diff --git a/assets/images/help/repository/code-scanning-alert-list-tracked-issues.png b/assets/images/help/repository/code-scanning-alert-list-tracked-issues.png new file mode 100644 index 0000000000..1463d9d5a3 Binary files /dev/null and b/assets/images/help/repository/code-scanning-alert-list-tracked-issues.png differ diff --git a/assets/images/help/repository/code-scanning-alert-tracked-in-pill.png b/assets/images/help/repository/code-scanning-alert-tracked-in-pill.png new file mode 100644 index 0000000000..e6b719c856 Binary files /dev/null and b/assets/images/help/repository/code-scanning-alert-tracked-in-pill.png differ diff --git a/assets/images/help/repository/code-scanning-create-issue-for-alert.png b/assets/images/help/repository/code-scanning-create-issue-for-alert.png new file mode 100644 index 0000000000..bb2dba0504 Binary files /dev/null and b/assets/images/help/repository/code-scanning-create-issue-for-alert.png differ diff --git a/assets/images/help/repository/code-scanning-new-tracking-issue.png b/assets/images/help/repository/code-scanning-new-tracking-issue.png new file mode 100644 index 0000000000..a93531050e Binary files /dev/null and b/assets/images/help/repository/code-scanning-new-tracking-issue.png differ diff --git a/assets/images/help/repository/code-scanning-tracking-issue-hovercard.png b/assets/images/help/repository/code-scanning-tracking-issue-hovercard.png new file mode 100644 index 0000000000..761b458649 Binary files /dev/null and b/assets/images/help/repository/code-scanning-tracking-issue-hovercard.png differ diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/index.md b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/index.md index 00160beb85..4f9478f221 100644 --- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/index.md 
+++ b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/index.md @@ -19,6 +19,7 @@ children: - /triaging-code-scanning-alerts-in-pull-requests - /setting-up-code-scanning-for-a-repository - /managing-code-scanning-alerts-for-your-repository + - /tracking-code-scanning-alerts-in-issues-using-task-lists - /configuring-code-scanning - /about-code-scanning-with-codeql - /configuring-the-codeql-workflow-for-compiled-languages diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository.md b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository.md index 6f8fc2d590..d6d365b55d 100644 --- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository.md +++ b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository.md 
@@ -92,17 +92,17 @@ By default, the code scanning alerts page is filtered to show alerts for the def {% data reusables.repositories.sidebar-code-scanning-alerts %} {% ifversion fpt or ghes > 3.1 or ghae-next or ghec %} 1. Optionally, use the free text search box or the drop-down menus to filter alerts. For example, you can filter by the tool that was used to identify alerts. - ![Filter by tool](/assets/images/help/repository/code-scanning-filter-by-tool.png){% endif %} -1. Under "{% data variables.product.prodname_code_scanning_capc %}," click the alert you'd like to explore. + ![Filter by tool](/assets/images/help/repository/code-scanning-filter-by-tool.png){% endif %} +{% data reusables.code-scanning.explore-alert %} {% ifversion fpt or ghes > 3.1 or ghae-next or ghec %} - ![Summary of alerts](/assets/images/help/repository/code-scanning-click-alert.png) + ![Summary of alerts](/assets/images/help/repository/code-scanning-click-alert.png) {% else %} - ![List of alerts from {% data variables.product.prodname_code_scanning %}](/assets/images/enterprise/3.1/help/repository/code-scanning-click-alert.png) + ![List of alerts from {% data variables.product.prodname_code_scanning %}](/assets/images/enterprise/3.1/help/repository/code-scanning-click-alert.png) {% endif %} 1. Optionally, if the alert highlights a problem with data flow, click **Show paths** to display the path from the data source to the sink where it's used. - ![The "Show paths" link on an alert](/assets/images/help/repository/code-scanning-show-paths.png) + ![The "Show paths" link on an alert](/assets/images/help/repository/code-scanning-show-paths.png) 1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code. 
- ![Details for an alert](/assets/images/help/repository/code-scanning-alert-details.png) + ![Details for an alert](/assets/images/help/repository/code-scanning-alert-details.png) {% ifversion fpt or ghes > 3.1 or ghae-next or ghec %} {% note %} @@ -171,6 +171,15 @@ You can search the list of alerts. This is useful if there is a large number of {% endif %} +{% ifversion fpt or ghes > 3.3 or ghae-issue-5036 %} +## Tracking {% data variables.product.prodname_code_scanning %} alerts in issues + +{% data reusables.code-scanning.beta-alert-tracking-in-issues %} +{% data reusables.code-scanning.github-issues-integration %} +{% data reusables.code-scanning.alert-tracking-link %} + +{% endif %} + ## Fixing an alert Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning)" and "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)." diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists.md b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists.md new file mode 100644 index 0000000000..9a11aa8815 --- /dev/null 
+++ b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists.md 
@@ -0,0 +1,82 @@ +--- +title: Tracking code scanning alerts in issues using task lists +shortTitle: Track alerts in issues +intro: 'You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.' +product: '{% data reusables.gated-features.code-scanning %}' +permissions: 'If you have write permission to a repository you can track {% data variables.product.prodname_code_scanning %} alerts in issues using task lists.' +versions: + fpt: '*' + ghes: '> 3.3' + ghae: "issue-5036" +type: how_to +topics: + - Advanced Security + - Code scanning + - Alerts + - Repositories + - Issues +--- + +{% data reusables.code-scanning.beta-alert-tracking-in-issues %} + +## About tracking {% data variables.product.prodname_code_scanning %} alerts in issues + +{% data reusables.code-scanning.github-issues-integration %} + +You can also create a new issue to track an alert: +- From a {% data variables.product.prodname_code_scanning %} alert, which automatically adds the code scanning alert to a task list in the new issue. For more information, see "[Creating a tracking issue from a {% data variables.product.prodname_code_scanning %} alert](#creating-a-tracking-issue-from-a-code-scanning-alert)" below. + +- Via the API as you normally would, and then provide the code scanning link within the body of the issue. You must use the task list syntax to create the tracked relationship: + - `- [ ] ` + - For example, if you add `- [ ] https://github.com/octocat-org/octocat-repo/security/code-scanning/17` to an issue, the issue will track the code scanning alert that has an ID number of 17 in the "Security" tab of the `octocat-repo` repository in the `octocat-org` organization. 
+ +You can use more than one issue to track the same {% data variables.product.prodname_code_scanning %} alert, and issues can belong to different repositories from the repository where the {% data variables.product.prodname_code_scanning %} alert was found. + + +{% data variables.product.product_name %} provides visual cues in different locations of the user interface to indicate when you are tracking {% data variables.product.prodname_code_scanning %} alerts in issues. + +- The code scanning alerts list page will show which alerts are tracked in issues so that you can view at a glance which alerts still require processing. + + ![Tracked in pill on code scanning alert page](/assets/images/help/repository/code-scanning-alert-list-tracked-issues.png) + +- A "tracked in" section will also show in the corresponding alert page. + + ![Tracked in section on code scanning alert page](/assets/images/help/repository/code-scanning-alert-tracked-in-pill.png) + +- On the tracking issue, {% data variables.product.prodname_dotcom %} displays a security badge icon in the task list and on the hovercard. + + {% note %} + + Only users with write permissions to the repository will see the unfurled URL to the alert in the issue, as well as the hovercard. For users with read permissions to the repository, or no permissions at all, the alert will appear as a plain URL. + + {% endnote %} + + The color of the icon is grey because an alert has a status of "open" or "closed" on every branch. The issue tracks an alert, so the alert cannot have a single open/closed state in the issue. If the alert is closed on one branch, the icon color will not change. + + ![Hovercard in tracking issue](/assets/images/help/repository/code-scanning-tracking-issue-hovercard.png) + +The status of the tracked alert won't change if you change the checkbox state of the corresponding task list item (checked/unchecked) in the issue. 
+ +## Creating a tracking issue from a code scanning alert + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.sidebar-code-scanning-alerts %} +{% ifversion fpt or ghes or ghae-next %} +{% data reusables.code-scanning.explore-alert %} +1. Optionally, to find the alert to track, you can use the free-text search or the drop-down menus to filter and locate the alert. For more information, see "[Managing code scanning alerts for your repository](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#filtering-code-scanning-alerts)." +{% endif %} +1. Towards the top of the page, on the right side, click **Create issue**. + ![Create a tracking issue for the code scanning alert](/assets/images/help/repository/code-scanning-create-issue-for-alert.png) + {% data variables.product.prodname_dotcom %} automatically creates an issue to track the alert and adds the alert as a task list item. + {% data variables.product.prodname_dotcom %} prepopulates the issue: + - The title contains the name of the {% data variables.product.prodname_code_scanning %} alert. + - The body contains the task list item with the full URL to the {% data variables.product.prodname_code_scanning %} alert. +2. Optionally, edit the title and the body of the issue. + {% warning %} + + **Warning:** You may want to edit the title of the issue as it may expose security information. You can also edit the body of the issue, but do not edit the task list item or the issue will no longer track the alert. + {% endwarning %} + + ![New tracking issue for the code scanning alert](/assets/images/help/repository/code-scanning-new-tracking-issue.png) +3. Click **Submit new issue**. \ No newline at end of file diff --git a/content/code-security/guides.md b/content/code-security/guides.md index 5d7083be03..ad1f3074c0 100644 
--- a/content/code-security/guides.md +++ b/content/code-security/guides.md @@ -26,6 +26,7 @@ includeGuides: - /code-security/secret-security/about-secret-scanning - /code-security/secret-security/configuring-secret-scanning-for-your-repositories - /code-security/secret-security/managing-alerts-from-secret-scanning + - /code-security/code-scanning//automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages diff --git a/content/issues/tracking-your-work-with-issues/about-task-lists.md b/content/issues/tracking-your-work-with-issues/about-task-lists.md index 4ec7027560..3ecbe4389e 100644 --- a/content/issues/tracking-your-work-with-issues/about-task-lists.md +++ b/content/issues/tracking-your-work-with-issues/about-task-lists.md @@ -65,4 +65,5 @@ Any issues that are referenced in a task list specify that they are tracked by t ## Further reading -* "[Basic writing and formatting syntax](/articles/basic-writing-and-formatting-syntax)" +* "[Basic writing and formatting syntax](/articles/basic-writing-and-formatting-syntax)"{% ifversion fpt or ghes > 3.3 or ghae-issue-5036 %} +* "[Tracking {% data variables.product.prodname_code_scanning %} alerts in issues using task lists](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists)"{% endif %} \ No newline at end of file 
diff --git a/content/issues/tracking-your-work-with-issues/creating-an-issue.md b/content/issues/tracking-your-work-with-issues/creating-an-issue.md index f6813a8e8a..cb346ba181 100644 --- a/content/issues/tracking-your-work-with-issues/creating-an-issue.md +++ b/content/issues/tracking-your-work-with-issues/creating-an-issue.md @@ -153,6 +153,15 @@ Query parameter | Example `projects` | `https://github.com/octo-org/octo-repo/issues/new?title=Bug+fix&projects=octo-org/1` creates an issue with the title "Bug fix" and adds it to the organization's project board 1. `template` | `https://github.com/octo-org/octo-repo/issues/new?template=issue_template.md` creates an issue with a template in the issue body. The `template` query parameter works with templates stored in an `ISSUE_TEMPLATE` subdirectory within the root, `docs/` or `.github/` directory in a repository. For more information, see "[Using templates to encourage useful issues and pull requests](/communities/using-templates-to-encourage-useful-issues-and-pull-requests)." +{% ifversion fpt or ghes > 3.3 or ghae-issue-5036 %} +## Creating an issue from a {% data variables.product.prodname_code_scanning %} alert + +{% data reusables.code-scanning.beta-alert-tracking-in-issues %} +If you're using issues to track and prioritize your work, you can use issues to track {% data variables.product.prodname_code_scanning %} alerts. +{% data reusables.code-scanning.alert-tracking-link %} + +{% endif %} + ## Further reading - "[Writing on GitHub](/github/writing-on-github)" diff --git a/data/reusables/code-scanning/alert-tracking-link.md b/data/reusables/code-scanning/alert-tracking-link.md new file mode 100644 index 0000000000..9453962cff --- /dev/null +++ b/data/reusables/code-scanning/alert-tracking-link.md 
@@ -0,0 +1,2 @@ + +For more information about creating issues to track {% data variables.product.prodname_code_scanning %} alerts, see "[Tracking {% data variables.product.prodname_code_scanning %} alerts in issues using task lists](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists)." \ No newline at end of file diff --git a/data/reusables/code-scanning/beta-alert-tracking-in-issues.md b/data/reusables/code-scanning/beta-alert-tracking-in-issues.md new file mode 100644 index 0000000000..7db5b9879a --- /dev/null +++ b/data/reusables/code-scanning/beta-alert-tracking-in-issues.md @@ -0,0 +1,10 @@ +{% ifversion fpt or ghes > 3.3 or ghae-issue-5036 %} + +{% note %} + +**Note:** The tracking of {% data variables.product.prodname_code_scanning %} alerts in issues is in beta and subject to change. + +This feature supports running analysis natively using {% data variables.product.prodname_actions %} or externally using existing CI/CD infrastructure, as well as third-party {% data variables.product.prodname_code_scanning %} tools, but _not_ third-party tracking tools. + +{% endnote %} +{% endif %} \ No newline at end of file diff --git a/data/reusables/code-scanning/explore-alert.md b/data/reusables/code-scanning/explore-alert.md new file mode 100644 index 0000000000..1c7b743669 --- /dev/null +++ b/data/reusables/code-scanning/explore-alert.md @@ -0,0 +1 @@ +1. Under "{% data variables.product.prodname_code_scanning_capc %}," click the alert you'd like to explore. diff --git a/data/reusables/code-scanning/github-issues-integration.md b/data/reusables/code-scanning/github-issues-integration.md new file mode 100644 index 0000000000..07d9c6f990 --- /dev/null +++ b/data/reusables/code-scanning/github-issues-integration.md 
@@ -0,0 +1,3 @@ +{% data variables.product.prodname_code_scanning_capc %} alerts integrate with task lists in {% data variables.product.prodname_github_issues %} to make it easy for you to prioritize and track alerts with all your development work. For more information about issues, see "[About issues](/issues/tracking-your-work-with-issues/about-issues)." + +To track a code scanning alert in an issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see "[About tasks lists](/issues/tracking-your-work-with-issues/about-task-lists)."
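Review bot: In the managing-code-scanning-alerts-for-your-repository.md hunk, the five `![...]` image lines are removed and re-added with identical text, so the only difference is leading whitespace; that churn hides the one substantive change in the hunk (the numbered step being replaced by `{% data reusables.code-scanning.explore-alert %}`). Suggest splitting the indentation fix into its own commit, or dropping it if the rendered list does not need it, so the review diff shows only the reusable swap and the new "Tracking alerts in issues" section.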
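Review bot: In the new tracking-code-scanning-alerts-in-issues-using-task-lists.md, the warning in step 2 ("You may want to edit the title of the issue as it may expose security information") should state what is exposed and to whom. The same page says the prepopulated title contains the name of the code scanning alert, that the tracking issue may live in a different repository, and that users with only read access (or none) see the task-list item as a plain URL, so everyone who can read the tracking issue learns the alert's rule name and, from the URL, that an alert with that ID exists on the source repository. Suggest making the warning concrete: the title and URL are visible to anyone who can read the tracking issue's repository, so choose a neutral title when that repository is more widely readable than the repository holding the alert. Two smaller points in the same hunk: the task list syntax bullet renders as an empty `- [ ] ` with no URL placeholder, so the reader sees only the checkbox characters; and the explanation of the grey icon ("because an alert has a status of 'open' or 'closed' on every branch") reads as contradictory, when the intent is that the alert has a separate state per branch and therefore no single state to show in the issue. The file is also committed without a trailing newline.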
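Review bot: The added `includeGuides` entry in guides.md has a doubled slash, `/code-security/code-scanning//automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists`, while the other references to the same article in this patch (the `children` entry in index.md and the `alert-tracking-link` reusable) use a single slash, so this entry is likely not to match the guide. Suggest `- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists`.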
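Review bot: In the about-task-lists.md hunk, the file loses its trailing newline ("No newline at end of file") when the second "Further reading" item is added; suggest restoring it. Appending the `{% ifversion ... %}` opener to the end of the preceding bullet rather than on its own line is fine, since it keeps the conditional item from introducing a blank line into the list.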
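Review bot: In the creating-an-issue.md hunk, `{% data reusables.code-scanning.beta-alert-tracking-in-issues %}` is followed directly by the sentence "If you're using issues to track and prioritize your work..." with no blank line between them, whereas the matching section added to managing-code-scanning-alerts-for-your-repository.md separates the note from the following reusables. Suggest adding the blank line so the note block and the paragraph render as separate elements in both places.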
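Review bot: The new alert-tracking-link.md reusable starts with an empty first line and ends without a trailing newline ("No newline at end of file"); suggest dropping the leading blank line and adding the terminating newline so the include does not depend on the caller's surrounding whitespace.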
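Review bot: In the new beta-alert-tracking-in-issues.md reusable, the body is wrapped in `{% ifversion fpt or ghes > 3.3 or ghae-issue-5036 %}`, and every caller in this patch either wraps the include in the same condition or lives in an article whose frontmatter already restricts `versions` identically, so one of the two layers is redundant; suggest keeping the condition in one place so a later version bump is a single change. The second sentence of the note also reads awkwardly: it lists supported analysis setups (Actions, external CI/CD, third-party code scanning tools) and then adds "but _not_ third-party tracking tools" as if it were part of the same list. Suggest two sentences, one for the supported analysis setups and one stating that only GitHub Issues, not third-party issue trackers, can track alerts. The file is also committed without a trailing newline.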
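Review bot: In the new github-issues-integration.md reusable, the link text "About tasks lists" should be "About task lists", matching the target article's title used elsewhere in this patch.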