. +* **Audit and monitor**: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed. {% ifversion fpt or ghec %} -* Integration with partners: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +* **Integration with partners**: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." {% endif %} 
@@ -96,6 +96,8 @@ For information about the secrets and service providers supported by {% data var ## Enabling {% data variables.product.prodname_secret_scanning %} +TODO: PLEASE DO NOT REVIEW THIS SECTION AS I WANT TO MAKE IT CONCISE AND SEE WHAT IS IN THE ENABLING ARTICLE(S) + {% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}. From 5694af7a208d18441f590d046754d8ccfc65fd62 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:28:12 +0000 Subject: [PATCH 190/275] add redirects, delete old article --- ...g-secret-scanning-for-your-repositories.md | 131 ------------------ ...ing-secret-scanning-for-your-repository.md | 4 + 2 files changed, 4 insertions(+), 131 deletions(-) delete mode 100644 content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md deleted file mode 100644 index 642b570f40..0000000000 
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ /dev/null
@@ -1,131 +0,0 @@ ---- -title: Configuring secret scanning for your repositories -intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans your repositories for leaked secrets and generates alerts.' -product: '{% data reusables.gated-features.secret-scanning %}' -permissions: 'People with admin permissions to a {% ifversion fpt %}public {% endif %}repository can enable {% data variables.product.prodname_secret_scanning %} for the repository.' -redirect_from: - - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories - - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories - - /code-security/secret-security/configuring-secret-scanning-for-your-repositories -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Repositories -shortTitle: Configure secret scans ---- - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - -## Enabling {% data variables.secret-scanning.user_alerts %} - -You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} - -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. 
For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization)."{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)."{% endif %} - -{% ifversion secret-scanning-enterprise-level %} -{% note %} - -**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." - -{% endnote %} -{% endif %} - -A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes %} -1. If {% data variables.product.prodname_advanced_security %} is not already enabled for the repository, to the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**. -1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**. -1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. 
If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled. - - ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %} -1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository. - - ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %} - -## Enabling additional features for {% data variables.secret-scanning.user_alerts %} - -You can enable the following additional {% data variables.product.prodname_secret_scanning %} feature{% ifversion ghec or ghes %}s{% endif %} through your repository's "Code security and analysis" settings: -* **Push protection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* **Validity checks for partner patterns**. For more infomation, see "[Enabling validity checks for partner patterns](#enabling-validity-checks-for-partner-patterns)."{% endif %}{% ifversion secret-scanning-non-provider-patterns %} -* **Scanning for non-provider patterns**. 
For more information, see "[Enabling scanning for non-provider patterns](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%} -* **AI-powered generic secret detection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection)."{% endif %}{% ifversion secret-scanning-push-protection-custom-patterns %} -* **Scanning for custom patterns**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Enabling validity checks for partner patterns - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)." - -{% note %} - -**Note:** When you enable automatic validity checks for a repository, you also allow on-demand validity checks to be performed for patterns detected in that repository. - -{% endnote %} - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.secret-scanning.validity-check-auto-enable %} - -You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." 
Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." - -{% endif %} - -{% ifversion secret-scanning-non-provider-patterns %} - -### Enabling scanning for non-provider patterns - -{% data reusables.secret-scanning.non-provider-patterns-beta %} - -You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". - -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." 
- -{% endif %} - -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories - -You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. -{% note %} - -**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". - -{% endnote %} - -{% data reusables.user-settings.access_settings %} -{% data reusables.user-settings.security-analysis %} -1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. -{% data reusables.secret-scanning.push-protection-optional-enable %} - -{% endif %} - -## Excluding directories from {% data variables.secret-scanning.user_alerts %} - -You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)." - -You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." - -{% ifversion not fpt %} - -## Further reading - -* "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)" -* "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)" -{% endif %} diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 9a3a297192..85b6dd795b 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -12,6 +12,10 @@ topics: - Secret scanning - Advanced Security - Alerts +redirect_from: + - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories + - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories + - /code-security/secret-security/configuring-secret-scanning-for-your-repositories --- ## About enabling {% data variables.secret-scanning.user_alerts %} From 8ea8bfa01e77815f605a735ef249e6417db551c3 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Wed, 31 Jul 2024 11:20:30 +0000 Subject: [PATCH 191/275] removing deleted article from index frontmatter --- content/code-security/secret-scanning/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/code-security/secret-scanning/index.md b/content/code-security/secret-scanning/index.md index 2a0fe5813b..f08832bf03 100644 --- a/content/code-security/secret-scanning/index.md +++ b/content/code-security/secret-scanning/index.md 
@@ -18,7 +18,6 @@ children:
 - /introduction
 - /enabling-secret-scanning-features
 - /about-secret-scanning
- - /configuring-secret-scanning-for-your-repositories
 - /managing-alerts-from-secret-scanning
 - /secret-scanning-patterns
 - /push-protection-for-repositories-and-organizations
From 825a24533ab07a6d9f80f20ae93faac810e79f72 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 31 Jul 2024 12:09:23 +0000
Subject: [PATCH 192/275] fix redirect duplication
---
 .../enabling-secret-scanning-for-your-repository.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
index 85b6dd795b..8d16cdf243 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -15,7 +15,6 @@ topics:
 redirect_from:
 - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
 - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
- - /code-security/secret-security/configuring-secret-scanning-for-your-repositories
 ---
 ## About enabling {% data variables.secret-scanning.user_alerts %}
From 9e9497f5801da5191ad3023b5912531895d2e117 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 31 Jul 2024 12:27:08 +0000
Subject: [PATCH 193/275] run script to fix test
---
 data/learning-tracks/code-security.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index eaf1d1d530..db3a1ed979 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -113,8 +113,7 @@ secret_scanning:
 passwords, and other secrets to your repository.
 guides:
 - /code-security/secret-scanning/about-secret-scanning
- - >-
- /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
+ - /code-security/secret-scanning/enabling-secret-scanning-features
 - >-
 /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning
 - >-
@@ -129,7 +128,8 @@ secret_scanning:
 endif %}
 - >-
 {% ifversion secret-scanning-push-protection-for-users
- %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users{% endif %}
+ %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users{%
+ endif %}
 - >-
 {% ifversion secret-scanning-push-protection
 %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line{%
@@ -138,7 +138,8 @@ secret_scanning:
 {% ifversion secret-scanning-push-protection
 %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui{%
 endif %}
- - /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning
+ - >-
+ /code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning
 security_alerts:
 title: Explore and manage security alerts
 description: Learn where to find and resolve security alerts.
From 9d9c0d96d7e277729c561269b82f7745ad8700a6 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 31 Jul 2024 13:49:49 +0000
Subject: [PATCH 194/275] trying to fix redirect errors
---
 .../enabling-push-protection-for-your-repository.md | 3 ---
 .../enabling-secret-scanning-for-your-repository.md | 3 ---
 .../secret-scanning/enabling-secret-scanning-features/index.md | 2 ++
 3 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index c829b5e628..efbd2647c5 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -12,9 +12,6 @@ topics:
 - Secret scanning
 - Advanced Security
 - Alerts
-redirect_from:
- - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
- - /code-security/secret-scanning/protecting-pushes-with-secret-scanning
 ---
 ## About enabling push protection
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
index 8d16cdf243..9a3a297192 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -12,9 +12,6 @@ topics:
 - Secret scanning
 - Advanced Security
 - Alerts
-redirect_from:
- - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
- - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
 ---
 ## About enabling {% data variables.secret-scanning.user_alerts %}
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index 203755a35b..d55126629f 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -17,6 +17,8 @@ children:
 - /enabling-push-protection-for-your-repository
 - /enabling-validity-checks-for-your-repository
 redirect_from:
+ - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
+ - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
 - /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
 - /code-security/secret-scanning/push-protection-for-repositories-and-organizations
 ---
From 7ca9a7b602c71c459c634b139dea66c1f4057b3a Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 31 Jul 2024 13:58:08 +0000
Subject: [PATCH 195/275] removing redirect to try and fix failing test
---
 .../secret-scanning/enabling-secret-scanning-features/index.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index d55126629f..f296220c5e 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -20,5 +20,4 @@ redirect_from:
 - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
 - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
 - /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
- - /code-security/secret-scanning/push-protection-for-repositories-and-organizations
 ---
From 3ef11bb923aecf05141cc337a055759512fc4994 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 08:17:42 +0100
Subject: [PATCH 196/275] linter errors
---
 content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md b/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md
index 18d74fc9c9..10a885f05a 100644
--- a/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md
+++ b/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md
@@ -23,7 +23,7 @@ These {% data variables.product.prodname_oauth_apps %} are :
 * GitHub Codespaces for JetBrains
 * GitHub Desktop
 * GitHub Education
-* github-importer-production
+* Github-importer-production
 * GitHub iOS
 * GitHub Support
 * JetBrains IDE Integration
From dd36012633c037966b4bbfd3e3ad4294d4677848 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 07:42:33 +0000
Subject: [PATCH 197/275] delete old article
---
 .../managing-alerts-from-secret-scanning.md | 230 ------------------
 1 file changed, 230 deletions(-)
 delete mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
deleted file mode 100644
index 4520fef86c..0000000000
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
+++ /dev/null
@@ -1,230 +0,0 @@ ---- -title: Managing alerts from secret scanning -intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view and dismiss secret scanning alerts for the repository.' -product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /github/administering-a-repository/managing-alerts-from-secret-scanning - - /code-security/secret-security/managing-alerts-from-secret-scanning -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Manage secret alerts ---- -## About the {% data variables.product.prodname_secret_scanning %} alerts page - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} - -{% ifversion secret-scanning-non-provider-patterns %} -To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists: -* **High confidence** alerts. -* **Other** alerts. - -![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png) - -### High confidence alerts list - -The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page. - -### Other alerts list - -The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives. 
- -In addition, alerts that fall into this category: -* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts). -* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. -* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. - -For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." - -{% endif %} - -## Viewing alerts - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %} -1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %} -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. 
- {% ifversion secret-scanning-user-owned-repos %} - - > [!NOTE] - > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} - - {% endif %} - -## Filtering alerts - -You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar. - -|Qualifier|Description| -|---------|-----------| -|`is:open`|Displays open alerts.| -|`is:closed`|Displays closed alerts.| -| {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| -| {% endif %} | -|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."| -|`validity:inactive`| Displays alerts for secrets that are no longer active.| -|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| -| {% ifversion secret-scanning-non-provider-patterns %} | -|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. 
For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| -| {% endif %} | - -## Evaluating alerts - -There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: - -* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} -* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} - -### Checking a secret's validity - -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. 
An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
-
-By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view.
-
-{% ifversion fpt %}
-
-Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
-
-{% endif %}
-
-{% ifversion secret-scanning-validity-check-partner-patterns %}
-
-You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.
-
-{% data variables.product.company_short %} displays the validation status of the secret in the alert view.
-
-{% endif %}
-
-{% data reusables.secret-scanning.validity-check-table %}
-
-{% ifversion secret-scanning-validity-check-partner-patterns %}
-
-{% data reusables.gated-features.partner-pattern-validity-check-ghas %}
-
-For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)."
-
-{% endif %}
-
-You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)."
-
-{% ifversion secret-scanning-validity-check-partner-patterns %}
-
-### Performing an on-demand validity check
-
-Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view.
-
-![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert.
A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png)
-
-{% endif %}
-
-{% ifversion secret-scanning-github-token-metadata %}
-
-### Reviewing {% data variables.product.company_short %} token metadata
-
-> [!NOTE]
-> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change.
-
-In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.
-
-Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies).
-
- ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png)
-
- Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available.
The following metadata is available for active {% data variables.product.company_short %} tokens:
-
-|Metadata|Description|
-|-------------------------|--------------------------------------------------------------------------------|
-|Secret name| The name given to the {% data variables.product.company_short %} token by its creator|
-|Secret owner| The {% data variables.product.company_short %} handle of the token's owner|
-|Created on| Date the token was created|
-|Expired on| Date the token expired|
-|Last used on| Date the token was last used|
-|Access| Whether the token has organization access|
-
-{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %}
-
-{% endif %}
-
-## Fixing alerts
-
-Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
-
-* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
-{%- ifversion token-audit-log %}
- * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources.
For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
-{%- endif %}
-* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.
-
-{% ifversion fpt or ghec %}
-
-> [!NOTE]
-> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
-
-{% endif %}
-
-## Closing alerts
-
-> [!NOTE]
->{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}.
-
-{% data reusables.repositories.navigate-to-repo %}
-{% data reusables.repositories.sidebar-security %}
-1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
-1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.
-1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert.
-
- ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png)
-
-1. Optionally, in the "Comment" field, add a dismissal comment.
The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation.
-1. Click **Close alert**.
-
-## Configuring notifications for {% data variables.secret-scanning.alerts %}
-
-Notifications are different for incremental scans and historical scans.
-
-### Incremental scans
-
-{% data reusables.secret-scanning.secret-scanning-configure-notifications %}
-
-{% data reusables.repositories.navigate-to-repo %}
-1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**.
-
- ![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png)
-
-1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**.
-1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications).
-1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown.
-1. Select "Email" as a notification option, then click **Save**.
-
- ![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown.
A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png)
-
-{% data reusables.notifications.watch-settings %}
-
-### Historical scans
-
-For historical scans, {% data variables.product.product_name %} notifies the following users:
-
-* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found.
-* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences.
-
-We do _not_ notify commit authors.
-
-{% data reusables.notifications.watch-settings %}
-
-## Auditing responses to secret scanning alerts
-
-{% data reusables.secret-scanning.audit-secret-scanning-events %}
From f75e710aba252b1a61b5b42b122c9d0bfd032fc9 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 08:00:24 +0000
Subject: [PATCH 198/275] removing leftover beta note
---
 .../evaluating-alerts.md | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index 679d665606..6849593be1 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -27,15 +27,9 @@ There are some additional features that can help you to evaluate alerts in order
 ## Checking a secret's validity
-{% ifversion secret-scanning-validity-check-partner-patterns %}
-
-{% data reusables.secret-scanning.validity-check-partner-patterns-beta %}
-
-{% endif %}
-
 Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
-By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view.
+By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validation status of the token in the alert view.
 {% ifversion fpt %}
From 59b5347151e6cd2316ab92fa5b30acced38f0f7b Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 10:52:02 +0100
Subject: [PATCH 199/275] Update content/code-security/secret-scanning/introduction/about-secret-scanning.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../secret-scanning/introduction/about-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index cfabf3fa73..1575cdc754 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -28,7 +28,7 @@ shortTitle: Secret scanning
 {% data reusables.secret-scanning.what-is-scanned %}
-When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and manage (fix or dismiss) them. For more information, see TODO: link to Managing alerts.
+When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see TODO: link to Managing alerts.
 {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %}
From 0f5daa397fa98b54713c549cb6ce54783ae349ed Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 11:03:51 +0100
Subject: [PATCH 200/275] start addressing comments
---
 .../introduction/about-secret-scanning.md | 35 +++++--------------
 1 file changed, 8 insertions(+), 27 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 1575cdc754..9700f6fcd2 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -20,7 +20,7 @@ topics:
 shortTitle: Secret scanning
 ---
-## What is {% data variables.product.prodname_secret_scanning %}
+## About {% data variables.product.prodname_secret_scanning %}
 {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection.
@@ -46,17 +46,17 @@ You can also use security overview to see an organization-level view of which re
 Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works:
-* **Detection of secrets**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
+* **Detection**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
-* **Alerts and notifications**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article.
+* **Alerts**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article.
-* **Review of alerts**: When a secret is detected, you'll need to review the alert details provided.
+* **Review**: When a secret is detected, you'll need to review the alert details provided.
-* **Alert remediation**: You then need take appropriate actions to remediate the exposure. This might include:
+* **Remediation**: You then need take appropriate actions to remediate the exposure.
This might include:
 * Rotating the affected credential to ensure it is no longer usable.
 * Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features).
-* **Audit and monitor**: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
+* **Monitoring**: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
 {% ifversion fpt or ghec %}
@@ -64,7 +64,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 {% endif %}
-## What are the benefits of {% data variables.product.prodname_secret_scanning %}
+## Benefits of using {% data variables.product.prodname_secret_scanning %}
 * **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
@@ -94,26 +94,6 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-## Enabling {% data variables.product.prodname_secret_scanning %}
-
-TODO: PLEASE DO NOT REVIEW THIS SECTION AS I WANT TO MAKE IT CONCISE AND SEE WHAT IS IN THE ENABLING ARTICLE(S)
-
-{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}.
-
-{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}.
-For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}.
-
-{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %}
-
-If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
-
-{% ifversion fpt %}The following users can enable and configure additional scanning:
- *Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own.
- *Organizations owning _public_ repositories, on any of these repositories.
- *Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %}
-
-For more information, see TODO: - link to enabling article.
-
 ## Customizing {% data variables.product.prodname_secret_scanning %}
 Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed:
@@ -181,6 +161,7 @@ About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {%
 ## Further reading
+* TODO: link to enabling secret scanning article
 * "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)
 * "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)
 * "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)"
From 738f2fbd078ecc7febaa3137dc4088e5f1bd8643 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 11:24:45 +0100
Subject: [PATCH 201/275] address more comments
---
 .../introduction/about-secret-scanning.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 9700f6fcd2..dd01f40112 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -64,7 +64,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 {% endif %}
-## Benefits of using {% data variables.product.prodname_secret_scanning %}
+## Benefits of {% data variables.product.prodname_secret_scanning %}
 * **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
@@ -72,8 +72,6 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 * **Real-time alerts**—When a secret is detected, {% data variables.product.prodname_secret_scanning %} provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions.
-* **Historical scanning**—{% data variables.product.prodname_secret_scanning_caps %} can be configured to scan the entire commit history of your repository. This retrospective analysis helps in identifying and mitigating risks from previously committed secrets that may have gone unnoticed.
-
 {% ifversion fpt or ghec %}
 * **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
@@ -82,13 +80,15 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 {% ifversion ghec or ghes %}
-* **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
+* **Custom pattern support**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
 {% endif %}
-* **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team.
+{% ifversion secret-scanning-non-provider-patterns %}
-* **Remediation guidance**—Along with alerts, we provide remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials.
+* **Ability to detect non-provider patterns**—You can expand the detection to include non-provider patterns such as connection strings, authentication headers, and private keys, for your repository or organization.
+
+{% endif %}
 ## What are the supported secrets
From d7930cab792c598908d497007442bddfdfe8fbad Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:00:38 +0100
Subject: [PATCH 202/275] Update content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../secret-scanning/introduction/about-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index f5d332522b..a93bd79a56 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -21,7 +21,7 @@ shortTitle: Push protection
 ## What is push protection
-Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %} , which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
+Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %}, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
 Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
From 7ef9bed381b0e4ec40d5102aa7bbbc821495c4f7 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:04:36 +0100
Subject: [PATCH 203/275] Update content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../secret-scanning/introduction/about-push-protection.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index a93bd79a56..bd9c5b8f7e 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -31,8 +31,8 @@ Once enabled, if push protection detects a potential secret during a push attemp
 You can enable push protection:
-* At repository/organization level, if you are a repository administrator or an organization owner. This type of push protection is referred to as "push protection".
-* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users".
+* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
+* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts.
 {% endif %}
From 5e9045db7a4e5bd34e637df6c017b5e5f98aa954 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:05:11 +0100
Subject: [PATCH 204/275] Update content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../secret-scanning/introduction/about-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index bd9c5b8f7e..6cf2f9b279 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -25,7 +25,7 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu
 Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
-Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available:
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available.
 {% ifversion secret-scanning-push-protection-for-users %}
From 2640efb09e53d7826828058def2b31b2edbe7bc8 Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:06:02 +0100
Subject: [PATCH 205/275] Update content/code-security/secret-scanning/introduction/about-push-protection.md
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
---
 .../secret-scanning/introduction/about-push-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 6cf2f9b279..f4b810f2e7 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -38,7 +38,7 @@ You can enable push protection:
 ## What are the benefits of push protection
-* **Proactive security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This proactive approach helps to catch potential issues before they are merged into your repository.
+* **Preventative security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
 * **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
From 804e280359bcf6b5adc6ffee71cf14e5ab09a996 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:08:33 +0100
Subject: [PATCH 206/275] what a mess
---
 .../secret-scanning/introduction/about-push-protection.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index f4b810f2e7..4eb154eee4 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -19,19 +19,19 @@ topics:
 shortTitle: Push protection
 ---
-## What is push protection
+## About push protection
 Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %}, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
 Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
-Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available.
+Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available.
 {% ifversion secret-scanning-push-protection-for-users %}
 You can enable push protection:
-* At repository/organization level, if you are a repository administrator or an organization owner.
You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
+* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
 * For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts.
 {% endif %}
From 4cb9c8d8b52e36dd44debcdaea0b7c43c8bc33ce Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:22:01 +0100
Subject: [PATCH 207/275] addressed more comments
---
 .../introduction/about-push-protection.md | 35 +++++++------------
 1 file changed, 12 insertions(+), 23 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 4eb154eee4..2bcae81361 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -1,6 +1,6 @@
 ---
 title: About push protection
-intro: 'Push protection helps detect secrets in code as changes are pushed. Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
+intro: 'Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
 product: '{% data reusables.gated-features.push-protection-for-repos %}'
 versions:
 fpt: '*'
@@ -25,43 +25,31 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. -Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as delegated bypass and the use of custom patterns are available. +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as {% ifversion push-protection-delegated-bypass %}delegated bypass and {% endif %}the use of custom patterns are available. {% ifversion secret-scanning-push-protection-for-users %} You can enable push protection: * At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection. -* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but it doesn't generate alerts. - +* For your account on {% data variables.product.prodname_dotcom %}, as a user. 
This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated. {% endif %} -## What are the benefits of push protection +## About the benefits of push protection -* **Preventative security**—Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository. +* **Preventative security**: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository. -* **Immediate feedback**—Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. +* **Immediate feedback**: Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed. -* **Reduced risk of data leaks**—By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. +* **Reduced risk of data leaks**: By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data. -* **Efficient secret management**—Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. 
This makes secret management more efficient and less time-consuming. +* **Efficient secret management**: Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming. -* **Integration with CI/CD pipelines**— -Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. +* **Integration with CI/CD pipelines**: Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices. -{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**—Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %} +{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**: Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %} -{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**—For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %} - -* **Audit and monitoring**—Push protection maintains logs of all blocked attempts and bypass approvals. 
These logs can be audited to ensure compliance and to review any potential security incidents, thereby providing transparency and accountability. - -* **Collaboration and education**—By frequently reminding developers of secure coding practices, push protection helps foster a culture of security within development teams. It serves as a constant reminder that security is everyone's responsibility. - -## Configuring push protection - -To use push protection, you need to have administrative access to the repository or organization you want to configure. Also, your repository or organization should be hosted on {% data variables.product.prodname_dotcom %}. - -Enabling and configuring push protection involves a few steps. For more information, see TODO: - link to enabling article. +{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**: For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %} {% ifversion secret-scanning-push-protection-for-users %} @@ -109,6 +97,7 @@ For information about delegated bypass for push protection, see "[AUTOTITLE](/co ## Further reading +* TODO: add link to enabling push protection article * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %} From e876e65aaa7fce02d8301fa07fd1642bab687b4f Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:23:55 +0100
Subject: [PATCH 208/275] follow content model
---
 .../secret-scanning/introduction/about-secret-scanning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index dd01f40112..4d3f9adeb6 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -64,7 +64,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname
 {% endif %}
-## Benefits of {% data variables.product.prodname_secret_scanning %}
+## About the benefits of {% data variables.product.prodname_secret_scanning %}
 * **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
From 79a6261ac462aba69e7c8088e1e04e058d1f18d8 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 11:43:03 +0000
Subject: [PATCH 209/275] final edits
---
 .../about-alerts.md | 10 ++++++----
 .../evaluating-alerts.md | 6 +++++-
 .../monitoring-alerts.md | 2 +-
 .../resolving-alerts.md | 4 ++++
 .../viewing-alerts.md | 4 ++--
 5 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index 20391928f9..e5c5c94fad 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -49,14 +49,16 @@ Push protection scans pushes for supported secrets. If push protection detects a {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} >[!NOTE] -> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, which prevents you from accidentally pushing supported secrets to _any_ public repository. Push protection alerts are _not_ created when you bypass this user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} +> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to _any_ public repository. Alerts are _not_ created if you choose to bypass your user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} > > {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." ## About partner alerts -When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert. 
+When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
-Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
+Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert.
-{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
+## Next steps
+
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)"
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index 6849593be1..ecf0cb8b0c 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -1,6 +1,6 @@
 ---
 title: Evaluating alerts from secret scanning
-intro: 'There are some additional features that can help you evaluate alerts and prioritize their remediation, such as checking the secret''s validity.'
+intro: 'Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret''s validity.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
@@ -94,3 +94,7 @@ Tokens, like {% data variables.product.pat_generic %} and other credentials, are
 {% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %}
 {% endif %}
+
+## Next steps
+
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts)"
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
index 50214f73ce..bef02a0818 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
@@ -18,7 +18,7 @@ allowTitleToDifferFromFilename: true
 ## Configuring notifications for {% data variables.secret-scanning.alerts %}
-In addition to Notifications are different for incremental scans and historical scans.
+In addition to displaying an alert in the **Security** tab of the repository, {% data variables.product.product_name %} also sends email notifications for alerts. These notifications are different for incremental scans and historical scans.
 ### Incremental scans
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 98b339df99..c03941d584 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -49,3 +49,7 @@ Once a secret has been committed to a repository, you should consider the secret
 1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation.
 1. Click **Close alert**.
+
+## Next steps
+
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)"
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index f7f9d3ec9c..dc1a59828d 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -1,6 +1,6 @@
 ---
 title: Viewing and filtering alerts from secret scanning
-intro: 'Learn how to find and filter {% data variables.secret-scanning.user_alerts_caps %} alerts for your repository.'
+intro: 'Learn how to find and filter {% data variables.secret-scanning.user_alerts %} alerts for your repository.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts_caps %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
@@ -84,4 +84,4 @@ You can apply various filters to the alerts list to help you find the alerts you
 ## Next steps
-TODO
+* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts)"
From 92ecffd52e25c3426b0073e8e52702069b4ea571 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 1 Aug 2024 12:50:36 +0100
Subject: [PATCH 210/275] streamline
---
 .../introduction/about-push-protection.md | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 2bcae81361..1bf5ff2d18 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -77,7 +77,7 @@ If push protection occasionally flags non-sensitive information, you can configu
 ### Defining custom patterns
-If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. These patterns are used to identify sensitive information that might not be covered by the default scanning rules implemented by {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
 {% endif %}
@@ -85,13 +85,7 @@ If you have specific patterns or types of secrets that are unique to your enviro
 ### Using delegated bypass
-{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
-
-When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
-
-If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
-
-For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
+{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
 {% endif %}
From 4ba251a3272b3eb3112093b51d91ca7e0e2f4daf Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 13:11:53 +0000
Subject: [PATCH 211/275] fixing link
---
 .../managing-alerts-from-secret-scanning/evaluating-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index ecf0cb8b0c..2c70f79256 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -33,7 +33,7 @@ By default, {% data variables.product.company_short %} checks the validity of {%
 {% ifversion fpt %}
-Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
+Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
 {% endif %}
From e8c7024d00994998458af11ca13b8f29aeee6879 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 13:43:06 +0000
Subject: [PATCH 212/275] tryig to fix broken links
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index e5c5c94fad..5813dd93b6 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -55,7 +55,7 @@ Push protection scans pushes for supported secrets. If push protection detects a
 ## About partner alerts
-When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
+When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "TODO."
 Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert.
From 9df8602c4956302c272b7c31d2786ccf9cfb7155 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 15:56:55 +0000
Subject: [PATCH 213/275] trying again
---
 .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index dc1a59828d..824bb98cd4 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -72,7 +72,7 @@ You can apply various filters to the alerts list to help you find the alerts you
 | {% ifversion secret-scanning-bypass-filter %} |
 |`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."|
 | {% endif %} |
-|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."|
+|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."|
 |`validity:inactive`| Displays alerts for secrets that are no longer active.|
 |`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.|
 |`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." |
From 0f691ee177782693379418930e8fd475c5403d38 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 1 Aug 2024 16:22:56 +0000
Subject: [PATCH 214/275] updating links
---
 .../setting-up-notifications/configuring-notifications.md | 2 +-
 content/code-security/secret-scanning/about-secret-scanning.md | 2 +-
 .../configuring-secret-scanning-for-your-repositories.md | 2 +-
 .../push-protection-for-repositories-and-organizations.md | 2 +-
 .../code-security/secret-scanning/secret-scanning-patterns.md | 2 +-
 ...out-the-detection-of-generic-secrets-with-secret-scanning.md | 2 +-
 .../enabling-ai-powered-generic-secret-detection.md | 2 +-
 ...onfiguring-global-security-settings-for-your-organization.md | 2 +-
 .../creating-a-custom-security-configuration.md | 2 +-
 .../contributing/style-guide-and-content-model/style-guide.md | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md b/content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md
index a0a4401495..64a52b4a74 100644
--- a/content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md
+++ b/content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md
@@ -220,7 +220,7 @@ For more information about the notification delivery methods available to you, a
 {% data reusables.secret-scanning.secret-scanning-configure-notifications %}
-For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)."
+For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)."
 {% ifversion update-notification-settings-22 or ghes %}
diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/about-secret-scanning.md
index e16760f2f9..cf53f635c0 100644
--- a/content/code-security/secret-scanning/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/about-secret-scanning.md
@@ -95,7 +95,7 @@ You can also define custom {% data variables.product.prodname_secret_scanning %}
 For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
 {% ifversion secret-scanning-notification-settings %}
-For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)."
+For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)."
 {% endif %}
 Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
index 642b570f40..1ac1d22a58 100644
--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
@@ -64,7 +64,7 @@ You can enable the following additional {% data variables.product.prodname_secre
 {% data reusables.gated-features.partner-pattern-validity-check-ghas %}
-You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)."
+You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."
 {% note %}
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
index e6080275e9..5515de0ebf 100644
--- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
+++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
@@ -36,7 +36,7 @@ By default, anyone with write access to the repository can choose to bypass push
 {% ifversion secret-scanning-bypass-filter %}
-On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
+On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
 {% endif %}
diff --git a/content/code-security/secret-scanning/secret-scanning-patterns.md b/content/code-security/secret-scanning/secret-scanning-patterns.md
index 6caa786a3d..69196806db 100644
--- a/content/code-security/secret-scanning/secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/secret-scanning-patterns.md
@@ -52,7 +52,7 @@ Partner alerts are alerts that are sent to the secret providers whenever a secre
 * High confidence alerts, which relate to supported patterns and specified custom patterns.
 * Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys.
-{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#other-alerts-list)."
+{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
 {% data reusables.secret-scanning.non-provider-patterns-beta %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
index 5ac0b34911..9cf1aaffc0 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md
@@ -38,7 +38,7 @@ The system scans for passwords using the LLM. No additional data is collected by
 The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input.
-These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."{% endif %}
+These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %}
 ## Improving the performance of generic secret detection
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
index 4f94b52b02..3364959cec 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md
@@ -38,7 +38,7 @@ You can then enable the feature in the security settings page of your organizati
 1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
 1. Under "Secret scanning", select the checkbox next to "Use AI detection to find additional secrets".
-For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
+For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
 ## Further reading
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
index 49a57068fd..4056b2747b 100644
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
@@ -103,7 +103,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
 ### Scanning for non-provider patterns
-You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user-alerts)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#other-alerts-list)."
+You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user-alerts)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
 {% data reusables.secret-scanning.non-provider-patterns-beta %}
diff --git a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md
index 38751267a1..c60ed6c0ae 100644
--- a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md
+++ b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md
@@ -48,7 +48,7 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c
 1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)."
 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
 * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %}
- * Validity check. To learn more about validity checks for partner patterns, see "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)".{% endif %}
+ * Validity check. To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %}
 * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." {% ifversion fpt or ghec %}
 1. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting.
To learn about private vulnerability reporting, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
diff --git a/content/contributing/style-guide-and-content-model/style-guide.md b/content/contributing/style-guide-and-content-model/style-guide.md
index 1e0dda5831..e2ef6039dc 100644
--- a/content/contributing/style-guide-and-content-model/style-guide.md
+++ b/content/contributing/style-guide-and-content-model/style-guide.md
@@ -54,7 +54,7 @@ Notes are particularly useful for communicating parenthetical information that i
 * Caveats that might affect the outcome of a process, such as specific user settings.
 * Products and features that are subject to changes in availability, such as those in beta or being deprecated.
-For example, "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#reviewing-github-token-metadata)" uses a note to inform users that metadata for {% data variables.product.prodname_dotcom %} tokens is currently in beta.
+For example, "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#reviewing-github-token-metadata)" uses a note to inform users that metadata for {% data variables.product.prodname_dotcom %} tokens is currently in beta.
 > [!NOTE]
 > Metadata for {% data variables.product.prodname_dotcom %} tokens is currently in public beta and subject to change.
From 86c899fec4ec246232be6540332b54ed3038f516 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:02:53 +0100
Subject: [PATCH 215/275] Update content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../enabling-push-protection-for-your-repository.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index efbd2647c5..4c54d0042e 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -20,7 +20,7 @@ To enable push protection for a repository, you must first enable {% data variab
 {% ifversion secret-scanning-push-protection-for-users %}
-You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on [GitHub]. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
+You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
 {% endif %}
From 1765c02a06b05801371ae05ac611e4df779b87f1 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:08:16 +0100
Subject: [PATCH 216/275] Update content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../enabling-validity-checks-for-your-repository.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 3f4c5375db..26977f06e3 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling validity checks for your repository
 shortTitle: Enable validity checks
-intro: 'Validity checks tell you if a secret is active or inactive, which can help you to prioritize the remediation of alerts.'
+intro: 'Enabling validity checks on your repository helps you prioritize the remediation of alerts as it tells you if a secret is active or inactive.'
 product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}'
 versions:
 feature: secret-scanning-validity-check-partner-patterns
From 74ec009286b8f0a26d975843183042081931164e Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:08:36 +0100
Subject: [PATCH 217/275] Update content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../enabling-validity-checks-for-your-repository.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 26977f06e3..8e03072697 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -14,7 +14,7 @@ topics:
 ## About validity checks
-You can choose to enable validity checks for partner patterns for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program.
+You can choose to enable validity checks for partner patterns for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s secret scanning partnership program. {% data reusables.secret-scanning.partner-program-link %}
 {% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view.
From 0bf0fb41e06a052c803d05fcc8f17eb15cea6220 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:09:11 +0100
Subject: [PATCH 218/275] Update content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../secret-scanning/enabling-secret-scanning-features/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index f296220c5e..1dacb7d113 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -2,7 +2,7 @@
 title: Enabling secret scanning features
 shortTitle: Enable secret scanning
 allowTitleToDifferFromFilename: true
-intro: '{% data variables.product.prodname_secret_scanning_caps %} scans for and detects secrets that have been checked into a repository. Push protection proactively secures you against leaking secrets by blocking pushes containing secrets.'
+intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} that scans for and detects secrets that have been checked into a repository, as well as push protection that proactively secures you against leaking secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From f47a25b008cf265a7632bc4611657e6bc0a16a9b Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 07:09:30 +0100
Subject: [PATCH 219/275] Update content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../secret-scanning/enabling-secret-scanning-features/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
index 1dacb7d113..76d8a49661 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -1,6 +1,6 @@
 ---
 title: Enabling secret scanning features
-shortTitle: Enable secret scanning
+shortTitle: Enable secret scanning features
 allowTitleToDifferFromFilename: true
 intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} that scans for and detects secrets that have been checked into a repository, as well as push protection that proactively secures you against leaking secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'
From b6e32166c2d929696bcd8fc1f2f8f2f90007bcbc Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 06:54:56 +0000
Subject: [PATCH 220/275] apply review feedback
---
 .../enabling-push-protection-for-your-repository.md | 1 +
 .../enabling-secret-scanning-for-your-repository.md | 7 ++++++-
 .../enabling-validity-checks-for-your-repository.md | 4 ++++
 data/learning-tracks/code-security.yml | 6 ++++--
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
index efbd2647c5..64fbfe079b 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md
@@ -44,5 +44,6 @@ If your organization is owned by an enterprise account, an enterprise owner can
 ## Further reading
+* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
 * "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)"
 * "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)"
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
index 9a3a297192..8e2698479c 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md
@@ -1,7 +1,7 @@
 ---
 title: Enabling secret scanning for your repository
 shortTitle: Enable secret scanning
-intro: '{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for leaked secrets and generates alerts.'
+intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans your repositories for leaked secrets and generates alerts.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
@@ -41,3 +41,8 @@ A repository administrator can choose to disable {% data variables.product.prodn
 1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository.
 ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}
+
+## Next steps
+
+* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)"{% ifversion secret-scanning-validity-check-partner-patterns %}
+* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)"{% endif %}
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
index 3f4c5375db..7b937e97da 100644
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
+++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md
@@ -35,3 +35,7 @@ For more information on using validity checks, see "TODO." You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." + +## Further reading + +* TODO - add link to Managing alerts diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index db3a1ed979..d87502d1e7 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml 
@@ -113,9 +113,11 @@ secret_scanning: passwords, and other secrets to your repository. guides: - /code-security/secret-scanning/about-secret-scanning - - /code-security/secret-scanning/enabling-secret-scanning-features + - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository + - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository - >- - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning + {% ifversion secret-scanning-validity-check-partner-patterns %} + /code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository{% endif %} - >- {% ifversion not fpt %}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{% From fe87fcbe77c32a65845aa342853008b7a216b0ef Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 2 Aug 2024 10:18:34 +0100 Subject: [PATCH 221/275] more work --- .../introduction/about-secret-scanning.md | 23 ++----------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 4d3f9adeb6..8b343629fe 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
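Review bot: In the `data/learning-tracks/code-security.yml` hunk, the two added lines under the `- >-` item put `{% ifversion secret-scanning-validity-check-partner-patterns %}` and the guide path on separate lines. Assuming both lines share the same indent, a folded scalar joins them with a single space, so the rendered guide would start with a space before `/code-security/...`. The next entry in the list keeps tag and path together (`{% ifversion not fpt %}/code-security/...`); I would write this one the same way, as `{% ifversion secret-scanning-validity-check-partner-patterns %}/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository{% endif %}` on one line. Whether the learning-track loader trims guide values is not visible here, so this may be harmless in practice. The `guides` list continues past the end of the hunk.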
@@ -102,15 +102,7 @@ Once {% data variables.product.prodname_secret_scanning %} is enabled, you can c ### Detection of non-provider patterns -Non-provider patterns refer to patterns used to identify secrets that are not specific to any particular service provider. These patterns are general and can apply to a wide range of sensitive data types. Here are a few examples of non-provider patterns: - -* Generic API Keys: Identifiable by common structural attributes like specific lengths or character sets (for example, a string of 32 alphanumeric characters). -* Tokens: Generic patterns used to detect various types of tokens that might be common across different services. -* Private Keys: Patterns identifying sections of code that look like private keys, such as those used in SSH or GPG. - -Non-provider pattern detection is not enabled by default because the feature can potentially generate a high ratio of false positives. - -For more information about non-provider pattern detection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." +Non-provider pattern detection is not enabled by default because the feature can potentially generate a high ratio of false positives. However, you can choose to enable that detection for your repositories or organizations. For more information about non-provider pattern detection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." {% endif %} 
@@ -118,11 +110,7 @@ For more information about non-provider pattern detection, see "[AUTOTITLE](/cod ### Generic secret detection -You can also enable generic secret detection to instruct {% data variables.product.prodname_secret_scanning %} to search your codebase for generic secrets. Generic secrets are unstructured secrets, such as passwords. - -{% data variables.product.prodname_secret_scanning_caps %} uses AI to detect unstructured passwords in git content and generate an alert. Alerts for passwords appear in a separated tab from regular {% data variables.product.prodname_secret_scanning %} alerts. - -For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." +You can enable generic secret detection to instruct {% data variables.product.prodname_secret_scanning %} to search your codebase for generic secrets such as passwords. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." {% endif %} 
@@ -152,13 +140,6 @@ You can use AI to generate regular expressions that will capture all your custom {% endif %} -OLD - -About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} - -{% ifversion secret-scanning-store-tokens %} -{% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} - ## Further reading * TODO: link to enabling secret scanning article From 71ad597c595240c13ba7c673c71b6be3b8ec1861 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 10:49:20 +0000 Subject: [PATCH 222/275] fixing enabling after discussion --- .../enabling-secret-scanning-for-your-repository.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 8e2698479c..459d8fb73d 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md 
@@ -16,7 +16,15 @@ topics: ## About enabling {% data variables.secret-scanning.user_alerts %} -You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. +{% ifversion fpt %} + +{% data variables.secret-scanning.user_alerts_caps %} can be enabled on any free public repository that you own. + +{% endif %}{% ifversion ghec or ghes %} + +{% data variables.secret-scanning.user_alerts_caps %} can be enabled for any repository that is owned by an organization{% ifversion secret-scanning-user-owned-repos %}, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}. + +{% endif %} If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at the same time{% ifversion security-configurations-ga %} using a security configuration{% endif %}. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}." From 69448564fa025f3ec91ded914097d58349ea9fc8 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 11:26:55 +0000
Subject: [PATCH 223/275] updated what is scanned because of preview error in ghes 3.10, add li nk to supported secrets in conceptual article
---
 .../secret-scanning/introduction/about-secret-scanning.md | 6 +++---
 data/reusables/secret-scanning/what-is-scanned.md | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
index 8b343629fe..f5ce32e05b 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -24,7 +24,7 @@ shortTitle: Secret scanning {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. -{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} +{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} {% data 
reusables.secret-scanning.what-is-scanned %} @@ -34,6 +34,8 @@ When a supported secret is leaked, {% data variables.product.product_name %} gen Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information, see TODO: link to about secret scanning for partner alerts.{% endif %} +For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." {% ifversion ghec or ghes %} @@ -92,8 +94,6 @@ Below is a typical workflow that explains how {% data variables.product.prodname ## What are the supported secrets -For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." - ## Customizing {% data variables.product.prodname_secret_scanning %} Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed: diff --git a/data/reusables/secret-scanning/what-is-scanned.md b/data/reusables/secret-scanning/what-is-scanned.md index e0933e4f3c..57d8830510 100644 --- a/data/reusables/secret-scanning/what-is-scanned.md +++ b/data/reusables/secret-scanning/what-is-scanned.md 
@@ -1,3 +1,5 @@ +{% ifversion fpt or ghec or ghes > 3.10 %} + Additionally, {% data variables.product.prodname_secret_scanning %} scans:{% ifversion secret-scanning-issue-body-comments %} * Descriptions and comments in issues{% endif %}{% ifversion secret-scanning-backfills-historical-issues %} * Titles, descriptions, and comments, in open and closed _historical_ issues{% ifversion ghec %}. A notification is sent to the relevant partner when a historical partner pattern is detected.{% endif %}{% endif %}{% ifversion secret-scanning-enhancements-prs-discussions %} @@ -10,3 +12,5 @@ This additional scanning is free for public repositories. {% endif %} {% data reusables.secret-scanning.beta-prs-discussions-wikis-scanned %} + +{% endif %} From ffe1b2c79926b515f2fa74f47d7c1a4b80e80c0e Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 12:36:14 +0000 Subject: [PATCH 224/275] edits to customizing secret scanning section --- .../introduction/about-secret-scanning.md | 22 +++++-------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index f5ce32e05b..1accf8cd5b 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -92,17 +92,15 @@ Below is a typical workflow that explains how {% data variables.product.prodname {% endif %} -## What are the supported secrets - ## Customizing {% data variables.product.prodname_secret_scanning %} -Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed: +Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further: {% ifversion secret-scanning-non-provider-patterns %} ### Detection of non-provider patterns -Non-provider pattern detection is not enabled by default because the feature can potentially generate a high ratio of false positives. However, you can choose to enable that detection for your repositories or organizations. For more information about non-provider pattern detection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." +Scan for and detect secrets that are not specific to a service provider, such as private keys and generic API keys. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)." {% endif %} 
@@ -110,31 +108,23 @@ Non-provider pattern detection is not enabled by default because the feature can ### Generic secret detection -You can enable generic secret detection to instruct {% data variables.product.prodname_secret_scanning %} to search your codebase for generic secrets such as passwords. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)." +Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)." {% endif %} ### Performing validity checks -{% data reusables.secret-scanning.validity-checks-intro %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for supported partner patterns in their repository, organization, or enterprise level code security settings. Wewill automatically check validation for patterns on a cadence by sending the pattern to our relevant partner provider. You can use the validation status on leaked secrets to help prioritize secrets needing remediation action. - -{% endif %} - -For more information, see TODO: article about validity checks. +Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. 
For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "TODO: link to Enable validity checks" and{% endif %} "TODO: Checking a secret's validity in Evaluating alerts." {% ifversion ghec or ghes %} ### Defining custom patterns -You can define custom patterns and ask {% data variables.product.prodname_secret_scanning %} to scan for these user-defined patterns. This is useful if you have unique types of secrets that don’t match default patterns. This tailored security feature allows for increased coverage as custom pattern detection captures additional types of sensitive data that default patterns might miss, and allows for detection of secrets unique to your applications, APIs, or internal tools. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." +Define your own patterns for secrets used by your organization that {% data variables.product.prodname_secret_scanning %} can scan for and detect. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% ifversion secret-scanning-custom-pattern-ai-generated %} -You can use AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)." +You can also leverage AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)." {% endif %} From 00079016b285dcb49c3349654b4868818e037c73 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 13:06:22 +0000
Subject: [PATCH 225/275] add similar how it works section for missing content, update customizing section
---
 .../introduction/about-push-protection.md | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 1bf5ff2d18..490e9222c8 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -25,16 +25,27 @@ Push protection is a {% data variables.product.prodname_secret_scanning %} featu Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern. -Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. For some {% data variables.product.prodname_dotcom %} products, more advanced features such as {% ifversion push-protection-delegated-bypass %}delegated bypass and {% endif %}the use of custom patterns are available. - {% ifversion secret-scanning-push-protection-for-users %} You can enable push protection: * At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection. * For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated. + {% endif %} +For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." + +## How push protection works + +Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push. 
+ +By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. {% data reusables.secret-scanning.push-protection-bypass %} + +{% data reusables.secret-scanning.bypass-reasons-and-alerts %} + +{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "TODO: link to delegated bypass."{% endif %} + ## About the benefits of push protection * **Preventative security**: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository. 
@@ -57,27 +68,23 @@ Every user across {% data variables.product.prodname_dotcom %} can also enable p {% endif %} -## What are the supported secrets - -For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." - ## Customizing push protection -Once push protection is enabled, you can customize it further, if needed: +Once push protection is enabled, you can customize it further: ### Integration with CI/CD pipelines -You can integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. +Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO - add link to something here?" ### Handling false positives -If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. This may also involve adding specific rules or exceptions within your security settings. +If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO - not sure what to link to here?" {% ifversion secret-scanning-push-protection-custom-patterns %} ### Defining custom patterns -If you have specific patterns or types of secrets that are unique to your environment or organization, you can define custom patterns that push protection will use to identify secrets. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." {% endif %} @@ -85,7 +92,7 @@ If you have specific patterns or types of secrets that are unique to your enviro ### Using delegated bypass -{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For information about delegated bypass for push protection, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." {% endif %} From 01bdcd93586921aa8c090c016598eae9af9bc172 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 2 Aug 2024 15:42:19 +0100 Subject: [PATCH 226/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 5813dd93b6..1448336226 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -1,6 +1,6 @@
 ---
 title: About secret scanning alerts
-intro: 'Learn about the different types of {% data variables.product.prodname_secret_scanning %} alerts.'
+intro: 'Learn about the different types of {% data variables.secret-scanning.alerts %}.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage secret scanning alerts for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
From 85d30298e87bea0d7e52e087613aa920c52eaff5 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 15:42:32 +0100
Subject: [PATCH 227/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index 1448336226..ed83c99c8f 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -1,7 +1,7 @@
 ---
 title: About secret scanning alerts
 intro: 'Learn about the different types of {% data variables.secret-scanning.alerts %}.'
-permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage secret scanning alerts for the repository.'
+permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage {% data variables.secret-scanning.alerts %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 2ceda850a308793a006aed8809849412ece1b6e3 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 15:42:43 +0100
Subject: [PATCH 228/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index ed83c99c8f..5e67100653 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -19,7 +19,7 @@ allowTitleToDifferFromFilename: true
 ## About types of alerts
-There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.product.prodname_secret_scanning %} alerts:
+There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}:
 * **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository.
 * **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %}
From b5a0c01e60371f5bed22abb37bafce98665a2c61 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Fri, 2 Aug 2024 15:43:12 +0100
Subject: [PATCH 229/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index 5e67100653..158f34ac91 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -21,7 +21,7 @@ allowTitleToDifferFromFilename: true
 There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}:
-* **{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository.
+* **{% ifversion fpt or ghec %}User alerts {% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository.
 * **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %}
 * **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %}
From d72992de8f6ab7b24cb12c3566459bc419dc8bd7 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 2 Aug 2024 18:56:03 +0100
Subject: [PATCH 230/275] fix formatting
---
 data/learning-tracks/code-security.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 638eb7258a..ab42d18f49 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -116,6 +116,7 @@ secret_scanning:
 - /code-security/secret-scanning/about-secret-scanning
 - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository
 - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository
+ - >-
 {% ifversion secret-scanning-validity-check-partner-patterns %}
 /code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository{% endif %}
 - >-
From 721e0a7ba4b16b7acc46a3c0d2df0cb352b9e201 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 2 Aug 2024 19:18:05 +0100
Subject: [PATCH 231/275] remove duplicate entry
---
 data/learning-tracks/code-security.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index ab42d18f49..1f5d26db59 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -113,7 +113,6 @@ secret_scanning:
 passwords, and other secrets to your repository.
 guides:
 - /code-security/secret-scanning/introduction/about-secret-scanning
- - /code-security/secret-scanning/about-secret-scanning
 - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository
 - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository
 - >-
From 9cb4baf8c3df709cd24786927abd5df417ced0a2 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Fri, 2 Aug 2024 19:23:35 +0100
Subject: [PATCH 232/275] fix 2nd test failure
---
 .../about-generating-regular-expressions-with-ai.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md
index f40e85f4a1..a4c4a26269 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md
@@ -13,7 +13,7 @@ topics:
 - AI
 redirect_from:
 - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns
- - /code-security/secret-scanning/about-generating-regular-expressions-with-ai.md
+ - /code-security/secret-scanning/about-generating-regular-expressions-with-ai
 ---
From 15ceaebab10763bd07a66e325ede7d89ded30e6c Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Sun, 4 Aug 2024 15:58:33 +0100
Subject: [PATCH 233/275] made a start
---
 .../introduction/supported-secret-scanning-patterns.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
index 9f280300e1..36d59fc0f3 100644
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
@@ -17,6 +17,8 @@ layout: inline
 shortTitle: Supported patterns
 ---
+TODO
+
 {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} {% ifversion fpt or ghec %}
From 8b10139690b1d0bbcba740f6bac44786a43b1775 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:07:20 +0100
Subject: [PATCH 234/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index 158f34ac91..dde4050e33 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -25,7 +25,7 @@ There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% d
 * **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %}
 * **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %}
-## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts
+## About {% ifversion fpt or ghec %}user alerts {% else %}{% data variables.secret-scanning.alerts %}{% endif %}
 When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository.
From 2f0555c73a5d7ff6e41c43148ad1de133e8420c7 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:07:39 +0100
Subject: [PATCH 235/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index dde4050e33..30fafce004 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -57,7 +57,7 @@ Push protection scans pushes for supported secrets. If push protection detects a
 When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "TODO."
-Partner alerts are not applicable to repository administrators, so you do not need to take any action for this type of alert.
+Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert.
 ## Next steps
From 3074cd2258a91bcdfc620da174edbaa4a6fa37f2 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:08:28 +0100
Subject: [PATCH 236/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/evaluating-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index 2c70f79256..0abbda8550 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -1,7 +1,7 @@
 ---
 title: Evaluating alerts from secret scanning
 intro: 'Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret''s validity.'
-permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view secret scanning alerts for the repository.'
+permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.alerts %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From be284ce3045c9f61e5fcb83b1003ce5a3dddb994 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:08:55 +0100
Subject: [PATCH 237/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index 824bb98cd4..174b4bf080 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -1,6 +1,6 @@
 ---
 title: Viewing and filtering alerts from secret scanning
-intro: 'Learn how to find and filter {% data variables.secret-scanning.user_alerts %} alerts for your repository.'
+intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts_caps %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
From 92fd323ea76522bdac6e585c4be58239f1f6508c Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:09:48 +0100
Subject: [PATCH 238/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
index 3c805b6188..c76f60fbfa 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
@@ -1,6 +1,6 @@
 ---
 title: Managing alerts from secret scanning
-intro: 'Learn how to find, evaluate and resolve alerts for secrets checked in to your repository.'
+intro: 'Learn how to find, evaluate, and resolve alerts for secrets checked in to your repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
 - /github/administering-a-repository/managing-alerts-from-secret-scanning
From 81d42e87933ca6a159bb7f3ee966d5112d621fe1 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:10:10 +0100
Subject: [PATCH 239/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/monitoring-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
index bef02a0818..55d3f79542 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts.md
@@ -18,7 +18,7 @@ allowTitleToDifferFromFilename: true
 ## Configuring notifications for {% data variables.secret-scanning.alerts %}
-In addition to displaying an alert in the **Security** tab of the repository, {% data variables.product.product_name %} also sends email notifications for alerts. These notifications are different for incremental scans and historical scans.
+In addition to displaying an alert in the **Security** tab of the repository, {% data variables.product.product_name %} can also send email notifications for alerts. These notifications are different for incremental scans and historical scans.
 ### Incremental scans
From 1049d4e82f44a1cb99ee284f7c9b9b12f131f0fa Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:10:28 +0100
Subject: [PATCH 240/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/resolving-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index c03941d584..d91679ecac 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -1,6 +1,6 @@
 ---
 title: Resolving alerts from secret scanning
-intro: 'After reviewing the details of alert, you should fix and then close the alert.'
+intro: 'After reviewing the details of a secret scanning alert, you should fix and then close the alert.'
 permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can dismiss secret scanning alerts for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
From fc9954f9446987ef48448d3978673078d6101be0 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:11:01 +0100
Subject: [PATCH 241/275] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
index 174b4bf080..b51a24bc33 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md
@@ -1,7 +1,7 @@
 ---
 title: Viewing and filtering alerts from secret scanning
 intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.'
-permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts_caps %} for the repository.'
+permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} alerts{% endif %} for the repository.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
 fpt: '*'
From 49e4a4fbc7038568573f35540e9b02fb6ba98ee9 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 21:38:11 +0000
Subject: [PATCH 242/275] apply review feedback
---
 .../managing-alerts-from-secret-scanning/about-alerts.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
index 30fafce004..898b98b62b 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md
@@ -62,3 +62,10 @@ Partner alerts are not sent to repository administrators, so you do not need to
 ## Next steps
 * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)"
+
+## Further reading
+
+* TODO - link to supported patterns
+* TODO - link to define custom patterns
+* TODO - link to non-provider patterns
+* TODO - link to generic secret detection
From 8a7356fa84c412d05309ed81245edc9f6302ff0c Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 22:58:54 +0100
Subject: [PATCH 243/275] resolve conflicts
---
 .../managing-alerts-from-secret-scanning.md | 232 ------------------
 1 file changed, 232 deletions(-)
 delete mode 100644 content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
deleted file mode 100644
index ca3f384f1d..0000000000
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
+++ /dev/null
@@ -1,232 +0,0 @@ ---- -title: Managing alerts from secret scanning -intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.' -permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view and dismiss secret scanning alerts for the repository.' -product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /github/administering-a-repository/managing-alerts-from-secret-scanning - - /code-security/secret-security/managing-alerts-from-secret-scanning -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Manage secret alerts ---- -## About the {% data variables.product.prodname_secret_scanning %} alerts page - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} - -{% ifversion secret-scanning-non-provider-patterns %} -To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists: -* **High confidence** alerts. -* **Other** alerts. - -![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png) - -### High confidence alerts list - -The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page. - -### Other alerts list - -The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives. 
- -In addition, alerts that fall into this category: -* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts). -* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view. -* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}. - -For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}." - -{% endif %} - -## Viewing alerts - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %} -1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %} -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. 
- {% ifversion secret-scanning-user-owned-repos %} - - > [!NOTE] - > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} - - {% endif %} - -## Filtering alerts - -You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar. - -|Qualifier|Description| -|---------|-----------| -|`is:open`|Displays open alerts.| -|`is:closed`|Displays closed alerts.| -| {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| -| {% endif %} | -|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."| -|`validity:inactive`| Displays alerts for secrets that are no longer active.| -|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| -| {% ifversion secret-scanning-non-provider-patterns %} | -|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. 
For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." | -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| -| {% endif %} | - -## Evaluating alerts - -There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: - -* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} -* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. 
For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %} - -### Checking a secret's validity - -{% data reusables.secret-scanning.validity-checks-intro %} - -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. - -By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view. - -{% ifversion fpt %} - -Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation. - -{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. - -{% data variables.product.company_short %} displays the validation status of the secret in the alert view. 
- -{% endif %} - -{% data reusables.secret-scanning.validity-check-table %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." - -{% endif %} - -You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)." - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Performing an on-demand validity check - -Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view. - -![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. 
A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png) - -{% endif %} - -{% ifversion secret-scanning-github-token-metadata %} - -### Reviewing {% data variables.product.company_short %} token metadata - -> [!NOTE] -> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change. - -In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take. - -Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies). - - ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png) - - Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. 
The following metadata is available for active {% data variables.product.company_short %} tokens: - -|Metadata|Description| -|-------------------------|--------------------------------------------------------------------------------| -|Secret name| The name given to the {% data variables.product.company_short %} token by its creator| -|Secret owner| The {% data variables.product.company_short %} handle of the token's owner| -|Created on| Date the token was created| -|Expired on| Date the token expired| -|Last used on| Date the token was last used| -|Access| Whether the token has organization access| - -{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %} - -{% endif %} - -## Fixing alerts - -Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets: - -* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." -{%- ifversion token-audit-log %} - * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. 
For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)." -{%- endif %} -* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret. - -{% ifversion fpt or ghec %} - -> [!NOTE] -> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -{% endif %} - -## Closing alerts - -> [!NOTE] ->{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. -1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view. -1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert. - - ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png) - -1. Optionally, in the "Comment" field, add a dismissal comment. 
The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation. -1. Click **Close alert**. - -## Configuring notifications for {% data variables.secret-scanning.alerts %} - -Notifications are different for incremental scans and historical scans. - -### Incremental scans - -{% data reusables.secret-scanning.secret-scanning-configure-notifications %} - -{% data reusables.repositories.navigate-to-repo %} -1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**. - - ![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png) - -1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**. -1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications). -1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown. -1. Select "Email" as a notification option, then click **Save**. - - ![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. 
A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png)
-
-{% data reusables.notifications.watch-settings %}
-
-### Historical scans
-
-For historical scans, {% data variables.product.product_name %} notifies the following users:
-
-* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found.
-* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences.
-
-We do _not_ notify commit authors.
-
-{% data reusables.notifications.watch-settings %}
-
-## Auditing responses to secret scanning alerts
-
-{% data reusables.secret-scanning.audit-secret-scanning-events %}
From e2811b01b8d5d8099b2ac1264f9b68a18220c459 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Sun, 4 Aug 2024 23:12:32 +0100
Subject: [PATCH 244/275] fix again merge problems
---
 .../secret-scanning/about-secret-scanning.md | 117 ----------------
 ...g-secret-scanning-for-your-repositories.md | 131 ------------------
 ...tion-for-repositories-and-organizations.md | 129 -----------------
 3 files changed, 377 deletions(-)
 delete mode 100644 content/code-security/secret-scanning/about-secret-scanning.md
 delete mode 100644 content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
 delete mode 100644 content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/about-secret-scanning.md
deleted file mode 100644
index cf53f635c0..0000000000
--- a/content/code-security/secret-scanning/about-secret-scanning.md
+++ /dev/null
@@ -1,117 +0,0 @@ ---- -title: About secret scanning -intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.' -product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /github/administering-a-repository/about-token-scanning - - /articles/about-token-scanning - - /articles/about-token-scanning-for-private-repositories - - /github/administering-a-repository/about-secret-scanning - - /code-security/secret-security/about-secret-scanning -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: overview -topics: - - Secret scanning - - Advanced Security ---- - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - - - -If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project. - -{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} - -{% data reusables.secret-scanning.what-is-scanned %} - -{% ifversion fpt or ghec %} -{% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms: - -1. 
**{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see the "[About {% data variables.secret-scanning.partner_alerts %}](#about-secret-scanning-alerts-for-partners)" section below. - -1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}. - {% ifversion fpt %}The following users can enable and configure additional scanning: - * Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own. - * Organizations owning _public_ repositories, on any of these repositories. - * Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. 
Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %} - - Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %} - -{% data reusables.secret-scanning.audit-secret-scanning-events %} - -{% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." - -{% ifversion secret-scanning-push-protection-for-users %} - -{% data reusables.secret-scanning.push-protection-for-users %} - -{% endif %} - -{% note %} - -**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} or push protection enabled, these features are not enabled by default on the fork. You can enable {% data variables.product.prodname_secret_scanning %} or push protection on the fork the same way you enable them on a standalone repository. 
- -{% endnote %} - -{% ifversion fpt or ghec %} - -## About {% data variables.secret-scanning.partner_alerts %} - -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." - -You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. - -{% endif %} - -## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %} - -{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. 
{% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} - -When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} For more information about the repository content that is scanned, see the [beginning of this article](#about-secret-scanning). - -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}." - -If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. 
Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." - -{% data reusables.secret-scanning.secret-scanning-user-owned-enablement %} - -You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for a repository, organization, or enterprise. For more information, see "[AUTOTITLE]({% ifversion fpt %}/enterprise-cloud@latest{% endif %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %} - -{% ifversion secret-scanning-store-tokens %} -{% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %} - -### Accessing {% data variables.secret-scanning.alerts %} - -{% data reusables.secret-scanning.secret-scanning-about-alerts %} - -* {% data variables.product.prodname_dotcom %} sends an email alert to the repository administrators and organization owners. 
You'll receive an alert if you are watching the repository{% ifversion secret-scanning-notification-settings %}, {% else %}, and {% endif %}if you have enabled notifications either for security alerts or for all the activity on the repository{% ifversion secret-scanning-notification-settings %}, and if, in your notification settings, you have selected to receive email notifications for the repositories that you are watching.{% else %}.{% endif %} -* If the person who introduced the secret isn't ignoring the repository, {% data variables.product.prodname_dotcom %} will also send them an email alert. The email contains a link to the related {% data variables.product.prodname_secret_scanning %} alert. The person who introduced the secret can then view the alert in the repository, and resolve the alert. -* {% data reusables.secret-scanning.repository-alert-location %} - -For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." - -{% ifversion secret-scanning-notification-settings %} -For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)." -{% endif %} - -Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." - -{% ifversion ghec or ghes %} -You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. 
For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)." -{% endif %} - -You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)." - -## Further reading - -* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" -* "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" -* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" -{%- ifversion fpt or ghec %} -* "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)"{% endif %} -* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)" -* "[AUTOTITLE](/actions/security-guides/encrypted-secrets)" diff --git a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md deleted file mode 100644 index 1ac1d22a58..0000000000 --- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md +++ /dev/null 
@@ -1,131 +0,0 @@ ---- -title: Configuring secret scanning for your repositories -intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans your repositories for leaked secrets and generates alerts.' -product: '{% data reusables.gated-features.secret-scanning %}' -permissions: 'People with admin permissions to a {% ifversion fpt %}public {% endif %}repository can enable {% data variables.product.prodname_secret_scanning %} for the repository.' -redirect_from: - - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories - - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories - - /code-security/secret-security/configuring-secret-scanning-for-your-repositories -versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: how_to -topics: - - Secret scanning - - Advanced Security - - Repositories -shortTitle: Configure secret scans ---- - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - -## Enabling {% data variables.secret-scanning.user_alerts %} - -You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %} - -You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. 
For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization)."{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)."{% endif %} - -{% ifversion secret-scanning-enterprise-level %} -{% note %} - -**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." - -{% endnote %} -{% endif %} - -A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes %} -1. If {% data variables.product.prodname_advanced_security %} is not already enabled for the repository, to the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**. -1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**. -1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. 
If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled. - - ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %} -1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository. - - ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %} - -## Enabling additional features for {% data variables.secret-scanning.user_alerts %} - -You can enable the following additional {% data variables.product.prodname_secret_scanning %} feature{% ifversion ghec or ghes %}s{% endif %} through your repository's "Code security and analysis" settings: -* **Push protection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* **Validity checks for partner patterns**. For more infomation, see "[Enabling validity checks for partner patterns](#enabling-validity-checks-for-partner-patterns)."{% endif %}{% ifversion secret-scanning-non-provider-patterns %} -* **Scanning for non-provider patterns**. 
For more information, see "[Enabling scanning for non-provider patterns](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%} -* **AI-powered generic secret detection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection)."{% endif %}{% ifversion secret-scanning-push-protection-custom-patterns %} -* **Scanning for custom patterns**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."{% endif %} - -{% ifversion secret-scanning-validity-check-partner-patterns %} - -### Enabling validity checks for partner patterns - -{% data reusables.gated-features.partner-pattern-validity-check-ghas %} - -You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)." - -{% note %} - -**Note:** When you enable automatic validity checks for a repository, you also allow on-demand validity checks to be performed for patterns detected in that repository. - -{% endnote %} - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.secret-scanning.validity-check-auto-enable %} - -You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." 
Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)." - -{% endif %} - -{% ifversion secret-scanning-non-provider-patterns %} - -### Enabling scanning for non-provider patterns - -{% data reusables.secret-scanning.non-provider-patterns-beta %} - -You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns". - -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." 
- -{% endif %} - -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories - -You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings. -{% note %} - -**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)". - -{% endnote %} - -{% data reusables.user-settings.access_settings %} -{% data reusables.user-settings.security-analysis %} -1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**. -{% data reusables.secret-scanning.push-protection-optional-enable %} - -{% endif %} - -## Excluding directories from {% data variables.secret-scanning.user_alerts %} - -You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)." - -You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." - -{% ifversion not fpt %} - -## Further reading - -* "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)" -* "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)" -{% endif %} diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md deleted file mode 100644 index 5515de0ebf..0000000000 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -title: Push protection for repositories and organizations -intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.' -product: '{% data reusables.gated-features.push-protection-for-repos %}' -versions: - fpt: '*' - ghes: '*' - ghec: '*' -redirect_from: - - /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning - - /code-security/secret-scanning/protecting-pushes-with-secret-scanning -type: how_to -topics: - - Secret scanning - - Advanced Security - - Alerts - - Repositories -shortTitle: Push protection for repositories ---- - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - -## About push protection for repositories and organizations - -{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %} - -{% data reusables.secret-scanning.push-protection-bypass %} - -{% data reusables.secret-scanning.bypass-reasons-and-alerts %} - -{% ifversion push-protection-delegated-bypass %} - -By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. 
For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." - -{% endif %} - -{% ifversion secret-scanning-bypass-filter %} - -On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." - -{% endif %} - -You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." - -{% ifversion security-overview-push-protection-metrics-page %} - -If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)." - -{% endif %} - -{% ifversion ghec or fpt %} -{% note %} - -**Note:** The github.dev web-based editor doesn't support push protection. For more information about the editor, see "[AUTOTITLE](/codespaces/the-githubdev-web-based-editor)." - -{% endnote %} -{% endif %} - -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
- -## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection - -For you to use {% data variables.product.prodname_secret_scanning %} as a push protection in public repositories, the {% ifversion secret-scanning-enterprise-level %}enterprise,{% endif %} organization{% ifversion secret-scanning-enterprise-level %},{% endif %} or repository needs to have {% data variables.product.prodname_secret_scanning %} enabled.{% ifversion secret-scanning-push-protection-private-internal %} To use {% data variables.product.prodname_secret_scanning %} as a push protection in private or internal repositories,{% ifversion secret-scanning-user-owned-repos %} or in user-owned repositories{% ifversion ghec %} for {% data variables.product.prodname_emus %}{% endif %},{% endif %} the enterprise or organization also needs to have {% data variables.product.prodname_GH_advanced_security %} enabled.{% endif %} For more information, see {% ifversion secret-scanning-enterprise-level %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise),"{% endif %} "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)," "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)," and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." - -Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. 
- -Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret. - -{% ifversion secret-scanning-enable-by-default-for-public-repos %} - -You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)." - -{% endif %} - -{% ifversion secret-scanning-enterprise-level-api %} -Enterprise administrators can also enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for the enterprise via the API. For more information, see "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis)."{% endif %} - -{% note %} - -**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, this is not enabled by default on the fork. You can enable it on the fork the same way you enable it on a standalone repository. - -{% endnote %} - -{% ifversion secret-scanning-enterprise-level %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for your enterprise - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -1. In the left sidebar, click **Code security and analysis**. 
-{% data reusables.advanced-security.secret-scanning-push-protection-enterprise %} -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization - -{% ifversion security-configurations-ga %} -You can find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." - -{% elsif security-configurations-beta-and-pre-beta %} - -You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization. - -{% data reusables.organizations.navigate-to-org %} -{% data reusables.organizations.org_settings %} -{% data reusables.organizations.security-and-analysis %} - -{% ifversion security-configurations-beta-only %} - {% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling push protection and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)." 
-{% endif %} - -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-push-protection-org %} - -{% data reusables.security.note-securing-your-org %} -{% endif %} - -### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for a repository - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -{% data reusables.advanced-security.secret-scanning-push-protection-repo %} - -## Further reading - -* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %} -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %} From 8d4543a0fb049789aad24e08361a245bb1a7456e Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 09:11:00 +0100 Subject: [PATCH 245/275] more work --- .../introduction/supported-secret-scanning-patterns.md | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 36d59fc0f3..1fdbad6025 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md 
@@ -17,11 +17,7 @@ layout: inline shortTitle: Supported patterns --- -TODO - -{% data reusables.secret-scanning.enterprise-enable-secret-scanning %} - -{% ifversion fpt or ghec %} +TODO: ## About {% data variables.product.prodname_secret_scanning %} patterns @@ -45,8 +41,6 @@ Partner alerts are alerts that are sent to the secret providers whenever a secre {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} -{% endif %} - ## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts {% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}. @@ -89,6 +83,7 @@ Push protection alerts are user alerts that are reported by push protection. {% ## Supported secrets This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token. + * **Provider**—name of the token provider.{% ifversion fpt or ghec %} * **Partner**—token for which leaks are reported to the relevant token partner. Applies to public repositories only. * **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} From b44d9b5f82e4dd8923f2b87e62c3bc869e79650b Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 09:20:39 +0100 Subject: [PATCH 246/275] fix redirect --- .../managing-alerts-from-secret-scanning/index.md | 1 + .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 ++ 2 files changed, 3 insertions(+) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md index c76f60fbfa..71d5ea8906 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md @@ -6,6 +6,7 @@ redirect_from: - /github/administering-a-repository/managing-alerts-from-secret-scanning - /code-security/secret-security/managing-alerts-from-secret-scanning - /code-security/secret-scanning/managing-alerts-from-secret-scanning + versions: fpt: '*' ghes: '*' diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index b51a24bc33..51f60991d1 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
@@ -3,6 +3,8 @@ title: Viewing and filtering alerts from secret scanning intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.' permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} alerts{% endif %} for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' +redirect_from: + - /code-security/secret-scanning/managing-alerts-from-secret-scanning versions: fpt: '*' ghes: '*' From 81019de9f3bf21c1589fcda6484fdd9b61e97fc0 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 09:30:30 +0100 Subject: [PATCH 247/275] delete redirect --- .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index 51f60991d1..b51a24bc33 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
@@ -3,8 +3,6 @@ title: Viewing and filtering alerts from secret scanning intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.' permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} alerts{% endif %} for the repository.' product: '{% data reusables.gated-features.secret-scanning %}' -redirect_from: - - /code-security/secret-scanning/managing-alerts-from-secret-scanning versions: fpt: '*' ghes: '*' From eb855fdb30176299f3483375cca6cd6664733b1e Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:04:36 +0100 Subject: [PATCH 248/275] fixing some TODOs --- .../enabling-validity-checks-for-your-repository.md | 4 ++-- .../introduction/about-push-protection.md | 8 ++++---- .../about-secret-scanning-for-partners.md | 2 +- .../introduction/about-secret-scanning.md | 12 ++++++------ .../about-alerts.md | 10 +++++----- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index 33cb3d5dce..751334209b 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md 
@@ -23,7 +23,7 @@ You can also filter by validation status on the alerts page, to help you priorit > [!NOTE] > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. -For more information on using validity checks, see "TODO." +For more information on using validity checks, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)." ## Enabling validity checks @@ -38,4 +38,4 @@ Alternatively, organization owners and enterprise administrators can enable the ## Further reading -* TODO - add link to Managing alerts +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)" diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 490e9222c8..8a90dc60f3 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -44,7 +44,7 @@ By default, anyone with write access to the repository can choose to bypass push {% data reusables.secret-scanning.bypass-reasons-and-alerts %} -{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "TODO: link to delegated bypass."{% endif %} +{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."{% endif %} ## About the benefits of push protection 
@@ -74,11 +74,11 @@ Once push protection is enabled, you can customize it further: ### Integration with CI/CD pipelines -Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO - add link to something here?" +Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO: - add link to something here?" ### Handling false positives -If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO - not sure what to link to here?" +If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO: - not sure what to link to here?" {% ifversion secret-scanning-push-protection-custom-patterns %} 
@@ -98,7 +98,7 @@ Define contributors who can bypass push protection and add an approval process f ## Further reading -* TODO: add link to enabling push protection article +* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %} diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 10fbdb9873..f9117cb5e1 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -30,4 +30,4 @@ For information about the secrets and service providers supported by push protec * "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" * "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" -* TODO: add link to "About alerts" article +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)" 
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 1accf8cd5b..c1c9fd50d6 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -28,11 +28,11 @@ shortTitle: Secret scanning {% data reusables.secret-scanning.what-is-scanned %} -When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see TODO: link to Managing alerts. +When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %} -Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information, see TODO: link to about secret scanning for partner alerts.{% endif %} +Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. 
For more information, see "Not sure which article to link to TODO:"{% endif %} For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." @@ -50,7 +50,7 @@ Below is a typical workflow that explains how {% data variables.product.prodname * **Detection**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets. -* **Alerts**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article. +* **Alerts**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." * **Review**: When a secret is detected, you'll need to review the alert details provided. 
@@ -132,9 +132,9 @@ You can also leverage AI to generate regular expressions that will capture all y ## Further reading -* TODO: link to enabling secret scanning article -* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection) -* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection) +* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)" +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)" +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" * "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 898b98b62b..4a401621a3 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -55,7 +55,7 @@ Push protection scans pushes for supported secrets. If push protection detects a ## About partner alerts -When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "TODO." +When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see TODO:. Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert. 
@@ -65,7 +65,7 @@ Partner alerts are not sent to repository administrators, so you do not need to ## Further reading -* TODO - link to supported patterns -* TODO - link to define custom patterns -* TODO - link to non-provider patterns -* TODO - link to generic secret detection +* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %} +* "[AUTOTITLE](/code-security/secret-scanning/ using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %} +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)"{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %} +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)"{% endif %} From 416bb97b8cbf5e599153bfc20ff9c9e7ce1a46d1 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:16:07 +0100 Subject: [PATCH 249/275] fixing more TODOs --- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- .../managing-alerts-from-secret-scanning/index.md | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index c1c9fd50d6..c311aaa392 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
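Review bot: Two of the "Further reading" entries added to about-alerts.md in this hunk look malformed as shown. The first entry opens a quotation mark before `[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)` but never closes it before `{% ifversion ghec or ghes %}`. The custom-patterns entry has a space inside the link path, `/code-security/secret-scanning/ using-advanced-secret-scanning-and-push-protection-features/...`, which would presumably fail to resolve as an internal link unless the space is an artifact of how the patch was captured. I would end the first entry with `...supported-secret-scanning-patterns)"{% ifversion ghec or ghes %}` and delete the space after `secret-scanning/`, so readers on GHEC and GHES can still reach the custom-pattern guidance from this page.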
@@ -114,7 +114,7 @@ Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities ### Performing validity checks -Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "TODO: link to Enable validity checks" and{% endif %} "TODO: Checking a secret's validity in Evaluating alerts." +Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)" and{% endif %} "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)." {% ifversion ghec or ghes %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 4a401621a3..06d24e4c09 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -55,7 +55,7 @@ Push protection scans pushes for supported secrets. If push protection detects a ## About partner alerts -When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see TODO:. +When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert. diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md index 71d5ea8906..2060fa9ffe 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md @@ -5,7 +5,6 @@ product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: - /github/administering-a-repository/managing-alerts-from-secret-scanning - /code-security/secret-security/managing-alerts-from-secret-scanning - - /code-security/secret-scanning/managing-alerts-from-secret-scanning versions: fpt: '*' From 8ca05b7307615b0be51a19524c57b73ba55972d4 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 10:49:10 +0100 Subject: [PATCH 250/275] add versioning to fix broken links in GHES --- .../managing-alerts-from-secret-scanning/about-alerts.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 06d24e4c09..074f77a3b1 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -53,12 +53,16 @@ Push protection scans pushes for supported secrets. If push protection detects a > > {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." +{% ifversion fpt or ghec %} + ## About partner alerts When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert. +{% endif %} + ## Next steps * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)" From cd5b040321c309b8879097f4f07e8346a4b47d45 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 12:16:07 +0100 Subject: [PATCH 251/275] more work on the supported pattern articles --- .../supported-secret-scanning-patterns.md | 56 +++---------------- .../about-alerts.md | 6 +- 2 files changed, 8 insertions(+), 54 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index d3e643d646..5243e1ba65 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md 
@@ -17,48 +17,17 @@ layout: inline shortTitle: Supported patterns --- -TODO: - ## About {% data variables.product.prodname_secret_scanning %} patterns -{% data variables.product.product_name %} maintains these different sets of default {% data variables.product.prodname_secret_scanning %} patterns: +{% data reusables.secret-scanning.alert-types %} -1. **Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages.{% data reusables.secret-scanning.partner-program-link %} -1. **User alert patterns.** Used to detect potential secrets in {% ifversion fpt %}public{% endif %} repositories with {% data variables.secret-scanning.user_alerts %} enabled. -1. **Push protection patterns.** Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} as a push protection enabled. - -{% ifversion fpt %} -Owners of public repositories, as well as organizations using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_advanced_security %}, can enable {% data variables.secret-scanning.user_alerts %} on their repositories. -{% endif %} +For in-depth information about each alert type, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." For details about all the supported patterns, see the "[Supported secrets](#supported-secrets)" section below. If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." 
-## About partner alerts - -Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." - -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} - -## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts - -{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}. - -{% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types: - -* High confidence alerts, which relate to supported patterns and specified custom patterns. -* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys. - -{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." 
- -{% data reusables.secret-scanning.non-provider-patterns-beta %} - -{% endif %} - -You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see TODO: About secret scanning alerts for users{% endif %} - -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} +From here but not in about alerts If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." @@ -70,16 +39,6 @@ If you use the REST API for secret scanning, you can use the `Secret type` to re {% endnote %} {% endif %} -## About push protection alerts - -Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers. - -{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %} - -{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} - -{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." - ## Supported secrets This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token. 
@@ -160,10 +119,9 @@ Push protection and validity checks are not supported for non-provider patterns. ## Further reading +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)" +{%- ifversion fpt or ghec %} +* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" +{%- endif %} * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" * "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)" -{%- ifversion fpt or ghec %} -* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partner-program)" -{%- else %} -* "[AUTOTITLE](/free-pro-team@latest/code-security/secret-scanning/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation -{% endif %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index 074f77a3b1..ab01aeb7d6 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -19,11 +19,7 @@ allowTitleToDifferFromFilename: true ## About types of alerts -There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}: - -* **{% ifversion fpt or ghec %}User alerts {% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. -* **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} -* **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} +{% data reusables.secret-scanning.alert-types %} ## About {% ifversion fpt or ghec %}user alerts {% else %}{% data variables.secret-scanning.alerts %}{% endif %} From 6eb39fe0353a17853b1dec791e5f82f457ab80b9 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 12:22:28 +0100 Subject: [PATCH 252/275] add reusable --- data/reusables/secret-scanning/alert-types.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 data/reusables/secret-scanning/alert-types.md diff --git a/data/reusables/secret-scanning/alert-types.md b/data/reusables/secret-scanning/alert-types.md new file mode 100644 index 0000000000..23ec30827c --- /dev/null +++ b/data/reusables/secret-scanning/alert-types.md 
@@ -0,0 +1,5 @@ +There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}: + +* **{% ifversion fpt or ghec %}User alerts {% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. +* **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} +* **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} From 024d18a75946875a44371ea0a51e254eb717ce0d Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 13:23:51 +0100 Subject: [PATCH 253/275] polishing --- .../supported-secret-scanning-patterns.md | 14 ++------------ data/reusables/secret-scanning/alert-types.md | 2 +- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 5243e1ba65..8c4183b638 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md 
@@ -25,19 +25,9 @@ For in-depth information about each alert type, see "[AUTOTITLE](/code-security/ For details about all the supported patterns, see the "[Supported secrets](#supported-secrets)" section below. -If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." - -From here but not in about alerts - If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." -{% ifversion ghes or ghec %} -{% note %} - -**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." - -{% endnote %} -{% endif %} +If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." ## Supported secrets 
@@ -78,7 +68,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec | Generic | postgres_connection_string | | Generic | rsa_private_key | -Push protection and validity checks are not supported for non-provider patterns. +>[!NOTE] Push protection and validity checks are not supported for non-provider patterns. ### High confidence patterns diff --git a/data/reusables/secret-scanning/alert-types.md b/data/reusables/secret-scanning/alert-types.md index 23ec30827c..9a7b0cdbce 100644 --- a/data/reusables/secret-scanning/alert-types.md +++ b/data/reusables/secret-scanning/alert-types.md @@ -1,5 +1,5 @@ There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}: -* **{% ifversion fpt or ghec %}User alerts {% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. +* **{% ifversion fpt or ghec %}User alerts{% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository. * **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %} * **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %} From 232c0810718701735052143d01e9e51fa907e860 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 13:28:30 +0100 Subject: [PATCH 254/275] use variable --- .../introduction/supported-secret-scanning-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 8c4183b638..f40bae7eb6 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -25,7 +25,7 @@ For in-depth information about each alert type, see "[AUTOTITLE](/code-security/ For details about all the supported patterns, see the "[Supported secrets](#supported-secrets)" section below. -If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." +If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." From 441090756a9aed81e9dea5afdc6348d891477f31 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Mon, 5 Aug 2024 16:45:47 +0100 Subject: [PATCH 255/275] Update content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../introduction/supported-secret-scanning-patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index f40bae7eb6..143d329037 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -27,7 +27,7 @@ For details about all the supported patterns, see the "[Supported secrets](#supp If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." -If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." +If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." ## Supported secrets From c86895525ec0f1edbd517343f2c361b0b86425c5 Mon Sep 17 00:00:00 2001 From: Rachael Sewell Date: Mon, 5 Aug 2024 12:45:40 -0700 Subject: [PATCH 256/275] update path to patterns file --- src/secret-scanning/middleware/secret-scanning.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/src/secret-scanning/middleware/secret-scanning.ts b/src/secret-scanning/middleware/secret-scanning.ts index ebc33523fb..d98f1eacb3 100644 --- a/src/secret-scanning/middleware/secret-scanning.ts +++ b/src/secret-scanning/middleware/secret-scanning.ts @@ -14,7 +14,11 @@ export default async function secretScanning( res: Response, next: NextFunction, ) { - if (!req.pagePath!.endsWith('code-security/secret-scanning/secret-scanning-patterns')) + if ( + !req.pagePath!.endsWith( + 'code-security/secret-scanning/introduction/supported-secret-scanning-patterns', + ) + ) return next() const secretScanningData = yaml.load( From 7de9003d783ca9f3a9dc6c54be6d9e8c47e3359a Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 6 Aug 2024 08:05:28 +0100 Subject: [PATCH 257/275] another TODO --- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index c311aaa392..340a0ea5c6 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
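Review bot: The path that gates this middleware is still an inline string literal in the `endsWith` check at the top of `secretScanning`, so it has to be edited by hand whenever the article moves under `content/`, which is what this commit does. If the two drift, the guard falls through to `next()` without an error, so the mismatch would presumably only show up as the supported-patterns page rendering without its data. I would hoist the literal to a module-level `const SUPPORTED_PATTERNS_PATH = 'code-security/secret-scanning/introduction/supported-secret-scanning-patterns'`, with a comment naming the content file it tracks. The check then becomes `if (!req.pagePath?.endsWith(SUPPORTED_PATTERNS_PATH)) return next()`, which also lets a request without `pagePath` skip the middleware instead of throwing on the non-null assertion. The function body continues past the end of the hunk.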
@@ -32,7 +32,7 @@ When a supported secret is leaked, {% data variables.product.product_name %} gen {% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %} -Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "Not sure which article to link to TODO:"{% endif %} +Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information about partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)."{% endif %} For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." From 230fb8bdd41a09a9eede9200b9cd270ddddf72d5 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 6 Aug 2024 12:32:19 +0100 Subject: [PATCH 258/275] add notes linking to each of the 2 articles --- .../working-with-push-protection-from-the-command-line.md | 2 ++ .../working-with-push-protection-in-the-github-ui.md | 2 ++ 2 files changed, 4 insertions(+) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md index ba531a5aea..742267de80 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line.md @@ -38,6 +38,8 @@ To resolve a blocked push, you must remove the secret from all of the commits it * If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)." * If the secret appears in earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)." +>[!NOTE] To learn how to resolved a blocked commit in the {% data variables.product.prodname_dotcom %} UI, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit)." + ### Removing a secret introduced by the latest commit on your branch If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index 247828019a..b5c5c6f1ad 100644 
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md @@ -42,6 +42,8 @@ Organization owners can provide a custom link that will be displayed when a push To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. +>[!NOTE] To learn how to resolved a blocked push on the command line, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#resolving-a-blocked-push)." + ## Bypassing push protection If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret. From 412ece77e6881ef69c161072cc4e409821f71908 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 08:48:10 +0100 Subject: [PATCH 259/275] remove last TODOs --- .../secret-scanning/introduction/about-push-protection.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index 8a90dc60f3..dbdd096f6a 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -74,11 +74,7 @@ Once push protection is enabled, you can customize it further: ### Integration with CI/CD pipelines -Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO: - add link to something here?" - -### Handling false positives - -If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO: - not sure what to link to here?" +Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. {% ifversion secret-scanning-push-protection-custom-patterns %} From 04955e51868b57a494a1c1c014918e95fe047a49 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 09:00:02 +0100 Subject: [PATCH 260/275] Apply suggestions from code review Co-authored-by: Felicity Chapman Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../enabling-push-protection-for-your-repository.md | 1 + .../enabling-secret-scanning-for-your-repository.md | 4 ++-- .../enabling-validity-checks-for-your-repository.md | 2 +- .../enabling-secret-scanning-features/index.md | 2 +- .../introduction/about-secret-scanning-for-partners.md | 7 +++---- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- .../code-security/secret-scanning/introduction/index.md | 2 +- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- .../managing-alerts-from-secret-scanning/index.md | 2 +- .../managing-alerts-from-secret-scanning/viewing-alerts.md | 2 +- .../custom-patterns/metrics-for-custom-patterns.md | 2 +- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- 12 files changed, 15 insertions(+), 15 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md index cdc9dd9d8c..98552b0809 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository.md 
@@ -45,5 +45,6 @@ If your organization is owned by an enterprise account, an enterprise owner can ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)" * "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)" * "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 459d8fb73d..2ddcbd8946 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -52,5 +52,5 @@ A repository administrator can choose to disable {% data variables.product.prodn ## Next steps -* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)"{% ifversion secret-scanning-validity-check-partner-patterns %} -* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)"{% endif %} +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)" +* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)" 
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index 751334209b..9f4aee2a30 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md @@ -14,7 +14,7 @@ topics: ## About validity checks -You can choose to enable validity checks for partner patterns for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s secret scanning partnership program. {% data reusables.secret-scanning.partner-program-link %} +You can enable validity checks for secrets identified as service provider tokens for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s secret scanning partnership program. {% data reusables.secret-scanning.partner-program-link %} {% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view. diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md index 76d8a49661..8041ca6b45 100644 
--- a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md @@ -2,7 +2,7 @@ title: Enabling secret scanning features shortTitle: Enable secret scanning features allowTitleToDifferFromFilename: true -intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} that scans for and detects secrets that have been checked into a repository, as well as push protection that proactively secures you against leaking secrets by blocking pushes containing secrets.' +intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} to detect secrets that are already visible in a repository, as well as push protection to proactively secure you against leaking additional secrets by blocking pushes containing secrets.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index f9117cb5e1..276124021d 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md 
@@ -1,6 +1,6 @@ --- title: About secret scanning for partners -intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner''s secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.' +intro: 'When {% data variables.product.prodname_secret_scanning %} detects authentication details for a service provider in a public repository on {% data variables.product.prodname_dotcom %}, an alert is sent directly to the provider. This allows service providers who are {% data variables.product.prodname_dotcom %} partners to promptly take action to secure their systems.' versions: fpt: '*' ghec: '*' @@ -17,7 +17,7 @@ shortTitle: Secret scanning for partners > [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. -The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this helps ensure that secrets are not inadvertently exposed in public or private repositories. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}. +The reason partner alerts are directly sent to the secret providers whenever a leak is detected for one of their secrets is that this enables the provider to take immediate action to protect you and protect their resources. The notification process for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %} for you to resolve. {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} 
@@ -29,5 +29,4 @@ For information about the secrets and service providers supported by push protec * "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" * "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)" +* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index 340a0ea5c6..e68d53e023 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md 
@@ -24,7 +24,7 @@ shortTitle: Secret scanning {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. -{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} +{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full Git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} {% data 
reusables.secret-scanning.what-is-scanned %} diff --git a/content/code-security/secret-scanning/introduction/index.md b/content/code-security/secret-scanning/introduction/index.md index 7c8fb7d1da..5edda345e1 100644 --- a/content/code-security/secret-scanning/introduction/index.md +++ b/content/code-security/secret-scanning/introduction/index.md @@ -2,7 +2,7 @@ title: Introduction to secret scanning shortTitle: Introduction allowTitleToDifferFromFilename: true -intro: 'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.' +intro: 'Learn how {% data variables.product.prodname_secret_scanning %} detects secrets in existing content and new commits, helping you to avoid exposing sensitive data that could be exploited.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index ab01aeb7d6..def754ce07 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md 
@@ -66,6 +66,6 @@ Partner alerts are not sent to repository administrators, so you do not need to ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %} -* "[AUTOTITLE](/code-security/secret-scanning/ using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %} +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)"{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)"{% endif %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md index 2060fa9ffe..6dd0553b9b 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md @@ -1,6 +1,6 @@ --- title: Managing alerts from secret scanning -intro: 'Learn how to find, evaluate, and resolve alerts for secrets checked in to your repository.' +intro: 'Learn how to find, evaluate, and resolve alerts for secrets stored in your repository.' product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: - /github/administering-a-repository/managing-alerts-from-secret-scanning 
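Review bot: The first bullet under "Further reading" in about-alerts.md still opens a quotation mark that is never closed. The line `* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %}` has no `"` after the closing parenthesis, unlike the three bullets below it. This hunk already fixes the stray space in the next link, so the line above can be fixed in the same pass by ending the link with `)"{% ifversion ghec or ghes %}`.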
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index b51a24bc33..88a71f5b37 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md @@ -72,7 +72,7 @@ You can apply various filters to the alerts list to help you find the alerts you | {% ifversion secret-scanning-bypass-filter %} | |`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| | {% endif %} | -|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."| +|`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."| |`validity:inactive`| Displays alerts for secrets that are no longer active.| |`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| |`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md index 619db12b1b..a9e3e99c42 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns.md @@ -13,7 +13,7 @@ topics: ## Metrics for custom patterns -Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days. +Organization owners and people with admin permission for a repository can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days. > [!NOTE] Metrics for custom patterns are in public beta and subject to change. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index 615d45ac73..59adb340ff 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
@@ -66,6 +66,6 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da Best practices include: * Minimizing the number of directories excluded and being as precise as possible when defining exclusions. This ensures that the instructions are as clear as possible, and that exclusions work as intended. -* Explaining why a particular file or folder is excluded in a comment in the `secret_scanning.yml` file. As with regular code, using comments clarifies your intend, making it easier for others to understand the desired behavior. +* Explaining why a particular file or folder is excluded in a comment in the `secret_scanning.yml` file. As with regular code, using comments clarifies your intention, making it easier for others to understand the desired behavior. * Reviewing the `secret_scanning.yml` file on a regular basis. Some exclusions may no longer apply with time, and it is good practice to keep the file clean and current. The use of comments, as advised above, can help with this. * Informing the security team what files and folders you've excluded, and why. Good communication is vital in ensuring that everyone is on the same page, and understands why specific folders or files are excluded. From 0bed702eca735681abe9392207eb7e49cdbb9604 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 10:37:48 +0100 Subject: [PATCH 261/275] address more comments --- .../enabling-secret-scanning-for-your-repository.md | 4 ++-- .../secret-scanning/introduction/about-push-protection.md | 6 +++--- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- .../introduction/supported-secret-scanning-patterns.md | 2 +- .../enabling-delegated-bypass-for-push-protection.md | 4 ++-- .../index.md | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md index 2ddcbd8946..cb6f9297d3 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository.md @@ -34,8 +34,6 @@ If your organization is owned by an enterprise account, an enterprise owner can {% endif %} -A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." - ## Enabling {% data variables.secret-scanning.user_alerts %} {% data reusables.repositories.navigate-to-repo %} @@ -50,6 +48,8 @@ A repository administrator can choose to disable {% data variables.product.prodn ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %} +A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." + ## Next steps * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)" 
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index dbdd096f6a..4708f5bf13 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md @@ -72,13 +72,13 @@ Every user across {% data variables.product.prodname_dotcom %} can also enable p Once push protection is enabled, you can customize it further: -### Integration with CI/CD pipelines +### Integrate with CI/CD pipelines Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. {% ifversion secret-scanning-push-protection-custom-patterns %} -### Defining custom patterns +### Define custom patterns Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." @@ -86,7 +86,7 @@ Define custom patterns that push protection can use to identify secrets and bloc {% ifversion push-protection-delegated-bypass %} -### Using delegated bypass +### Configure delegated bypass Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index e68d53e023..2844ccefc3 100644 
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md @@ -22,7 +22,7 @@ shortTitle: Secret scanning ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection. +{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in repositories for known types of secrets and alerts repository administrators upon detection. {% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full Git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %} 
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 143d329037..bd8864ef96 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -36,7 +36,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec * **Provider**—name of the token provider.{% ifversion fpt or ghec %} * **Partner**—token for which leaks are reported to the relevant token partner. Applies to public repositories only. * **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} - * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %}, {% data variables.product.prodname_secret_scanning %}. + * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled. * Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives. * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes %} 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 20c95220e0..fd6088da36 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -24,7 +24,7 @@ When you enable this feature, you will create a bypass list of roles and teams w >[!NOTE] You can't add secret teams to the bypass list. -### Configuring delegated bypass for an organization +## Configuring delegated bypass for an organization {% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.org_settings %} @@ -37,7 +37,7 @@ When you enable this feature, you will create a bypass list of roles and teams w 1. Under "Bypass list", click **Add role or team**. 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. -### Configuring delegated bypass for a repository +## Configuring delegated bypass for a repository >[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md index f1c5f02d05..6ed5a0921d 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/index.md @@ -2,7 +2,7 @@ title: Using advanced secret scanning and push protection features shortTitle: Advanced features allowTitleToDifferFromFilename: true -intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company.' +intro: 'Learn how you can customize {% data variables.product.prodname_secret_scanning %} to meet the needs of your company.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From 308851bbbd9f288ae65c99f4e62e41c555568563 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 10:40:13 +0100 Subject: [PATCH 262/275] Update content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md --- content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md b/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md index 10a885f05a..18d74fc9c9 100644 --- a/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md +++ b/content/apps/oauth-apps/using-oauth-apps/internal-oauth-apps.md @@ -23,7 +23,7 @@ These {% data variables.product.prodname_oauth_apps %} are : * GitHub Codespaces for JetBrains * GitHub Desktop * GitHub Education -* Github-importer-production +* github-importer-production * GitHub iOS * GitHub Support * JetBrains IDE Integration From a6d2bf36ca3f5dde1fc81cc1aeebe7be2fd47185 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 10:41:48 +0100 Subject: [PATCH 263/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../managing-requests-to-bypass-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 8dbb251678..bd54906659 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -24,7 +24,7 @@ An organization owner or repository administrator defines which roles and teams > [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. -### Managing requests to bypass push protection at the repository-level +### Managing requests to bypass push protection at the repository level {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} From 967783c7c9c2efb53efb973570b19adb6e2b91aa Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 10:42:53 +0100 Subject: [PATCH 264/275] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index 59adb340ff..797bc59e36 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
@@ -28,7 +28,7 @@ You can configure a `secret_scanning.yml` file to exclude directories from {% da {% data reusables.repositories.navigate-to-repo %} {% data reusables.files.add-file %} -1. In the file name field, type _.github/secret_scanning.yml_. +1. In the file name field, enter ".github/secret_scanning.yml". 1. Under **Edit new file**, type `paths-ignore:` followed by the paths you want to exclude from {% data variables.product.prodname_secret_scanning %}. ``` yaml copy From 28a8ae087e490f6c63c089f693f46cfd4216315c Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 11:20:15 +0100 Subject: [PATCH 265/275] address another comment --- .../enabling-validity-checks-for-your-repository.md | 10 +++++++++- .../evaluating-alerts.md | 8 -------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md index 9f4aee2a30..28781292d4 100644 --- a/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md +++ b/content/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository.md 
@@ -18,7 +18,15 @@ You can enable validity checks for secrets identified as service provider tokens {% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view. -You can also filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on. +{% ifversion secret-scanning-validity-check-partner-patterns %} + +You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. + +{% data variables.product.company_short %} displays the validation status of the secret in the alert view. + +{% endif %} + +You can filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on. > [!NOTE] > {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index 0abbda8550..e810be9005 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md 
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md @@ -37,14 +37,6 @@ Organizations using {% data variables.product.prodname_ghe_cloud %} with a licen {% endif %} -{% ifversion secret-scanning-validity-check-partner-patterns %} - -You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information. - -{% data variables.product.company_short %} displays the validation status of the secret in the alert view. - -{% endif %} - {% data reusables.secret-scanning.validity-check-table %} {% ifversion secret-scanning-validity-check-partner-patterns %} From b1027b97a4edd94bf11603052cb70c0234f1cb78 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 11:36:41 +0100 Subject: [PATCH 266/275] removing versioning to simplify --- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index 797bc59e36..a32dbca409 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md @@ -16,7 +16,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." ## About excluding directories from {% data variables.secret-scanning.user_alerts %} From 6465fac273d6b8bcf86eea5891ccc289d608ab05 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 11:41:58 +0100 Subject: [PATCH 267/275] Update content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md Co-authored-by: Felicity Chapman --- .../working-with-push-protection-in-the-github-ui.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md index b5c5c6f1ad..1a334dc55f 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui.md 
@@ -57,7 +57,11 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-public-repos-bypass %} 1. Click **Allow secret**. -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +{% ifversion push-protection-delegated-bypass %} + +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges)." + +{% endif %} {% ifversion push-protection-delegated-bypass %} From db5bb6f83bea3032695b6786ea1ea09fd2a5f4a3 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 12:45:25 +0100 Subject: [PATCH 268/275] update anchor links for supported patterns --- .../phase-2-preparing-to-enable-at-scale.md | 6 +++--- .../getting-started/github-security-features.md | 2 +- .../introduction/about-secret-scanning-for-partners.md | 2 +- .../introduction/supported-secret-scanning-patterns.md | 4 ++-- .../evaluating-alerts.md | 2 +- .../resolving-alerts.md | 2 +- .../viewing-alerts.md | 8 ++++---- .../troubleshooting-secret-scanning.md | 4 ++-- .../defining-custom-patterns-for-secret-scanning.md | 2 +- .../enabling-secret-scanning-for-non-provider-patterns.md | 2 +- .../push-protection-for-users.md | 2 +- ...ring-global-security-settings-for-your-organization.md | 2 +- .../end-to-end-supply-chain/securing-code.md | 2 +- .../github-terms-for-additional-products-and-features.md | 2 +- data/reusables/security-overview/settings-limitations.md | 2 +- 15 files changed, 22 insertions(+), 22 deletions(-) diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md index a2ca0eec3f..15584b48a1 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md 
@@ -132,7 +132,7 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro **Note:** When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %} -Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."{% endif %} +Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."{% endif %} {% endnote %} 
@@ -158,13 +158,13 @@ If you are enabling {% data variables.product.prodname_secret_scanning %} on a l ### Custom patterns for {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)." +{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." ### Push protection for {% data variables.product.prodname_secret_scanning %} -Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." 
+Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." If a secret is detected in a push, that push is blocked. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. {% data reusables.secret-scanning.push-protection-custom-pattern %} diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index 55fbc5a9f5..550889a7be 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md @@ -89,7 +89,7 @@ Push protection for users automatically protects you from accidentally committin ### {% data variables.secret-scanning.partner_alerts_caps %} -Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." {% endif %} 
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md index 276124021d..d99200b63e 100644 --- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md +++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md @@ -23,7 +23,7 @@ The reason partner alerts are directly sent to the secret providers whenever a l ## What are the supported secrets -For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." ## Further reading diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index bd8864ef96..6707ff85fc 100644 --- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -12,7 +12,7 @@ topics: - Advanced Security redirect_from: - /code-security/secret-scanning/secret-scanning-partners - - /code-security/secret-scanning/secret-scanning-patterns + - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns layout: inline shortTitle: Supported patterns --- 
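Review bot: The `redirect_from` entry changed in the front-matter hunk of supported-secret-scanning-patterns.md now names the page's own path, `/code-security/secret-scanning/introduction/supported-secret-scanning-patterns`. That makes it a self-redirect and drops the redirect from the old URL `/code-security/secret-scanning/secret-scanning-patterns`. This looks like a side effect of the path search-and-replace applied to the links in the rest of the commit. Keep the original entry, `  - /code-security/secret-scanning/secret-scanning-patterns`, so existing links to the supported-secrets list still resolve. Whether a redirect defined elsewhere covers the old path cannot be seen from this hunk.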
@@ -49,7 +49,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec **Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." {% endnote %} -* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %} +* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. 
For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %} {% ifversion secret-scanning-non-provider-patterns %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md index e810be9005..074f03a498 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md 
@@ -43,7 +43,7 @@ Organizations using {% data variables.product.prodname_ghe_cloud %} with a licen {% data reusables.gated-features.partner-pattern-validity-check-ghas %} -For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." +For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." {% endif %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md index d91679ecac..196c2ed5e3 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md 
@@ -30,7 +30,7 @@ Once a secret has been committed to a repository, you should consider the secret {% ifversion fpt or ghec %} > [!NOTE] -> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." {% endif %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index 88a71f5b37..0863d1e56a 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
@@ -75,11 +75,11 @@ You can apply various filters to the alerts list to help you find the alerts you |`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."| |`validity:inactive`| Displays alerts for secrets that are no longer active.| |`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.| -|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." | -|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."| +|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secret)." | +|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."| | {% ifversion secret-scanning-non-provider-patterns %} | -|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." 
| -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| +|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." | +|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| | {% endif %} | ## Next steps diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md index 9572785a2c..aa572adac2 100644 --- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md 
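Review bot: The `secret-type:SECRET-NAME` row in the viewing-alerts.md filter table keeps the singular anchor `#supported-secret`, while every other link to that section in this commit uses `#supported-secrets`. The link probably does not land on the table, so it should read `supported-secret-scanning-patterns#supported-secrets`. The same carry-over appears in the hunk for enabling-secret-scanning-for-non-provider-patterns.md, which keeps `#about-user--alerts` and `#about-secret-scanning-alerts`, whereas the global-settings hunk in this commit switches the equivalent link to `#non-provider-patterns`. Each rewritten anchor should be checked against the headings of the new page, which are not visible in this diff.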
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md @@ -22,7 +22,7 @@ redirect_from: {% data variables.product.prodname_secret_scanning_caps %} will only detect pattern pairs, such as AWS Access Keys and Secrets, if the ID and the secret are found in the same file, and both are pushed to the repository. Pair matching helps reduce false positives since both elements of a pair (the ID and the secret) must be used together to access the provider's resource. -Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)." +Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." {% ifversion secret-scanning-validity-check %} @@ -34,7 +34,7 @@ For {% data variables.product.prodname_dotcom %} tokens, we check the validity o ## Push protection limitations -If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." If your secret is in the supported list, there are various reasons why push protection may not detect it. 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 3c75151d36..2fc60381c3 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md @@ -17,7 +17,7 @@ topics: ## About custom patterns for {% data variables.product.prodname_secret_scanning %} -You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)." +You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." You can define custom patterns for your enterprise, organization, or repository. {% data variables.product.prodname_secret_scanning_caps %} supports up to 500 custom patterns for each organization or enterprise account, and up to 100 custom patterns per repository. 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md index f34762c6bf..5a10b2fa99 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns.md @@ -20,7 +20,7 @@ shortTitle: Enable for non-provider patterns You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives. -For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." +For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#about-secret-scanning-alerts){% endif %}." {% ifversion security-configurations %} diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md index c15343611c..0cca4955ce 100644 
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md @@ -26,7 +26,7 @@ Push protection for users is different from _push protection for repositories an With push protection for users, {% data variables.product.prodname_dotcom %} won't create an alert when you bypass the protection and push a secret to a public repository, unless the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. However, if the bypassed secret is a {% data variables.product.prodname_dotcom %} token, the token will be revoked and you will be notified by email. -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." +For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." ## Disabling push protection for users diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index 4056b2747b..214c6ef2b5 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md 
@@ -103,7 +103,7 @@ You can customize several {% data variables.product.prodname_global_settings %} ### Scanning for non-provider patterns
-You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user-alerts)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
+You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts#other-alerts-list)."
 {% data reusables.secret-scanning.non-provider-patterns-beta %}
diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
index 4050c6dab3..bbcb51730d 100644
--- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
+++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
@@ -87,7 +87,7 @@ If your organization uses {% data variables.product.prodname_GH_advanced_securit You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." {% else %}
-You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
+You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
 {% endif %} ### Secure storage of secrets you use in {% data variables.product.product_name %}
diff --git a/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md b/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md
index 6cfdcd3313..1c439bf750 100644
--- a/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md
+++ b/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md
@@ -60,7 +60,7 @@ GitHub makes extra security features available to customers under an Advanced Se Advanced Security is licensed on a "Unique Committer" basis. A "Unique Committer" is a licensed user of GitHub Enterprise, GitHub Enterprise Cloud, or GitHub Enterprise Server, who has made a commit in the last 90 days to any repository with any GitHub Advanced Security functionality activated. You must acquire a GitHub Advanced Security User license for each of your Unique Committers. You may only use GitHub Advanced Security on codebases that are developed by or for you. For GitHub Enterprise Cloud users, some Advanced Security features also require the use of GitHub Actions.
-For secret scanning with GitHub Advanced Security, when you opt-in to automatic validity checks for partner patterns, exposed third-party tokens may be shared with the relevant partner, in order to provide you with more information about the validity of the token. Not all partners are based in the United States. The [Secret scanning patterns documentation](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns) provides more details on which partners support the validity check.
+For secret scanning with GitHub Advanced Security, when you opt-in to automatic validity checks for partner patterns, exposed third-party tokens may be shared with the relevant partner, in order to provide you with more information about the validity of the token. Not all partners are based in the United States. The [Secret scanning patterns documentation](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns) provides more details on which partners support the validity check.
 ## Advisory Database
diff --git a/data/reusables/security-overview/settings-limitations.md b/data/reusables/security-overview/settings-limitations.md
index f993c80bfe..6dc3ca95fe 100644
--- a/data/reusables/security-overview/settings-limitations.md
+++ b/data/reusables/security-overview/settings-limitations.md
@@ -4,7 +4,7 @@ **Notes:** * Enabling {% data variables.product.prodname_code_scanning %} default setup _will not_ override any existing configurations of advanced setup for the selected repositories, but it _will_ override any existing configurations of default setup.
-* Enabling "Alerts" for {% data variables.product.prodname_secret_scanning %} enables high-confidence alerts. If you want to enable non-provider alerts, you need to edit the repository, organization, or enterprise settings. For more information about alert types, see "[Supported secrets](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
+* Enabling "Alerts" for {% data variables.product.prodname_secret_scanning %} enables high-confidence alerts. If you want to enable non-provider alerts, you need to edit the repository, organization, or enterprise settings. For more information about alert types, see "[Supported secrets](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 {% endnote %}
From 76bc8de19a96a8049f070a99c1e32ef572a4a1f7 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 8 Aug 2024 13:18:31 +0100
Subject: [PATCH 269/275] its getting boring
---
 .../phase-2-preparing-to-enable-at-scale.md | 6 +++---
 .../phase-3-pilot-programs.md | 2 +-
 .../phase-6-rollout-and-scale-secret-scanning.md | 2 +-
 ...s-for-preventing-data-leaks-in-your-organization.md | 2 +-
 .../getting-started/github-security-features.md | 2 +-
 .../introduction/about-push-protection.md | 2 +-
 .../introduction/about-secret-scanning-for-partners.md | 2 +-
 .../introduction/supported-secret-scanning-patterns.md | 4 ++--
 .../evaluating-alerts.md | 2 +-
 .../defining-custom-patterns-for-secret-scanning.md | 4 ++--
 ...g-global-security-settings-for-your-organization.md | 2 +-
 .../reviewing-the-audit-log-for-your-organization.md | 8 ++++----
 .../reusables/audit_log/audit-log-action-categories.md | 10 +++++-----
 .../validity-check-partner-patterns-enabled.md | 2 +-
 src/fixtures/fixtures/versionless-redirects.txt | 2 +-
 15 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md
index 15584b48a1..c0e6bcd461 100644
--- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md
+++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md
@@ -132,7 +132,7 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro **Note:** When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %}
-Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."{% endif %}
+Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."{% endif %}
 {% endnote %}
@@ -154,13 +154,13 @@ Enabling {% data variables.product.prodname_secret_scanning %} for all repositor If you are enabling {% data variables.product.prodname_secret_scanning %} on a large organization, be prepared to see a high number of secrets found. Sometimes this comes as a shock to organizations and the alarm is raised. If you would like to turn on {% data variables.product.prodname_secret_scanning %} across all repositories at once, plan for how you will respond to multiple alerts across the organization.
-{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
+{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
 ### Custom patterns for {% data variables.product.prodname_secret_scanning %} {% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
-As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 ### Push protection for {% data variables.product.prodname_secret_scanning %}
diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md
index ab7e0fe4c6..2762d9a094 100644
--- a/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md
+++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md
@@ -102,7 +102,7 @@ Start to review activity using the push protection metrics page in security over {%- endif %}
-If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 To learn how to view and close alerts for secrets checked into your repository, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md
index e7c4fe4861..0be7b7612f 100644
--- a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md
+++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md
@@ -107,7 +107,7 @@ Once you have decided on the secret types, you can do the following: You can now expand beyond the five most critical secret types into a more comprehensive list, with an additional focus on education. You can repeat the previous step, remediating previously committed secrets, for the different secret types you have targeted.
-You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 As you continue to build your remediation processes for other secret types, start to create proactive training material that can be shared with all developers of GitHub in your organization. Until this point, a lot of the focus has been reactive. It is an excellent idea to shift focus to being proactive and encourage developers not to push credentials to GitHub in the first place. This can be achieved in multiple ways but creating a short document explaining the risks and reasons would be a great place to start.
diff --git a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md
index ef129e252f..a31d159d2f 100644
--- a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md
+++ b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md
@@ -84,7 +84,7 @@ There are two forms of {% data variables.product.prodname_secret_scanning %} ava For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
-{% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
+{% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."{% endif %}
 ### Review the audit log for your organization
diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md
index 550889a7be..2e375eac3d 100644
--- a/content/code-security/getting-started/github-security-features.md
+++ b/content/code-security/getting-started/github-security-features.md
@@ -89,7 +89,7 @@ Push protection for users automatically protects you from accidentally committin ### {% data variables.secret-scanning.partner_alerts_caps %}
-Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
+Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 {% endif %}
diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md
index 4708f5bf13..b47948085b 100644
--- a/content/code-security/secret-scanning/introduction/about-push-protection.md
+++ b/content/code-security/secret-scanning/introduction/about-push-protection.md
@@ -80,7 +80,7 @@ Integrate push protection with your Continuous Integration/Continuous Deployment ### Define custom patterns
-Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 {% endif %}
diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
index d99200b63e..276124021d 100644
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning-for-partners.md
@@ -23,7 +23,7 @@ The reason partner alerts are directly sent to the secret providers whenever a l ## What are the supported secrets
-For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
+For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 ## Further reading
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
index 6707ff85fc..835df227d7 100644
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
@@ -12,7 +12,7 @@ topics:
 - Advanced Security
 redirect_from:
 - /code-security/secret-scanning/secret-scanning-partners
- - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
+ - /code-security/secret-scanning/secret-scanning-patterns
 layout: inline
 shortTitle: Supported patterns
 ---
@@ -38,7 +38,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec * **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled. * Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
- * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)."
+ * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)."
 {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes %} * **{% data variables.product.prodname_secret_scanning_caps %} alert**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %} * Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled.
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index 074f03a498..6652cf1273 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -43,7 +43,7 @@ Organizations using {% data variables.product.prodname_ghe_cloud %} with a licen {% data reusables.gated-features.partner-pattern-validity-check-ghas %}
-For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)."
+For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)."
 {% endif %}
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
index 2fc60381c3..8e11d146fb 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md
@@ -5,7 +5,7 @@ intro: 'You can define your own custom patterns to extend the capabilities of {%
 product: '{% data reusables.gated-features.secret-scanning %}'
 redirect_from:
 - /code-security/secret-security/defining-custom-patterns-for-secret-scanning
- - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
+ - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning
 versions:
 ghes: '*'
 ghec: '*'
@@ -52,7 +52,7 @@ For simple tokens you will usually only need to specify a secret format. The oth ## Defining a custom pattern for a repository
-Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)."
+Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)."
 {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %}
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
index 214c6ef2b5..b840e3c336 100644
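Review bot: The `redirect_from` change in this front matter replaces the legacy path `/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning` with the article's own new location, so the entry now points at the page itself and the old URL appears to lose its redirect. The same commit reverses exactly this pattern in `supported-secret-scanning-patterns.md`, which suggests a search-and-replace slip rather than intent. I would restore the legacy entry, `  - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning`, so existing links and bookmarks to the custom-patterns guidance keep resolving. Whether the docs build rejects a self-referencing redirect is not visible from this hunk.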
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
@@ -126,7 +126,7 @@ To provide context for developers when {% data variables.product.prodname_secret ### Defining custom patterns
-You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 {% endif %}
diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
index 94529e94b8..1624176b33 100644
--- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
+++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
@@ -86,7 +86,7 @@ To search for specific events, use the `action` qualifier in your query. Actions | `org_secret_scanning_automatic_validity_checks` | Contains organization-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization)." | {% endif %} | | {% ifversion secret-scanning-audit-log-custom-patterns %} |
-| `org_secret_scanning_custom_pattern` | Contains organization-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
+| `org_secret_scanning_custom_pattern` | Contains organization-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 | {% endif %} | | `organization_default_label` | Contains all activities related to default labels for repositories in your organization. | `oauth_application` | Contains all activities related to {% data variables.product.prodname_oauth_apps %}.
@@ -110,13 +110,13 @@ To search for specific events, use the `action` qualifier in your query. Actions | `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." | {% endif %} | | {% ifversion secret-scanning-validity-check-audit-log %} | -| `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." +| `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." | {% endif %} | | {% ifversion secret-scanning-audit-log-custom-patterns %} | -| `repository_secret_scanning_custom_pattern` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." | +| `repository_secret_scanning_custom_pattern` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." 
| | {% endif %} | | {% ifversion secret-scanning-custom-pattern-push-protection-audit %} | -| `repository_secret_scanning_custom_pattern_push_protection`| Contains repository-level activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." +| `repository_secret_scanning_custom_pattern_push_protection`| Contains repository-level activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." | {% endif %} | | {% ifversion secret-scanning-audit-log-custom-patterns %} | | `repository_secret_scanning_push_protection` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." diff --git a/data/reusables/audit_log/audit-log-action-categories.md b/data/reusables/audit_log/audit-log-action-categories.md index 3190d2441f..58c39d08cb 100644 --- a/data/reusables/audit_log/audit-log-action-categories.md +++ b/data/reusables/audit_log/audit-log-action-categories.md 
@@ -25,7 +25,7 @@ | `business_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an enterprise. {%- endif %} {%- ifversion secret-scanning-custom-pattern-push-protection-audit %} -| `business_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)." +| `business_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)." {%- endif %} {%- ifversion code-security-audit-log-events %} | `business_secret_scanning_push_protection` | Contains activities related to the push protection feature of {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)." 
@@ -95,7 +95,7 @@ | `org_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization)." {%- endif %} {%- ifversion secret-scanning-audit-log-custom-patterns %} -| `org_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +| `org_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {%- endif %} | `organization_default_label` | Contains activities related to default labels for repositories in an organization. | `organization_domain` | Contains activities related to verified organization domains. 
@@ -137,13 +137,13 @@ | `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." {%- endif %} {%- ifversion secret-scanning-validity-check-audit-log %} -| `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." +| `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." {%- endif %} {%- ifversion secret-scanning-audit-log-custom-patterns %} -| `repository_secret_scanning_custom_pattern` | Contains activities related to {% data variables.product.prodname_secret_scanning %} custom patterns in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." +| `repository_secret_scanning_custom_pattern` | Contains activities related to {% data variables.product.prodname_secret_scanning %} custom patterns in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." 
{%- endif %} {%- ifversion secret-scanning-custom-pattern-push-protection-audit %} -| `repository_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." +| `repository_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." {%- endif %} {%- ifversion secret-scanning-audit-log-custom-patterns %} | `repository_secret_scanning_push_protection` | Contains activities related to the push protection feature of {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." diff --git a/data/reusables/secret-scanning/validity-check-partner-patterns-enabled.md b/data/reusables/secret-scanning/validity-check-partner-patterns-enabled.md index bdbd7fbc85..229a0e3fc2 100644 --- a/data/reusables/secret-scanning/validity-check-partner-patterns-enabled.md +++ b/data/reusables/secret-scanning/validity-check-partner-patterns-enabled.md 
@@ -1 +1 @@
-To be able to filter by validity status, you need to have validity checks for partner patterns enabled at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)," and "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features)."
+To be able to filter by validity status, you need to have validity checks for partner patterns enabled at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)," "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)," and "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features)."
diff --git a/src/fixtures/fixtures/versionless-redirects.txt b/src/fixtures/fixtures/versionless-redirects.txt
index a16e709b96..924ce1320c 100644
--- a/src/fixtures/fixtures/versionless-redirects.txt
+++ b/src/fixtures/fixtures/versionless-redirects.txt
@@ -380,7 +380,7 @@ /enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning - /code-security/secret-security/defining-custom-patterns-for-secret-scanning -- /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning +- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning /enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators - /articles/restricting-the-ability-to-add-outside-collaborators-to-organization-repositories From 55d00fd8f63658f316c3af48e3200403fee2bddb Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 13:22:06 +0100 Subject: [PATCH 270/275] reinstate --- .../defining-custom-patterns-for-secret-scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md index 8e11d146fb..c9ff88542f 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning.md 
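Review bot: The added fixture entry `- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning` is the same path as the target on the line above it, minus the `/enterprise-cloud@latest` prefix, so the entry now describes a page redirecting to itself. The old URL `/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning` is no longer exercised by this fixture. This looks like a side effect of the bulk link replacement: the next patch in the series ("reinstate") restores the old path in the article's `redirect_from`, but no matching change to this fixture is visible here. I would keep the removed line as it was, `- /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning`, so existing links to the custom-patterns article continue to be checked.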
@@ -5,7 +5,7 @@ intro: 'You can define your own custom patterns to extend the capabilities of {% product: '{% data reusables.gated-features.secret-scanning %}' redirect_from: - /code-security/secret-security/defining-custom-patterns-for-secret-scanning - - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning + - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning versions: ghes: '*' ghec: '*' From 7d45834d7b94ca711f5db0a82419e5e2f9537fc6 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 13:52:25 +0100 Subject: [PATCH 271/275] more link updates --- .../configuring-secret-scanning-for-your-appliance.md | 2 +- .../removing-sensitive-data-from-a-repository.md | 4 ++-- .../phase-2-preparing-to-enable-at-scale.md | 4 ++-- .../phase-6-rollout-and-scale-secret-scanning.md | 4 ++-- ...ctices-for-preventing-data-leaks-in-your-organization.md | 4 ++-- .../getting-started/github-security-features.md | 6 +++--- .../introduction/supported-secret-scanning-patterns.md | 4 ++-- .../managing-alerts-from-secret-scanning/about-alerts.md | 2 +- .../managing-alerts-from-secret-scanning/viewing-alerts.md | 4 ++-- .../about-generating-regular-expressions-with-ai.md | 4 ++-- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- ...the-detection-of-generic-secrets-with-secret-scanning.md | 2 +- .../enabling-ai-powered-generic-secret-detection.md | 2 +- .../push-protection-for-users.md | 2 +- ...guring-global-security-settings-for-your-organization.md | 2 +- .../interpreting-security-findings-on-a-repository.md | 2 +- .../creating-a-custom-security-configuration.md | 4 ++-- .../security-overview/about-security-overview.md | 2 +- .../end-to-end-supply-chain/securing-code.md | 6 +++--- .../learning-about-github/about-github-advanced-security.md | 2 +- ...-security-and-analysis-settings-for-your-organization.md | 2 +- .../reviewing-the-audit-log-for-your-organization.md | 4 ++-- .../archiving-a-github-repository/archiving-repositories.md | 2 +- .../authentication/keeping-your-api-credentials-secure.md | 2 +- content/rest/secret-scanning/secret-scanning.md | 2 +- .../advanced-security/more-info-ghas-secret-scanning.md | 2 +- data/reusables/apps/app-scans.md | 2 +- data/reusables/audit_log/audit-log-action-categories.md | 4 ++-- .../gated-features/push-protection-users-and-repos.md | 2 +- data/reusables/secret-scanning/push-protection-for-users.md | 2 +- 
.../secret-scanning/push-protection-public-repos-bypass.md | 2 +- 31 files changed, 45 insertions(+), 45 deletions(-) diff --git a/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md b/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md index 2b491d7ce0..804106a273 100644 --- a/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md +++ b/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md @@ -19,7 +19,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -If someone checks a secret with a known pattern into a repository, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the **Security** tab for the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +If someone checks a secret with a known pattern into a repository, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the **Security** tab for the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." ## Checking whether your license includes {% data variables.product.prodname_GH_advanced_security %} 
diff --git a/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md b/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md index be9dfb7727..241c1ce56c 100644 --- a/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md +++ b/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md 
@@ -214,10 +214,10 @@ There are a few simple tricks to avoid committing things you don't want committe * Avoid the catch-all commands `git add .` and `git commit -a` on the command line—use `git add filename` and `git rm filename` to individually stage files, instead. * Use `git add --interactive` to individually review and stage changes within each file. * Use `git diff --cached` to review the changes that you have staged for commit. This is the exact diff that `git commit` will produce as long as you don't use the `-a` flag. -* Enable push protection for your repository to detect and prevent pushes which contain hardcoded secrets from being committed to your codebase. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#about-push-protection-for-repositories-and-organizations)." +* Enable push protection for your repository to detect and prevent pushes which contain hardcoded secrets from being committed to your codebase. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." ## Further reading * [`git filter-repo` man page](https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html) * [Pro Git: Git Tools - Rewriting History](https://git-scm.com/book/en/Git-Tools-Rewriting-History) -* "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md index c0e6bcd461..d90585d928 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md 
+++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md @@ -136,7 +136,7 @@ Secrets found in public repositories using {% data variables.secret-scanning.par {% endnote %} -If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." {% ifversion ghec %}{% data variables.secret-scanning.partner_alerts_caps %} runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on {% data variables.product.prodname_dotcom_the_website %}. 
@@ -176,7 +176,7 @@ Before enabling push protection, consider whether you need to create guidance fo Next, familiarize yourself with the different options for managing and monitoring alerts that are the result of a contributor bypassing push protection. -For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." +For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." {% note %} diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md index 0be7b7612f..e91d27f773 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md 
@@ -53,11 +53,11 @@ Repeat the last two steps for any new secrets leaked. This process encourages de ## 2. Enable push protection -Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection)." +Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)." Once enabled, you can do the following: -1. **Provide guidance**: Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection)." +1. **Provide guidance**: Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. 
For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)." 1. **Notify**: Define a webhook that specifically tracks {% data variables.secret-scanning.alerts %} created when someone bypasses push protection by using the alert property `"push_protection_bypassed": true`. Or, use the API to get updates on which {% data variables.secret-scanning.alerts %} were the result of a push protection bypass by filtering the list of results for `"push_protection_bypassed": true`. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." diff --git a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md index a31d159d2f..7fdf778fa8 100644 --- a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md +++ b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md 
@@ -36,7 +36,7 @@ Protect your organization's repositories and settings by implementing security b * Encouraging your users to create strong passwords and secure them appropriately, by following {% data variables.product.prodname_dotcom %}’s recommended password guidelines. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-strong-password)."{% ifversion secret-scanning-push-protection-for-users %} -* Encouraging your users to keep push protection for users enabled in their personal account settings, so that no matter which public repository they push to, they are protected. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %} +* Encouraging your users to keep push protection for users enabled in their personal account settings, so that no matter which public repository they push to, they are protected. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} * Establishing an internal security policy in {% data variables.product.prodname_dotcom %}, so users know the appropriate steps to take and who to contact if an incident is suspected. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)." 
@@ -82,7 +82,7 @@ There are two forms of {% data variables.product.prodname_secret_scanning %} ava {% ifversion ghes %}Your site administrator must enable {% data variables.product.prodname_secret_scanning %} for {% data variables.location.product_location %} before you can use this feature. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance)."{% endif %} -For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." {% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."{% endif %} diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index 2e375eac3d..4c40a23c94 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md 
@@ -77,13 +77,13 @@ Privately discuss and fix security vulnerabilities in your repository's code. Yo ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." {% ifversion secret-scanning-push-protection-for-users %} ### Push protection for users -Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)." +Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. 
Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." {% endif %} @@ -114,7 +114,7 @@ Automatically detect security vulnerabilities and coding errors in new or modifi ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-on-github-enterprise-server){% endif %}." +Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-on-github-enterprise-server){% endif %}." {% ifversion dependabot-auto-triage-rules %} diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md index 835df227d7..fe5552fc1f 100644 
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md @@ -27,7 +27,7 @@ For details about all the supported patterns, see the "[Supported secrets](#supp If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)." -If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." +If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning)." ## Supported secrets 
@@ -46,7 +46,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec * **Push protection**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled. {% note %} - **Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." + **Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." {% endnote %} * **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %} 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md index def754ce07..b166bb541b 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts.md @@ -47,7 +47,7 @@ Push protection scans pushes for supported secrets. If push protection detects a >[!NOTE] > {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to _any_ public repository. Alerts are _not_ created if you choose to bypass your user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %} > -> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." +> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." {% ifversion fpt or ghec %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index 0863d1e56a..8c044d59d8 100644 
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md @@ -70,7 +70,7 @@ You can apply various filters to the alerts list to help you find the alerts you |`is:open`|Displays open alerts.| |`is:closed`|Displays closed alerts.| | {% ifversion secret-scanning-bypass-filter %} | -|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."| +|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."| | {% endif %} | |`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."| |`validity:inactive`| Displays alerts for secrets that are no longer active.| 
@@ -79,7 +79,7 @@ You can apply various filters to the alerts list to help you find the alerts you |`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."| | {% ifversion secret-scanning-non-provider-patterns %} | |`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." | -|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| +|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." 
{% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}| | {% endif %} | ## Next steps diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md index a4c4a26269..e087bdaf2e 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai.md @@ -65,11 +65,11 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio ## Further reading {% ifversion fpt %} -* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) {% endif %} {% ifversion secret-scanning-custom-pattern-ai-generated %} * [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning) -* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) {% endif %} 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
index a32dbca409..5d67eb6d73 100644
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md
@@ -16,7 +16,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." ## About excluding directories from {% data variables.secret-scanning.user_alerts %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md index 9cf1aaffc0..4738306efd 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning.md @@ -83,5 +83,5 @@ Generic secret detection has been subject to Responsible AI Red Teaming and {% d ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) * [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md index 3364959cec..7fb6980111 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection.md @@ -43,4 +43,4 @@ For information on how to view alerts for generic secrets that have been detecte ## Further reading * [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning) -* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning) +* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) 
diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
index 0cca4955ce..bcf91feff3 100644
--- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
+++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md
@@ -22,7 +22,7 @@ When you try to push a secret to a public repository, {% data variables.product. Push protection for users is always on by default. You can disable the feature at any time through your personal account settings. This may cause secrets to be accidentally leaked. For more information, see "[Disabling push protection for users](#disabling-push-protection-for-users)." -Push protection for users is different from _push protection for repositories and organizations_, which is a {% data variables.product.prodname_secret_scanning %} feature that must be enabled by a repository administrator or organization owner. With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." +Push protection for users is different from _push protection for repositories and organizations_, which is a {% data variables.product.prodname_secret_scanning %} feature that must be enabled by a repository administrator or organization owner. With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." With push protection for users, {% data variables.product.prodname_dotcom %} won't create an alert when you bypass the protection and push a secret to a public repository, unless the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. 
However, if the bypassed secret is a {% data variables.product.prodname_dotcom %} token, the token will be revoked and you will be notified by email. diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index b840e3c336..a8a06c7cc7 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md 
@@ -113,7 +113,7 @@ You can choose to scan for non-provider patterns, such as private keys, to detec ### Generic secret detection -Generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Use AI detection to find additional secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)." +Generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Use AI detection to find additional secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)." {% data reusables.secret-scanning.generic-secret-detection-ai %} diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md index a8b8fd728c..fbc704b5c6 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md 
@@ -39,7 +39,7 @@ After you apply a {% data variables.product.prodname_security_configuration %} t {% endif %} You can view {% data variables.product.prodname_secret_scanning %} alerts for a repository by navigating to the main page of that repository, clicking the {% octicon "shield" aria-hidden="true" %} **Security** tab, then clicking {% octicon "key" aria-hidden="true" %} **{% data variables.product.prodname_secret_scanning_caps %}**. -For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." To learn how to interpret and resolve {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." diff --git a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md index c60ed6c0ae..96c434b3a6 100644 --- a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md +++ b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md 
@@ -47,9 +47,9 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c 1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)." 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features: - * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %} + * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %} * Validity check. To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %} - * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." + * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." {% ifversion fpt or ghec %} 1. 
In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)." {% endif %} diff --git a/content/code-security/security-overview/about-security-overview.md b/content/code-security/security-overview/about-security-overview.md index d4665a415b..b7cde053ba 100644 --- a/content/code-security/security-overview/about-security-overview.md +++ b/content/code-security/security-overview/about-security-overview.md 
@@ -89,7 +89,7 @@ Each repository is shown in security overview with an indicator for each type of | Indicator | Meaning | | -------- | -------- | | {% octicon "code-square" aria-label="Code scanning alerts" %} | {% data variables.product.prodname_code_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." | -| {% octicon "key" aria-label="Secret scanning alerts" %} | {% data variables.product.prodname_secret_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." | +| {% octicon "key" aria-label="Secret scanning alerts" %} | {% data variables.product.prodname_secret_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." | | {% octicon "hubot" aria-label="Dependabot alerts" %} | {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." | | {% octicon "check" aria-label="Enabled" %} | The security feature is enabled, but does not raise alerts in this repository. | | {% octicon "x" aria-label="Not supported" %} | The security feature is not supported in this repository. | diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md index bbcb51730d..2009666b84 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md 
@@ -74,7 +74,7 @@ Code often needs to communicate with other systems over a network, and requires {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} {% ifversion fpt or ghec %} -{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-partners)." {% endif %} {% ifversion fpt %} 
@@ -85,9 +85,9 @@ You can enable and configure additional scanning that will alert you about accid {% elsif secret-scanning-user-owned-repos %} If your organization uses {% data variables.product.prodname_GH_advanced_security %}, you can enable {% data variables.secret-scanning.user_alerts %} on any repository owned by the organization, including private repositories. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)." +You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." {% else %} -You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." +You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." 
{% endif %} ### Secure storage of secrets you use in {% data variables.product.product_name %} diff --git a/content/get-started/learning-about-github/about-github-advanced-security.md b/content/get-started/learning-about-github/about-github-advanced-security.md index 145914bf6c..6aeed745e5 100644 --- a/content/get-started/learning-about-github/about-github-advanced-security.md +++ b/content/get-started/learning-about-github/about-github-advanced-security.md 
@@ -38,7 +38,7 @@ A {% data variables.product.prodname_GH_advanced_security %} license provides th * **{% data variables.product.prodname_codeql_cli %}** - Run {% data variables.product.prodname_codeql %} processes locally on software projects or to generate {% data variables.product.prodname_code_scanning %} results for upload to {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli)." -* **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %}private repositories{% else %} the repository{% endif %}. If push protection is enabled, {% data variables.product.prodname_dotcom %} also detects secrets when they are pushed to your repository. {% ifversion secret-scanning-enable-by-default-for-public-repos %}{% data variables.secret-scanning.user_alerts_caps %} and push protection are available and free of charge for all {% ifversion ghec %}user-owned {% endif %}public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." +* **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %}private repositories{% else %} the repository{% endif %}. If push protection is enabled, {% data variables.product.prodname_dotcom %} also detects secrets when they are pushed to your repository. 
{% ifversion secret-scanning-enable-by-default-for-public-repos %}{% data variables.secret-scanning.user_alerts_caps %} and push protection are available and free of charge for all {% ifversion ghec %}user-owned {% endif %}public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." {% ifversion dependabot-auto-triage-rules %} diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md index ee3c1ca944..43f88b03c4 100644 --- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md +++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md @@ -184,6 +184,6 @@ You can manage access to {% data variables.product.prodname_GH_advanced_security ## Further reading * "[AUTOTITLE](/code-security/getting-started/securing-your-repository)"{% ifversion not fpt %} -* "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)"{% endif %} +* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"{% endif %} * "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)" * "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)" 
diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
index 1624176b33..51be21c9ad 100644
--- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
+++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
@@ -107,7 +107,7 @@ To search for specific events, use the `action` qualifier in your query. Actions | `repository_dependency_graph` | Contains repository-level activities related to enabling or disabling the dependency graph for a {% ifversion fpt or ghec %}private {% endif %}repository. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." | {% endif %} | | {% ifversion ghes or ghec %} | -| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." | {% endif %} | | {% ifversion secret-scanning-validity-check-audit-log %} | | `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." 
@@ -129,7 +129,7 @@ To search for specific events, use the `action` qualifier in your query. Actions | `role` | Contains all activities related to [custom repository roles](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization). | {% endif %} | | {% ifversion ghes or ghec %} | -| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." | `secret_scanning_new_repos` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} for new repositories created in the organization. | {% endif %} | | {% ifversion fpt or ghec %} | diff --git a/content/repositories/archiving-a-github-repository/archiving-repositories.md b/content/repositories/archiving-a-github-repository/archiving-repositories.md index e2abd4ef2c..1fe3d66f52 100644 --- a/content/repositories/archiving-a-github-repository/archiving-repositories.md +++ b/content/repositories/archiving-a-github-repository/archiving-repositories.md 
@@ -29,7 +29,7 @@ topics: {% ifversion ghec or ghes %} {% note %} -**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-for-private-repositories)." +**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-for-private-repositories)." {% endnote %} {% endif %} diff --git a/content/rest/authentication/keeping-your-api-credentials-secure.md b/content/rest/authentication/keeping-your-api-credentials-secure.md index a1753dab1b..b9a14e6f2a 100644 --- a/content/rest/authentication/keeping-your-api-credentials-secure.md +++ b/content/rest/authentication/keeping-your-api-credentials-secure.md 
@@ -47,7 +47,7 @@ Treat authentication credentials the same way you would treat your passwords or * Don't share authentication credentials using an unencrypted messaging or email system. * Don't pass your {% data variables.product.pat_generic %} as plain text in the command line. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#keeping-your-personal-access-tokens-secure)." * Don't push unencrypted authentication credentials like tokens or keys to any repository, even if the repository is private. Instead consider using a {% data variables.product.prodname_actions %} secret{% ifversion fpt or ghec %} or Codespaces secret{% endif %}. For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets)"{% ifversion fpt or ghec %} and "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)"{% endif %}. -* You can use secret scanning to discover tokens, private keys, and other secrets that were pushed to a repository, or to block future pushes that contain secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +* You can use secret scanning to discover tokens, private keys, and other secrets that were pushed to a repository, or to block future pushes that contain secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." ## Limit who can access your authentication credentials diff --git a/content/rest/secret-scanning/secret-scanning.md b/content/rest/secret-scanning/secret-scanning.md index 072eaa66d4..fd37126d14 100644 --- a/content/rest/secret-scanning/secret-scanning.md +++ b/content/rest/secret-scanning/secret-scanning.md 
@@ -23,6 +23,6 @@ You can use the API to: * Enable or disable {% data variables.product.prodname_secret_scanning %} and push protection for a repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. * Retrieve and update {% data variables.secret-scanning.alerts %} from a repository. For further details, see the sections below. -For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." diff --git a/data/reusables/advanced-security/more-info-ghas-secret-scanning.md b/data/reusables/advanced-security/more-info-ghas-secret-scanning.md index f7f7fdece9..250ebca01b 100644 --- a/data/reusables/advanced-security/more-info-ghas-secret-scanning.md +++ b/data/reusables/advanced-security/more-info-ghas-secret-scanning.md @@ -1 +1 @@ -For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-on-github-enterprise-server)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." +For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-on-github-enterprise-server)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)." 
diff --git a/data/reusables/apps/app-scans.md b/data/reusables/apps/app-scans.md
index b7b74e71f2..4cb1432073 100644
--- a/data/reusables/apps/app-scans.md
+++ b/data/reusables/apps/app-scans.md
@@ -1 +1 @@
-You should conduct regular vulnerability scans for your app. For example, you might set up code scanning and secret scanning for the repository that hosts your app's code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
+You should conduct regular vulnerability scans for your app. For example, you might set up code scanning and secret scanning for the repository that hosts your app's code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
diff --git a/data/reusables/audit_log/audit-log-action-categories.md b/data/reusables/audit_log/audit-log-action-categories.md
index 58c39d08cb..067145eef9 100644
--- a/data/reusables/audit_log/audit-log-action-categories.md
+++ b/data/reusables/audit_log/audit-log-action-categories.md
@@ -134,7 +134,7 @@ | `repository_invitation` | Contains activities related to invitations to join a repository. | `repository_projects_change` | Contains activities related to enabling projects for a repository or for all repositories in an organization. {%- ifversion ghec or ghes %} -| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." {%- endif %} {%- ifversion secret-scanning-validity-check-audit-log %} | `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." 
@@ -163,7 +163,7 @@ | `role` | Contains activities related to [custom repository roles](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization). {%- endif %} {%- ifversion ghec or ghes %} -| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." | `secret_scanning_new_repos` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} for new repositories created in the organization. {%- endif %} {%- ifversion ghec or ghes %} diff --git a/data/reusables/gated-features/push-protection-users-and-repos.md b/data/reusables/gated-features/push-protection-users-and-repos.md index 1ad4a05bdc..d3cb5795c7 100644 --- a/data/reusables/gated-features/push-protection-users-and-repos.md +++ b/data/reusables/gated-features/push-protection-users-and-repos.md 
@@ -10,4 +10,4 @@ Push protection for repositories and organizations is available for {% ifversion {%- elsif ghes %} Push protection is available for organization-owned repositories in {% data variables.product.product_name %} if your enterprise has a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %} -For more information, see {% ifversion secret-scanning-push-protection-for-users %}"[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)" and {% endif %}"[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)." +For more information, see {% ifversion secret-scanning-push-protection-for-users %}"[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)" and {% endif %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." diff --git a/data/reusables/secret-scanning/push-protection-for-users.md b/data/reusables/secret-scanning/push-protection-for-users.md index e9b8d79ef0..24e1b6ec94 100644 --- a/data/reusables/secret-scanning/push-protection-for-users.md +++ b/data/reusables/secret-scanning/push-protection-for-users.md 
@@ -1 +1 @@
-Additionally, push protection _for users_ automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."
+Additionally, push protection _for users_ automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
diff --git a/data/reusables/secret-scanning/push-protection-public-repos-bypass.md b/data/reusables/secret-scanning/push-protection-public-repos-bypass.md
index c44f50bed0..f30147f861 100644
--- a/data/reusables/secret-scanning/push-protection-public-repos-bypass.md
+++ b/data/reusables/secret-scanning/push-protection-public-repos-bypass.md
@@ -6,7 +6,7 @@ When pushing to a _public_ repository that doesn't have secret scanning enabled, you are still protected from accidentally pushing secrets thanks to _push protection for users_, which is on by default for your user account. - With push protection for users, GitHub will automatically block pushes to public repositories if these pushes contain supported secrets, but you won't need to specify a reason for allowing the secret, and {% data variables.product.prodname_dotcom %} won't generate an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)." + With push protection for users, GitHub will automatically block pushes to public repositories if these pushes contain supported secrets, but you won't need to specify a reason for allowing the secret, and {% data variables.product.prodname_dotcom %} won't generate an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." {% endnote %} From 4fca80687b9e5913c10c87e929a9c70c9c5e3466 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 14:04:36 +0100 Subject: [PATCH 272/275] more link updates --- .../secret-scanning/introduction/about-push-protection.md | 3 ++- .../push-protection-for-users.md | 2 +- .../managing-files/adding-a-file-to-a-repository.md | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-push-protection.md b/content/code-security/secret-scanning/introduction/about-push-protection.md index b47948085b..2f286004a3 100644 --- a/content/code-security/secret-scanning/introduction/about-push-protection.md +++ b/content/code-security/secret-scanning/introduction/about-push-protection.md 
@@ -95,6 +95,7 @@ Define contributors who can bypass push protection and add an approval process f ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %} +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)" +* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)"{% ifversion secret-scanning-push-protection-custom-patterns %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %} * "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %} diff --git a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md index bcf91feff3..4884500b35 100644 --- a/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md +++ b/content/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users.md 
@@ -18,7 +18,7 @@ redirect_from: Push protection for users automatically protects you from accidentally committing secrets to public repositories across {% data variables.product.product_name %}. -When you try to push a secret to a public repository, {% data variables.product.prodname_dotcom %} blocks the push. If you believe it's safe to allow the secret, you have the option to bypass the block. Otherwise, you must remove the secret from the commit before pushing again. For more information on how to resolve a blocked push, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)." +When you try to push a secret to a public repository, {% data variables.product.prodname_dotcom %} blocks the push. If you believe it's safe to allow the secret, you have the option to bypass the block. Otherwise, you must remove the secret from the commit before pushing again. For more information on how to resolve a blocked push, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)" or "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)", depending on whether you use the {% data variables.product.product_name %} UI or the command line. Push protection for users is always on by default. You can disable the feature at any time through your personal account settings. This may cause secrets to be accidentally leaked. For more information, see "[Disabling push protection for users](#disabling-push-protection-for-users)." diff --git a/content/repositories/working-with-files/managing-files/adding-a-file-to-a-repository.md b/content/repositories/working-with-files/managing-files/adding-a-file-to-a-repository.md index fa8eaa8d57..e390619202 100644 --- a/content/repositories/working-with-files/managing-files/adding-a-file-to-a-repository.md 
+++ b/content/repositories/working-with-files/managing-files/adding-a-file-to-a-repository.md @@ -35,7 +35,7 @@ You can upload multiple files to {% data variables.product.product_name %} at th {% ifversion push-protection-block-uploads %} -Your repository may be secured by push protection. With push protection, {% data variables.product.prodname_dotcom %} will block uploading a file to the repository if the file contains a supported secret, such as a token. You should remove the secret from the file before attempting to upload the file again. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection#using-push-protection-from-the-web-ui)" and "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-commit-in-the-web-ui)." +Your repository may be secured by push protection. With push protection, {% data variables.product.prodname_dotcom %} will block uploading a file to the repository if the file contains a supported secret, such as a token. You should remove the secret from the file before attempting to upload the file again. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)" and "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit)." {% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %} From ac943529d6ba156630dc028dd3ce2891b1829d75 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 14:54:31 +0100 Subject: [PATCH 273/275] and more link updates --- .../code-security/getting-started/github-security-features.md | 4 ++-- .../excluding-folders-and-files-from-secret-scanning.md | 2 +- .../interpreting-security-findings-on-a-repository.md | 2 +- .../end-to-end-supply-chain/securing-code.md | 4 ++-- .../archiving-a-github-repository/archiving-repositories.md | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index 4c40a23c94..d6c6bb7a59 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md 
@@ -77,7 +77,7 @@ Privately discuss and fix security vulnerabilities in your repository's code. Yo ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." +Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts)." {% ifversion secret-scanning-push-protection-for-users %} 
@@ -114,7 +114,7 @@ Automatically detect security vulnerabilities and coding errors in new or modifi ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-on-github-enterprise-server){% endif %}." +Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %} {% ifversion dependabot-auto-triage-rules %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index 5d67eb6d73..aece61ea35 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md 
@@ -16,7 +16,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." +{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %} ## About excluding directories from {% data variables.secret-scanning.user_alerts %} diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md index fbc704b5c6..caad619b93 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings-on-a-repository.md 
@@ -39,7 +39,7 @@ After you apply a {% data variables.product.prodname_security_configuration %} t {% endif %} You can view {% data variables.product.prodname_secret_scanning %} alerts for a repository by navigating to the main page of that repository, clicking the {% octicon "shield" aria-hidden="true" %} **Security** tab, then clicking {% octicon "key" aria-hidden="true" %} **{% data variables.product.prodname_secret_scanning_caps %}**. -For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." +For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)." To learn how to interpret and resolve {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md index 2009666b84..45f2af8dd5 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md 
@@ -74,7 +74,7 @@ Code often needs to communicate with other systems over a network, and requires {% data reusables.secret-scanning.enterprise-enable-secret-scanning %} {% ifversion fpt or ghec %} -{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts##about-partner-alerts)." {% endif %} {% ifversion fpt %} 
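Review bot: The new partner-alerts link in the `fpt or ghec` branch carries a doubled fragment marker, `about-alerts##about-partner-alerts`, so the anchor will most likely not resolve to the partner alerts section. This is the sentence that explains that a provider is notified when a secret is found in a public repository, so it should lead to that section. The target should read `"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-partner-alerts)."`. The other rewritten `about-alerts#…` links in this commit use a single `#`.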
@@ -85,7 +85,7 @@ You can enable and configure additional scanning that will alert you about accid {% elsif secret-scanning-user-owned-repos %} If your organization uses {% data variables.product.prodname_GH_advanced_security %}, you can enable {% data variables.secret-scanning.user_alerts %} on any repository owned by the organization, including private repositories. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %} -You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)." +You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts)." {% else %} You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." {% endif %} diff --git a/content/repositories/archiving-a-github-repository/archiving-repositories.md b/content/repositories/archiving-a-github-repository/archiving-repositories.md index 1fe3d66f52..cb3bbc108c 100644 --- a/content/repositories/archiving-a-github-repository/archiving-repositories.md +++ b/content/repositories/archiving-a-github-repository/archiving-repositories.md 
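Review bot: In the `secret-scanning-user-owned-repos` branch the sentence about defining custom patterns now ends with a link to `about-alerts#about-secret-scanning-alerts`, which, judging by its path, describes alerts rather than custom patterns. The `else` branch below pairs the same sentence with the introduction and supported-patterns pages, so the two branches now send readers to different kinds of content. Consider adding the custom patterns article that is linked elsewhere in this series, `"[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"`, next to the alerts link. The enclosing `ifversion` block opens before this hunk, so the full set of branches is not visible here.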
@@ -29,7 +29,7 @@ topics: {% ifversion ghec or ghes %} {% note %} -**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-for-private-repositories)." +**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." {% endnote %} {% endif %} From fee208b114e4394d3d0cb4724d18f04f90bc7a7e Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 8 Aug 2024 15:27:23 +0100 Subject: [PATCH 274/275] add reusable --- .../advanced-security/more-info-ghas-secret-scanning.md | 2 +- data/reusables/secret-scanning/alert-type-links.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 data/reusables/secret-scanning/alert-type-links.md diff --git a/data/reusables/advanced-security/more-info-ghas-secret-scanning.md b/data/reusables/advanced-security/more-info-ghas-secret-scanning.md index 250ebca01b..4b9b230a89 100644 --- a/data/reusables/advanced-security/more-info-ghas-secret-scanning.md +++ b/data/reusables/advanced-security/more-info-ghas-secret-scanning.md 
@@ -1 +1 @@
-For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-alerts-for-users)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning#about-secret-scanning-on-github-enterprise-server)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
+For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
diff --git a/data/reusables/secret-scanning/alert-type-links.md b/data/reusables/secret-scanning/alert-type-links.md
new file mode 100644
index 0000000000..d7c998acc2
--- /dev/null
+++ b/data/reusables/secret-scanning/alert-type-links.md
@@ -0,0 +1 @@
+For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts){% endif %}."
From 2875e271b11ffd12e91140bd2043a51ccaea52e8 Mon Sep 17 00:00:00 2001
From: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 8 Aug 2024 15:29:53 +0100
Subject: [PATCH 275/275] space or no space
---
.../excluding-folders-and-files-from-secret-scanning.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md index aece61ea35..82e7f4b586 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning.md @@ -16,7 +16,7 @@ topics: ## About {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %} +{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised.{% data reusables.secret-scanning.alert-type-links %} ## About excluding directories from {% data variables.secret-scanning.user_alerts %}