diff --git a/content/actions/tutorials/authenticate-with-github_token.md b/content/actions/tutorials/authenticate-with-github_token.md index c16ff42b73d3..9eff4a9d3bfb 100644 --- a/content/actions/tutorials/authenticate-with-github_token.md +++ b/content/actions/tutorials/authenticate-with-github_token.md @@ -28,14 +28,14 @@ contentType: tutorials This tutorial leads you through how to use the `GITHUB_TOKEN` for authentication in {% data variables.product.prodname_actions %} workflows, including examples for passing the token to actions, making API requests, and configuring permissions for secure automation. -For reference information, see [AUTOTITLE](/actions/reference/workflow-syntax-for-github-actions#permissions). +For reference information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#permissions). ## Using the `GITHUB_TOKEN` in a workflow You can use the `GITHUB_TOKEN` by using the standard syntax for referencing secrets: {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %}. Examples of using the `GITHUB_TOKEN` include passing the token as an input to an action, or using it to make an authenticated {% data variables.product.github %} API request. > [!IMPORTANT] -> An action can access the `GITHUB_TOKEN` through the `github.token` context even if the workflow does not explicitly pass the `GITHUB_TOKEN` to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the `GITHUB_TOKEN`. For more information, see [AUTOTITLE](/actions/reference/workflow-syntax-for-github-actions#permissions). +> An action can access the `GITHUB_TOKEN` through the `github.token` context even if the workflow does not explicitly pass the `GITHUB_TOKEN` to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the `GITHUB_TOKEN`. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#permissions). ### Example 1: passing the `GITHUB_TOKEN` as an input @@ -73,15 +73,15 @@ jobs: Use the `permissions` key in your workflow file to modify permissions for the `GITHUB_TOKEN` for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job. As a good security practice, you should grant the `GITHUB_TOKEN` the least required access. - To see the list of permissions available for use and their parameterized names, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#account-permissions). + To see the list of permissions available for use and their parameterized names, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#account-permissions). The two workflow examples earlier in this article show the `permissions` key being used at the job level. ## Granting additional permissions -If you need a token that requires permissions that aren't available in the `GITHUB_TOKEN`, create a {% data variables.product.prodname_github_app %} and generate an installation access token within your workflow. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). Alternatively, you can create a {% data variables.product.pat_generic %}, store it as a secret in your repository, and use the token in your workflow with the {% raw %}`${{ secrets.SECRET_NAME }}`{% endraw %} syntax. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +If you need a token that requires permissions that aren't available in the `GITHUB_TOKEN`, create a {% data variables.product.prodname_github_app %} and generate an installation access token within your workflow. For more information, see [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). Alternatively, you can create a {% data variables.product.pat_generic %}, store it as a secret in your repository, and use the token in your workflow with the {% raw %}`${{ secrets.SECRET_NAME }}`{% endraw %} syntax. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) and [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ## Next steps * [AUTOTITLE](/actions/concepts/security/github_token) -* [AUTOTITLE](/actions/reference/workflow-syntax-for-github-actions#permissions) +* [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#permissions) diff --git a/content/actions/tutorials/build-and-test-code/go.md b/content/actions/tutorials/build-and-test-code/go.md index 95c436f0cdfe..464c341a7364 100644 --- a/content/actions/tutorials/build-and-test-code/go.md +++ b/content/actions/tutorials/build-and-test-code/go.md @@ -23,11 +23,11 @@ contentType: tutorials This guide shows you how to build, test, and publish a Go package. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, which includes the dependencies for Go. For a full list of up-to-date software and the preinstalled versions of Go, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#preinstalled-software). +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, which includes the dependencies for Go. For a full list of up-to-date software and the preinstalled versions of Go, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#preinstalled-software). ## Prerequisites -You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). +You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax). We recommend that you have a basic understanding of the Go language. For more information, see [Getting started with Go](https://golang.org/doc/tutorial/getting-started). @@ -166,7 +166,7 @@ You can use the `cache-dependency-path` parameter for cases when multiple depend cache-dependency-path: subdir/go.sum ``` -If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). ## Building and testing your code @@ -198,7 +198,7 @@ jobs: After a workflow completes, you can upload the resulting artifacts for analysis. For example, you may need to save log files, core dumps, test results, or screenshots. The following example demonstrates how you can use the `upload-artifact` action to upload test results. -For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). ```yaml copy name: Upload Go test results diff --git a/content/actions/tutorials/build-and-test-code/java-with-ant.md b/content/actions/tutorials/build-and-test-code/java-with-ant.md index c7ac93d4c4bf..b06cb64bd945 100644 --- a/content/actions/tutorials/build-and-test-code/java-with-ant.md +++ b/content/actions/tutorials/build-and-test-code/java-with-ant.md @@ -24,13 +24,13 @@ contentType: tutorials This guide shows you how to create a workflow that performs continuous integration (CI) for your Java project using the Ant build system. The workflow you create will allow you to see when commits to a pull request cause build or test failures against your default branch; this approach can help ensure that your code is always healthy. You can extend your CI workflow to upload artifacts from a workflow run. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Ant. For a list of software and the pre-installed versions for JDK and Ant, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Ant. For a list of software and the pre-installed versions for JDK and Ant, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#supported-software). ## Prerequisites You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see: -* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) -* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax) +* [AUTOTITLE](/actions/how-tos/write-workflows) We recommend that you have a basic understanding of Java and the Ant framework. For more information, see the [Apache Ant Manual](https://ant.apache.org/manual/). @@ -108,7 +108,7 @@ steps: ## Packaging workflow data as artifacts -After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). Ant will usually create output files like JARs, EARs, or WARs in the `build/jar` directory. You can upload the contents of that directory using the `upload-artifact` action. diff --git a/content/actions/tutorials/build-and-test-code/java-with-gradle.md b/content/actions/tutorials/build-and-test-code/java-with-gradle.md index 1001b70a0216..53f2e362734b 100644 --- a/content/actions/tutorials/build-and-test-code/java-with-gradle.md +++ b/content/actions/tutorials/build-and-test-code/java-with-gradle.md @@ -25,13 +25,13 @@ contentType: tutorials This guide shows you how to create a workflow that performs continuous integration (CI) for your Java project using the Gradle build system. The workflow you create will allow you to see when commits to a pull request cause build or test failures against your default branch; this approach can help ensure that your code is always healthy. You can extend your CI workflow to cache files and upload artifacts from a workflow run. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Gradle. For a list of software and the pre-installed versions for JDK and Gradle, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Gradle. For a list of software and the pre-installed versions for JDK and Gradle, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#supported-software). ## Prerequisites You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see: -* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) -* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax) +* [AUTOTITLE](/actions/how-tos/write-workflows) We recommend that you have a basic understanding of Java and the Gradle framework. For more information, see the [Gradle User Manual](https://docs.gradle.org/current/userguide/userguide.html). @@ -132,7 +132,7 @@ Caching is enabled by default when using the `gradle/actions/setup-gradle` actio ## Packaging workflow data as artifacts -After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). Gradle will usually create output files like JARs, EARs, or WARs in the `build/libs` directory. You can upload the contents of that directory using the `upload-artifact` action. diff --git a/content/actions/tutorials/build-and-test-code/java-with-maven.md b/content/actions/tutorials/build-and-test-code/java-with-maven.md index dd966d6628a8..8034a2a343e4 100644 --- a/content/actions/tutorials/build-and-test-code/java-with-maven.md +++ b/content/actions/tutorials/build-and-test-code/java-with-maven.md @@ -25,13 +25,13 @@ contentType: tutorials This guide shows you how to create a workflow that performs continuous integration (CI) for your Java project using the Maven software project management tool. The workflow you create will allow you to see when commits to a pull request cause build or test failures against your default branch; this approach can help ensure that your code is always healthy. You can extend your CI workflow to cache files and upload artifacts from a workflow run. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Maven. For a list of software and the pre-installed versions for JDK and Maven, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Java Development Kits (JDKs) and Maven. For a list of software and the pre-installed versions for JDK and Maven, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#supported-software). ## Prerequisites You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see: -* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) -* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax) +* [AUTOTITLE](/actions/how-tos/write-workflows) We recommend that you have a basic understanding of Java and the Maven framework. For more information, see the [Maven Getting Started Guide](https://maven.apache.org/guides/getting-started/index.html) in the Maven documentation. @@ -134,7 +134,7 @@ This workflow will save the contents of your local Maven repository, located in ## Packaging workflow data as artifacts -After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +After your build has succeeded and your tests have passed, you may want to upload the resulting Java packages as a build artifact. This will store the built packages as part of the workflow run, and allow you to download them. Artifacts can help you test and debug pull requests in your local environment before they're merged. For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). Maven will usually create output files like JARs, EARs, or WARs in the `target` directory. To upload those as artifacts, you can copy them into a new directory that contains artifacts to upload. For example, you can create a directory called `staging`. Then you can upload the contents of that directory using the `upload-artifact` action. diff --git a/content/actions/tutorials/build-and-test-code/net.md b/content/actions/tutorials/build-and-test-code/net.md index aa482046f745..b72129ae19d1 100644 --- a/content/actions/tutorials/build-and-test-code/net.md +++ b/content/actions/tutorials/build-and-test-code/net.md @@ -24,11 +24,11 @@ contentType: tutorials This guide shows you how to build, test, and publish a .NET package. - {% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, which includes the .NET Core SDK. For a full list of up-to-date software and the preinstalled versions of .NET Core SDK, see [software installed on {% data variables.product.prodname_dotcom %}-hosted runners](/actions/using-github-hosted-runners/about-github-hosted-runners). + {% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, which includes the .NET Core SDK. For a full list of up-to-date software and the preinstalled versions of .NET Core SDK, see [software installed on {% data variables.product.prodname_dotcom %}-hosted runners](/actions/concepts/runners/github-hosted-runners). ## Prerequisites -You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). +You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax). We recommend that you have a basic understanding of the .NET Core SDK. For more information, see [Getting started with .NET](https://dotnet.microsoft.com/learn). @@ -147,7 +147,7 @@ steps: You can cache NuGet dependencies for future workflows using the optional `cache` input. For example, the YAML below caches the NuGet `global-packages` folder, and then installs the `Newtonsoft` package. A second optional input, `cache-dependency-path`, can be used to specify the path to a dependency file: `packages.lock.json`. -For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). ```yaml steps: @@ -187,7 +187,7 @@ steps: After a workflow completes, you can upload the resulting artifacts for analysis. For example, you may need to save log files, core dumps, test results, or screenshots. The following example demonstrates how you can use the `upload-artifact` action to upload test results. -For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). ```yaml name: dotnet package diff --git a/content/actions/tutorials/build-and-test-code/nodejs.md b/content/actions/tutorials/build-and-test-code/nodejs.md index 094cd6f59447..2fecac3401e0 100644 --- a/content/actions/tutorials/build-and-test-code/nodejs.md +++ b/content/actions/tutorials/build-and-test-code/nodejs.md @@ -30,7 +30,7 @@ This guide shows you how to create a continuous integration (CI) workflow that b We recommend that you have a basic understanding of Node.js, YAML, workflow configuration options, and how to create a workflow file. For more information, see: -* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/how-tos/write-workflows) * [Getting started with Node.js](https://nodejs.org/en/docs/guides/getting-started-guide/) {% data reusables.actions.enterprise-setup-prereq %} @@ -99,7 +99,7 @@ The `setup-node` action takes a Node.js version as an input and configures that The workflow template includes a matrix strategy that builds and tests your code with the Node.js versions listed in `node-version`. The 'x' in the version number is a wildcard character that matches the latest minor and patch release available for a version. Each version of Node.js specified in the `node-version` array creates a job that runs the same steps. -Each job can access the value defined in the matrix `node-version` array using the `matrix` context. The `setup-node` action uses the context as the `node-version` input. The `setup-node` action configures each job with a different Node.js version before building and testing code. For more information about matrix strategies and contexts, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix) and [AUTOTITLE](/actions/learn-github-actions/contexts). +Each job can access the value defined in the matrix `node-version` array using the `matrix` context. The `setup-node` action uses the context as the `node-version` input. The `setup-node` action configures each job with a different Node.js version before building and testing code. For more information about matrix strategies and contexts, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstrategymatrix) and [AUTOTITLE](/actions/reference/workflows-and-actions/contexts). ```yaml copy strategy: @@ -146,13 +146,13 @@ jobs: ``` If you don't specify a Node.js version, {% data variables.product.prodname_dotcom %} uses the environment's default Node.js version. -For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). +For more information, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#supported-software). ## Installing dependencies {% data variables.product.prodname_dotcom %}-hosted runners have npm and Yarn dependency managers installed. You can use npm and Yarn to install dependencies in your workflow before building and testing your code. The Windows and Linux {% data variables.product.prodname_dotcom %}-hosted runners also have Grunt, Gulp, and Bower installed. -You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). ### Example using npm @@ -214,7 +214,7 @@ steps: {% data reusables.actions.setup-node-intro %} -To authenticate to your private registry, you'll need to store your npm authentication token as a secret. For example, create a repository secret called `NPM_TOKEN`. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +To authenticate to your private registry, you'll need to store your npm authentication token as a secret. For example, create a repository secret called `NPM_TOKEN`. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). In the example below, the secret `NPM_TOKEN` stores the npm authentication token. The `setup-node` action configures the `.npmrc` file to read the npm authentication token from the `NODE_AUTH_TOKEN` environment variable. When using the `setup-node` action to create an `.npmrc` file, you must set the `NODE_AUTH_TOKEN` environment variable with the secret that contains your npm authentication token. @@ -294,7 +294,7 @@ steps: - run: pnpm test ``` -If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +If you have a custom requirement or need finer controls for caching, you can use the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). ## Building and testing your code @@ -314,8 +314,8 @@ steps: ## Packaging workflow data as artifacts -You can save artifacts from your build and test steps to view after a job completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +You can save artifacts from your build and test steps to view after a job completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). ## Publishing to package registries -You can configure your workflow to publish your Node.js package to a package registry after your CI tests pass. For more information about publishing to npm and {% data variables.product.prodname_registry %}, see [AUTOTITLE](/actions/publishing-packages/publishing-nodejs-packages). +You can configure your workflow to publish your Node.js package to a package registry after your CI tests pass. For more information about publishing to npm and {% data variables.product.prodname_registry %}, see [AUTOTITLE](/actions/tutorials/publish-packages/publish-nodejs-packages). diff --git a/content/actions/tutorials/build-and-test-code/powershell.md b/content/actions/tutorials/build-and-test-code/powershell.md index 50888d60e318..8a49204c32f1 100644 --- a/content/actions/tutorials/build-and-test-code/powershell.md +++ b/content/actions/tutorials/build-and-test-code/powershell.md @@ -28,11 +28,11 @@ This guide shows you how to use PowerShell for CI. It describes how to use Peste {% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes PowerShell and Pester. -For a full list of up-to-date software and the pre-installed versions of PowerShell and Pester, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). +For a full list of up-to-date software and the pre-installed versions of PowerShell and Pester, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#supported-software). ## Prerequisites -You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/learn-github-actions). +You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows). We recommend that you have a basic understanding of PowerShell and Pester. For more information, see: * [Getting started with PowerShell](https://docs.microsoft.com/powershell/scripting/learn/ps101/01-getting-started) @@ -106,7 +106,7 @@ The table below describes the locations for various PowerShell modules in each { > [!NOTE] > The pre-installed packages (such as Pester) used by {% data variables.product.prodname_dotcom %}-hosted runners are regularly updated, and can introduce significant changes. As a result, it is recommended that you always specify the required package versions by using `Install-Module` with `-MaximumVersion`. -You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). For example, the following job installs the `SqlServer` and `PSScriptAnalyzer` modules: @@ -129,7 +129,7 @@ jobs: ### Caching dependencies -You can cache PowerShell dependencies using a unique key, which allows you to restore the dependencies for future workflows with the [`cache`](https://github.com/marketplace/actions/cache) action. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +You can cache PowerShell dependencies using a unique key, which allows you to restore the dependencies for future workflows with the [`cache`](https://github.com/marketplace/actions/cache) action. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). PowerShell caches its dependencies in different locations, depending on the runner's operating system. For example, the `path` location used in the following Ubuntu example will be different for a Windows operating system. @@ -184,7 +184,7 @@ The following example installs `PSScriptAnalyzer` and uses it to lint all `ps1` ## Packaging workflow data as artifacts -You can upload artifacts to view after a workflow completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +You can upload artifacts to view after a workflow completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). The following example demonstrates how you can use the `upload-artifact` action to archive the test results received from `Invoke-Pester`. For more information, see the [`upload-artifact` action](https://github.com/actions/upload-artifact). @@ -210,11 +210,11 @@ jobs: if: {% raw %}${{ always() }}{% endraw %} ``` -The `always()` function configures the job to continue processing even if there are test failures. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#always). +The `always()` function configures the job to continue processing even if there are test failures. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/contexts#always). ## Publishing to PowerShell Gallery -You can configure your workflow to publish your PowerShell module to the PowerShell Gallery when your CI tests pass. You can use secrets to store any tokens or credentials needed to publish your package. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +You can configure your workflow to publish your PowerShell module to the PowerShell Gallery when your CI tests pass. You can use secrets to store any tokens or credentials needed to publish your package. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). The following example creates a package and uses `Publish-Module` to publish it to the PowerShell Gallery: diff --git a/content/actions/tutorials/build-and-test-code/python.md b/content/actions/tutorials/build-and-test-code/python.md index 312a48eda7ff..05e44c50314d 100644 --- a/content/actions/tutorials/build-and-test-code/python.md +++ b/content/actions/tutorials/build-and-test-code/python.md @@ -26,11 +26,11 @@ contentType: tutorials This guide shows you how to build, test, and publish a Python package. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Python and PyPy. You don't have to install anything! For a full list of up-to-date software and the pre-installed versions of Python and PyPy, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with pre-installed software, which includes Python and PyPy. You don't have to install anything! For a full list of up-to-date software and the pre-installed versions of Python and PyPy, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#supported-software). ## Prerequisites -You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/learn-github-actions). +You should be familiar with YAML and the syntax for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows). We recommend that you have a basic understanding of Python, and pip. For more information, see: @@ -126,7 +126,7 @@ If you are using a self-hosted runner, you can configure the runner to use the ` ### Using multiple Python versions -The following example uses a matrix for the job to set up multiple Python versions. For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). +The following example uses a matrix for the job to set up multiple Python versions. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/run-job-variations). ```yaml copy name: Python package @@ -185,7 +185,7 @@ jobs: If you specify a version of Python that is not available, `setup-python` fails with an error such as: `##[error]Version 3.7 with arch x64 not found`. The error message includes the available versions. -You can also use the `exclude` keyword in your workflow if there is a configuration of Python that you do not wish to run. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategy). +You can also use the `exclude` keyword in your workflow if there is a configuration of Python that you do not wish to run. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstrategy). ```yaml copy name: Python package @@ -221,7 +221,7 @@ We recommend using `setup-python` to configure the version of Python used in you {% data variables.product.prodname_dotcom %}-hosted runners have the pip package manager installed. You can use pip to install dependencies from the PyPI package registry before building and testing your code. For example, the YAML below installs or upgrades the `pip` package installer and the `setuptools` and `wheel` packages. -You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +You can also cache dependencies to speed up your workflow. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). ```yaml copy steps: @@ -358,7 +358,7 @@ jobs: ## Packaging workflow data as artifacts -You can upload artifacts to view after a workflow completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +You can upload artifacts to view after a workflow completes. For example, you may need to save log files, core dumps, test results, or screenshots. For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). The following example demonstrates how you can use the `upload-artifact` action to archive test results from running `pytest`. For more information, see the [`upload-artifact` action](https://github.com/actions/upload-artifact). @@ -470,6 +470,6 @@ jobs: {% ifversion not ghes %} For more information about this workflow, including the PyPI settings -needed, see [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi). +needed, see [AUTOTITLE](/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi). {% endif %} diff --git a/content/actions/tutorials/build-and-test-code/ruby.md b/content/actions/tutorials/build-and-test-code/ruby.md index edb571bd091b..1ea08efc3578 100644 --- a/content/actions/tutorials/build-and-test-code/ruby.md +++ b/content/actions/tutorials/build-and-test-code/ruby.md @@ -28,7 +28,7 @@ This guide shows you how to create a continuous integration (CI) workflow that b We recommend that you have a basic understanding of Ruby, YAML, workflow configuration options, and how to create a workflow file. For more information, see: -* [Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions) +* [Learn {% data variables.product.prodname_actions %}](/actions/how-tos/write-workflows) * [Ruby in 20 minutes](https://www.ruby-lang.org/en/documentation/quickstart/) ## Using a Ruby workflow template @@ -129,7 +129,7 @@ strategy: {% endraw %} -Each version of Ruby specified in the `ruby-version` array creates a job that runs the same steps. The {% raw %}`${{ matrix.ruby-version }}`{% endraw %} context is used to access the current job's version. For more information about matrix strategies and contexts, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) and [AUTOTITLE](/actions/learn-github-actions/contexts). +Each version of Ruby specified in the `ruby-version` array creates a job that runs the same steps. The {% raw %}`${{ matrix.ruby-version }}`{% endraw %} context is used to access the current job's version. For more information about matrix strategies and contexts, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax) and [AUTOTITLE](/actions/reference/workflows-and-actions/contexts). The full updated workflow with a matrix strategy could look like this: @@ -199,7 +199,7 @@ This will configure bundler to install your gems to `vendor/cache`. For each suc **Caching without setup-ruby** -For greater control over caching, you can use the `actions/cache` action directly. For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +For greater control over caching, you can use the `actions/cache` action directly. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). ```yaml steps: diff --git a/content/actions/tutorials/build-and-test-code/rust.md b/content/actions/tutorials/build-and-test-code/rust.md index ce6b400fbb2a..88c0624451ca 100644 --- a/content/actions/tutorials/build-and-test-code/rust.md +++ b/content/actions/tutorials/build-and-test-code/rust.md @@ -22,11 +22,11 @@ contentType: tutorials This guide shows you how to build, test, and publish a Rust package. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, which includes the dependencies for Rust. For a full list of up-to-date software and the preinstalled versions of Rust, see [AUTOTITLE](/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#preinstalled-software). +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, which includes the dependencies for Rust. For a full list of up-to-date software and the preinstalled versions of Rust, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#preinstalled-software). ## Prerequisites -You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). +You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax). We recommend that you have a basic understanding of the Rust language. For more information, see [Getting started with Rust](https://www.rust-lang.org/learn). @@ -110,7 +110,7 @@ You can cache and restore dependencies using the Cache action. This example assu key: {% raw %}${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}{% endraw %} ``` -If you have custom requirements or need finer controls for caching, you should explore other configuration options for the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see [AUTOTITLE](/actions/using-workflows/caching-dependencies-to-speed-up-workflows). +If you have custom requirements or need finer controls for caching, you should explore other configuration options for the [`cache` action](https://github.com/marketplace/actions/cache). For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching). ## Building and testing your code @@ -164,7 +164,7 @@ After a workflow completes, you can upload the resulting artifacts for analysis path: {% raw %}target/${{ matrix.BUILD_TARGET }}/{% endraw %} ``` -To use the uploaded artifact in a different job, ensure your workflows have the right permissions for the repository, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/automatic-token-authentication). You could use these example steps to download the app created in the previous workflow and publish it on {% data variables.product.github %}. +To use the uploaded artifact in a different job, ensure your workflows have the right permissions for the repository, see [AUTOTITLE](/actions/tutorials/authenticate-with-github_token). You could use these example steps to download the app created in the previous workflow and publish it on {% data variables.product.github %}. ```yaml copy - uses: {% data reusables.actions.action-checkout %} diff --git a/content/actions/tutorials/build-and-test-code/swift.md b/content/actions/tutorials/build-and-test-code/swift.md index 48f819208c52..d2c75aad353d 100644 --- a/content/actions/tutorials/build-and-test-code/swift.md +++ b/content/actions/tutorials/build-and-test-code/swift.md @@ -24,11 +24,11 @@ contentType: tutorials This guide shows you how to build and test a Swift package. -{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, and the Ubuntu and macOS runners include the dependencies for building Swift packages. For a full list of up-to-date software and the preinstalled versions of Swift and Xcode, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). +{% data variables.product.prodname_dotcom %}-hosted runners have a tools cache with preinstalled software, and the Ubuntu and macOS runners include the dependencies for building Swift packages. For a full list of up-to-date software and the preinstalled versions of Swift and Xcode, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#supported-software). ## Prerequisites -You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). +You should already be familiar with YAML syntax and how it's used with {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax). We recommend that you have a basic understanding of Swift packages. For more information, see [Swift Packages](https://developer.apple.com/documentation/xcode/swift-packages) in the Apple developer documentation. diff --git a/content/actions/tutorials/build-and-test-code/xamarin-apps.md b/content/actions/tutorials/build-and-test-code/xamarin-apps.md index 1fd811204c18..c2c64a684a65 100644 --- a/content/actions/tutorials/build-and-test-code/xamarin-apps.md +++ b/content/actions/tutorials/build-and-test-code/xamarin-apps.md @@ -30,7 +30,7 @@ For a full list of available Xamarin SDK versions on the {% data variables.produ We recommend that you have a basic understanding of Xamarin, .NET Core SDK, YAML, workflow configuration options, and how to create a workflow file. For more information, see: -* [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions) +* [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax) * [Getting started with .NET](https://dotnet.microsoft.com/learn) * [Learn Xamarin](https://dotnet.microsoft.com/learn/xamarin) diff --git a/content/actions/tutorials/create-actions/create-a-composite-action.md b/content/actions/tutorials/create-actions/create-a-composite-action.md index 9f4da1c1811a..4161c8f13789 100644 --- a/content/actions/tutorials/create-actions/create-a-composite-action.md +++ b/content/actions/tutorials/create-actions/create-a-composite-action.md @@ -29,12 +29,12 @@ Once you complete this project, you should understand how to build your own comp ### Composite actions and reusable workflows -Composite actions allow you to collect a series of workflow job steps into a single action which you can then run as a single job step in multiple workflows. Reusable workflows provide another way of avoiding duplication, by allowing you to run a complete workflow from within other workflows. For more information, see [AUTOTITLE](/actions/using-workflows/avoiding-duplication). +Composite actions allow you to collect a series of workflow job steps into a single action which you can then run as a single job step in multiple workflows. Reusable workflows provide another way of avoiding duplication, by allowing you to run a complete workflow from within other workflows. For more information, see [AUTOTITLE](/actions/concepts/workflows-and-actions/reusing-workflow-configurations). ## Prerequisites > > [!NOTE] -> This example explains how to create a composite action within a separate repository. However, it is possible to create a composite action within the same repository. For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-composite-action#creating-a-composite-action-within-the-same-repository). +> This example explains how to create a composite action within a separate repository. However, it is possible to create a composite action within the same repository. For more information, see [AUTOTITLE](/actions/tutorials/create-actions/create-a-composite-action#creating-a-composite-action-within-the-same-repository). Before you begin, you'll create a repository on {% data variables.product.github %}. @@ -95,7 +95,7 @@ Before you begin, you'll create a repository on {% data variables.product.github ## Creating an action metadata file -1. In the `hello-world-composite-action` repository, create a new file called `action.yml` and add the following example code. For more information about this syntax, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-composite-actions). +1. In the `hello-world-composite-action` repository, create a new file called `action.yml` and add the following example code. For more information about this syntax, see [AUTOTITLE](/actions/reference/workflows-and-actions/metadata-syntax#runs-for-composite-actions). ```yaml copy name: 'Hello World' @@ -137,9 +137,9 @@ Before you begin, you'll create a repository on {% data variables.product.github This file defines the `who-to-greet` input, maps the random generated number to the `random-number` output variable, adds the action's path to the runner system path (to locate the `goodbye.sh` script during execution), and runs the `goodbye.sh` script. - For more information about managing outputs, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions). + For more information about managing outputs, see [AUTOTITLE](/actions/reference/workflows-and-actions/metadata-syntax#outputs-for-composite-actions). - For more information about how to use `github.action_path`, see [AUTOTITLE](/actions/learn-github-actions/contexts#github-context). + For more information about how to use `github.action_path`, see [AUTOTITLE](/actions/reference/workflows-and-actions/contexts#github-context). 1. From your terminal, check in your `action.yml` file. @@ -149,7 +149,7 @@ Before you begin, you'll create a repository on {% data variables.product.github git push ``` -1. From your terminal, add a tag. This example uses a tag called `v1`. For more information, see [AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions). +1. From your terminal, add a tag. This example uses a tag called `v1`. For more information, see [AUTOTITLE](/actions/concepts/workflows-and-actions/custom-actions#using-release-management-for-actions). ```shell copy git tag -a -m "Description of this release" v1 @@ -158,7 +158,7 @@ Before you begin, you'll create a repository on {% data variables.product.github ## Testing out your action in a workflow -The following workflow code uses the completed hello world action that you made in [AUTOTITLE](/actions/creating-actions/creating-a-composite-action#creating-an-action-metadata-file). +The following workflow code uses the completed hello world action that you made in [AUTOTITLE](/actions/tutorials/create-actions/create-a-composite-action#creating-an-action-metadata-file). Copy the workflow code into a `.github/workflows/main.yml` file in another repository, replacing `OWNER` and `SHA` with the repository owner and the SHA of the commit you want to use, respectively. You can also replace the `who-to-greet` input with your name. @@ -226,7 +226,7 @@ From your repository, click the **Actions** tab, and select the latest workflow ``` {% endwindows %} -1. In the `hello-world-composite-action` folder, create the `action.yml` file based on the steps in [AUTOTITLE](/actions/creating-actions/creating-a-composite-action#creating-an-action-metadata-file). +1. In the `hello-world-composite-action` folder, create the `action.yml` file based on the steps in [AUTOTITLE](/actions/tutorials/create-actions/create-a-composite-action#creating-an-action-metadata-file). 1. When using the action, use the relative path to the folder where the composite action's `action.yml` file is located in the `uses` key. The below example assumes it is in the `.github/actions/hello-world-composite-action` folder. ```yaml copy diff --git a/content/actions/tutorials/create-actions/create-a-javascript-action.md b/content/actions/tutorials/create-actions/create-a-javascript-action.md index 6a4fdd9df365..afe6eb45eef4 100644 --- a/content/actions/tutorials/create-actions/create-a-javascript-action.md +++ b/content/actions/tutorials/create-actions/create-a-javascript-action.md @@ -59,7 +59,7 @@ Before you begin, you'll need to download Node.js and create a public {% data va ## Creating an action metadata file -Create a new file named `action.yml` in the `hello-world-javascript-action` directory with the following example code. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions). +Create a new file named `action.yml` in the `hello-world-javascript-action` directory with the following example code. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/metadata-syntax). ```yaml copy name: Hello World @@ -133,7 +133,7 @@ try { {% endraw %} -If an error is thrown in the above `index.js` example, `core.setFailed(error.message);` uses the actions toolkit [`@actions/core`](https://github.com/actions/toolkit/tree/main/packages/core) package to log a message and set a failing exit code. For more information, see [AUTOTITLE](/actions/creating-actions/setting-exit-codes-for-actions). +If an error is thrown in the above `index.js` example, `core.setFailed(error.message);` uses the actions toolkit [`@actions/core`](https://github.com/actions/toolkit/tree/main/packages/core) package to log a message and set a failing exit code. For more information, see [AUTOTITLE](/actions/how-tos/create-and-publish-actions/set-exit-codes). ## Creating a README diff --git a/content/actions/tutorials/create-an-example-workflow.md b/content/actions/tutorials/create-an-example-workflow.md index e05331f322e1..66cbd431057a 100644 --- a/content/actions/tutorials/create-an-example-workflow.md +++ b/content/actions/tutorials/create-an-example-workflow.md @@ -21,6 +21,6 @@ This guide shows you how to create a basic workflow that is triggered when code {% data reusables.actions.workflow-templates-for-more-information %} -> [!IMPORTANT] For more information about best practices for securing your workflows and secure use of {% data variables.product.prodname_actions %} features, see [AUTOTITLE](/actions/reference/secure-use-reference#writing-workflows). +> [!IMPORTANT] For more information about best practices for securing your workflows and secure use of {% data variables.product.prodname_actions %} features, see [AUTOTITLE](/actions/reference/security/secure-use#writing-workflows). {% data reusables.actions.workflow-basic-example-and-explanation %} diff --git a/content/actions/tutorials/manage-your-work/add-comments-with-labels.md b/content/actions/tutorials/manage-your-work/add-comments-with-labels.md index 92a2c82e5d8e..849e6f941bef 100644 --- a/content/actions/tutorials/manage-your-work/add-comments-with-labels.md +++ b/content/actions/tutorials/manage-your-work/add-comments-with-labels.md @@ -21,7 +21,7 @@ category: ## Introduction -This tutorial demonstrates how to use the {% data variables.product.prodname_cli %} to comment on an issue when a specific label is applied. For example, when the `help wanted` label is added to an issue, you can add a comment to encourage contributors to work on the issue. For more information about {% data variables.product.prodname_cli %}, see [AUTOTITLE](/actions/using-workflows/using-github-cli-in-workflows). +This tutorial demonstrates how to use the {% data variables.product.prodname_cli %} to comment on an issue when a specific label is applied. For example, when the `help wanted` label is added to an issue, you can add a comment to encourage contributors to work on the issue. For more information about {% data variables.product.prodname_cli %}, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-github-cli). In the tutorial, you will first make a workflow file that uses the `gh issue comment` command to comment on an issue. Then, you will customize the workflow to suit your needs. @@ -67,9 +67,9 @@ Every time an issue in your repository is labeled, this workflow will run. If th Test your workflow by applying your specified label to an issue. -1. Open an issue in your repository. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue). +1. Open an issue in your repository. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/using-issues/creating-an-issue). 1. Label the issue with the specified label in your workflow file. For more information, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-labels-to-issues-and-pull-requests). -1. To see the workflow run triggered by labeling the issue, view the history of your workflow runs. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). +1. To see the workflow run triggered by labeling the issue, view the history of your workflow runs. For more information, see [AUTOTITLE](/actions/how-tos/monitor-workflows/view-workflow-run-history). 1. When the workflow completes, the issue that you labeled should have a comment added. ## Next steps diff --git a/content/actions/tutorials/manage-your-work/add-labels-to-issues.md b/content/actions/tutorials/manage-your-work/add-labels-to-issues.md index ce13fbaf382d..4f2413f7fad7 100644 --- a/content/actions/tutorials/manage-your-work/add-labels-to-issues.md +++ b/content/actions/tutorials/manage-your-work/add-labels-to-issues.md @@ -65,12 +65,12 @@ Every time an issue in your repository is opened or reopened, this workflow will Test out your workflow by creating an issue in your repository. -1. Create an issue in your repository. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/creating-an-issue). -1. To see the workflow run that was triggered by creating the issue, view the history of your workflow runs. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). +1. Create an issue in your repository. For more information, see [AUTOTITLE](/issues/tracking-your-work-with-issues/using-issues/creating-an-issue). +1. To see the workflow run that was triggered by creating the issue, view the history of your workflow runs. For more information, see [AUTOTITLE](/actions/how-tos/monitor-workflows/view-workflow-run-history). 1. When the workflow completes, the issue that you created should have the specified labels added. ## Next steps * To learn more about additional things you can do with the {% data variables.product.prodname_cli %}, see the [GitHub CLI manual](https://cli.github.com/manual/). -* To learn more about different events that can trigger your workflow, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#issues). +* To learn more about different events that can trigger your workflow, see [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows#issues). * [Search GitHub](https://github.com/search?q=path%3A.github%2Fworkflows+gh+issue+edit&type=code) for examples of workflows using `gh issue edit`. diff --git a/content/actions/tutorials/manage-your-work/close-inactive-issues.md b/content/actions/tutorials/manage-your-work/close-inactive-issues.md index a77e338b7dee..6ab0ba33737e 100644 --- a/content/actions/tutorials/manage-your-work/close-inactive-issues.md +++ b/content/actions/tutorials/manage-your-work/close-inactive-issues.md @@ -57,7 +57,7 @@ In the tutorial, you will first make a workflow file that uses the [`actions/sta ``` 1. Customize the parameters in your workflow file: - * Change the value for `on.schedule` to dictate when you want this workflow to run. In the example above, the workflow will run every day at 1:30 UTC. For more information about scheduled workflows, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events). + * Change the value for `on.schedule` to dictate when you want this workflow to run. In the example above, the workflow will run every day at 1:30 UTC. For more information about scheduled workflows, see [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows#scheduled-events). * Change the value for `days-before-issue-stale` to the number of days without activity before the `actions/stale` action labels an issue. If you never want this action to label issues, set this value to `-1`. * Change the value for `days-before-issue-close` to the number of days without activity before the `actions/stale` action closes an issue. If you never want this action to close issues, set this value to `-1`. * Change the value for `stale-issue-label` to the label that you want to apply to issues that have been inactive for the amount of time specified by `days-before-issue-stale`. @@ -72,7 +72,7 @@ Based on the `schedule` parameter (for example, every day at 1:30 UTC), your wor > [!NOTE] > {% data reusables.actions.schedule-delay %} -You can view the history of your workflow runs to see this workflow run periodically. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). +You can view the history of your workflow runs to see this workflow run periodically. For more information, see [AUTOTITLE](/actions/how-tos/monitor-workflows/view-workflow-run-history). This workflow will only label and/or close 30 issues at a time in order to avoid exceeding a rate limit. You can configure this with the `operations-per-run` setting. For more information, see the [`actions/stale` action documentation](https://github.com/marketplace/actions/close-stale-issues). diff --git a/content/actions/tutorials/manage-your-work/schedule-issue-creation.md b/content/actions/tutorials/manage-your-work/schedule-issue-creation.md index 5e0103b9b0a5..4962e40449fe 100644 --- a/content/actions/tutorials/manage-your-work/schedule-issue-creation.md +++ b/content/actions/tutorials/manage-your-work/schedule-issue-creation.md @@ -21,7 +21,7 @@ category: ## Introduction -This tutorial demonstrates how to use the {% data variables.product.prodname_cli %} to create an issue on a regular basis. For example, you can create an issue each week to use as the agenda for a team meeting. For more information about {% data variables.product.prodname_cli %}, see [AUTOTITLE](/actions/using-workflows/using-github-cli-in-workflows). +This tutorial demonstrates how to use the {% data variables.product.prodname_cli %} to create an issue on a regular basis. For example, you can create an issue each week to use as the agenda for a team meeting. For more information about {% data variables.product.prodname_cli %}, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-github-cli). In the tutorial, you will first make a workflow file that uses the {% data variables.product.prodname_cli %}. Then, you will customize the workflow to suit your needs. @@ -87,12 +87,12 @@ In the tutorial, you will first make a workflow file that uses the {% data varia ``` 1. Customize the parameters in your workflow file: - * Change the value for `on.schedule` to dictate when you want this workflow to run. In the example above, the workflow will run every Monday at 7:20 UTC. For more information about scheduled workflows, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events). + * Change the value for `on.schedule` to dictate when you want this workflow to run. In the example above, the workflow will run every Monday at 7:20 UTC. For more information about scheduled workflows, see [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows#scheduled-events). * Change the value for `ASSIGNEES` to the list of {% data variables.product.prodname_dotcom %} usernames that you want to assign to the issue. * Change the value for `LABELS` to the list of labels that you want to apply to the issue. * Change the value for `TITLE` to the title that you want the issue to have. * Change the value for `BODY` to the text that you want in the issue body. The `|` character allows you to use a multi-line value for this parameter. - * If you want to pin this issue in your repository, set `PINNED` to `true`. For more information about pinned issues, see [AUTOTITLE](/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository). + * If you want to pin this issue in your repository, set `PINNED` to `true`. For more information about pinned issues, see [AUTOTITLE](/issues/tracking-your-work-with-issues/administering-issues/pinning-an-issue-to-your-repository). * If you want to close the previous issue generated by this workflow each time a new issue is created, set `CLOSE_PREVIOUS` to `true`. The workflow will close the most recent issue that has the labels defined in the `labels` field. To avoid closing the wrong issue, use a unique label or combination of labels. 1. {% data reusables.actions.commit-workflow %} @@ -103,7 +103,7 @@ Based on the `schedule` parameter (for example, every Monday at 7:20 UTC), your > [!NOTE] > {% data reusables.actions.schedule-delay %} -You can view the history of your workflow runs to see this workflow run periodically. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). +You can view the history of your workflow runs to see this workflow run periodically. For more information, see [AUTOTITLE](/actions/how-tos/monitor-workflows/view-workflow-run-history). ## Next steps diff --git a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/azure-devops-migration.md b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/azure-devops-migration.md index 0b11dcd9e3a5..285a20788695 100644 --- a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/azure-devops-migration.md +++ b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/azure-devops-migration.md @@ -43,7 +43,7 @@ Certain Azure DevOps constructs must be migrated manually from Azure DevOps into * Environments * Pre-deployment approvals -For more information on manual migrations, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-azure-pipelines-to-github-actions). +For more information on manual migrations, see [AUTOTITLE](/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-azure-pipelines). #### Unsupported tasks @@ -440,10 +440,10 @@ You can transform Azure DevOps templates with {% data variables.product.prodname {% data variables.product.prodname_actions_importer %} is able to transform Azure DevOps templates with some limitations. -* Azure DevOps templates used under the `stages`, `deployments`, and `jobs` keys are converted into reusable workflows in {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows). -* Azure DevOps templates used under the `steps` key are converted into composite actions. For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-composite-action). +* Azure DevOps templates used under the `stages`, `deployments`, and `jobs` keys are converted into reusable workflows in {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/how-tos/reuse-automations/reuse-workflows). +* Azure DevOps templates used under the `steps` key are converted into composite actions. For more information, see [AUTOTITLE](/actions/tutorials/create-actions/create-a-composite-action). * If you currently have job templates that reference other job templates, {% data variables.product.prodname_actions_importer %} converts the templates into reusable workflows. Because reusable workflows cannot reference other reusable workflows, this is invalid syntax in {% data variables.product.prodname_actions %}. You must manually correct nested reusable workflows. -* If a template references an external Azure DevOps organization or {% data variables.product.prodname_dotcom %} repository, you must use the `--credentials-file` option to provide credentials to access this template. For more information, see [AUTOTITLE](/actions/migrating-to-github-actions/automated-migrations/supplemental-arguments-and-settings#using-a-credentials-file-for-authentication). +* If a template references an external Azure DevOps organization or {% data variables.product.prodname_dotcom %} repository, you must use the `--credentials-file` option to provide credentials to access this template. For more information, see [AUTOTITLE](/actions/reference/github-actions-importer/supplemental-arguments-and-settings#using-a-credentials-file-for-authentication). * You can dynamically generate YAML using `each` expressions with the following caveats: * Nested `each` blocks are not supported and cause the parent `each` block to be unsupported. * `each` and contained `if` conditions are evaluated at transformation time, because {% data variables.product.prodname_actions %} does not support this style of insertion. diff --git a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/bamboo-migration.md b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/bamboo-migration.md index 494b78e3c603..25d236791eeb 100644 --- a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/bamboo-migration.md +++ b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/bamboo-migration.md @@ -34,11 +34,11 @@ There are some limitations when migrating from Bamboo to {% data variables.produ * {% data variables.product.prodname_actions_importer %} relies on the YAML specification generated by the Bamboo Server to perform migrations. When Bamboo does not support exporting something to YAML, the missing information is not migrated. * Trigger conditions are unsupported. When {% data variables.product.prodname_actions_importer %} encounters a trigger with a condition, the condition is surfaced as a comment and the trigger is transformed without it. * Bamboo Plans with customized settings for storing artifacts are not transformed. Instead, artifacts are stored and retrieved using the [`upload-artifact`](https://github.com/actions/upload-artifact) and [`download-artifact`](https://github.com/actions/download-artifact) actions. -* Disabled plans must be disabled manually in the GitHub UI. For more information, see [AUTOTITLE](/actions/using-workflows/disabling-and-enabling-a-workflow). +* Disabled plans must be disabled manually in the GitHub UI. For more information, see [AUTOTITLE](/actions/how-tos/manage-workflow-runs/disable-and-enable-workflows). * Disabled jobs are transformed with a `if: false` condition which prevents it from running. You must remove this to re-enable the job. * Disabled tasks are not transformed because they are not included in the exported plan when using the Bamboo API. * Bamboo provides options to clean up build workspaces after a build is complete. These are not transformed because it is assumed GitHub-hosted runners or ephemeral self-hosted runners will automatically handle this. -* The hanging build detection options are not transformed because there is no equivalent in {% data variables.product.prodname_actions %}. The closest option is `timeout-minutes` on a job, which can be used to set the maximum number of minutes to let a job run. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes). +* The hanging build detection options are not transformed because there is no equivalent in {% data variables.product.prodname_actions %}. The closest option is `timeout-minutes` on a job, which can be used to set the maximum number of minutes to let a job run. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idtimeout-minutes). * Pattern match labeling is not transformed because there is no equivalent in {% data variables.product.prodname_actions %}. * All artifacts are transformed into an `actions/upload-artifact`, regardless of whether they are `shared` or not, so they can be downloaded from any job in the workflow. * Permissions are not transformed because there is no suitable equivalent in {% data variables.product.prodname_actions %}. diff --git a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/bitbucket-pipelines-migration.md b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/bitbucket-pipelines-migration.md index ae70d066e844..657215c5d487 100644 --- a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/bitbucket-pipelines-migration.md +++ b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/bitbucket-pipelines-migration.md @@ -29,9 +29,9 @@ The instructions below will guide you through configuring your environment to us There are some limitations when migrating from Bitbucket Pipelines to {% data variables.product.prodname_actions %} with {% data variables.product.prodname_actions_importer %}. * Images in a private AWS ECR are not supported. -* The Bitbucket Pipelines option `size` is not supported. {% ifversion fpt or ghec %}If additional runner resources are required in {% data variables.product.prodname_actions %}, consider using {% data variables.actions.hosted_runner %}s. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners).{% endif %} +* The Bitbucket Pipelines option `size` is not supported. {% ifversion fpt or ghec %}If additional runner resources are required in {% data variables.product.prodname_actions %}, consider using {% data variables.actions.hosted_runner %}s. For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/larger-runners).{% endif %} * Metrics detailing the queue time of jobs is not supported by the `forecast` command. -* Bitbucket [after-scripts](https://support.atlassian.com/bitbucket-cloud/docs/step-options/#After-script) are supported using {% data variables.product.prodname_actions %} `always()` in combination with checking the `steps..conclusion` of the previous step. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#steps-context). +* Bitbucket [after-scripts](https://support.atlassian.com/bitbucket-cloud/docs/step-options/#After-script) are supported using {% data variables.product.prodname_actions %} `always()` in combination with checking the `steps..conclusion` of the previous step. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/contexts#steps-context). The following is an example of using the `always()` with `steps..conclusion`. diff --git a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/gitlab-migration.md b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/gitlab-migration.md index 575682ae8fa0..4b5b9962853a 100644 --- a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/gitlab-migration.md +++ b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/gitlab-migration.md @@ -40,7 +40,7 @@ Certain GitLab constructs must be migrated manually. These include: * Masked project or group variable values * Artifact reports -For more information on manual migrations, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions). +For more information on manual migrations, see [AUTOTITLE](/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-gitlab-cicd). ## Installing the {% data variables.product.prodname_actions_importer %} CLI extension @@ -312,7 +312,7 @@ gh actions-importer migrate gitlab --project my-project-name --output-dir output ### Supported syntax for GitLab pipelines -The following table shows the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how GitLab pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-gitlab-cicd-to-github-actions). +The following table shows the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how GitLab pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-gitlab-cicd). | GitLab Pipelines | GitHub Actions | Status | | :-------------------------------------- | :------------------------------ | :-------------------------- | diff --git a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/jenkins-migration.md b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/jenkins-migration.md index dd2dcc1e3442..2ee08e620db0 100644 --- a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/jenkins-migration.md +++ b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/jenkins-migration.md @@ -36,7 +36,7 @@ There are some limitations when migrating from Jenkins to {% data variables.prod * Self-hosted runners * Unknown plugins -For more information on manual migrations, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions). +For more information on manual migrations, see [AUTOTITLE](/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-jenkins). ## Installing the {% data variables.product.prodname_actions_importer %} CLI extension @@ -272,7 +272,7 @@ source_files: ### Supported syntax for Jenkins pipelines -The following tables show the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how Jenkins pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-jenkins-to-github-actions). +The following tables show the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how Jenkins pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-jenkins). For information about supported Jenkins plugins, see the [`github/gh-actions-importer` repository](https://github.com/github/gh-actions-importer/blob/main/docs/jenkins/index.md). diff --git a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/travis-ci-migration.md b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/travis-ci-migration.md index 151aaf26c61f..38713d97e1e0 100644 --- a/content/actions/tutorials/migrate-to-github-actions/automated-migrations/travis-ci-migration.md +++ b/content/actions/tutorials/migrate-to-github-actions/automated-migrations/travis-ci-migration.md @@ -37,7 +37,7 @@ Certain Travis CI constructs must be migrated manually. These include: * Secrets * Unknown job properties -For more information on manual migrations, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions). +For more information on manual migrations, see [AUTOTITLE](/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-travis-ci). #### Travis CI project languages @@ -310,7 +310,7 @@ gh actions-importer dry-run travis-ci --travis-ci-repository travis-org-name/tra ### Supported syntax for Travis CI pipelines -The following table shows the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how Travis CI pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/migrating-to-github-actions/manually-migrating-to-github-actions/migrating-from-travis-ci-to-github-actions). +The following table shows the type of properties {% data variables.product.prodname_actions_importer %} is currently able to convert. For more details about how Travis CI pipeline syntax aligns with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-travis-ci). | Travis CI | GitHub Actions | Status | | :------------------ | :--------------------------------- | ------------------: | diff --git a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-azure-pipelines.md b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-azure-pipelines.md index c3961da47296..e474487197aa 100644 --- a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-azure-pipelines.md +++ b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-azure-pipelines.md @@ -29,7 +29,7 @@ Azure Pipelines and {% data variables.product.prodname_actions %} both allow you * Jobs include one or more steps or individual commands. * Steps or tasks can be reused and shared with the community. -For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). +For more information, see [AUTOTITLE](/actions/get-started/understand-github-actions). ## Key differences @@ -52,7 +52,7 @@ Jobs and steps in Azure Pipelines are very similar to jobs and steps in {% data You can run a script or a shell command as a step in a workflow. In Azure Pipelines, script steps can be specified using the `script` key, or with the `bash`, `powershell`, or `pwsh` keys. Scripts can also be specified as an input to the [Bash task](https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash?view=azure-devops) or the [PowerShell task](https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell?view=azure-devops). -In {% data variables.product.prodname_actions %}, all scripts are specified using the `run` key. To select a particular shell, you can specify the `shell` key when providing the script. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun). +In {% data variables.product.prodname_actions %}, all scripts are specified using the `run` key. To select a particular shell, you can specify the `shell` key when providing the script. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsrun). Below is an example of the syntax for each system. @@ -100,7 +100,7 @@ jobs: In Azure Pipelines, scripts can be configured to error if any output is sent to `stderr`. {% data variables.product.prodname_actions %} does not support this configuration. -{% data variables.product.prodname_actions %} configures shells to "fail fast" whenever possible, which stops the script immediately if one of the commands in a script exits with an error code. In contrast, Azure Pipelines requires explicit configuration to exit immediately on an error. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference). +{% data variables.product.prodname_actions %} configures shells to "fail fast" whenever possible, which stops the script immediately if one of the commands in a script exits with an error code. In contrast, Azure Pipelines requires explicit configuration to exit immediately on an error. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#exit-codes-and-error-action-preference). ## Differences in the default shell on Windows @@ -141,7 +141,7 @@ jobs: {% endraw %} -For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#using-a-specific-shell). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#using-a-specific-shell). ## Migrating conditionals and expression syntax @@ -182,7 +182,7 @@ jobs: {% endraw %} -For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/expressions). ## Dependencies between jobs @@ -252,7 +252,7 @@ jobs: {% endraw %} -For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idneeds). ## Migrating tasks to actions @@ -293,4 +293,4 @@ jobs: - run: python script.py ``` -You can find actions that you can use in your workflow in [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see [AUTOTITLE](/actions/creating-actions). +You can find actions that you can use in your workflow in [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see [AUTOTITLE](/actions/how-tos/reuse-automations). diff --git a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-circleci.md b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-circleci.md index a5c4ebc72887..306a0c2ca761 100644 --- a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-circleci.md +++ b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-circleci.md @@ -29,29 +29,29 @@ CircleCI and {% data variables.product.prodname_actions %} both allow you to cre * Jobs include one or more steps or individual commands. * Steps or tasks can be reused and shared with the community. -For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). +For more information, see [AUTOTITLE](/actions/get-started/understand-github-actions). ## Key differences When migrating from CircleCI, consider the following differences: * CircleCI’s automatic test parallelism automatically groups tests according to user-specified rules or historical timing information. This functionality is not built into {% data variables.product.prodname_actions %}. -* Actions that execute in Docker containers are sensitive to permissions problems since containers have a different mapping of users. You can avoid many of these problems by not using the `USER` instruction in your _Dockerfile_. For more information about the Docker filesystem on {% data variables.product.github %}-hosted runners, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem). +* Actions that execute in Docker containers are sensitive to permissions problems since containers have a different mapping of users. You can avoid many of these problems by not using the `USER` instruction in your _Dockerfile_. For more information about the Docker filesystem on {% data variables.product.github %}-hosted runners, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#docker-container-filesystem). ## Migrating workflows and jobs CircleCI defines `workflows` in the _config.yml_ file, which allows you to configure more than one workflow. {% data variables.product.github %} requires one workflow file per workflow, and as a consequence, does not require you to declare `workflows`. You'll need to create a new workflow file for each workflow configured in _config.yml_. -Both CircleCI and {% data variables.product.prodname_actions %} configure `jobs` in the configuration file using similar syntax. If you configure any dependencies between jobs using `requires` in your CircleCI workflow, you can use the equivalent {% data variables.product.prodname_actions %} `needs` syntax. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds). +Both CircleCI and {% data variables.product.prodname_actions %} configure `jobs` in the configuration file using similar syntax. If you configure any dependencies between jobs using `requires` in your CircleCI workflow, you can use the equivalent {% data variables.product.prodname_actions %} `needs` syntax. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idneeds). ## Migrating orbs to actions -Both CircleCI and {% data variables.product.prodname_actions %} provide a mechanism to reuse and share tasks in a workflow. CircleCI uses a concept called orbs, written in YAML, to provide tasks that people can reuse in a workflow. {% data variables.product.prodname_actions %} has powerful and flexible reusable components called actions, which you build with either JavaScript files or Docker images. You can create actions by writing custom code that interacts with your repository in any way you'd like, including integrating with {% data variables.product.github %}'s APIs and any publicly available third-party API. For example, an action can publish npm modules, send SMS alerts when urgent issues are created, or deploy production-ready code. For more information, see [AUTOTITLE](/actions/creating-actions). +Both CircleCI and {% data variables.product.prodname_actions %} provide a mechanism to reuse and share tasks in a workflow. CircleCI uses a concept called orbs, written in YAML, to provide tasks that people can reuse in a workflow. {% data variables.product.prodname_actions %} has powerful and flexible reusable components called actions, which you build with either JavaScript files or Docker images. You can create actions by writing custom code that interacts with your repository in any way you'd like, including integrating with {% data variables.product.github %}'s APIs and any publicly available third-party API. For example, an action can publish npm modules, send SMS alerts when urgent issues are created, or deploy production-ready code. For more information, see [AUTOTITLE](/actions/how-tos/reuse-automations). {% ifversion fpt or ghec %} -CircleCI can reuse pieces of workflows with YAML anchors and aliases. {% data variables.product.prodname_actions %} supports YAML anchors and aliases for reusability, and also provides matrices for running jobs with different configurations. For more information about matrices, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). +CircleCI can reuse pieces of workflows with YAML anchors and aliases. {% data variables.product.prodname_actions %} supports YAML anchors and aliases for reusability, and also provides matrices for running jobs with different configurations. For more information about matrices, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/run-job-variations). {% else %} -CircleCI can reuse pieces of workflows with YAML anchors and aliases. {% data variables.product.prodname_actions %} supports the most common need for reusability using matrices. For more information about matrices, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). +CircleCI can reuse pieces of workflows with YAML anchors and aliases. {% data variables.product.prodname_actions %} supports the most common need for reusability using matrices. For more information about matrices, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/run-job-variations). {% endif %} ## Using Docker images @@ -62,15 +62,15 @@ CircleCI provides a set of pre-built images with common dependencies. These imag We recommend that you move away from CircleCI's pre-built images when you migrate to {% data variables.product.prodname_actions %}. In many cases, you can use actions to install the additional dependencies you need. -For more information about the Docker filesystem, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem). +For more information about the Docker filesystem, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#docker-container-filesystem). -For more information about the tools and packages available on {% data variables.product.prodname_dotcom %}-hosted runner images, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software). +For more information about the tools and packages available on {% data variables.product.prodname_dotcom %}-hosted runner images, see [AUTOTITLE](/actions/concepts/runners/github-hosted-runners#supported-software). ## Using variables and secrets CircleCI and {% data variables.product.prodname_actions %} support setting variables in the configuration file and creating secrets using the CircleCI or {% data variables.product.github %} UI. -For more information, see [AUTOTITLE](/actions/reference/variables-reference#default-environment-variables) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/variables#default-environment-variables) and [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ## Caching @@ -145,7 +145,7 @@ Below is an example in CircleCI and {% data variables.product.prodname_actions % name: homework ``` -For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). ## Using databases and service containers @@ -262,7 +262,7 @@ jobs: -For more information, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers). +For more information, see [AUTOTITLE](/actions/tutorials/use-containerized-services/use-docker-service-containers). ## Complete Example diff --git a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-gitlab-cicd.md b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-gitlab-cicd.md index 0c9a980ebf8a..8d5a75a6f3b3 100644 --- a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-gitlab-cicd.md +++ b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-gitlab-cicd.md @@ -111,7 +111,7 @@ linux_job: {% endraw %} -For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idruns-on). ## Docker images @@ -142,7 +142,7 @@ jobs: {% endraw %} -For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idcontainer). ## Condition and expression syntax @@ -180,7 +180,7 @@ jobs: {% endraw %} -For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/expressions). ## Dependencies between Jobs @@ -252,19 +252,19 @@ jobs: {% endraw %} -For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idneeds). ## Scheduling workflows Both GitLab CI/CD and {% data variables.product.prodname_actions %} allow you to run workflows at a specific interval. In GitLab CI/CD, pipeline schedules are configured with the UI, while in {% data variables.product.prodname_actions %} you can trigger a workflow on a scheduled interval with the "on" key. -For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#scheduled-events). +For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows#scheduled-events). ## Variables and secrets GitLab CI/CD and {% data variables.product.prodname_actions %} support setting variables in the pipeline or workflow configuration file, and creating secrets using the GitLab or {% data variables.product.github %} UI. -For more information, see [AUTOTITLE](/actions/learn-github-actions/variables) and [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets). +For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables) and [AUTOTITLE](/actions/concepts/security/secrets). ## Caching @@ -338,7 +338,7 @@ artifacts: path: math-homework.txt ``` -For more information, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +For more information, see [AUTOTITLE](/actions/tutorials/store-and-share-data). ## Databases and service containers @@ -412,4 +412,4 @@ jobs: POSTGRES_PORT: 5432 ``` -For more information, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers). +For more information, see [AUTOTITLE](/actions/tutorials/use-containerized-services/use-docker-service-containers). diff --git a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-jenkins.md b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-jenkins.md index d4fe60810f35..b231033f4392 100644 --- a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-jenkins.md +++ b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-jenkins.md @@ -26,15 +26,15 @@ Jenkins and {% data variables.product.prodname_actions %} both allow you to crea * Jenkins creates workflows using _Declarative Pipelines_, which are similar to {% data variables.product.prodname_actions %} workflow files. * Jenkins uses _stages_ to run a collection of steps, while {% data variables.product.prodname_actions %} uses jobs to group one or more steps or individual commands. -* Jenkins and {% data variables.product.prodname_actions %} support container-based builds. For more information, see [AUTOTITLE](/actions/creating-actions/creating-a-docker-container-action). +* Jenkins and {% data variables.product.prodname_actions %} support container-based builds. For more information, see [AUTOTITLE](/actions/tutorials/use-containerized-services/create-a-docker-container-action). * Steps or tasks can be reused and shared with the community. -For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). +For more information, see [AUTOTITLE](/actions/get-started/understand-github-actions). ## Key differences -* Jenkins has two types of syntax for creating pipelines: Declarative Pipeline and Scripted Pipeline. {% data variables.product.prodname_actions %} uses YAML to create workflows and configuration files. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). -* Jenkins deployments are typically self-hosted, with users maintaining the servers in their own data centers. {% data variables.product.prodname_actions %} offers a hybrid cloud approach by hosting its own runners that you can use to run jobs, while also supporting self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). +* Jenkins has two types of syntax for creating pipelines: Declarative Pipeline and Scripted Pipeline. {% data variables.product.prodname_actions %} uses YAML to create workflows and configuration files. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax). +* Jenkins deployments are typically self-hosted, with users maintaining the servers in their own data centers. {% data variables.product.prodname_actions %} offers a hybrid cloud approach by hosting its own runners that you can use to run jobs, while also supporting self-hosted runners. For more information, see [AUTOTITLE](/actions/concepts/runners/self-hosted-runners). ## Comparing capabilities @@ -42,7 +42,7 @@ For more information, see [AUTOTITLE](/actions/learn-github-actions/understandin Jenkins lets you send builds to a single build agent, or you can distribute them across multiple agents. You can also classify these agents according to various attributes, such as operating system types. -Similarly, {% data variables.product.prodname_actions %} can send jobs to {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners, and you can use labels to classify runners according to various attributes. For more information, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). +Similarly, {% data variables.product.prodname_actions %} can send jobs to {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners, and you can use labels to classify runners according to various attributes. For more information, see [AUTOTITLE](/actions/get-started/understand-github-actions#runners) and [AUTOTITLE](/actions/concepts/runners/self-hosted-runners). ### Using sections to organize pipelines @@ -50,10 +50,10 @@ Jenkins splits its Declarative Pipelines into multiple sections. Similarly, {% d | Jenkins Directives | {% data variables.product.prodname_actions %} | | ------------- | ------------- | -| [`agent`](https://jenkins.io/doc/book/pipeline/syntax/#agent) | [`jobs..runs-on`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on)
[`jobs..container`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer) | +| [`agent`](https://jenkins.io/doc/book/pipeline/syntax/#agent) | [`jobs..runs-on`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idruns-on)
[`jobs..container`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idcontainer) | | [`post`](https://jenkins.io/doc/book/pipeline/syntax/#post) | None | -| [`stages`](https://jenkins.io/doc/book/pipeline/syntax/#stages) | [`jobs`](/actions/using-workflows/workflow-syntax-for-github-actions#jobs) | -| [`steps`](https://jenkins.io/doc/book/pipeline/syntax/#steps) | [`jobs..steps`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsteps) | +| [`stages`](https://jenkins.io/doc/book/pipeline/syntax/#stages) | [`jobs`](/actions/reference/workflows-and-actions/workflow-syntax#jobs) | +| [`steps`](https://jenkins.io/doc/book/pipeline/syntax/#steps) | [`jobs..steps`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps) | ## Using directives @@ -61,16 +61,16 @@ Jenkins uses directives to manage _Declarative Pipelines_. These directives defi | Jenkins Directives | {% data variables.product.prodname_actions %} | | ------------- | ------------- | -| [`environment`](https://jenkins.io/doc/book/pipeline/syntax/#environment) | [`jobs..env`](/actions/using-workflows/workflow-syntax-for-github-actions#env)
[`jobs..steps[*].env`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv) | -| [`options`](https://jenkins.io/doc/book/pipeline/syntax/#options) | [`jobs..strategy`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategy)
[`jobs..strategy.fail-fast`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast)
[`jobs..timeout-minutes`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes) | -| [`parameters`](https://jenkins.io/doc/book/pipeline/syntax/#options) | [`inputs`](/actions/creating-actions/metadata-syntax-for-github-actions#inputs)
[`outputs`](/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions) | -| [`triggers`](https://jenkins.io/doc/book/pipeline/syntax/#triggers) | [`on`](/actions/using-workflows/workflow-syntax-for-github-actions#on)
[`on..types`](/actions/using-workflows/workflow-syntax-for-github-actions#onevent_nametypes)
[on..](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore)
[on..](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore)
[on..paths](/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore) | -| [`triggers { upstreamprojects() }`](https://jenkins.io/doc/book/pipeline/syntax/#triggers) | [`jobs..needs`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds) | -| [Jenkins cron syntax](https://jenkins.io/doc/book/pipeline/syntax/#cron-syntax) | [`on.schedule`](/actions/using-workflows/workflow-syntax-for-github-actions#onschedule) | -| [`stage`](https://jenkins.io/doc/book/pipeline/syntax/#stage) | [`jobs.`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id)
[`jobs..name`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idname) | -| [`tools`](https://jenkins.io/doc/book/pipeline/syntax/#tools) | [Specifications for {% data variables.product.prodname_dotcom %}-hosted runners](/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software) | -| [`input`](https://jenkins.io/doc/book/pipeline/syntax/#input) | [`inputs`](/actions/creating-actions/metadata-syntax-for-github-actions#inputs) | -| [`when`](https://jenkins.io/doc/book/pipeline/syntax/#when) | [`jobs..if`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idif) | +| [`environment`](https://jenkins.io/doc/book/pipeline/syntax/#environment) | [`jobs..env`](/actions/reference/workflows-and-actions/workflow-syntax#env)
[`jobs..steps[*].env`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsenv) | +| [`options`](https://jenkins.io/doc/book/pipeline/syntax/#options) | [`jobs..strategy`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstrategy)
[`jobs..strategy.fail-fast`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstrategyfail-fast)
[`jobs..timeout-minutes`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idtimeout-minutes) | +| [`parameters`](https://jenkins.io/doc/book/pipeline/syntax/#options) | [`inputs`](/actions/reference/workflows-and-actions/metadata-syntax#inputs)
[`outputs`](/actions/reference/workflows-and-actions/metadata-syntax#outputs-for-docker-container-and-javascript-actions) | +| [`triggers`](https://jenkins.io/doc/book/pipeline/syntax/#triggers) | [`on`](/actions/reference/workflows-and-actions/workflow-syntax#on)
[`on..types`](/actions/reference/workflows-and-actions/workflow-syntax#onevent_nametypes)
[on..](/actions/reference/workflows-and-actions/workflow-syntax#onpushbranchestagsbranches-ignoretags-ignore)
[on..](/actions/reference/workflows-and-actions/workflow-syntax#onpullrequestpullrequesttargetbranchesbranches-ignore)
[on..paths](/actions/reference/workflows-and-actions/workflow-syntax#onpushpullrequestpullrequesttargetpathspaths-ignore) | +| [`triggers { upstreamprojects() }`](https://jenkins.io/doc/book/pipeline/syntax/#triggers) | [`jobs..needs`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idneeds) | +| [Jenkins cron syntax](https://jenkins.io/doc/book/pipeline/syntax/#cron-syntax) | [`on.schedule`](/actions/reference/workflows-and-actions/workflow-syntax#onschedule) | +| [`stage`](https://jenkins.io/doc/book/pipeline/syntax/#stage) | [`jobs.`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_id)
[`jobs..name`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idname) | +| [`tools`](https://jenkins.io/doc/book/pipeline/syntax/#tools) | [Specifications for {% data variables.product.prodname_dotcom %}-hosted runners](/actions/concepts/runners/github-hosted-runners#supported-software) | +| [`input`](https://jenkins.io/doc/book/pipeline/syntax/#input) | [`inputs`](/actions/reference/workflows-and-actions/metadata-syntax#inputs) | +| [`when`](https://jenkins.io/doc/book/pipeline/syntax/#when) | [`jobs..if`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idif) | ## Using sequential stages @@ -80,7 +80,7 @@ Jenkins uses directives to manage _Declarative Pipelines_. These directives defi | Jenkins Parallel | {% data variables.product.prodname_actions %} | | ------------- | ------------- | -| [`parallel`](https://jenkins.io/doc/book/pipeline/syntax/#parallel) | [`jobs..strategy.max-parallel`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel) | +| [`parallel`](https://jenkins.io/doc/book/pipeline/syntax/#parallel) | [`jobs..strategy.max-parallel`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstrategymax-parallel) | ### Matrix @@ -88,8 +88,8 @@ Both {% data variables.product.prodname_actions %} and Jenkins let you use a mat | Jenkins | {% data variables.product.prodname_actions %} | | ------------- | ------------- | -| [`axis`](https://jenkins.io/doc/book/pipeline/syntax/#matrix-axes) | [`strategy/matrix`](/actions/using-workflows/about-workflows#using-a-build-matrix)
[`context`](/actions/learn-github-actions/contexts) | -| [`stages`](https://jenkins.io/doc/book/pipeline/syntax/#matrix-stages) | [`steps-context`](/actions/learn-github-actions/contexts#steps-context) | +| [`axis`](https://jenkins.io/doc/book/pipeline/syntax/#matrix-axes) | [`strategy/matrix`](/actions/concepts/workflows-and-actions/workflows#using-a-build-matrix)
[`context`](/actions/reference/workflows-and-actions/contexts) | +| [`stages`](https://jenkins.io/doc/book/pipeline/syntax/#matrix-stages) | [`steps-context`](/actions/reference/workflows-and-actions/contexts#steps-context) | | [`excludes`](https://jenkins.io/doc/book/pipeline/syntax/#matrix-stages) | None | ### Using steps to execute tasks @@ -98,7 +98,7 @@ Jenkins groups `steps` together in `stages`. Each of these steps can be a script | Jenkins | {% data variables.product.prodname_actions %} | | ------------- | ------------- | -| [`steps`](https://jenkins.io/doc/book/pipeline/syntax/#steps) | [`jobs..steps`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsteps) | +| [`steps`](https://jenkins.io/doc/book/pipeline/syntax/#steps) | [`jobs..steps`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps) | ## Examples of common tasks diff --git a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-travis-ci.md b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-travis-ci.md index 6e4d0f4015d3..606c76c7cd2b 100644 --- a/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-travis-ci.md +++ b/content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-travis-ci.md @@ -28,8 +28,8 @@ This guide helps you migrate from Travis CI to {% data variables.product.prodnam Before starting your migration to {% data variables.product.prodname_actions %}, it would be useful to become familiar with how it works: -* For a quick example that demonstrates a {% data variables.product.prodname_actions %} job, see [AUTOTITLE](/actions/quickstart). -* To learn the essential {% data variables.product.prodname_actions %} concepts, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions). +* For a quick example that demonstrates a {% data variables.product.prodname_actions %} job, see [AUTOTITLE](/actions/get-started/quickstart). +* To learn the essential {% data variables.product.prodname_actions %} concepts, see [AUTOTITLE](/actions/get-started/understand-github-actions). ## Comparing job execution @@ -41,28 +41,28 @@ To give you control over when CI tasks are executed, a {% data variables.product ### Using YAML syntax -Travis CI and {% data variables.product.prodname_actions %} both use YAML to create jobs and workflows, and these files are stored in the code's repository. For more information on how {% data variables.product.prodname_actions %} uses YAML, see [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow). +Travis CI and {% data variables.product.prodname_actions %} both use YAML to create jobs and workflows, and these files are stored in the code's repository. For more information on how {% data variables.product.prodname_actions %} uses YAML, see [AUTOTITLE](/actions/tutorials/create-an-example-workflow). ### Custom variables -Travis CI lets you set variables and share them between stages. Similarly, {% data variables.product.prodname_actions %} lets you define variables for a workflow. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables). +Travis CI lets you set variables and share them between stages. Similarly, {% data variables.product.prodname_actions %} lets you define variables for a workflow. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables). ### Default variables -Travis CI and {% data variables.product.prodname_actions %} both include default environment variables that you can use in your YAML files. For {% data variables.product.prodname_actions %}, you can see these listed in [AUTOTITLE](/actions/reference/variables-reference#default-environment-variables). +Travis CI and {% data variables.product.prodname_actions %} both include default environment variables that you can use in your YAML files. For {% data variables.product.prodname_actions %}, you can see these listed in [AUTOTITLE](/actions/reference/workflows-and-actions/variables#default-environment-variables). ### Parallel job processing -Travis CI can use `stages` to run jobs in parallel. Similarly, {% data variables.product.prodname_actions %} runs `jobs` in parallel. For more information, see [AUTOTITLE](/actions/using-workflows/about-workflows#creating-dependent-jobs). +Travis CI can use `stages` to run jobs in parallel. Similarly, {% data variables.product.prodname_actions %} runs `jobs` in parallel. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjobidneeds). ### Status badges Travis CI and {% data variables.product.prodname_actions %} both support status badges, which let you indicate whether a build is passing or failing. -For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/adding-a-workflow-status-badge). +For more information, see [AUTOTITLE](/actions/how-tos/monitor-workflows/add-a-status-badge). ### Using a matrix -Travis CI and {% data variables.product.prodname_actions %} both support a matrix, allowing you to perform testing using combinations of operating systems and software packages. For more information, see [AUTOTITLE](/actions/using-jobs/using-a-matrix-for-your-jobs). +Travis CI and {% data variables.product.prodname_actions %} both support a matrix, allowing you to perform testing using combinations of operating systems and software packages. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/run-job-variations). Below is an example comparing the syntax for each system. @@ -95,7 +95,7 @@ jobs: ### Targeting specific branches -Travis CI and {% data variables.product.prodname_actions %} both allow you to target your CI to a specific branch. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore). +Travis CI and {% data variables.product.prodname_actions %} both allow you to target your CI to a specific branch. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#onpushbranchestagsbranches-ignoretags-ignore). Below is an example of the syntax for each system. @@ -163,31 +163,31 @@ When migrating from Travis CI, consider the following key features in {% data va ### Storing secrets -{% data variables.product.prodname_actions %} allows you to store secrets and reference them in your jobs. {% data variables.product.prodname_actions %} organizations can limit which repositories can access organization secrets. Deployment protection rules can require manual approval for a workflow to access environment secrets. For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets). +{% data variables.product.prodname_actions %} allows you to store secrets and reference them in your jobs. {% data variables.product.prodname_actions %} organizations can limit which repositories can access organization secrets. Deployment protection rules can require manual approval for a workflow to access environment secrets. For more information, see [AUTOTITLE](/actions/concepts/security/secrets). ### Sharing files between jobs and workflows -{% data variables.product.prodname_actions %} includes integrated support for artifact storage, allowing you to share files between jobs in a workflow. You can also save the resulting files and share them with other workflows. For more information, see [AUTOTITLE](/actions/learn-github-actions/essential-features-of-github-actions#sharing-data-between-jobs). +{% data variables.product.prodname_actions %} includes integrated support for artifact storage, allowing you to share files between jobs in a workflow. You can also save the resulting files and share them with other workflows. For more information, see [AUTOTITLE](/actions/get-started/understand-github-actions#sharing-data-between-jobs). ### Hosting your own runners -If your jobs require specific hardware or software, {% data variables.product.prodname_actions %} allows you to host your own runners and send your jobs to them for processing. {% data variables.product.prodname_actions %} also lets you use policies to control how these runners are accessed, granting access at the organization or repository level. For more information, see [AUTOTITLE](/actions/how-tos/managing-self-hosted-runners). +If your jobs require specific hardware or software, {% data variables.product.prodname_actions %} allows you to host your own runners and send your jobs to them for processing. {% data variables.product.prodname_actions %} also lets you use policies to control how these runners are accessed, granting access at the organization or repository level. For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners). {% ifversion fpt or ghec %} ### Concurrent jobs and execution time -The concurrent jobs and workflow execution times in {% data variables.product.prodname_actions %} can vary depending on your {% data variables.product.company_short %} plan. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration). +The concurrent jobs and workflow execution times in {% data variables.product.prodname_actions %} can vary depending on your {% data variables.product.company_short %} plan. For more information, see [AUTOTITLE](/actions/concepts/billing-and-usage). {% endif %} ### Using different languages in {% data variables.product.prodname_actions %} -When working with different languages in {% data variables.product.prodname_actions %}, you can create a step in your job to set up your language dependencies. For more information about working with a particular language, see [AUTOTITLE](/actions/use-cases-and-examples/building-and-testing). +When working with different languages in {% data variables.product.prodname_actions %}, you can create a step in your job to set up your language dependencies. For more information about working with a particular language, see [AUTOTITLE](/actions/tutorials/build-and-test-code). ## Executing scripts -{% data variables.product.prodname_actions %} can use `run` steps to run scripts or shell commands. To use a particular shell, you can specify the `shell` type when providing the path to the script. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun). +{% data variables.product.prodname_actions %} can use `run` steps to run scripts or shell commands. To use a particular shell, you can specify the `shell` type when providing the path to the script. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsrun). For example: @@ -204,15 +204,15 @@ When migrating to {% data variables.product.prodname_actions %}, there are diffe ### Script error handling -{% data variables.product.prodname_actions %} stops a job immediately if one of the steps returns an error code. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference). +{% data variables.product.prodname_actions %} stops a job immediately if one of the steps returns an error code. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#exit-codes-and-error-action-preference). ### Job error handling -{% data variables.product.prodname_actions %} uses `if` conditionals to execute jobs or steps in certain situations. For example, you can run a step when another step results in a `failure()`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#example-using-status-check-functions). You can also use [`continue-on-error`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error) to prevent a workflow run from stopping when a job fails. +{% data variables.product.prodname_actions %} uses `if` conditionals to execute jobs or steps in certain situations. For example, you can run a step when another step results in a `failure()`. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#example-using-status-check-functions). You can also use [`continue-on-error`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idcontinue-on-error) to prevent a workflow run from stopping when a job fails. ## Migrating syntax for conditionals and expressions -To run jobs under conditional expressions, Travis CI and {% data variables.product.prodname_actions %} share a similar `if` condition syntax. {% data variables.product.prodname_actions %} lets you use the `if` conditional to prevent a job or step from running unless a condition is met. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). +To run jobs under conditional expressions, Travis CI and {% data variables.product.prodname_actions %} share a similar `if` condition syntax. {% data variables.product.prodname_actions %} lets you use the `if` conditional to prevent a job or step from running unless a condition is met. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/expressions). This example demonstrates how an `if` conditional can control whether a step is executed: @@ -227,7 +227,7 @@ jobs: ## Migrating phases to steps -Where Travis CI uses _phases_ to run _steps_, {% data variables.product.prodname_actions %} has _steps_ which execute _actions_. You can find prebuilt actions in the [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see [AUTOTITLE](/actions/creating-actions). +Where Travis CI uses _phases_ to run _steps_, {% data variables.product.prodname_actions %} has _steps_ which execute _actions_. You can find prebuilt actions in the [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions), or you can create your own actions. For more information, see [AUTOTITLE](/actions/how-tos/reuse-automations). Below is an example of the syntax for each system. @@ -349,4 +349,4 @@ jobs: ## Next steps -To continue learning about the main features of {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions). +To continue learning about the main features of {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/how-tos/write-workflows). diff --git a/content/actions/tutorials/publish-packages/publish-docker-images.md b/content/actions/tutorials/publish-packages/publish-docker-images.md index ee8a4218cf48..f4550d57ce6b 100644 --- a/content/actions/tutorials/publish-packages/publish-docker-images.md +++ b/content/actions/tutorials/publish-packages/publish-docker-images.md @@ -28,12 +28,12 @@ This guide shows you how to create a workflow that performs a Docker build, and ## Prerequisites -We recommend that you have a basic understanding of workflow configuration options and how to create a workflow file. For more information, see [AUTOTITLE](/actions/learn-github-actions). +We recommend that you have a basic understanding of workflow configuration options and how to create a workflow file. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows). You might also find it helpful to have a basic understanding of the following: -* [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) -* [AUTOTITLE](/actions/security-guides/automatic-token-authentication){% ifversion fpt or ghec %} +* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets) +* [AUTOTITLE](/actions/tutorials/authenticate-with-github_token){% ifversion fpt or ghec %} * [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-container-registry){% else %} * [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-docker-registry){% endif %} @@ -58,7 +58,7 @@ In the example workflow below, we use the Docker `login-action` and `build-push- To push to Docker Hub, you will need to have a Docker Hub account, and have a Docker Hub repository created. For more information, see [Pushing a Docker container image to Docker Hub](https://docs.docker.com/docker-hub/quickstart/#step-3-build-and-push-an-image-to-docker-hub) in the Docker documentation. The `login-action` options required for Docker Hub are: -* `username` and `password`: This is your Docker Hub username and password. We recommend storing your Docker Hub username and password as secrets so they aren't exposed in your workflow file. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +* `username` and `password`: This is your Docker Hub username and password. We recommend storing your Docker Hub username and password as secrets so they aren't exposed in your workflow file. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). The `metadata-action` option required for Docker Hub is: * `images`: The namespace and name for the Docker image you are building/pushing to Docker Hub. @@ -139,8 +139,8 @@ In the example workflow below, we use the Docker `login-action`{% ifversion fpt The `login-action` options required for {% data variables.product.prodname_registry %} are: * `registry`: Must be set to {% ifversion fpt or ghec %}`ghcr.io`{% elsif ghes %}`{% data reusables.package_registry.container-registry-hostname %}`{% endif %}. -* `username`: You can use the {% raw %}`${{ github.actor }}`{% endraw %} context to automatically use the username of the user that triggered the workflow run. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#github-context). -* `password`: You can use the automatically-generated `GITHUB_TOKEN` secret for the password. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication). +* `username`: You can use the {% raw %}`${{ github.actor }}`{% endraw %} context to automatically use the username of the user that triggered the workflow run. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/contexts#github-context). +* `password`: You can use the automatically-generated `GITHUB_TOKEN` secret for the password. For more information, see [AUTOTITLE](/actions/tutorials/authenticate-with-github_token). {% ifversion fpt or ghec %} The `metadata-action` option required for {% data variables.product.prodname_registry %} is: diff --git a/content/actions/tutorials/publish-packages/publish-java-packages-with-gradle.md b/content/actions/tutorials/publish-packages/publish-java-packages-with-gradle.md index cfcc8c584313..abc935dabbfe 100644 --- a/content/actions/tutorials/publish-packages/publish-java-packages-with-gradle.md +++ b/content/actions/tutorials/publish-packages/publish-java-packages-with-gradle.md @@ -24,16 +24,16 @@ category: ## Prerequisites -We recommend that you have a basic understanding of workflow files and configuration options. For more information, see [AUTOTITLE](/actions/learn-github-actions). +We recommend that you have a basic understanding of workflow files and configuration options. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows). -For more information about creating a CI workflow for your Java project with Gradle, see [AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-java-with-gradle). +For more information about creating a CI workflow for your Java project with Gradle, see [AUTOTITLE](/actions/tutorials/build-and-test-code/java-with-gradle). You may also find it helpful to have a basic understanding of the following: * [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry) -* [AUTOTITLE](/actions/learn-github-actions/variables) -* [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) -* [AUTOTITLE](/actions/security-guides/automatic-token-authentication) +* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables) +* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets) +* [AUTOTITLE](/actions/tutorials/authenticate-with-github_token) ## About package configuration @@ -43,7 +43,7 @@ The _build.gradle_ file also contains configuration for the distribution managem ## Publishing packages to the Maven Central Repository -Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to the Maven Central Repository if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release). +Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to the Maven Central Repository if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows#release). You can define a new Maven repository in the publishing block of your _build.gradle_ file that points to your package repository. For example, if you were deploying to the Maven Central Repository through the OSSRH hosting project, your _build.gradle_ could specify a repository with the name `"OSSRH"`. @@ -73,7 +73,7 @@ publishing { {% endraw %} -With this configuration, you can create a workflow that publishes your package to the Maven Central Repository by running the `gradle publish` command. In the deploy step, you’ll need to set environment variables for the username and password or token that you use to authenticate to the Maven repository. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +With this configuration, you can create a workflow that publishes your package to the Maven Central Repository by running the `gradle publish` command. In the deploy step, you’ll need to set environment variables for the username and password or token that you use to authenticate to the Maven repository. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ```yaml copy @@ -109,11 +109,11 @@ jobs: {% data reusables.actions.gradle-workflow-steps %} 1. Executes the Gradle `publish` task to publish to the `OSSRH` Maven repository. The `MAVEN_USERNAME` environment variable will be set with the contents of your `OSSRH_USERNAME` secret, and the `MAVEN_PASSWORD` environment variable will be set with the contents of your `OSSRH_TOKEN` secret. - For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ## Publishing packages to {% data variables.product.prodname_registry %} -Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to {% data variables.product.prodname_registry %} if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release). +Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to {% data variables.product.prodname_registry %} if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows#release). You can define a new Maven repository in the publishing block of your _build.gradle_ that points to {% data variables.product.prodname_registry %}. In that repository configuration, you can also take advantage of environment variables set in your CI workflow run. You can use the `GITHUB_ACTOR` environment variable as a username, and you can set the `GITHUB_TOKEN` environment variable with your `GITHUB_TOKEN` secret. @@ -183,7 +183,7 @@ jobs: {% data reusables.actions.gradle-workflow-steps %} 1. Executes the Gradle `publish` task to publish to {% data variables.product.prodname_registry %}. The `GITHUB_TOKEN` environment variable will be set with the content of the `GITHUB_TOKEN` secret. The `permissions` key specifies the access that the `GITHUB_TOKEN` secret will allow. - For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ## Publishing packages to the Maven Central Repository and {% data variables.product.prodname_registry %} @@ -268,4 +268,4 @@ jobs: {% data reusables.actions.gradle-workflow-steps %} 1. Executes the Gradle `publish` task to publish to the `OSSRH` Maven repository and {% data variables.product.prodname_registry %}. The `MAVEN_USERNAME` environment variable will be set with the contents of your `OSSRH_USERNAME` secret, and the `MAVEN_PASSWORD` environment variable will be set with the contents of your `OSSRH_TOKEN` secret. The `GITHUB_TOKEN` environment variable will be set with the content of the `GITHUB_TOKEN` secret. The `permissions` key specifies the access that the `GITHUB_TOKEN` secret will allow. - For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). diff --git a/content/actions/tutorials/publish-packages/publish-java-packages-with-maven.md b/content/actions/tutorials/publish-packages/publish-java-packages-with-maven.md index e3c4729b6125..ba310a526b46 100644 --- a/content/actions/tutorials/publish-packages/publish-java-packages-with-maven.md +++ b/content/actions/tutorials/publish-packages/publish-java-packages-with-maven.md @@ -24,16 +24,16 @@ category: ## Prerequisites -We recommend that you have a basic understanding of workflow files and configuration options. For more information, see [AUTOTITLE](/actions/learn-github-actions). +We recommend that you have a basic understanding of workflow files and configuration options. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows). -For more information about creating a CI workflow for your Java project with Maven, see [AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-java-with-maven). +For more information about creating a CI workflow for your Java project with Maven, see [AUTOTITLE](/actions/tutorials/build-and-test-code/java-with-maven). You may also find it helpful to have a basic understanding of the following: * [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry) -* [AUTOTITLE](/actions/learn-github-actions/variables) -* [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) -* [AUTOTITLE](/actions/security-guides/automatic-token-authentication) +* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables) +* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets) +* [AUTOTITLE](/actions/tutorials/authenticate-with-github_token) ## About package configuration @@ -47,7 +47,7 @@ You can use the `setup-java` action to configure the deployment repository as we ## Publishing packages to the Maven Central Repository -Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to the Maven Central Repository if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release). +Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to the Maven Central Repository if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows#release). In this workflow, you can use the `setup-java` action. This action installs the given version of the JDK into the `PATH`, but it also configures a Maven _settings.xml_ for publishing packages. By default, the settings file will be configured for {% data variables.product.prodname_registry %}, but it can be configured to deploy to another package registry, such as the Maven Central Repository. If you already have a distribution management repository configured in _pom.xml_, then you can specify that `id` during the `setup-java` action invocation. @@ -72,7 +72,7 @@ For example, if you were deploying to the Maven Central Repository through the O With this configuration, you can create a workflow that publishes your package to the Maven Central Repository by specifying the repository management `id` to the `setup-java` action. You’ll also need to provide environment variables that contain the username and password to authenticate to the repository. -In the deploy step, you’ll need to set the environment variables to the username that you authenticate with to the repository, and to a secret that you’ve configured with the password or token to authenticate with. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +In the deploy step, you’ll need to set the environment variables to the username that you authenticate with to the repository, and to a secret that you’ve configured with the password or token to authenticate with. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ```yaml copy name: Publish package to the Maven Central Repository @@ -105,11 +105,11 @@ This workflow performs the following steps: 1. Sets up the Java JDK, and also configures the Maven _settings.xml_ file to add authentication for the `ossrh` repository using the `MAVEN_USERNAME` and `MAVEN_PASSWORD` environment variables. 1. {% data reusables.actions.publish-to-maven-workflow-step %} - For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ## Publishing packages to {% data variables.product.prodname_registry %} -Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to {% data variables.product.prodname_registry %} if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#release). +Each time you create a new release, you can trigger a workflow to publish your package. The workflow in the example below runs when the `release` event triggers with type `created`. The workflow publishes the package to {% data variables.product.prodname_registry %} if CI tests pass. For more information on the `release` event, see [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows#release). In this workflow, you can use the `setup-java` action. This action installs the given version of the JDK into the `PATH`, and also sets up a Maven _settings.xml_ for publishing the package to {% data variables.product.prodname_registry %}. The generated _settings.xml_ defines authentication for a server with an `id` of `github`, using the `GITHUB_ACTOR` environment variable as the username and the `GITHUB_TOKEN` environment variable as the password. The `GITHUB_TOKEN` environment variable is assigned the value of the special `GITHUB_TOKEN` secret. @@ -167,7 +167,7 @@ This workflow performs the following steps: 1. Sets up the Java JDK, and also automatically configures the Maven _settings.xml_ file to add authentication for the `github` Maven repository to use the `GITHUB_TOKEN` environment variable. 1. {% data reusables.actions.publish-to-packages-workflow-step %} - For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ## Publishing packages to the Maven Central Repository and {% data variables.product.prodname_registry %} @@ -222,4 +222,4 @@ This workflow performs the following steps: 1. Calls `setup-java` the second time. This automatically configures the Maven _settings.xml_ file for {% data variables.product.prodname_registry %}. 1. {% data reusables.actions.publish-to-packages-workflow-step %} - For more information about using secrets in your workflow, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). + For more information about using secrets in your workflow, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). diff --git a/content/actions/tutorials/publish-packages/publish-nodejs-packages.md b/content/actions/tutorials/publish-packages/publish-nodejs-packages.md index d3cdce81985b..429958fe46a3 100644 --- a/content/actions/tutorials/publish-packages/publish-nodejs-packages.md +++ b/content/actions/tutorials/publish-packages/publish-nodejs-packages.md @@ -25,16 +25,16 @@ This guide shows you how to create a workflow that publishes Node.js packages to ## Prerequisites -We recommend that you have a basic understanding of workflow configuration options and how to create a workflow file. For more information, see [AUTOTITLE](/actions/learn-github-actions). +We recommend that you have a basic understanding of workflow configuration options and how to create a workflow file. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows). -For more information about creating a CI workflow for your Node.js project, see [AUTOTITLE](/actions/automating-builds-and-tests/building-and-testing-nodejs). +For more information about creating a CI workflow for your Node.js project, see [AUTOTITLE](/actions/tutorials/build-and-test-code/nodejs). You may also find it helpful to have a basic understanding of the following: * [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-npm-registry) -* [AUTOTITLE](/actions/learn-github-actions/variables) -* [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions) -* [AUTOTITLE](/actions/security-guides/automatic-token-authentication) +* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables) +* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets) +* [AUTOTITLE](/actions/tutorials/authenticate-with-github_token) ## About package configuration @@ -50,7 +50,7 @@ If you add steps in your workflow to configure the `publishConfig` fields in you You can trigger a workflow to publish your package every time you publish a new release. The process in the following example is executed when the release event of type `published` is triggered. If the CI tests pass, the process uploads the package to the npm registry. For more information, see [AUTOTITLE](/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release). -To perform authenticated operations against the npm registry in your workflow, you'll need to store your npm authentication token as a secret. For example, create a repository secret called `NPM_TOKEN`. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +To perform authenticated operations against the npm registry in your workflow, you'll need to store your npm authentication token as a secret. For example, create a repository secret called `NPM_TOKEN`. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). By default, npm uses the `name` field of the `package.json` file to determine the name of your published package. When publishing to a global namespace, you only need to include the package name. For example, you would publish a package named `my-package` to `https://www.npmjs.com/package/my-package`. @@ -118,7 +118,7 @@ If you do provide the `repository` key in your `package.json` file, then the rep To perform authenticated operations against the {% data variables.product.prodname_registry %} registry in your workflow, you can use the `GITHUB_TOKEN`. {% data reusables.actions.github-token-permissions %} -If you want to publish your package to a different repository, you must use a {% data variables.product.pat_v1 %} that has permission to write to packages in the destination repository. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). +If you want to publish your package to a different repository, you must use a {% data variables.product.pat_v1 %} that has permission to write to packages in the destination repository. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) and [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets). ### Example workflow diff --git a/content/actions/tutorials/store-and-share-data.md b/content/actions/tutorials/store-and-share-data.md index fd148660ad9a..a6a0d52e4d0e 100644 --- a/content/actions/tutorials/store-and-share-data.md +++ b/content/actions/tutorials/store-and-share-data.md @@ -208,7 +208,7 @@ jobs: echo The result is $value ``` -The workflow run will archive any artifacts that it generated. For more information on downloading archived artifacts, see [AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts). +The workflow run will archive any artifacts that it generated. For more information on downloading archived artifacts, see [AUTOTITLE](/actions/how-tos/manage-workflow-runs/download-workflow-artifacts). {% ifversion fpt or ghec %} diff --git a/content/actions/tutorials/use-actions-runner-controller/get-started.md b/content/actions/tutorials/use-actions-runner-controller/get-started.md index cae9e0856a70..1127c6df58b6 100644 --- a/content/actions/tutorials/use-actions-runner-controller/get-started.md +++ b/content/actions/tutorials/use-actions-runner-controller/get-started.md @@ -45,7 +45,7 @@ In order to use ARC, ensure you have the following. For additional Helm configuration options, see [`values.yaml`](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set-controller/values.yaml) in the ARC documentation. -1. To enable ARC to authenticate to {% data variables.product.company_short %}, generate a {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#deploying-using-personal-access-token-classic-authentication). +1. To enable ARC to authenticate to {% data variables.product.company_short %}, generate a {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/use-actions-runner-controller/authenticate-to-the-api#deploying-using-personal-access-token-classic-authentication). ## Configuring a runner scale set @@ -53,7 +53,7 @@ In order to use ARC, ensure you have the following. When you run the command, keep the following in mind. - * Update the `INSTALLATION_NAME` value carefully. You will use the installation name as the value of `runs-on` in your workflows. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on). + * Update the `INSTALLATION_NAME` value carefully. You will use the installation name as the value of `runs-on` in your workflows. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idruns-on). * Update the `NAMESPACE` value to the location you want the runner pods to be created. * Set `GITHUB_CONFIG_URL` to the URL of your repository, organization, or enterprise. This is the entity that the runners will belong to. {% ifversion fpt %} @@ -65,7 +65,7 @@ In order to use ARC, ensure you have the following. > [!NOTE] > * {% data reusables.actions.actions-runner-controller-security-practices-namespace %} - > * {% data reusables.actions.actions-runner-controller-security-practices-secret %} For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller). + > * {% data reusables.actions.actions-runner-controller-security-practices-secret %} For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/use-actions-runner-controller/deploy-runner-scale-sets). ```bash copy INSTALLATION_NAME="arc-runner-set" @@ -110,7 +110,7 @@ In order to use ARC, ensure you have the following. arc-runner-set-754b578d-listener 1/1 Running 0 12s ``` -If your installation was not successful, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors) for troubleshooting information. +If your installation was not successful, see [AUTOTITLE](/actions/tutorials/use-actions-runner-controller/troubleshoot) for troubleshooting information. ## Using runner scale sets @@ -118,7 +118,7 @@ Now you will create and run a simple test workflow that uses the runner scale se 1. In a repository, create a workflow similar to the following example. The `runs-on` value should match the Helm installation name you used when you installed the autoscaling runner set. - For more information on adding workflows to a repository, see [AUTOTITLE](/actions/quickstart#creating-your-first-workflow). + For more information on adding workflows to a repository, see [AUTOTITLE](/actions/get-started/quickstart#creating-your-first-workflow). ```yaml copy name: Actions Runner Controller Demo @@ -133,7 +133,7 @@ Now you will create and run a simple test workflow that uses the runner scale se - run: echo "🎉 This job uses runner scale set runners!" ``` -1. Once you've added the workflow to your repository, manually trigger the workflow. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/manually-running-a-workflow). +1. Once you've added the workflow to your repository, manually trigger the workflow. For more information, see [AUTOTITLE](/actions/how-tos/manage-workflow-runs/manually-run-a-workflow). 1. To view the runner pods being created while the workflow is running, run the following command from your terminal. @@ -152,9 +152,9 @@ Now you will create and run a simple test workflow that uses the runner scale se {% data variables.product.prodname_actions_runner_controller %} can help you efficiently manage your {% data variables.product.prodname_actions %} runners. Ready to get started? Here are some helpful resources for taking your next steps with ARC: -* For detailed authentication information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api). -* For help using ARC runners in your workflows, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow). -* For deployment information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller). +* For detailed authentication information, see [AUTOTITLE](/actions/how-tos/manage-runners/use-actions-runner-controller/authenticate-to-the-api). +* For help using ARC runners in your workflows, see [AUTOTITLE](/actions/how-tos/manage-runners/use-actions-runner-controller/use-arc-in-a-workflow). +* For deployment information, see [AUTOTITLE](/actions/how-tos/manage-runners/use-actions-runner-controller/deploy-runner-scale-sets). ## Legal notice diff --git a/content/actions/tutorials/use-actions-runner-controller/troubleshoot.md b/content/actions/tutorials/use-actions-runner-controller/troubleshoot.md index b90c6450225a..3a976c1263f3 100644 --- a/content/actions/tutorials/use-actions-runner-controller/troubleshoot.md +++ b/content/actions/tutorials/use-actions-runner-controller/troubleshoot.md @@ -88,7 +88,7 @@ If the controller pod is running, but the listener pod is not, inspect the logs If you have a proxy configured or you're using a sidecar proxy that's automatically injected, such as [Istio](https://istio.io/), ensure it's configured to allow traffic from the controller container (manager) to the Kubernetes API server. -If you have installed the autoscaling runner set, but the listener pod is not created, verify that the `githubConfigSecret` you provided is correct and that the `githubConfigUrl` you provided is accurate. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller) for more information. +If you have installed the autoscaling runner set, but the listener pod is not created, verify that the `githubConfigSecret` you provided is correct and that the `githubConfigUrl` you provided is accurate. See [AUTOTITLE](/actions/how-tos/manage-runners/use-actions-runner-controller/authenticate-to-the-api) and [AUTOTITLE](/actions/how-tos/manage-runners/use-actions-runner-controller/deploy-runner-scale-sets) for more information. ## Runner pods are recreated after a canceled workflow run diff --git a/content/actions/tutorials/use-containerized-services/create-a-docker-container-action.md b/content/actions/tutorials/use-containerized-services/create-a-docker-container-action.md index a973af03ac47..28cde100bc21 100644 --- a/content/actions/tutorials/use-containerized-services/create-a-docker-container-action.md +++ b/content/actions/tutorials/use-containerized-services/create-a-docker-container-action.md @@ -36,11 +36,11 @@ Once you complete this project, you should understand how to build your own Dock * You must create a repository on {% data variables.product.github %} and clone it to your workstation. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository) and [AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository). * If your repository uses {% data variables.large_files.product_name_short %}, you must include the objects in archives of your repository. For more information, see [AUTOTITLE](/enterprise-cloud@latest/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-git-lfs-objects-in-archives-of-your-repository). -* You may find it helpful to have a basic understanding of {% data variables.product.prodname_actions %}, environment variables and the Docker container filesystem. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables) and [AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-github-hosted-runners#docker-container-filesystem). +* You may find it helpful to have a basic understanding of {% data variables.product.prodname_actions %}, environment variables and the Docker container filesystem. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables) and [AUTOTITLE](/actions/reference/runners/github-hosted-runners#docker-container-filesystem). ## Creating a Dockerfile -In your new `hello-world-docker-action` directory, create a new `Dockerfile` file. Make sure that your filename is capitalized correctly (use a capital `D` but not a capital `f`) if you're having issues. For more information, see [AUTOTITLE](/actions/creating-actions/dockerfile-support-for-github-actions). +In your new `hello-world-docker-action` directory, create a new `Dockerfile` file. Make sure that your filename is capitalized correctly (use a capital `D` but not a capital `f`) if you're having issues. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dockerfile-support). **Dockerfile** @@ -57,7 +57,7 @@ ENTRYPOINT ["/entrypoint.sh"] ## Creating an action metadata file -Create a new `action.yml` file in the `hello-world-docker-action` directory you created above. For more information, see [AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions). +Create a new `action.yml` file in the `hello-world-docker-action` directory you created above. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/metadata-syntax). {% raw %} **action.yml** @@ -91,7 +91,7 @@ This metadata defines one `who-to-greet` input and one `time` output parameter. You can choose any base Docker image and, therefore, any language for your action. The following shell script example uses the `who-to-greet` input variable to print "Hello [who-to-greet]" in the log file. -Next, the script gets the current time and sets it as an output variable that actions running later in a job can use. In order for {% data variables.product.prodname_dotcom %} to recognize output variables, you must write them to the `$GITHUB_OUTPUT` environment file: `echo "=" >> $GITHUB_OUTPUT`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#setting-an-output-parameter). +Next, the script gets the current time and sets it as an output variable that actions running later in a job can use. In order for {% data variables.product.prodname_dotcom %} to recognize output variables, you must write them to the `$GITHUB_OUTPUT` environment file: `echo "=" >> $GITHUB_OUTPUT`. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-commands#setting-an-output-parameter). 1. Create a new `entrypoint.sh` file in the `hello-world-docker-action` directory. @@ -108,7 +108,7 @@ Next, the script gets the current time and sets it as an output variable that ac ``` - If `entrypoint.sh` executes without any errors, the action's status is set to `success`. You can also explicitly set exit codes in your action's code to provide an action's status. For more information, see [AUTOTITLE](/actions/creating-actions/setting-exit-codes-for-actions). + If `entrypoint.sh` executes without any errors, the action's status is set to `success`. You can also explicitly set exit codes in your action's code to provide an action's status. For more information, see [AUTOTITLE](/actions/how-tos/create-and-publish-actions/set-exit-codes). 1. Make your `entrypoint.sh` file executable. Git provides a way to explicitly change the permission mode of a file so that it doesn’t get reset every time there is a clone/fork. @@ -168,7 +168,7 @@ with: From your terminal, commit your `action.yml`, `entrypoint.sh`, `Dockerfile`, and `README.md` files. -It's best practice to also add a version tag for releases of your action. For more information on versioning your action, see [AUTOTITLE](/actions/creating-actions/about-custom-actions#using-release-management-for-actions). +It's best practice to also add a version tag for releases of your action. For more information on versioning your action, see [AUTOTITLE](/actions/how-tos/create-and-publish-actions/manage-custom-actions#using-release-management-for-actions). ```shell copy git add action.yml entrypoint.sh Dockerfile README.md @@ -189,7 +189,7 @@ Now you're ready to test your action out in a workflow. ### Example using a public action -The following workflow code uses the completed _hello world_ action in the public [`actions/hello-world-docker-action`](https://github.com/actions/hello-world-docker-action) repository. Copy the following workflow example code into a `.github/workflows/main.yml` file, but replace the `actions/hello-world-docker-action` with your repository and action name. You can also replace the `who-to-greet` input with your name. {% ifversion fpt or ghec %}Public actions can be used even if they're not published to {% data variables.product.prodname_marketplace %}. For more information, see [AUTOTITLE](/actions/creating-actions/publishing-actions-in-github-marketplace#publishing-an-action). {% endif %} +The following workflow code uses the completed _hello world_ action in the public [`actions/hello-world-docker-action`](https://github.com/actions/hello-world-docker-action) repository. Copy the following workflow example code into a `.github/workflows/main.yml` file, but replace the `actions/hello-world-docker-action` with your repository and action name. You can also replace the `who-to-greet` input with your name. {% ifversion fpt or ghec %}Public actions can be used even if they're not published to {% data variables.product.prodname_marketplace %}. For more information, see [AUTOTITLE](/actions/how-tos/create-and-publish-actions/publish-in-github-marketplace#publishing-an-action). {% endif %} **.github/workflows/main.yml** @@ -266,7 +266,7 @@ jobs: path: {% raw %}${{ github.workspace }}{% endraw %} ``` -For more information about uploading build output as an artifact, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts). +For more information about uploading build output as an artifact, see [AUTOTITLE](/actions/tutorials/store-and-share-data). ## Example Docker container actions on {% data variables.product.prodname_dotcom_the_website %} diff --git a/content/actions/tutorials/use-containerized-services/create-postgresql-service-containers.md b/content/actions/tutorials/use-containerized-services/create-postgresql-service-containers.md index 8ce4f70b195d..b652b790a3d3 100644 --- a/content/actions/tutorials/use-containerized-services/create-postgresql-service-containers.md +++ b/content/actions/tutorials/use-containerized-services/create-postgresql-service-containers.md @@ -33,7 +33,7 @@ This guide shows you workflow examples that configure a service container using You may also find it helpful to have a basic understanding of YAML, the syntax for {% data variables.product.prodname_actions %}, and PostgreSQL. For more information, see: -* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/how-tos/write-workflows) * [PostgreSQL tutorial](https://www.postgresqltutorial.com/) in the PostgreSQL documentation ## Running jobs in containers @@ -220,7 +220,7 @@ jobs: {% data reusables.actions.postgres-label-description %} -The workflow maps port 5432 on the PostgreSQL service container to the Docker host. For more information about the `ports` keyword, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports). +The workflow maps port 5432 on the PostgreSQL service container to the Docker host. For more information about the `ports` keyword, see [AUTOTITLE](/actions/tutorials/use-containerized-services/use-docker-service-containers#mapping-docker-host-and-service-container-ports). ```yaml copy jobs: diff --git a/content/actions/tutorials/use-containerized-services/create-redis-service-containers.md b/content/actions/tutorials/use-containerized-services/create-redis-service-containers.md index 8bfac68ab542..576b6abd057f 100644 --- a/content/actions/tutorials/use-containerized-services/create-redis-service-containers.md +++ b/content/actions/tutorials/use-containerized-services/create-redis-service-containers.md @@ -33,7 +33,7 @@ This guide shows you workflow examples that configure a service container using You may also find it helpful to have a basic understanding of YAML, the syntax for {% data variables.product.prodname_actions %}, and Redis. For more information, see: -* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/how-tos/write-workflows) * [Getting Started with Redis](https://redis.io/learn/howtos/quick-start) in the Redis documentation ## Running jobs in containers @@ -210,7 +210,7 @@ jobs: {% data reusables.actions.redis-label-description %} -The workflow maps port 6379 on the Redis service container to the Docker host. For more information about the `ports` keyword, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports). +The workflow maps port 6379 on the Redis service container to the Docker host. For more information about the `ports` keyword, see [AUTOTITLE](/actions/tutorials/use-containerized-services/use-docker-service-containers#mapping-docker-host-and-service-container-ports). ```yaml copy jobs: diff --git a/content/actions/tutorials/use-containerized-services/use-docker-service-containers.md b/content/actions/tutorials/use-containerized-services/use-docker-service-containers.md index 5d3cf2c1601b..f09497deb646 100644 --- a/content/actions/tutorials/use-containerized-services/use-docker-service-containers.md +++ b/content/actions/tutorials/use-containerized-services/use-docker-service-containers.md @@ -42,11 +42,11 @@ You don't need to configure any ports for service containers. By default, all co When running jobs directly on the runner machine, you can access service containers using `localhost:` or `127.0.0.1:`. {% data variables.product.prodname_dotcom %} configures the container network to enable communication from the service container to the Docker host. -When a job runs directly on a runner machine, the service running in the Docker container does not expose its ports to the job on the runner by default. You need to map ports on the service container to the Docker host. For more information, see [AUTOTITLE](/actions/using-containerized-services/about-service-containers#mapping-docker-host-and-service-container-ports). +When a job runs directly on a runner machine, the service running in the Docker container does not expose its ports to the job on the runner by default. You need to map ports on the service container to the Docker host. For more information, see [AUTOTITLE](/actions/tutorials/use-containerized-services/use-docker-service-containers#mapping-docker-host-and-service-container-ports). ## Creating service containers -You can use the `services` keyword to create service containers that are part of a job in your workflow. For more information, see [`jobs..services`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices). +You can use the `services` keyword to create service containers that are part of a job in your workflow. For more information, see [`jobs..services`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idservices). This example creates a service called `redis` in a job called `container-job`. The Docker host in this example is the `node:16-bullseye` container. @@ -78,7 +78,7 @@ jobs: If your job runs in a Docker container, you do not need to map ports on the host or the service container. If your job runs directly on the runner machine, you'll need to map any required service container ports to ports on the host runner machine. -You can map service containers ports to the Docker host using the `ports` keyword. For more information, see [`jobs..services`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices). +You can map service containers ports to the Docker host using the `ports` keyword. For more information, see [`jobs..services`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idservices). | Value of `ports` | Description | |------------------|--------------| @@ -88,7 +88,7 @@ You can map service containers ports to the Docker host using the `ports` keywor When you map ports using the `ports` keyword, {% data variables.product.prodname_dotcom %} uses the `--publish` command to publish the container’s ports to the Docker host. For more information, see [Docker container networking](https://docs.docker.com/config/containers/container-networking/) in the Docker documentation. -When you specify the container port but not the Docker host port, the container port is randomly assigned to a free port. {% data variables.product.prodname_dotcom %} sets the assigned container port in the service container context. For example, for a `redis` service container, if you configured the Docker host port 5432, you can access the corresponding container port using the `job.services.redis.ports[5432]` context. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts#job-context). +When you specify the container port but not the Docker host port, the container port is randomly assigned to a free port. {% data variables.product.prodname_dotcom %} sets the assigned container port in the service container context. For example, for a `redis` service container, if you configured the Docker host port 5432, you can access the corresponding container port using the `job.services.redis.ports[5432]` context. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/contexts#job-context). ### Example mapping Redis ports @@ -183,11 +183,11 @@ services: - 2379:2379 ``` -The naming and behavior match Docker Compose. For more information, see [`jobs..services..command`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservicesservice_idcommand) and [`jobs..services..entrypoint`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservicesservice_identrypoint). +The naming and behavior match Docker Compose. For more information, see [`jobs..services..command`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idservicesservice_idcommand) and [`jobs..services..entrypoint`](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idservicesservice_identrypoint). {% endif %} ## Further reading -* [AUTOTITLE](/actions/using-containerized-services/creating-redis-service-containers) -* [AUTOTITLE](/actions/using-containerized-services/creating-postgresql-service-containers) +* [AUTOTITLE](/actions/tutorials/use-containerized-services/create-redis-service-containers) +* [AUTOTITLE](/actions/tutorials/use-containerized-services/create-postgresql-service-containers) diff --git a/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md b/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md index 36f346db0872..42bfd0cf8109 100644 --- a/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md +++ b/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md @@ -16,7 +16,7 @@ category: - Install and configure your instance --- -You can execute these commands from anywhere on the VM after signing in as an SSH admin user. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh). +You can execute these commands from anywhere on the VM after signing in as an SSH admin user. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh). ## General @@ -45,7 +45,7 @@ $ ghe-announce -u > dismissible: MESSAGE ``` -You can also set an announcement banner using the enterprise settings on {% data variables.product.prodname_ghe_server %}. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner). +You can also set an announcement banner using the enterprise settings on {% data variables.product.prodname_ghe_server %}. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner). @@ -124,7 +124,7 @@ Allows you to find the universally unique identifier (UUID) of your node in `clu ghe-config HOSTNAME.uuid ``` -Allows you to exempt a list of users from REST API rate limits. A hard limit of 120,000 requests will still apply to these users. Usernames you provide for this command are case-sensitive. For more information, see [AUTOTITLE](/rest/overview/rate-limits-for-the-rest-api). +Allows you to exempt a list of users from REST API rate limits. A hard limit of 120,000 requests will still apply to these users. Usernames you provide for this command are case-sensitive. For more information, see [AUTOTITLE](/rest/using-the-rest-api/rate-limits-for-the-rest-api). ``` shell $ ghe-config app.github.rate-limiting-exempt-users "hubot github-actions[bot]" @@ -306,7 +306,7 @@ ghe-logs-tail ### ghe-maintenance -This utility allows you to control the state of the installation's maintenance mode. It's designed to be used primarily by the {% data variables.enterprise.management_console %} behind-the-scenes, but it can be used directly. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/enabling-and-scheduling-maintenance-mode). +This utility allows you to control the state of the installation's maintenance mode. It's designed to be used primarily by the {% data variables.enterprise.management_console %} behind-the-scenes, but it can be used directly. For more information, see [AUTOTITLE](/admin/administering-your-instance/configuring-maintenance-mode/enabling-and-scheduling-maintenance-mode). ```shell ghe-maintenance -h @@ -367,7 +367,7 @@ ghe-org-admin-promote -a ### ghe-reactivate-admin-login -Use this command to immediately unlock the {% data variables.enterprise.management_console %} after an account lockout. To configure authentication policies for {% data variables.location.product_location %}, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/configuring-rate-limits#configuring-authentication-policy-rate-limits). +Use this command to immediately unlock the {% data variables.enterprise.management_console %} after an account lockout. To configure authentication policies for {% data variables.location.product_location %}, see [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/configuring-rate-limits#configuring-authentication-policy-rate-limits). ```shell ghe-reactivate-admin-login @@ -541,7 +541,7 @@ existing keys in /etc/ssh/ssh_host_* and generate new ones. [y/N] ### ghe-ssh-weak-fingerprints -This utility returns a report of known weak SSH keys stored on the {% data variables.product.prodname_enterprise %} appliance. You can optionally revoke user keys as a bulk action. The utility will report weak system keys, which you must manually revoke in the [{% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console). +This utility returns a report of known weak SSH keys stored on the {% data variables.product.prodname_enterprise %} appliance. You can optionally revoke user keys as a bulk action. The utility will report weak system keys, which you must manually revoke in the [{% data variables.enterprise.management_console %}](/admin/administering-your-instance/administering-your-instance-from-the-web-ui). ```shell # Print a report of weak user and system SSH keys @@ -553,7 +553,7 @@ $ ghe-ssh-weak-fingerprints --revoke ### ghe-ssl-acme -This utility allows you to install a Let's Encrypt certificate on your {% data variables.product.prodname_enterprise %} appliance. For more information, see [AUTOTITLE](/admin/configuration/configuring-network-settings/configuring-tls). +This utility allows you to install a Let's Encrypt certificate on your {% data variables.product.prodname_enterprise %} appliance. For more information, see [AUTOTITLE](/admin/configuring-settings/hardening-security-for-your-enterprise/configuring-tls). You can use the `-x` flag to remove the ACME configuration. @@ -623,7 +623,7 @@ For more information about this command or for additional options, use the `-h` ### ghe-ssl-generate-csr -This utility allows you to generate a private key and certificate signing request (CSR), which you can share with a commercial or private certificate authority to get a valid certificate to use with your instance. For more information, see [AUTOTITLE](/admin/configuration/configuring-network-settings/configuring-tls). +This utility allows you to generate a private key and certificate signing request (CSR), which you can share with a commercial or private certificate authority to get a valid certificate to use with your instance. For more information, see [AUTOTITLE](/admin/configuring-settings/hardening-security-for-your-enterprise/configuring-tls). For more information about this command or for additional options, use the `-h` flag. @@ -633,7 +633,7 @@ ghe-ssl-generate-csr ### ghe-storage-extend -Some platforms require this script to expand the user volume. For more information, see [AUTOTITLE](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/increasing-storage-capacity). +Some platforms require this script to expand the user volume. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/updating-the-virtual-machine-and-physical-resources/increasing-storage-capacity). ```shell ghe-storage-extend @@ -705,7 +705,7 @@ ghe-backup-healthcheck ### ghe-cluster-balance -This utility allows you to enforce an even distribution of allocations across your cluster nodes by checking the status of your cluster's allocations, then rebalancing problematic allocations. For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-clustering/rebalancing-cluster-workloads). +This utility allows you to enforce an even distribution of allocations across your cluster nodes by checking the status of your cluster's allocations, then rebalancing problematic allocations. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-clustering/rebalancing-cluster-workloads). To output a list of balanceable jobs and their associated allocation spread: @@ -910,7 +910,7 @@ ghe-storage evacuate storage-server-UUID ### nes -This utility allows you to monitor the health of cluster nodes using {% data variables.product.prodname_nes %}. By default, {% data variables.product.prodname_nes %} is disabled. For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-clustering/monitoring-the-health-of-your-cluster-nodes-with-node-eligibility-service). +This utility allows you to monitor the health of cluster nodes using {% data variables.product.prodname_nes %}. By default, {% data variables.product.prodname_nes %} is disabled. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-clustering/monitoring-the-health-of-your-cluster-nodes-with-node-eligibility-service). To view the health of the cluster's nodes: @@ -1025,7 +1025,7 @@ ghe-cluster-each -r git -- "ghe-repo-gc --prune USERNAME/REPONAME" ### ghe-actions-check -This utility checks that all services for {% data variables.product.prodname_actions %} are healthy. For more information, see [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server) and [AUTOTITLE](/admin/github-actions/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise). +This utility checks that all services for {% data variables.product.prodname_actions %} are healthy. For more information, see [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server) and [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise). ```shell ghe-actions-check @@ -1035,7 +1035,7 @@ ghe-actions-check This utility tests the blob storage configuration for {% data variables.product.prodname_actions %} on {% data variables.location.product_location %}. You can use the utility to verify your storage configuration before you enable {% data variables.product.prodname_actions %} for your instance. -For more information about the configuration of {% data variables.product.prodname_actions %}, see [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server). +For more information about the configuration of {% data variables.product.prodname_actions %}, see [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server). > [!NOTE] > This utility only works with configurations that use a credentials-based connection to the storage provider. To test OpenID Connect (OIDC) configurations, use [`ghe-actions-test-storage-with-oidc`](#ghe-actions-test-storage-with-oidc). @@ -1111,7 +1111,7 @@ All Storage tests passed ### ghe-repl-decommission -This command decommissions the database entries for the node with the specified UUID. You run this command on the new primary after performing a failover to a replica node, to remove the decommissioned node's database entries. For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-high-availability/initiating-a-failover-to-your-replica-appliance). +This command decommissions the database entries for the node with the specified UUID. You run this command on the new primary after performing a failover to a replica node, to remove the decommissioned node's database entries. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-high-availability/initiating-a-failover-to-your-replica-appliance). ```shell ghe-repl-decommission @@ -1121,7 +1121,7 @@ ghe-repl-decommission ### ghe-repl-promote -This command disables replication on an existing replica node and converts the replica node to a primary node using the same settings as the original primary node. All replication services are enabled. For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-high-availability/initiating-a-failover-to-your-replica-appliance). +This command disables replication on an existing replica node and converts the replica node to a primary node using the same settings as the original primary node. All replication services are enabled. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-high-availability/initiating-a-failover-to-your-replica-appliance). {% data reusables.enterprise_installation.promoting-a-replica %} @@ -1131,7 +1131,7 @@ ghe-repl-promote ### ghe-repl-setup -Run this utility on an existing node to begin enabling a high availability configuration. The utility puts the node in standby mode before you begin replication with [`ghe-repl-start`](#ghe-repl-start). For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-high-availability/creating-a-high-availability-replica). +Run this utility on an existing node to begin enabling a high availability configuration. The utility puts the node in standby mode before you begin replication with [`ghe-repl-start`](#ghe-repl-start). For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-high-availability/creating-a-high-availability-replica). After running the utility, the following configuration occurs on the node. @@ -1147,7 +1147,7 @@ ghe-repl-setup PRIMARY-NODE-IP ### ghe-repl-start -This utility begins replication of all datastores on a node. Run this utility after running [`ghe-repl-setup`](#ghe-repl-setup). For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-high-availability/creating-a-high-availability-replica). +This utility begins replication of all datastores on a node. Run this utility after running [`ghe-repl-setup`](#ghe-repl-setup). For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-high-availability/creating-a-high-availability-replica). ```shell ghe-repl-start @@ -1155,7 +1155,7 @@ ghe-repl-start ### ghe-repl-status -This utility displays the status of replication on a node, returning an `OK`, `WARNING` or `CRITICAL` status for each datastore's replication stream. For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-high-availability/monitoring-a-high-availability-configuration). +This utility displays the status of replication on a node, returning an `OK`, `WARNING` or `CRITICAL` status for each datastore's replication stream. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-high-availability/monitoring-a-high-availability-configuration). * If any of the replication channels are in a `WARNING` state, the command will exit with code `1`. * If you have not started replication, the command will exit with code `1`. @@ -1311,7 +1311,7 @@ GHE_LICENSE_FILE=/path/license ghe-license import ### ghe-find-insecure-git-operations -This utility searches your instance's logs and identifies Git operations over SSH that use insecure algorithms or hash functions, including DSA, RSA-SHA-1, HMAC-SHA-1, and CBC ciphers. You can use the output to support each client's transition to a more secure SSH connection. For more information, see [{% data variables.product.prodname_blog %}](https://github.blog/2022-06-28-improving-git-protocol-security-on-github-enterprise-server) and [AUTOTITLE](/admin/configuration/configuring-your-enterprise/configuring-ssh-connections-to-your-instance). +This utility searches your instance's logs and identifies Git operations over SSH that use insecure algorithms or hash functions, including DSA, RSA-SHA-1, HMAC-SHA-1, and CBC ciphers. You can use the output to support each client's transition to a more secure SSH connection. For more information, see [{% data variables.product.prodname_blog %}](https://github.blog/2022-06-28-improving-git-protocol-security-on-github-enterprise-server) and [AUTOTITLE](/admin/configuring-settings/hardening-security-for-your-enterprise/configuring-ssh-connections-to-your-instance). ```shell ghe-find-insecure-git-operations @@ -1421,7 +1421,7 @@ ghe-migrations -refresh_rate SECONDS ### ghe-update-check -This utility will check to see if a new patch release of {% data variables.product.prodname_enterprise %} is available. If it is, and if space is available on your instance, it will download the package. By default, it's saved to _/var/lib/ghe-updates_. An administrator can then [perform the upgrade](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources). +This utility will check to see if a new patch release of {% data variables.product.prodname_enterprise %} is available. If it is, and if space is available on your instance, it will download the package. By default, it's saved to _/var/lib/ghe-updates_. An administrator can then [perform the upgrade](/admin/monitoring-and-managing-your-instance/updating-the-virtual-machine-and-physical-resources). A file containing the status of the download is available at _/var/lib/ghe-updates/ghe-update-check.status_. @@ -1499,7 +1499,7 @@ ghe-upgrade-scheduler -r UPGRADE PACKAGE FILENAME ### ghe-license usage -This utility exports a list of the installation's users in JSON format. If your instance is connected to {% data variables.product.prodname_ghe_cloud %}, {% data variables.product.prodname_ghe_server %} uses this information for reporting licensing information to {% data variables.product.prodname_ghe_cloud %}. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/managing-github-connect). +This utility exports a list of the installation's users in JSON format. If your instance is connected to {% data variables.product.prodname_ghe_cloud %}, {% data variables.product.prodname_ghe_server %} uses this information for reporting licensing information to {% data variables.product.prodname_ghe_cloud %}. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-github-connect-for-githubcom). By default, the list of users in the resulting JSON file is encrypted. Review optional flags via `ghe-license --help`. @@ -1509,7 +1509,7 @@ ghe-license usage ### ghe-org-membership-update -This utility will enforce the default organization membership visibility setting on all members in your instance. For more information, see [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/configuring-visibility-for-organization-membership). Setting options are `public` or `private`. +This utility will enforce the default organization membership visibility setting on all members in your instance. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/configuring-visibility-for-organization-membership). Setting options are `public` or `private`. ```shell ghe-org-membership-update --visibility=SETTING diff --git a/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/about-the-management-console.md b/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/about-the-management-console.md index ec7bf7ba9fce..0e6934cc32b9 100644 --- a/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/about-the-management-console.md +++ b/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/about-the-management-console.md @@ -16,9 +16,9 @@ The {% data variables.enterprise.management_console %} allows you to manage the You can always reach the {% data variables.enterprise.management_console %} using {% data variables.location.product_location %}'s IP address, even when the instance is in maintenance mode, or there is a critical application failure or hostname or SSL misconfiguration. -To access the {% data variables.enterprise.management_console %}, you can use the root site administrator password established during initial setup of {% data variables.location.product_location %} or log in as a {% data variables.enterprise.management_console %} user. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/accessing-the-management-console). You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations. +To access the {% data variables.enterprise.management_console %}, you can use the root site administrator password established during initial setup of {% data variables.location.product_location %} or log in as a {% data variables.enterprise.management_console %} user. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-web-ui/accessing-the-management-console). You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations. -The {% data variables.enterprise.management_console %} password hash is stored in `/data/user/common/secrets.conf`. If high availability or clustering is configured, the file is automatically synced from the primary node to any additional nodes. Any change to the primary's password will automatically be replicated to all of the instance's nodes. For more information about high availability, see [AUTOTITLE](/admin/enterprise-management/configuring-high-availability/about-high-availability-configuration). +The {% data variables.enterprise.management_console %} password hash is stored in `/data/user/common/secrets.conf`. If high availability or clustering is configured, the file is automatically synced from the primary node to any additional nodes. Any change to the primary's password will automatically be replicated to all of the instance's nodes. For more information about high availability, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-high-availability/about-high-availability-configuration). When someone performs an action in the {% data variables.enterprise.management_console %} via the web interface or REST API, an event appears in the audit log. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise). @@ -28,9 +28,9 @@ In the {% data variables.enterprise.management_console %}, you can perform admin * **Initial setup:** Walk through the initial setup process when first launching {% data variables.location.product_location %} by visiting {% data variables.location.product_location %}'s IP address in your browser. -* **Identity and access management:** Improve the security of {% data variables.location.product_location %} by creating dedicated user accounts for the {% data variables.enterprise.management_console %}. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console). +* **Identity and access management:** Improve the security of {% data variables.location.product_location %} by creating dedicated user accounts for the {% data variables.enterprise.management_console %}. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-web-ui/managing-access-to-the-management-console). -* **Configuring authentication policies for the {% data variables.enterprise.management_console %}:** Set rate limits for login attempts, and the lockout duration if someone exceeds the rate limit. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console). +* **Configuring authentication policies for the {% data variables.enterprise.management_console %}:** Set rate limits for login attempts, and the lockout duration if someone exceeds the rate limit. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-web-ui/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console). * **Configuring basic settings for your instance:** Configure DNS, hostname, SSL, user authentication, email, monitoring services, and log forwarding on the Settings page. * **Scheduling maintenance windows:** Take {% data variables.location.product_location %} offline while performing maintenance using the {% data variables.enterprise.management_console %} or administrative shell. * **Troubleshooting:** Generate a support bundle or view high level diagnostic information. diff --git a/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/accessing-the-management-console.md b/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/accessing-the-management-console.md index 85c04e1fbb6a..5dab3912cb47 100644 --- a/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/accessing-the-management-console.md +++ b/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/accessing-the-management-console.md @@ -15,7 +15,7 @@ category: ## Accessing the {% data variables.enterprise.management_console %} -The first time that you access the {% data variables.enterprise.management_console %} for {% data variables.location.product_location %}, you must upload your license file. For more information, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise). +The first time that you access the {% data variables.enterprise.management_console %} for {% data variables.location.product_location %}, you must upload your license file. For more information, see [AUTOTITLE](/billing/how-tos/manage-server-licenses/download-your-license). {% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} diff --git a/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/managing-access-to-the-management-console.md b/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/managing-access-to-the-management-console.md index 4666f4440093..538e1073bb56 100644 --- a/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/managing-access-to-the-management-console.md +++ b/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/managing-access-to-the-management-console.md @@ -11,7 +11,7 @@ category: - Install and configure your instance --- -{% data reusables.enterprise_site_admin_settings.management-console-access %} For more information about {% data variables.enterprise.management_console %} access, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console). +{% data reusables.enterprise_site_admin_settings.management-console-access %} For more information about {% data variables.enterprise.management_console %} access, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-web-ui). You can also use the `gh es` {% data variables.product.prodname_cli %} extension to manage the root site administrator password, which controls access to the Management Console. For more information, see the [GH ES CLI usage documentation](https://github.com/github/gh-es/blob/main/USAGE.md#gh-es-access-set-password) and [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/administering-your-instance-using-the-github-cli). @@ -45,7 +45,7 @@ While signed into the {% data variables.enterprise.management_console %} as the ## Inviting new {% data variables.enterprise.management_console %} users -If you have configured email for notifications for {% data variables.location.product_location %}, new {% data variables.enterprise.management_console %} users will automatically receive an invitation to complete creation of the {% data variables.enterprise.management_console %} user account. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/configuring-email-for-notifications). +If you have configured email for notifications for {% data variables.location.product_location %}, new {% data variables.enterprise.management_console %} users will automatically receive an invitation to complete creation of the {% data variables.enterprise.management_console %} user account. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/configuring-email-for-notifications). If you have not configured email notifications for {% data variables.location.product_location %}, you must manually copy the {% data variables.enterprise.management_console %} invitation link and send it to the user. The user must set a password using the link before the user can access the {% data variables.enterprise.management_console %}. diff --git a/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console.md b/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console.md index 052ed7701953..2410dc4096bf 100644 --- a/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console.md +++ b/content/admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console.md @@ -17,7 +17,7 @@ If you experience problems accessing the Management Console, you can try the fol ## Unlocking the {% data variables.enterprise.management_console %} after failed login attempts -The {% data variables.enterprise.management_console %} locks after the number of failed login attempts configured by your authentication policies. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console). +The {% data variables.enterprise.management_console %} locks after the number of failed login attempts configured by your authentication policies. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-web-ui/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console). ### Unlocking the root site administrator account @@ -37,4 +37,4 @@ If you cannot connect to the {% data variables.enterprise.management_console %} ### Error: "Your session has expired" for connections through a load balancer -If you access {% data variables.location.product_location %} through a load balancer and connections to the {% data variables.enterprise.management_console %} fail with a message that your session has expired, you may need to reconfigure your load balancer. For more information, see [AUTOTITLE](/admin/configuration/configuring-network-settings/using-github-enterprise-server-with-a-load-balancer#error-your-session-has-expired-for-connections-to-the-management-console). +If you access {% data variables.location.product_location %} through a load balancer and connections to the {% data variables.enterprise.management_console %} fail with a message that your session has expired, you may need to reconfigure your load balancer. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-network-settings/using-github-enterprise-server-with-a-load-balancer#error-your-session-has-expired-for-connections-to-the-management-console). diff --git a/content/admin/administering-your-instance/configuring-maintenance-mode/enabling-and-scheduling-maintenance-mode.md b/content/admin/administering-your-instance/configuring-maintenance-mode/enabling-and-scheduling-maintenance-mode.md index b4b50cad4b44..0df9df75ff44 100644 --- a/content/admin/administering-your-instance/configuring-maintenance-mode/enabling-and-scheduling-maintenance-mode.md +++ b/content/admin/administering-your-instance/configuring-maintenance-mode/enabling-and-scheduling-maintenance-mode.md @@ -55,7 +55,7 @@ The IP exception list provides controlled and restricted access to {% data varia If you re-enable maintenance mode, the IP exception list will be disabled and {% data variables.location.product_location %} will return to maintenance mode. If you just disable the IP exception list, {% data variables.location.product_location %} will return to normal operation. -You can also use a command-line utility to configure the IP exception list. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-maintenance) and [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh). +You can also use a command-line utility to configure the IP exception list. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-maintenance) and [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh). {% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} diff --git a/content/admin/all-releases.md b/content/admin/all-releases.md index 1d5cc6f2ac5d..18b2ea60a743 100644 --- a/content/admin/all-releases.md +++ b/content/admin/all-releases.md @@ -53,7 +53,7 @@ We hosted developer documentation for {% data variables.product.prodname_ghe_ser For instances with a {% data variables.product.prodname_GHAS_or_code_security %} license and {% data variables.product.prodname_code_scanning %} enabled, the {% data variables.product.prodname_codeql %} action for {% data variables.product.prodname_code_scanning %} analysis uses a minimum recommended version of the {% data variables.product.prodname_codeql_cli %} by default. -If you run analysis in an external CI system, we recommend using the same version of the {% data variables.product.prodname_codeql_cli %}. See [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance). +If you run analysis in an external CI system, we recommend using the same version of the {% data variables.product.prodname_codeql_cli %}. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-code-scanning-for-your-appliance). | {% data variables.product.prodname_ghe_server %} version | Recommended {% data variables.product.prodname_codeql_cli %} version | | ------------------------------------------------- | ---------------------- | @@ -76,7 +76,7 @@ If you run analysis in an external CI system, we recommend using the same versio For instances with {% data variables.product.prodname_actions %} enabled, self-hosted {% data variables.product.prodname_actions %} runners must run a minimum required version of the {% data variables.product.prodname_actions %} Runner application. * For most instances, the Runner application is updated automatically. -* If your instance uses ephemeral self-hosted runners and you've disabled automatic updates, you must upgrade your runners before upgrading {% data variables.product.prodname_ghe_server %}. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#requirements-for-self-hosted-runner-machines). +* If your instance uses ephemeral self-hosted runners and you've disabled automatic updates, you must upgrade your runners before upgrading {% data variables.product.prodname_ghe_server %}. See [AUTOTITLE](/actions/concepts/runners/self-hosted-runners#requirements-for-self-hosted-runner-machines). | {% data variables.product.prodname_ghe_server %} version | Minimum Runner version | | ------------------------------------------------- | ---------------------- | diff --git a/content/admin/backing-up-and-restoring-your-instance/configuring-backups-on-your-instance.md b/content/admin/backing-up-and-restoring-your-instance/configuring-backups-on-your-instance.md index b7cea396a4f0..87f2e2f8618e 100644 --- a/content/admin/backing-up-and-restoring-your-instance/configuring-backups-on-your-instance.md +++ b/content/admin/backing-up-and-restoring-your-instance/configuring-backups-on-your-instance.md @@ -101,7 +101,7 @@ Backup snapshots created by {% data variables.product.prodname_enterprise_backup > To ensure a recovered instance is immediately available, perform backups targeting the primary instance even in a geo-replication configuration. 1. Set the `GHE_DATA_DIR` value to the filesystem location where you want to store backup snapshots. We recommend choosing a location on the same filesystem as your backup host. -1. To grant your backup host access to your instance, open your primary instance's settings page at `http(s)://HOSTNAME/setup/settings` and add the backup host's SSH key to the list of authorized SSH keys. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh#enabling-access-to-the-administrative-shell-via-ssh). +1. To grant your backup host access to your instance, open your primary instance's settings page at `http(s)://HOSTNAME/setup/settings` and add the backup host's SSH key to the list of authorized SSH keys. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh#enabling-access-to-the-administrative-shell-via-ssh). 1. On your backup host, verify SSH connectivity with {% data variables.location.product_location %} with the `ghe-host-check` command. ```shell @@ -150,10 +150,10 @@ Network settings are excluded from the backup snapshot. After restoration, you m ### Prerequisites -1. Ensure maintenance mode is enabled on the primary instance and all active processes have completed. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/enabling-and-scheduling-maintenance-mode). -1. Stop replication on all replica nodes in a high-availability configuration. For more information, see [AUTOTITLE](/admin/enterprise-management/configuring-high-availability/about-high-availability-configuration#ghe-repl-stop). -1. Provision a new {% data variables.product.prodname_ghe_server %} instance to use as a target for the restoration of your backup. For more information, see [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance). -1. If {% data variables.location.product_location %} has {% data variables.product.prodname_actions %} enabled, you must configure the external storage provider for {% data variables.product.prodname_actions %} on the replacement instance. For more information, see [AUTOTITLE](/admin/github-actions/advanced-configuration-and-troubleshooting/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled). +1. Ensure maintenance mode is enabled on the primary instance and all active processes have completed. For more information, see [AUTOTITLE](/admin/administering-your-instance/configuring-maintenance-mode/enabling-and-scheduling-maintenance-mode). +1. Stop replication on all replica nodes in a high-availability configuration. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/configuring-high-availability/about-high-availability-configuration#ghe-repl-stop). +1. Provision a new {% data variables.product.prodname_ghe_server %} instance to use as a target for the restoration of your backup. For more information, see [AUTOTITLE](/admin/installing-your-enterprise-server/setting-up-a-github-enterprise-server-instance). +1. If {% data variables.location.product_location %} has {% data variables.product.prodname_actions %} enabled, you must configure the external storage provider for {% data variables.product.prodname_actions %} on the replacement instance. For more information, see [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled). ### Starting the restore operation @@ -181,7 +181,7 @@ $ ghe-restore -c 169.154.1.1 > Visit https://169.154.1.1/setup/settings to review appliance configuration. ``` -Optionally, to validate the restore, configure an IP exception list to allow access to a specified list of IP addresses. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/enabling-and-scheduling-maintenance-mode#validating-changes-in-maintenance-mode-using-the-ip-exception-list). +Optionally, to validate the restore, configure an IP exception list to allow access to a specified list of IP addresses. For more information, see [AUTOTITLE](/admin/administering-your-instance/configuring-maintenance-mode/enabling-and-scheduling-maintenance-mode#validating-changes-in-maintenance-mode-using-the-ip-exception-list). On an instance in a high-availability configuration, after you restore to new disks on an existing or empty instance, `ghe-repl-status` may report that Git or Alambic replication is out of sync due to stale server UUIDs. These stale UUIDs can be the result of a retired node in a high-availability configuration still being present in the application database, but not in the restored replication configuration. @@ -203,4 +203,4 @@ Optionally, you can run the following command to print the current progress, the ```shell copy bin/ghe-backup-progress --once -``` \ No newline at end of file +``` diff --git a/content/admin/backing-up-and-restoring-your-instance/configuring-the-backup-service.md b/content/admin/backing-up-and-restoring-your-instance/configuring-the-backup-service.md index 73b36372e56a..0791b0433f8c 100644 --- a/content/admin/backing-up-and-restoring-your-instance/configuring-the-backup-service.md +++ b/content/admin/backing-up-and-restoring-your-instance/configuring-the-backup-service.md @@ -50,7 +50,7 @@ Before configuring the service, you must prepare the storage volume where backup If you're using a dedicated block device as your backup target, you need to initialize it via SSH before proceeding in the {% data variables.enterprise.management_console %}. This process will **format the device and erase all existing data**. -1. Connect to your instance via SSH as the `admin` user. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh). +1. Connect to your instance via SSH as the `admin` user. See [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh). 1. Attach your backup block device to the instance. 1. Identify the device name using `lsblk` to list available block devices. Make sure you select the correct device to avoid data loss. diff --git a/content/admin/backing-up-and-restoring-your-instance/creating-and-monitoring-backups.md b/content/admin/backing-up-and-restoring-your-instance/creating-and-monitoring-backups.md index 8728ac84ded8..932347a9508f 100644 --- a/content/admin/backing-up-and-restoring-your-instance/creating-and-monitoring-backups.md +++ b/content/admin/backing-up-and-restoring-your-instance/creating-and-monitoring-backups.md @@ -28,7 +28,7 @@ Once the backup service is configured, it will automatically create backups base To create an on-demand backup—for example, before performing maintenance: -1. Connect to your instance via SSH as the `admin` user. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh). +1. Connect to your instance via SSH as the `admin` user. See [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh). 1. Run the backup command: ```shell diff --git a/content/admin/backing-up-and-restoring-your-instance/restoring-from-a-backup.md b/content/admin/backing-up-and-restoring-your-instance/restoring-from-a-backup.md index 22f80e1040d8..ef50fe63892c 100644 --- a/content/admin/backing-up-and-restoring-your-instance/restoring-from-a-backup.md +++ b/content/admin/backing-up-and-restoring-your-instance/restoring-from-a-backup.md @@ -30,7 +30,7 @@ You also can’t restore from a newer version to an older one. For example, tryi Before restoring a backup: -1. **Enable maintenance mode** on the target instance. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/enabling-and-scheduling-maintenance-mode). +1. **Enable maintenance mode** on the target instance. See [AUTOTITLE](/admin/administering-your-instance/configuring-maintenance-mode/enabling-and-scheduling-maintenance-mode). 1. **Verify access** to the backup storage containing the snapshot. 1. **Pause interfering services** — if using High Availability (HA), make sure replication is stopped. 1. **Prepare for {% data variables.product.prodname_actions %}** — if enabled, ensure the target instance is configured with the correct external storage. See [AUTOTITLE](/admin/backing-up-and-restoring-your-instance/restoring-with-github-actions-enabled) for details. diff --git a/content/admin/backing-up-and-restoring-your-instance/restoring-with-github-actions-enabled.md b/content/admin/backing-up-and-restoring-your-instance/restoring-with-github-actions-enabled.md index 98be2eed1306..20744d339055 100644 --- a/content/admin/backing-up-and-restoring-your-instance/restoring-with-github-actions-enabled.md +++ b/content/admin/backing-up-and-restoring-your-instance/restoring-with-github-actions-enabled.md @@ -35,4 +35,4 @@ When restoring an instance with {% data variables.product.prodname_actions %} en All runners must be re-registered with the restored instance, as previous registration tokens are invalid after a restore. -For more information, see [AUTOTITLE](/admin/github-actions/advanced-configuration-and-troubleshooting/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled). +For more information, see [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled). diff --git a/content/admin/concepts/enterprise-fundamentals/automations-in-your-enterprise.md b/content/admin/concepts/enterprise-fundamentals/automations-in-your-enterprise.md index cfcb758a9ed6..2515ac336e74 100644 --- a/content/admin/concepts/enterprise-fundamentals/automations-in-your-enterprise.md +++ b/content/admin/concepts/enterprise-fundamentals/automations-in-your-enterprise.md @@ -131,4 +131,4 @@ Use **{% data variables.product.prodname_github_apps %} and {% data variables.pr ## Next steps -Learn how to design and manage {% data variables.product.prodname_github_apps %} at the enterprise level in [AUTOTITLE](/admin/managing-your-enterprise-account/creating-github-apps-for-your-enterprise). +Learn how to design and manage {% data variables.product.prodname_github_apps %} at the enterprise level in [AUTOTITLE](/admin/managing-github-apps-for-your-enterprise/creating-github-apps-for-your-enterprise). diff --git a/content/enterprise-onboarding/getting-started-with-your-enterprise/choose-an-enterprise-type.md b/content/admin/concepts/enterprise-fundamentals/choose-an-enterprise-type.md similarity index 98% rename from content/enterprise-onboarding/getting-started-with-your-enterprise/choose-an-enterprise-type.md rename to content/admin/concepts/enterprise-fundamentals/choose-an-enterprise-type.md index 291cb3eee996..42ae7cf207e9 100644 --- a/content/enterprise-onboarding/getting-started-with-your-enterprise/choose-an-enterprise-type.md +++ b/content/admin/concepts/enterprise-fundamentals/choose-an-enterprise-type.md @@ -10,6 +10,7 @@ redirect_from: - /admin/identity-and-access-management/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud - /admin/managing-iam/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud - /admin/concepts/identity-and-access-management/enterprise-types-for-github-enterprise-cloud + - /enterprise-onboarding/getting-started-with-your-enterprise/choose-an-enterprise-type contentType: other docsTeamMetrics: - enterprise-onboarding diff --git a/content/admin/concepts/enterprise-fundamentals/index.md b/content/admin/concepts/enterprise-fundamentals/index.md index 9b7a9dda22c8..b576c15bf3c9 100644 --- a/content/admin/concepts/enterprise-fundamentals/index.md +++ b/content/admin/concepts/enterprise-fundamentals/index.md @@ -6,6 +6,7 @@ versions: ghes: '*' ghec: '*' children: + - /choose-an-enterprise-type - /enterprise-accounts - /teams-in-an-enterprise - /roles-in-an-enterprise diff --git a/content/admin/concepts/identity-and-access-management/enterprise-managed-users.md b/content/admin/concepts/identity-and-access-management/enterprise-managed-users.md index f0953fc28fc2..de9f1039d104 100644 --- a/content/admin/concepts/identity-and-access-management/enterprise-managed-users.md +++ b/content/admin/concepts/identity-and-access-management/enterprise-managed-users.md @@ -32,10 +32,10 @@ With {% data variables.product.prodname_emus %}, you manage the lifecycle and au * Your IdP **provisions new user accounts** on {% data variables.product.prodname_dotcom %}, with access to your enterprise. * Users must **authenticate on your IdP** to access your enterprise's resources on {% data variables.product.prodname_dotcom %}. * You control **usernames, profile data, organization membership, and repository access** from your IdP. -* If your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will validate access to your enterprise and its resources using your IdP's **Conditional Access Policy (CAP)**. See [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy). -* {% data variables.enterprise.prodname_managed_users_caps %} **cannot create public content** or collaborate outside your enterprise. See [AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts). +* If your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will validate access to your enterprise and its resources using your IdP's **Conditional Access Policy (CAP)**. See [AUTOTITLE](/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/about-support-for-your-idps-conditional-access-policy). +* {% data variables.enterprise.prodname_managed_users_caps %} **cannot create public content** or collaborate outside your enterprise. See [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts). -> [!NOTE] {% data variables.product.prodname_emus %} is not the best solution for every customer. To determine whether it's right for your enterprise, see [AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud). +> [!NOTE] {% data variables.product.prodname_emus %} is not the best solution for every customer. To determine whether it's right for your enterprise, see [AUTOTITLE](/enterprise-onboarding/getting-started-with-your-enterprise/choose-an-enterprise-type). ## How does EMUs integrate with identity management systems? @@ -63,13 +63,13 @@ If you cannot use a single partner IdP for both authentication and provisioning, * Adhere to **{% data variables.product.company_short %}'s integration guidelines** * Provide **authentication using SAML**, adhering to SAML 2.0 specification -* Provide **user lifecycle management using SCIM**, adhering to the SCIM 2.0 specification and communicating with {% data variables.product.company_short %}'s REST API (see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api)) +* Provide **user lifecycle management using SCIM**, adhering to the SCIM 2.0 specification and communicating with {% data variables.product.company_short %}'s REST API (see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api)) {% data reusables.emus.mixed-systems-note %} ## How are usernames and profile information managed for EMUs? -{% data variables.product.prodname_dotcom %} automatically creates a username for each developer by normalizing an identifier provided by your IdP. If the unique parts of the identifier are removed during normalization, a conflict may occur. See [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/username-considerations-for-external-authentication#resolving-username-problems). +{% data variables.product.prodname_dotcom %} automatically creates a username for each developer by normalizing an identifier provided by your IdP. If the unique parts of the identifier are removed during normalization, a conflict may occur. See [AUTOTITLE](/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication#resolving-username-problems). The profile name and email address of a {% data variables.enterprise.prodname_managed_user %} is provided by the IdP: * {% data variables.enterprise.prodname_managed_users_caps %} _cannot_ change their profile name or email address on {% data variables.product.prodname_dotcom %}. @@ -78,16 +78,16 @@ The profile name and email address of a {% data variables.enterprise.prodname_ma ## How are roles and access managed for EMUs? -In your IdP, you can give each {% data variables.enterprise.prodname_managed_user %} a **role in your enterprise**, such as member, owner, or guest collaborator. See [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise). +In your IdP, you can give each {% data variables.enterprise.prodname_managed_user %} a **role in your enterprise**, such as member, owner, or guest collaborator. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles). -Organization memberships (and repository access) can be managed manually, or you can **update memberships automatically using IdP groups**. See [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups). +Organization memberships (and repository access) can be managed manually, or you can **update memberships automatically using IdP groups**. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups). ## How do {% data variables.enterprise.prodname_managed_users %} authenticate to {% data variables.product.prodname_dotcom %}? The locations where {% data variables.enterprise.prodname_managed_users %} can authenticate to {% data variables.product.prodname_dotcom %} depends on how you configure authentication (SAML or OIDC). See [AUTOTITLE](/authentication/authenticating-with-single-sign-on/authenticating-with-a-managed-user-account). -By default, when an unauthenticated user attempts to access your enterprise, {% data variables.product.company_short %} displays a 404 error. You can optionally enable automatic redirects to single sign-on (SSO) instead. See [AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-sso-for-unauthenticated-users). +By default, when an unauthenticated user attempts to access your enterprise, {% data variables.product.company_short %} displays a 404 error. You can optionally enable automatic redirects to single sign-on (SSO) instead. See [AUTOTITLE](/enterprise-cloud@latest/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-sso-for-unauthenticated-users). ## Further reading -* [AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users) +* [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users) diff --git a/content/admin/concepts/identity-and-access-management/identity-and-access-management-fundamentals.md b/content/admin/concepts/identity-and-access-management/identity-and-access-management-fundamentals.md index 6f56c0d96b79..7086cd273fad 100644 --- a/content/admin/concepts/identity-and-access-management/identity-and-access-management-fundamentals.md +++ b/content/admin/concepts/identity-and-access-management/identity-and-access-management-fundamentals.md @@ -21,7 +21,7 @@ category: {% data reusables.enterprise-accounts.about-enterprise-types %} -After learning more about authentication and provisioning for each of these options, to determine which method is best for your enterprise, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/identifying-the-best-authentication-method-for-your-enterprise). +After learning more about authentication and provisioning for each of these options, to determine which method is best for your enterprise, see [AUTOTITLE](/enterprise-onboarding/getting-started-with-your-enterprise/choose-an-enterprise-type). {% elsif ghes %} @@ -41,17 +41,17 @@ When you create an enterprise on {% data variables.product.github %}, you can de ### Authentication through {% data variables.location.product_location %} -With authentication solely through {% data variables.location.product_location %}, each person you want to grant access to your enterprise must create and manage a personal account on {% data variables.location.product_location %}. After you grant access to your enterprise, the member can access your enterprise's resources after signing into the account on {% data variables.location.product_location %}. The member manages the account, and can contribute to other enterprises, organizations, and repositories on {% data variables.location.product_location %}. For more information about personal accounts, see [AUTOTITLE](/get-started/signing-up-for-github/signing-up-for-a-new-github-account). +With authentication solely through {% data variables.location.product_location %}, each person you want to grant access to your enterprise must create and manage a personal account on {% data variables.location.product_location %}. After you grant access to your enterprise, the member can access your enterprise's resources after signing into the account on {% data variables.location.product_location %}. The member manages the account, and can contribute to other enterprises, organizations, and repositories on {% data variables.location.product_location %}. For more information about personal accounts, see [AUTOTITLE](/get-started/start-your-journey/creating-an-account-on-github). ### Authentication through {% data variables.location.product_location %} with additional SAML access restriction -If you configure additional SAML access restriction, each person you want to grant access to your enterprise must create and manage a personal account on {% data variables.location.product_location %}. After you grant access to your enterprise, the member can access your enterprise's resources only after authenticating successfully for both the account on {% data variables.location.product_location %} and for an account on your SAML identity provider (IdP). The member can contribute to other enterprises, organizations, and repositories on {% data variables.location.product_location %} using their personal account. For more information about requiring SAML authentication for all access your enterprise's resources, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam). +If you configure additional SAML access restriction, each person you want to grant access to your enterprise must create and manage a personal account on {% data variables.location.product_location %}. After you grant access to your enterprise, the member can access your enterprise's resources only after authenticating successfully for both the account on {% data variables.location.product_location %} and for an account on your SAML identity provider (IdP). The member can contribute to other enterprises, organizations, and repositories on {% data variables.location.product_location %} using their personal account. For more information about requiring SAML authentication for all access your enterprise's resources, see [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-saml-for-enterprise-iam). -You can choose between configuring SAML at the enterprise level, which applies the same SAML configuration to all organizations within the enterprise, and configuring SAML separately for individual organizations. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/deciding-whether-to-configure-saml-for-your-enterprise-or-your-organizations). +You can choose between configuring SAML at the enterprise level, which applies the same SAML configuration to all organizations within the enterprise, and configuring SAML separately for individual organizations. For more information, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/deciding-whether-to-configure-saml-for-your-enterprise-or-your-organizations). ### Authentication with {% data variables.product.prodname_emus %} and federation -If you need more control of the accounts for your enterprise members on {% data variables.product.github %}, you can use {% data variables.product.prodname_emus %}. With {% data variables.product.prodname_emus %}, you provision and manage accounts for your enterprise members on {% data variables.product.github %} using your IdP. Each member signs into an account that you create, and your enterprise manages the account. Contributions outside the enterprise are restricted. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). +If you need more control of the accounts for your enterprise members on {% data variables.product.github %}, you can use {% data variables.product.prodname_emus %}. With {% data variables.product.prodname_emus %}, you provision and manage accounts for your enterprise members on {% data variables.product.github %} using your IdP. Each member signs into an account that you create, and your enterprise manages the account. Contributions outside the enterprise are restricted. For more information, see [AUTOTITLE](/admin/concepts/identity-and-access-management/enterprise-managed-users). {% elsif ghes %} @@ -62,19 +62,19 @@ The following authentication methods are available for {% data variables.product ### Built-in authentication -{% data reusables.enterprise_user_management.built-in-authentication-new-accounts %} To access your instance, people authenticate with the credentials for the account. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-built-in-authentication/configuring-built-in-authentication). +{% data reusables.enterprise_user_management.built-in-authentication-new-accounts %} To access your instance, people authenticate with the credentials for the account. For more information, see [AUTOTITLE](/admin/managing-iam/using-built-in-authentication/configuring-built-in-authentication). ### External authentication If you use an external directory or identity provider (IdP) to centralize access to multiple web applications, you may be able to configure external authentication for {% data variables.location.product_location %}. For more information, see the following articles. -* [AUTOTITLE](/admin/identity-and-access-management/using-cas-for-enterprise-iam) -* [AUTOTITLE](/admin/identity-and-access-management/using-ldap-for-enterprise-iam) -* [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam) +* [AUTOTITLE](/admin/managing-iam/using-cas-for-enterprise-iam) +* [AUTOTITLE](/admin/managing-iam/using-ldap-for-enterprise-iam) +* [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam) {% data reusables.enterprise.saml-or-ldap %} -If you choose to use external authentication, you can also configure fallback authentication for people who don't have an account on your external authentication provider. For example, you may want to grant access to a contractor or machine user. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider). +If you choose to use external authentication, you can also configure fallback authentication for people who don't have an account on your external authentication provider. For example, you may want to grant access to a contractor or machine user. For more information, see [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/allowing-built-in-authentication-for-users-outside-your-provider). {% endif %} @@ -84,11 +84,11 @@ If you choose to use external authentication, you can also configure fallback au If you use [authentication through {% data variables.location.product_location %} with additional SAML access restriction](#authentication-through-githubcom-with-additional-saml-access-restriction), people create personal accounts on {% data variables.product.prodname_dotcom_the_website %}, and you can grant those personal accounts access to resources in your enterprise. You do not provision accounts. -Alternatively, if you use [{% data variables.product.prodname_emus %}](#authentication-with-enterprise-managed-users-and-federation), you must configure your IdP to provision user accounts within your enterprise on {% data variables.location.product_location %} using System for Cross-domain Identity Management (SCIM). For more information, see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users). +Alternatively, if you use [{% data variables.product.prodname_emus %}](#authentication-with-enterprise-managed-users-and-federation), you must configure your IdP to provision user accounts within your enterprise on {% data variables.location.product_location %} using System for Cross-domain Identity Management (SCIM). For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim). {% elsif ghes %} -If you configure built-in authentication, CAS, LDAP, or SAML, {% data variables.product.prodname_ghe_server %} creates a user account when an authorized person signs into the instance, or "just in time" (JIT). Optionally, if you use SAML, you can provision user accounts from your identity provider (IdP) using SCIM. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise). +If you configure built-in authentication, CAS, LDAP, or SAML, {% data variables.product.prodname_ghe_server %} creates a user account when an authorized person signs into the instance, or "just in time" (JIT). Optionally, if you use SAML, you can provision user accounts from your identity provider (IdP) using SCIM. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes). {% endif %} @@ -102,7 +102,7 @@ If you configure built-in authentication, CAS, LDAP, or SAML, {% data variables. ## Further reading -* [AUTOTITLE](/admin/overview/about-enterprise-accounts) +* [AUTOTITLE](/admin/concepts/enterprise-fundamentals/enterprise-accounts) {%- ifversion ghec %} * [AUTOTITLE](/organizations/managing-membership-in-your-organization/can-i-create-accounts-for-people-in-my-organization) {%- endif %} diff --git a/content/admin/concepts/security-and-compliance/audit-log-for-an-enterprise.md b/content/admin/concepts/security-and-compliance/audit-log-for-an-enterprise.md index d9256e375156..0ae676f46dc8 100644 --- a/content/admin/concepts/security-and-compliance/audit-log-for-an-enterprise.md +++ b/content/admin/concepts/security-and-compliance/audit-log-for-an-enterprise.md @@ -26,5 +26,5 @@ category: * [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization) {%- ifversion ghes %} -* [AUTOTITLE](/admin/enterprise-management/monitoring-your-appliance/about-system-logs) +* [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-system-logs) {%- endif %} diff --git a/content/admin/concepts/security-and-compliance/enterprise-policies.md b/content/admin/concepts/security-and-compliance/enterprise-policies.md index cbc16bc4fd9b..310061aad17b 100644 --- a/content/admin/concepts/security-and-compliance/enterprise-policies.md +++ b/content/admin/concepts/security-and-compliance/enterprise-policies.md @@ -25,12 +25,12 @@ While you're configuring enterprise policies, to help you understand the impact {% data reusables.enterprise.repo-policy-rules-alternative %} -For a full list of repository management policies, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise). +For a full list of repository management policies, see [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise). {% ifversion ghes %} -Another way to enforce standards within your enterprise is to use pre-receive hooks, which are scripts that run on {% data variables.location.product_location %} to implement quality checks. For more information, see [AUTOTITLE](/admin/policies/enforcing-policy-with-pre-receive-hooks). +Another way to enforce standards within your enterprise is to use pre-receive hooks, which are scripts that run on {% data variables.location.product_location %} to implement quality checks. For more information, see [AUTOTITLE](/admin/enforcing-policies/enforcing-policy-with-pre-receive-hooks). {% endif %} ## Further reading -* [AUTOTITLE](/admin/overview/about-enterprise-accounts) +* [AUTOTITLE](/admin/concepts/enterprise-fundamentals/enterprise-accounts) diff --git a/content/admin/configuring-packages/configuring-package-ecosystem-support-for-your-enterprise.md b/content/admin/configuring-packages/configuring-package-ecosystem-support-for-your-enterprise.md index b3b8a44b2e9f..df55852b5d48 100644 --- a/content/admin/configuring-packages/configuring-package-ecosystem-support-for-your-enterprise.md +++ b/content/admin/configuring-packages/configuring-package-ecosystem-support-for-your-enterprise.md @@ -22,7 +22,7 @@ You can choose which package ecosystems you'd like to enable, disable, or set to ## Prerequisites -Before you can configure individual package ecosystems, {% data variables.product.prodname_registry %} must be enabled and configured for your instance. For more information, see [AUTOTITLE](/admin/packages/getting-started-with-github-packages-for-your-enterprise). +Before you can configure individual package ecosystems, {% data variables.product.prodname_registry %} must be enabled and configured for your instance. For more information, see [AUTOTITLE](/admin/configuring-packages/getting-started-with-github-packages-for-your-enterprise). ## Enabling or disabling individual package ecosystems @@ -54,4 +54,4 @@ If you wish to enable npm upstream sources, select `Enabled` for `npm upstreamin ## Next steps -As a next step, we recommend you check if you need to update or upload a TLS certificate for your packages host URL. For more information, see [AUTOTITLE](/admin/packages/getting-started-with-github-packages-for-your-enterprise). +As a next step, we recommend you check if you need to update or upload a TLS certificate for your packages host URL. For more information, see [AUTOTITLE](/admin/configuring-packages/getting-started-with-github-packages-for-your-enterprise). diff --git a/content/admin/configuring-packages/getting-started-with-github-packages-for-your-enterprise.md b/content/admin/configuring-packages/getting-started-with-github-packages-for-your-enterprise.md index 2ae5d2a89458..65f03fe0506e 100644 --- a/content/admin/configuring-packages/getting-started-with-github-packages-for-your-enterprise.md +++ b/content/admin/configuring-packages/getting-started-with-github-packages-for-your-enterprise.md @@ -25,18 +25,18 @@ category: If you plan to enable {% data variables.product.prodname_container_registry %} for the users of your instance, at least 10% more CPU resources are required. -We recommend reviewing the levels of activity for users and automations on the instance to ensure that you have provisioned adequate CPU for your users. For more information, see [AUTOTITLE](/admin/enterprise-management/monitoring-your-appliance). +We recommend reviewing the levels of activity for users and automations on the instance to ensure that you have provisioned adequate CPU for your users. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance). For more information about minimum hardware requirements for {% data variables.location.product_location %}, see the hardware considerations for your instance's platform. -* [AWS](/admin/installation/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-aws#hardware-considerations) -* [Azure](/admin/installation/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-azure#hardware-considerations) -* [Google Cloud Platform](/admin/installation/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-google-cloud-platform#hardware-considerations) -* [Hyper-V](/admin/installation/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-hyper-v#hardware-considerations) -* [OpenStack KVM](/admin/installation/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-openstack-kvm#hardware-considerations) -* [VMware](/admin/installation/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-vmware#hardware-considerations) +* [AWS](/admin/installing-your-enterprise-server/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-aws#hardware-considerations) +* [Azure](/admin/installing-your-enterprise-server/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-azure#hardware-considerations) +* [Google Cloud Platform](/admin/installing-your-enterprise-server/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-google-cloud-platform#hardware-considerations) +* [Hyper-V](/admin/installing-your-enterprise-server/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-hyper-v#hardware-considerations) +* [OpenStack KVM](/admin/installing-your-enterprise-server/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-openstack-kvm#hardware-considerations) +* [VMware](/admin/installing-your-enterprise-server/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-vmware#hardware-considerations) -For more information about adjusting resources for an existing instance, see [AUTOTITLE](/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/increasing-cpu-or-memory-resources). +For more information about adjusting resources for an existing instance, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/updating-the-virtual-machine-and-physical-resources/increasing-cpu-or-memory-resources). ## Step 3: Enable {% data variables.product.prodname_registry %} and configure external storage @@ -50,22 +50,22 @@ Supported external storage providers * MinIO To enable {% data variables.product.prodname_registry %} and configure third-party storage, see: -* [AUTOTITLE](/admin/packages/enabling-github-packages-with-aws) -* [AUTOTITLE](/admin/packages/enabling-github-packages-with-azure-blob-storage) -* [AUTOTITLE](/admin/packages/enabling-github-packages-with-minio) +* [AUTOTITLE](/admin/configuring-packages/enabling-github-packages-with-aws) +* [AUTOTITLE](/admin/configuring-packages/enabling-github-packages-with-azure-blob-storage) +* [AUTOTITLE](/admin/configuring-packages/enabling-github-packages-with-minio) ## Step 4: Specify the package ecosystems to support on your instance -Choose which package ecosystems you'd like to enable, disable, or set to read-only on {% data variables.location.product_location %}. {% data reusables.package_registry.packages-ghes-supported-registries %} For more information, see [AUTOTITLE](/admin/packages/configuring-package-ecosystem-support-for-your-enterprise). +Choose which package ecosystems you'd like to enable, disable, or set to read-only on {% data variables.location.product_location %}. {% data reusables.package_registry.packages-ghes-supported-registries %} For more information, see [AUTOTITLE](/admin/configuring-packages/configuring-package-ecosystem-support-for-your-enterprise). ## Step 5: Ensure you have a TLS certificate for your package host URL, if needed If subdomain isolation is enabled for {% data variables.location.product_location %}, you will need to create and upload a TLS certificate that allows the package host URL for each ecosystem you want to use, such as `{% data reusables.package_registry.container-registry-hostname %}`. Make sure each package host URL includes `https://`. - You can create the certificate manually, or you can use _Let's Encrypt_. If you already use _Let's Encrypt_, you must request a new TLS certificate after enabling {% data variables.product.prodname_registry %}. For more information about package host URLs, see [AUTOTITLE](/admin/configuration/configuring-network-settings/enabling-subdomain-isolation). For more information about uploading TLS certificates to {% data variables.product.prodname_ghe_server %}, see [AUTOTITLE](/admin/configuration/configuring-network-settings/configuring-tls). + You can create the certificate manually, or you can use _Let's Encrypt_. If you already use _Let's Encrypt_, you must request a new TLS certificate after enabling {% data variables.product.prodname_registry %}. For more information about package host URLs, see [AUTOTITLE](/admin/configuring-settings/hardening-security-for-your-enterprise/enabling-subdomain-isolation). For more information about uploading TLS certificates to {% data variables.product.prodname_ghe_server %}, see [AUTOTITLE](/admin/configuring-settings/hardening-security-for-your-enterprise/configuring-tls). ## Step 6: Check for and rename reserved names If you want to use the Docker ecosystem with subdomain isolation disabled, you **must** first rename any user or organization named `v2` on {% data variables.location.product_location %}, prior to enabling Docker ecosystem support in the {% data variables.enterprise.management_console %}. Docker uses a `v2` account name to manage path conflicts with the Docker API, and once Docker registry support is enabled, you won't be able to use this name anymore. -You can view a full list of logins reserved for internal use by navigating to the "Reserved logins" page in the Site admin dashboard. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/site-admin-dashboard#reserved-logins). +You can view a full list of logins reserved for internal use by navigating to the "Reserved logins" page in the Site admin dashboard. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/about-reserved-usernames-for-github-enterprise-server#viewing-reserved-username). diff --git a/content/admin/configuring-packages/migrating-your-enterprise-to-the-container-registry-from-the-docker-registry.md b/content/admin/configuring-packages/migrating-your-enterprise-to-the-container-registry-from-the-docker-registry.md index 21ee2a06d6e7..c926f1b80f1c 100644 --- a/content/admin/configuring-packages/migrating-your-enterprise-to-the-container-registry-from-the-docker-registry.md +++ b/content/admin/configuring-packages/migrating-your-enterprise-to-the-container-registry-from-the-docker-registry.md @@ -18,7 +18,7 @@ category: {% data reusables.package_registry.container-registry-benefits %} For more information, see [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-container-registry). -For more information about configuring {% data variables.product.prodname_registry %} for {% data variables.location.product_location %}, see [AUTOTITLE](/admin/packages/getting-started-with-github-packages-for-your-enterprise). +For more information about configuring {% data variables.product.prodname_registry %} for {% data variables.location.product_location %}, see [AUTOTITLE](/admin/configuring-packages/getting-started-with-github-packages-for-your-enterprise). ## About migration from the Docker registry @@ -32,7 +32,7 @@ For more information about configuring {% data variables.product.prodname_regist You can start a migration of all your organizations' Docker images to the {% data variables.product.prodname_container_registry %}. The duration of the migration operation depends on the total number of images to migrate, and the overall load on your instance. After a successful migration, {% data variables.product.prodname_ghe_server %} will display a summary, and all future uploads of Docker images will use the {% data variables.product.prodname_container_registry %}. -If a site administrator has configured email notifications for {% data variables.location.product_location %}, you will receive an email after the migration is complete. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/configuring-email-for-notifications). +If a site administrator has configured email notifications for {% data variables.location.product_location %}, you will receive an email after the migration is complete. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/configuring-email-for-notifications). ### During the migration diff --git a/content/admin/index.md b/content/admin/index.md index 620260225018..51694b753448 100644 --- a/content/admin/index.md +++ b/content/admin/index.md @@ -92,7 +92,7 @@ versions: ghes: '*' children: - /overview - - concepts + - /concepts - /data-residency - /managing-your-enterprise-account - /installing-your-enterprise-server diff --git a/content/code-security/concepts/supply-chain-security/dependabot-version-updates.md b/content/code-security/concepts/supply-chain-security/dependabot-version-updates.md index ac8bc42a72d8..426ab5bd6803 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-version-updates.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-version-updates.md @@ -47,6 +47,12 @@ For certain package managers, {% data variables.product.prodname_dependabot_vers When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). +{% ifversion dependabot-cooldown-default-days %} + +{% data reusables.dependabot.default-cooldown-period %} This gives new releases time to stabilize before you receive a pull request. You can customize the cooldown periods, and the dependencies they apply to, with the `cooldown` option. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-). + +{% endif %} + If you enable _security updates_, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). ## Updates for actions diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index 8ea62552d109..c94567a4ac79 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md @@ -42,17 +42,17 @@ Some features are _only_ available for public repositories. ### Security policy -Make it easy for your users to confidentially report security vulnerabilities they've found in your repository. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository). +Make it easy for your users to confidentially report security vulnerabilities they've found in your repository. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/add-security-policy). ### Dependency graph The dependency graph allows you to explore the ecosystems and packages that your repository depends on and the repositories and packages that depend on your repository. -You can find the dependency graph on the **Insights** tab for your repository. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). +You can find the dependency graph on the **Insights** tab for your repository. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph). ### Software Bill of Materials (SBOM) -You can export the dependency graph of your repository as an SPDX-compatible, Software Bill of Materials (SBOM). For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository). +You can export the dependency graph of your repository as an SPDX-compatible, Software Bill of Materials (SBOM). For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/export-dependencies-as-sbom). ### {% data variables.product.prodname_advisory_database %} @@ -60,8 +60,8 @@ The {% data variables.product.prodname_advisory_database %} contains a curated l ### {% data variables.product.prodname_dependabot_alerts %} and security updates -View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) -and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). +View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts) +and [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates). You can also use default {% data variables.dependabot.auto_triage_rules %} curated by {% data variables.product.github %} to automatically filter out a substantial amount of false positives. @@ -71,19 +71,19 @@ You can also use default {% data variables.dependabot.auto_triage_rules %} curat #### {% data variables.product.prodname_dependabot_malware_alerts %} -On {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_ghe_server %} 3.22+, you can view alerts for malicious dependencies in your repository. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts). +On {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_ghe_server %} 3.22+, you can view alerts for malicious dependencies in your repository. See [AUTOTITLE](/code-security/concepts/supply-chain-security/malware-alerts). {% endif %} ### {% data variables.product.prodname_dependabot_version_updates %} -Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. You can also customize {% data variables.product.prodname_dependabot_version_updates %} to streamline their integration into your repositories. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). +Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. You can also customize {% data variables.product.prodname_dependabot_version_updates %} to streamline their integration into your repositories. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-version-updates). {% ifversion fpt or ghec %} ### Security advisories -Privately discuss and fix security vulnerabilities in your public repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). +Privately discuss and fix security vulnerabilities in your public repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade. For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories). {% endif %} @@ -95,7 +95,7 @@ Enforce consistent code standards, security, and compliance across branches and ### Artifact attestations -Create unfalsifiable provenance and integrity guarantees for the software you build. For more information, see [AUTOTITLE](/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds). +Create unfalsifiable provenance and integrity guarantees for the software you build. For more information, see [AUTOTITLE](/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). {% ifversion fpt %} @@ -104,13 +104,13 @@ Create unfalsifiable provenance and integrity guarantees for the software you bu ### {% data variables.secret-scanning.partner_alerts_caps %} -When {% data variables.product.github %} detects a leaked secret in a public repository, or a public npm packages, {% data variables.product.github %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). +When {% data variables.product.github %} detects a leaked secret in a public repository, or a public npm packages, {% data variables.product.github %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-provider-patterns). {% ifversion secret-scanning-push-protection-for-users %} ### Push protection for users -Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users). +Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/prevent-future-leaks/manage-user-push-protection). {% endif %} @@ -130,7 +130,7 @@ For information about how you can try {% data variables.product.prodname_GH_secr ### {% data variables.secret-scanning.user_alerts_caps %} -Automatically detect hardcoded credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.github %} finds in your code, in the **{% data variables.product.prodname_security_and_quality_tab %}** tab of your repository, so you can respond to credential leaks quickly. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning). +Automatically detect hardcoded credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.github %} finds in your code, in the **{% data variables.product.prodname_security_and_quality_tab %}** tab of your repository, so you can respond to credential leaks quickly. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/secret-scanning). {% data reusables.advanced-security.available-for-public-repos %} @@ -138,13 +138,13 @@ Automatically detect hardcoded credentials that have been checked into a reposit ### {% data variables.secret-scanning.ai-detected-secrets-caps %} -{% data variables.secret-scanning.ai-detected-secrets-caps %}'s generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that identifies unstructured secrets (passwords) in your source code and then generates an alert. For more information, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets). +{% data variables.secret-scanning.ai-detected-secrets-caps %}'s generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that identifies unstructured secrets (passwords) in your source code and then generates an alert. For more information, see [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features). {% endif %} ### Push protection -Push protection proactively scans your code, and any repository contributors' code, for hardcoded secrets during the push process and blocks the push if any credential leaks are detected. If a contributor bypasses the block, an alert is generated. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). +Push protection proactively scans your code, and any repository contributors' code, for hardcoded secrets during the push process and blocks the push if any credential leaks are detected. If a contributor bypasses the block, an alert is generated. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection). {% data reusables.advanced-security.available-for-public-repos %} @@ -155,17 +155,17 @@ Delegated bypass for push protection lets you control which individuals, roles, * Are exempt from push protection{% endif %} * Can review bypass requests from other contributors -For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection). +For more information, see [AUTOTITLE](/code-security/concepts/secret-security/delegated-bypass). ### Custom patterns -You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}, such as patterns that are internal to your organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). +You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}, such as patterns that are internal to your organization. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns). ### Security overview -Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview). +Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/security-overview). ## Available with {% data variables.product.prodname_GH_code_security %} @@ -183,13 +183,13 @@ For information about how you can try {% data variables.product.prodname_GH_code ### {% data variables.product.prodname_code_scanning_caps %} -Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch. For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning). +Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch. For more information, see [AUTOTITLE](/code-security/concepts/code-scanning/code-scanning). {% data reusables.advanced-security.available-for-public-repos %} ### {% data variables.product.prodname_codeql_cli %} -Run {% data variables.product.prodname_codeql %} processes locally on software projects or to generate {% data variables.product.prodname_code_scanning %} results for upload to {% data variables.product.github %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli). +Run {% data variables.product.prodname_codeql %} processes locally on software projects or to generate {% data variables.product.prodname_code_scanning %} results for upload to {% data variables.product.github %}. For more information, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/codeql-cli). {% data reusables.advanced-security.available-for-public-repos %} @@ -197,7 +197,7 @@ Run {% data variables.product.prodname_codeql %} processes locally on software p ### {% data variables.copilot.copilot_autofix_short %} -Get automatically generated fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). +Get automatically generated fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features). {% data reusables.advanced-security.available-for-public-repos %} @@ -217,7 +217,7 @@ Find vulnerabilities in languages and frameworks not covered by {% data variable ### Dependency review -Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). +Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review). {% data reusables.advanced-security.available-for-public-repos %} @@ -225,19 +225,19 @@ Show the full impact of changes to dependencies and see details of any vulnerabl ### Security campaigns -Fix security alerts at scale by creating security campaigns and collaborating with developers to reduce your security backlog. For more information, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns). +Fix security alerts at scale by creating security campaigns and collaborating with developers to reduce your security backlog. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/about-security-campaigns). {% endif %} ### Security overview -Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview). +Security overview allows you to review the overall security landscape of your organization, view trends and other insights, and manage security configurations, making it easy to monitor your organization's security status and identify the repositories and organizations at greatest risk. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/security-overview). {% ifversion copilot-chat-ghas-alerts %} ## Leveraging {% data variables.copilot.copilot_chat %} to understand security alerts -With a {% data variables.copilot.copilot_enterprise %} license, you can also ask {% data variables.copilot.copilot_chat %} for help to better understand security alerts in repositories in your organization from {% data variables.product.prodname_GHAS %} features ({% data variables.product.prodname_code_scanning %}, {% data variables.product.prodname_secret_scanning %}, and {% data variables.product.prodname_dependabot_alerts %}). For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). +With a {% data variables.copilot.copilot_enterprise %} license, you can also ask {% data variables.copilot.copilot_chat %} for help to better understand security alerts in repositories in your organization from {% data variables.product.prodname_GHAS %} features ({% data variables.product.prodname_code_scanning %}, {% data variables.product.prodname_secret_scanning %}, and {% data variables.product.prodname_dependabot_alerts %}). For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/chat-with-copilot/chat-in-github). {% endif %} diff --git a/content/code-security/getting-started/quickstart-for-securing-your-repository.md b/content/code-security/getting-started/quickstart-for-securing-your-repository.md index 28bd8e455277..b822bc8c7053 100644 --- a/content/code-security/getting-started/quickstart-for-securing-your-repository.md +++ b/content/code-security/getting-started/quickstart-for-securing-your-repository.md @@ -45,7 +45,7 @@ From the main page of your repository, click **{% octicon "gear" aria-hidden="tr {% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %} -For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). +For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph#enabling-the-dependency-graph-for-a-repository). ## Managing {% data variables.product.prodname_dependabot_alerts %} @@ -65,11 +65,11 @@ For more information, see [AUTOTITLE](/code-security/supply-chain-security/under {% data reusables.dependabot.dependabot-alerts-enterprise-server-repo-org-enablement %} {% endif %} -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts){% ifversion fpt or ghec %} and [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account){% endif %}. +For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts){% ifversion fpt or ghec %} and [AUTOTITLE](/account-and-profile/how-tos/account-settings/managing-security-and-analysis-features){% endif %}. ## Managing dependency review -Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). +Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review). Dependency review is a {% data variables.product.prodname_GH_code_security %} feature. {% ifversion fpt or ghec %}Dependency review is enabled for all repositories with the dependency graph enabled. Organizations that use {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_code_security %} can additionally enable dependency review for private and internal repositories.{% endif %} @@ -89,20 +89,20 @@ For any repository that uses {% data variables.product.prodname_dependabot_alert 1. Click **{% data variables.product.UI_advanced_security %}**. 1. Next to {% data variables.product.prodname_dependabot_security_updates %}, click **Enable**. -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). +For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates). ## Managing {% data variables.product.prodname_dependabot_version_updates %} -You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). +You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-version-updates). {% ifversion dependabot-settings-update-37 %} 1. From the main page of your repository, click **{% octicon "gear" aria-hidden="true" aria-label="gear" %} Settings**. 1. Click **{% data variables.product.UI_advanced_security %}**. 1. Next to {% data variables.product.prodname_dependabot_version_updates %}, click **Enable** to create a basic `dependabot.yml` configuration file. -1. Specify the dependencies to update and any associated configuration options, then commit the file to the repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). +1. Specify the dependencies to update and any associated configuration options, then commit the file to the repository. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates#enabling-dependabot-version-updates). {% else %} -To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a `dependabot.yml` configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). +To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a `dependabot.yml` configuration file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). {% endif %} ## Configuring {% data variables.product.prodname_code_security %} @@ -116,7 +116,7 @@ To enable {% data variables.product.prodname_dependabot_version_updates %}, you {% data variables.product.prodname_GH_code_security %} includes {% data variables.product.prodname_code_scanning %}, {% data variables.product.prodname_codeql_cli %} and {% data variables.copilot.copilot_autofix_short %}, as well as other features that find and fix vulnerabilities in your codebase. -You can configure {% data variables.product.prodname_code_scanning %} to automatically identify vulnerabilities and errors in the code stored in your repository by using a {% data variables.code-scanning.codeql_workflow %} or third-party tool. Depending on the programming languages in your repository, you can configure {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} using default setup, in which {% data variables.product.github %} automatically determines the languages to scan, query suites to run, and events that will trigger a new scan. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). +You can configure {% data variables.product.prodname_code_scanning %} to automatically identify vulnerabilities and errors in the code stored in your repository by using a {% data variables.code-scanning.codeql_workflow %} or third-party tool. Depending on the programming languages in your repository, you can configure {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} using default setup, in which {% data variables.product.github %} automatically determines the languages to scan, query suites to run, and events that will trigger a new scan. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning). 1. From the main page of your repository, click **{% octicon "gear" aria-hidden="true" aria-label="gear" %} Settings**. 1. In the "Security" section of the sidebar, click **{% octicon "shield-lock" aria-hidden="true" aria-label="shield-lock" %} {% data variables.product.UI_advanced_security %}**. @@ -125,7 +125,7 @@ You can configure {% data variables.product.prodname_code_scanning %} to automat 1. In the pop-up window that appears, review the default configuration settings for your repository, then click **Enable {% data variables.product.prodname_codeql %}**.{% ifversion code-scanning-autofix %} 1. Choose whether you want to enable addition features, such as {% data variables.copilot.copilot_autofix_short %} or AI-powered security detections.{% endif %} -As an alternative to default setup, you can use advanced setup, which generates a workflow file you can edit to customize your {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). +As an alternative to default setup, you can use advanced setup, which generates a workflow file you can edit to customize your {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). ## Configuring {% data variables.product.prodname_secret_protection %} @@ -153,15 +153,15 @@ If you are a repository maintainer, it's good practice to specify a security pol 1. Click **Start setup**. 1. Add information about supported versions of your project and how to report vulnerabilities. -For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository). +For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/add-security-policy). ## Next steps -You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts), [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates), [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository), and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). +You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts), [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs), [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/assess-alerts), and [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts). -You can also use {% data variables.product.github %}'s tools to audit responses to security alerts. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). +You can also use {% data variables.product.github %}'s tools to audit responses to security alerts. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/audit-security-alerts). -{% ifversion fpt or ghec %}If you have a security vulnerability in a public repository, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories) and [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). +{% ifversion fpt or ghec %}If you have a security vulnerability in a public repository, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories) and [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/create-repository-advisory). {% endif %} {% data reusables.security-overview.security-information-about-actions %} diff --git a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration.md b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration.md index 8773af92009e..0282adb3df4b 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration.md +++ b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration.md @@ -42,31 +42,31 @@ When creating a security configuration, keep in mind that: 1. In the "{% data variables.product.prodname_security_configurations_caps %}" section, click **New configuration**. 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "{% data variables.product.prodname_security_configurations_caps %}" page, name your configuration and create a description. 1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:{% ifversion secret-scanning-validity-check-partner-patterns %} - * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% ifversion ghes > 3.19 %} - Your site administrator must enable validity checks before you can use this feature. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-secret-scanning-for-your-appliance).{% endif %}{% endif %}{% ifversion fpt or ghec %} - * **Extended metadata**. To learn more about extended metadata checks, see [About extended metadata checks](/code-security/concepts/secret-security/about-validity-checks#about-extended-metadata-checks) and [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#reviewing-extended-metadata-for-a-token). + * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#checking-a-secrets-validity).{% ifversion ghes > 3.19 %} + Your site administrator must enable validity checks before you can use this feature. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configure-secret-scanning).{% endif %}{% endif %}{% ifversion fpt or ghec %} + * **Extended metadata**. To learn more about extended metadata checks, see [About extended metadata checks](/code-security/concepts/secret-security/validity-checks#about-extended-metadata-checks) and [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#reviewing-extended-metadata-for-a-token). > [!NOTE] > You can only enable extended metadata checks if validity checks are enabled.{% endif %} - * **Generic patterns**. To learn more about scanning for generic patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-generic-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% ifversion secret-scanning-ai-generic-secret-detection %} - * **Scan for AI-detected secrets**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% endif %} - * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion push-protection-delegated-bypass-configurations-enterprise %} - * **Bypass privileges**. By assigning bypass privileges{% ifversion push-protection-org-enterprise-exemptions %} or exemptions{% endif %}, selected actors can bypass{% ifversion push-protection-org-enterprise-exemptions %} or skip{% endif %} push protection. There is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% endif %} - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning). + * **Generic patterns**. To learn more about scanning for generic patterns, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-generic-patterns) and [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/viewing-alerts).{% ifversion secret-scanning-ai-generic-secret-detection %} + * **Scan for AI-detected secrets**. To learn more, see [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features).{% endif %} + * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection).{% ifversion push-protection-delegated-bypass-configurations-enterprise %} + * **Bypass privileges**. By assigning bypass privileges{% ifversion push-protection-org-enterprise-exemptions %} or exemptions{% endif %}, selected actors can bypass{% ifversion push-protection-org-enterprise-exemptions %} or skip{% endif %} push protection. There is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/concepts/secret-security/delegated-bypass).{% endif %} + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/enable-delegated-dismissal). 1. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features: - * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). + * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning#configuring-default-setup-for-a-repository). {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %} - * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners). - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning). + * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning#assigning-labels-to-self-hosted-runners). + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/enable-delegated-alert-dismissal). 1. Still under "{% data variables.product.prodname_code_security %}", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features: - * **Dependency graph**. To learn about dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). + * **Dependency graph**. To learn about dependency graph, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph). > [!TIP] - > When both "{% data variables.product.prodname_code_security %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).{%- ifversion maven-transitive-dependencies %} - * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).{%- endif %} - * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). - * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %} - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion dependabot-malware-alerts %} - * **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts).{% endif %}{% ifversion fpt or ghec %} -1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository).{% endif %} + > When both "{% data variables.product.prodname_code_security %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review).{%- ifversion maven-transitive-dependencies %} + * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically).{%- endif %} + * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). + * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %} + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion dependabot-malware-alerts %} + * **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see [AUTOTITLE](/code-security/concepts/supply-chain-security/malware-alerts).{% endif %}{% ifversion fpt or ghec %} +1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configure-for-a-repository).{% endif %} 1. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied: * **Use as default for newly created repositories**. Select the **None** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %} @@ -87,27 +87,27 @@ When creating a security configuration, keep in mind that: 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "New configuration" page, name your configuration and create a description. 1. In the "{% data variables.product.prodname_GHAS %} features" row, choose whether to include or exclude {% data variables.product.prodname_GHAS %} (GHAS) features. 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for the following security features:{% ifversion ghes > 3.16 %} - * **Alerts**. To learn about {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning).{% endif %} {% ifversion secret-scanning-validity-check-partner-patterns %} - * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %} - * **Generic patterns**. To learn more about scanning for generic patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-generic-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% ifversion secret-scanning-ai-generic-secret-detection %} - * **Scan for AI-detected secrets**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% endif %} - * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning). + * **Alerts**. To learn about {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/concepts/secret-security/secret-scanning).{% endif %} {% ifversion secret-scanning-validity-check-partner-patterns %} + * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#checking-a-secrets-validity).{% endif %} + * **Generic patterns**. To learn more about scanning for generic patterns, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-generic-patterns) and [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/viewing-alerts).{% ifversion secret-scanning-ai-generic-secret-detection %} + * **Scan for AI-detected secrets**. To learn more, see [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features).{% endif %} + * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection). + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/enable-delegated-dismissal). 1. In the "{% data variables.product.prodname_code_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. - * **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). + * **Default setup**. To learn more, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning#configuring-default-setup-for-a-repository). {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %} - * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners). - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning). + * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning#assigning-labels-to-self-hosted-runners). + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/enable-delegated-alert-dismissal). 1. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features: - * **Dependency graph**. To learn about dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). + * **Dependency graph**. To learn about dependency graph, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph). > [!TIP] - > When both "{% data variables.product.prodname_GHAS %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).{%- ifversion maven-transitive-dependencies %} - * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).{%- endif %} - * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). - * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %} - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion dependabot-malware-alerts %} - * **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts).{% endif %}{% ifversion fpt or ghec %} -1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository).{% endif %} + > When both "{% data variables.product.prodname_GHAS %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review).{%- ifversion maven-transitive-dependencies %} + * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically).{%- endif %} + * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). + * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %} + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion dependabot-malware-alerts %} + * **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see [AUTOTITLE](/code-security/concepts/supply-chain-security/malware-alerts).{% endif %}{% ifversion fpt or ghec %} +1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configure-for-a-repository).{% endif %} 1. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied: * **Use as default for newly created repositories**. Select the **None** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %} @@ -119,8 +119,8 @@ When creating a security configuration, keep in mind that: ## Next steps -To optionally configure additional {% data variables.product.prodname_secret_scanning %} settings for the enterprise, see [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise). +To optionally configure additional {% data variables.product.prodname_secret_scanning %} settings for the enterprise, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/configure-additional-settings). -To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). +To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). {% data reusables.security-configurations.edit-configuration-next-step %} diff --git a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/enabling-github-advanced-security-for-your-enterprise.md b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/enabling-github-advanced-security-for-your-enterprise.md index 286359f8eb79..1a0d520a333f 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/enabling-github-advanced-security-for-your-enterprise.md +++ b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/enabling-github-advanced-security-for-your-enterprise.md @@ -20,11 +20,11 @@ category: {% data reusables.advanced-security.ghas-helps-developers %} -When you enable {% data variables.product.prodname_GHAS %} for your enterprise, repository administrators in all organizations can enable the features unless you set up a policy to restrict access. See [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). +When you enable {% data variables.product.prodname_GHAS %} for your enterprise, repository administrators in all organizations can enable the features unless you set up a policy to restrict access. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). {% data reusables.secret-scanning.secret-scanning-enterprise-level-api %} -For guidance on a phased deployment of {% data variables.product.prodname_GHAS %}, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale). +For guidance on a phased deployment of {% data variables.product.prodname_GHAS %}, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale). ## Checking whether your license includes {% data variables.product.prodname_AS %} @@ -35,14 +35,14 @@ For guidance on a phased deployment of {% data variables.product.prodname_GHAS % ## Prerequisites for enabling {% data variables.product.prodname_cs_and_sp %} -1. Upgrade your {% data variables.product.prodname_enterprise %} license to include {% data variables.product.prodname_cs_and_sp %}. For information about licensing, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security). -1. Download the new license file. See [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/downloading-your-license-for-github-enterprise). -1. Upload the new license file to {% data variables.product.prodname_ghe_server %}. See [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/uploading-a-new-license-to-github-enterprise-server). +1. Upgrade your {% data variables.product.prodname_enterprise %} license to include {% data variables.product.prodname_cs_and_sp %}. For information about licensing, see [AUTOTITLE](/billing/concepts/product-billing/github-advanced-security). +1. Download the new license file. See [AUTOTITLE](/billing/how-tos/manage-server-licenses/download-your-license). +1. Upload the new license file to {% data variables.product.prodname_ghe_server %}. See [AUTOTITLE](/billing/how-tos/manage-server-licenses/upload-new-license). 1. Review the prerequisites for the features you plan to enable. - * {% data variables.product.prodname_code_scanning_caps %}, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#prerequisites-for-code-scanning). - * {% data variables.product.prodname_secret_scanning_caps %}, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance#prerequisites-for-secret-scanning). - * {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). + * {% data variables.product.prodname_code_scanning_caps %}, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-code-scanning-for-your-appliance#prerequisites-for-code-scanning). + * {% data variables.product.prodname_secret_scanning_caps %}, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configure-secret-scanning#prerequisites-for-secret-scanning). + * {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise). ## Enabling and disabling {% data variables.product.prodname_AS %} features @@ -54,11 +54,11 @@ For guidance on a phased deployment of {% data variables.product.prodname_GHAS % 1. Under "Security," select the features that you want to enable and deselect any features you want to disable. {% data reusables.enterprise_management_console.save-settings %} -When {% data variables.product.prodname_ghe_server %} has finished restarting, you're ready to set up any additional resources required for newly enabled features. See [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance). +When {% data variables.product.prodname_ghe_server %} has finished restarting, you're ready to set up any additional resources required for newly enabled features. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-code-scanning-for-your-appliance). ## Enabling or disabling {% data variables.product.prodname_AS %} features via the administrative shell (SSH) -You can enable or disable features programmatically on {% data variables.product.prodname_ghe_server %}. For more information about the administrative shell and command-line utilities for {% data variables.product.prodname_ghe_server %}, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh) and [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-config). +You can enable or disable features programmatically on {% data variables.product.prodname_ghe_server %}. For more information about the administrative shell and command-line utilities for {% data variables.product.prodname_ghe_server %}, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh) and [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-config). For example, you can enable any {% data variables.product.prodname_AS %} feature with your infrastructure-as-code tooling when you deploy an instance for staging or disaster recovery. @@ -108,7 +108,7 @@ For example, you can enable any {% data variables.product.prodname_AS %} feature ghe-config app.code-scanning.enabled false ``` - * Optionally, if you disable {% data variables.product.prodname_code_scanning %}, you can also disable the internal MinIO service for {% data variables.product.prodname_AS %}. If {% data variables.product.prodname_dependabot_updates %} are enabled for the instance and you want to disable this service, you must also disable {% data variables.product.prodname_dependabot_updates %}. Disabling the service does not affect MinIO storage for {% data variables.product.prodname_actions %} or {% data variables.product.prodname_registry %}. For more information about {% data variables.product.prodname_dependabot_updates %}, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). + * Optionally, if you disable {% data variables.product.prodname_code_scanning %}, you can also disable the internal MinIO service for {% data variables.product.prodname_AS %}. If {% data variables.product.prodname_dependabot_updates %} are enabled for the instance and you want to disable this service, you must also disable {% data variables.product.prodname_dependabot_updates %}. Disabling the service does not affect MinIO storage for {% data variables.product.prodname_actions %} or {% data variables.product.prodname_registry %}. For more information about {% data variables.product.prodname_dependabot_updates %}, see [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise). * To disable {% data variables.product.prodname_dependabot_updates %}, enter the following command. diff --git a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/delete-custom-configuration.md b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/delete-custom-configuration.md index f383b4abf929..a47a6c69658f 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/delete-custom-configuration.md +++ b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/delete-custom-configuration.md @@ -15,7 +15,7 @@ category: ## About deleting a {% data variables.product.prodname_custom_security_configuration %} -If you no longer need a {% data variables.product.prodname_custom_security_configuration %}, you can delete that configuration to ensure it will not be applied to any repositories in the future. If you want to delete a {% data variables.product.prodname_custom_security_configuration %} because you want to change the security enablement settings in that configuration, consider editing the configuration instead. For more information, see [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/editing-a-custom-security-configuration). +If you no longer need a {% data variables.product.prodname_custom_security_configuration %}, you can delete that configuration to ensure it will not be applied to any repositories in the future. If you want to delete a {% data variables.product.prodname_custom_security_configuration %} because you want to change the security enablement settings in that configuration, consider editing the configuration instead. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/edit-custom-configuration). > [!WARNING] > Deleting a {% data variables.product.prodname_custom_security_configuration %} will detach all repositories that are linked to that configuration. The existing security settings for those repositories will be unchanged, but you must apply a different {% data variables.product.prodname_security_configuration %} or manage their security settings at the repository level to keep their settings up to date. diff --git a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/enabling-public-monitoring-for-your-enterprise.md b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/enabling-public-monitoring-for-your-enterprise.md index d81786824c59..b961bbe85e17 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/enabling-public-monitoring-for-your-enterprise.md +++ b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/enabling-public-monitoring-for-your-enterprise.md @@ -17,7 +17,7 @@ category: Before enabling public monitoring, ensure your enterprise has: * {% data variables.product.prodname_GH_advanced_security %} or {% data variables.product.prodname_GH_secret_protection %} enabled -* While not necessary, we recommend having at one verified domain configured (see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)) in order to get the full value for the feature. +* While not necessary, we recommend having at one verified domain configured (see [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)) in order to get the full value for the feature. ## Enabling public monitoring diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/assess-your-vulnerability-risk.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/assess-your-vulnerability-risk.md index 0de5a49c1935..db3511fd3982 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/assess-your-vulnerability-risk.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/assess-your-vulnerability-risk.md @@ -34,4 +34,4 @@ You can only generate a {% data variables.product.prodname_code_security_risk_as ## Next steps -Now that you've generated a {% data variables.product.prodname_code_security_risk_assessment %} report for your organization, learn how to interpret the results. See [AUTOTITLE](/code-security/tutorials/secure-your-organization/interpreting-code-security-risk-assessment-results). +Now that you've generated a {% data variables.product.prodname_code_security_risk_assessment %} report for your organization, learn how to interpret the results. See [AUTOTITLE](/code-security/tutorials/secure-your-organization/interpret-code-security-risk-assessment). diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/code-scanning-at-scale.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/code-scanning-at-scale.md index 5109eb8072b5..9fbd7ed8ef8e 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/code-scanning-at-scale.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/code-scanning-at-scale.md @@ -31,21 +31,21 @@ A repository must meet all the following criteria to be eligible for default set ## Configuring default setup for all eligible repositories in an organization -You can enable default setup for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). +You can enable default setup for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/organization-security). ### Configuring default setup features -Through your organization's security settings page, you can customize default setup for all eligible repositories, such as extending coverage using model packs. See [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup). +Through your organization's security settings page, you can customize default setup for all eligible repositories, such as extending coverage using model packs. See [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/edit-default-setup). ## Configuring default setup for a subset of repositories in an organization -You can filter for specific repositories you would like to configure default setup for. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). +You can filter for specific repositories you would like to configure default setup for. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). {% ifversion org-private-registry %} ## Providing default setup access to private registries -When a repository uses code stored in a private registry, default setup needs access to the registry to work effectively. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). +When a repository uses code stored in a private registry, default setup needs access to the registry to work effectively. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). {% endif %} @@ -57,6 +57,6 @@ You can use rulesets to prevent pull requests from being merged when one of the {% data reusables.code-scanning.merge-protection-rulesets-conditions %} -For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection#creating-a-merge-protection-ruleset-for-all-repositories-in-an-organization). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). +For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/set-merge-protection#creating-a-merge-protection-ruleset-for-all-repositories-in-an-organization). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). {% endif %} diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md index aae20bfc71b6..fe2712e80e6b 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md @@ -24,7 +24,7 @@ For repositories that are not eligible for default setup, you can use a bulk con > [!NOTE] To successfully execute the script, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec %}organization or enterprise{% elsif ghes %}instance{% endif %}. 1. Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment. -1. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). +1. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). 1. Use one of the example scripts or create a custom script to add the workflow to each repository in the group. * GitHub CLI extension: [`advanced-security/gh-add-files`](https://github.com/advanced-security/gh-add-files?ref_product=code-scanning&ref_type=engagement&ref_style=text) * Python example: [`Malwarebytes/ghas-cli`](https://github.com/Malwarebytes/ghas-cli?ref_product=code-scanning&ref_type=engagement&ref_style=text) repository @@ -35,4 +35,4 @@ For repositories that are not eligible for default setup, you can use a bulk con {% data reusables.code-scanning.beta-model-packs %} -If your codebase depends on a library or framework that is not recognized by the standard queries in {% data variables.product.prodname_codeql %}, you can extend the {% data variables.product.prodname_codeql %} coverage in your bulk configuration script by specifying published {% data variables.product.prodname_codeql %} model packs. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#codeql-model-packs). +If your codebase depends on a library or framework that is not recognized by the standard queries in {% data variables.product.prodname_codeql %}, you can extend the {% data variables.product.prodname_codeql %} coverage in your bulk configuration script by specifying published {% data variables.product.prodname_codeql %} model packs. For more information, see [AUTOTITLE](/code-security/reference/code-scanning/workflow-configuration-options#codeql-model-packs). diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/enforce-dependency-review.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/enforce-dependency-review.md index 3d7636208bc9..97148e1798c9 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/enforce-dependency-review.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/enforce-dependency-review.md @@ -15,11 +15,11 @@ category: - Secure at scale --- -You can enforce the use of the {% data variables.dependency-review.action_name %} in your organization by setting up a repository ruleset that will require a workflow that runs dependency review to pass before pull requests can be merged. For more information about the action, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependency-review#about-the-dependency-review-action). +You can enforce the use of the {% data variables.dependency-review.action_name %} in your organization by setting up a repository ruleset that will require a workflow that runs dependency review to pass before pull requests can be merged. For more information about the action, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review#about-the-dependency-review-action). ## Prerequisites -You need to add the {% data variables.dependency-review.action_name %} to one of the repositories in your organization, and configure the action. For more information, see [Configuring the dependency review action](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action). +You need to add the {% data variables.dependency-review.action_name %} to one of the repositories in your organization, and configure the action. For more information, see [Configuring the dependency review action](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependency-review-action). ## Enforcing dependency review for your organization diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/estimate-price.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/estimate-price.md index 6f65714fd182..d00e144c15c0 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/estimate-price.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/estimate-price.md @@ -19,11 +19,11 @@ category: You can use the {% data variables.secret-scanning.pricing-calculator %} on the secret risk assessment page to estimate the monthly cost of {% data variables.product.prodname_GH_secret_protection %} for your organization. This tool allows you to preview costs based on your current repositories and active committers, so you can plan for purchase or rollout decisions. -For more information about {% data variables.product.prodname_secret_protection %}, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection). +For more information about {% data variables.product.prodname_secret_protection %}, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/protect-your-secrets). ## Prerequisites -You need to have generated a secret risk assessment for your organization. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization). +You need to have generated a secret risk assessment for your organization. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/viewing-your-security-risk-assessment-reports). ## Estimating the price of {% data variables.product.prodname_secret_protection %} diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/protect-your-secrets.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/protect-your-secrets.md index 1fffeca83db4..b676ac337a00 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/protect-your-secrets.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/protect-your-secrets.md @@ -18,8 +18,8 @@ category: Before you configure {% data variables.product.prodname_GH_secret_protection %}: -* Run the free {% data variables.product.prodname_secret_risk_assessment %} to inform your enablement strategy. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/assess-your-secret-risk). -* Review best practices for choosing pilot repositories. See [AUTOTITLE](/code-security/concepts/security-at-scale/best-practices-for-selecting-pilot-repositories). +* Run the free {% data variables.product.prodname_secret_risk_assessment %} to inform your enablement strategy. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/assess-your-secret-risk). +* Review best practices for choosing pilot repositories. See [AUTOTITLE](/code-security/concepts/security-at-scale/select-pilot-repositories). ## Configuring {% data variables.product.prodname_GH_secret_protection %} @@ -30,7 +30,7 @@ Before you configure {% data variables.product.prodname_GH_secret_protection %}: * **For public repositories for free**: Click to enable for _only_ public repositories in your organization. * **For all repositories**: Click to see an estimated cost for {% data variables.product.prodname_GH_secret_protection %} for all repositories in your organization. * If you are satisfied with the pricing estimate, to enable {% data variables.product.prodname_secret_scanning %} alerts and push protection across your organization, click **Enable {% data variables.product.prodname_secret_protection %}**. - * Alternatively, click **Configure in settings** to customize which repositories you want to enable {% data variables.product.prodname_secret_protection %} for. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). + * Alternatively, click **Configure in settings** to customize which repositories you want to enable {% data variables.product.prodname_secret_protection %} for. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration). {% ifversion secret-scanning-public-monitoring %} diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration.md index 912857c2def4..238af283b42f 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration.md @@ -16,7 +16,7 @@ category: - Secure at scale --- -To learn how to create a {% data variables.product.prodname_custom_security_configuration %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). +To learn how to create a {% data variables.product.prodname_custom_security_configuration %}, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration). ## Applying your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization @@ -24,7 +24,7 @@ To learn how to create a {% data variables.product.prodname_custom_security_conf {% data reusables.organizations.org_settings %} {% data reusables.security-configurations.view-configurations-page %} 1. Click the **Repositories** tab. -1. Optionally, in the "Apply configurations" section, filter for specific repositories you would like to apply your {% data variables.product.prodname_custom_security_configuration %} to. To learn how to filter the repository table, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table). +1. Optionally, in the "Apply configurations" section, filter for specific repositories you would like to apply your {% data variables.product.prodname_custom_security_configuration %} to. To learn how to filter the repository table, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/filter-repositories). {% data reusables.security-configurations.select-repos %} 1. Select the **Apply configuration** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **YOUR-CONFIGURATION-NAME**. @@ -35,4 +35,4 @@ To learn how to create a {% data variables.product.prodname_custom_security_conf >[!NOTE] > If you apply an enforced configuration, this information is reported in the list of repositories. An enforced configuration means that repository owners are blocked from changing features that have been enabled or disabled in the configuration, but features that are not set aren't enforced. -After you apply a configuration, each repository's configuration status reflects the result of the operation—for example, `attached`, `attaching`, or `failed`. For the full list of statuses and recommended actions, see [AUTOTITLE](/code-security/reference/security-at-scale/security-configuration-statuses). +After you apply a configuration, each repository's configuration status reflects the result of the operation—for example, `attached`, `attaching`, or `failed`. For the full list of statuses and recommended actions, see [AUTOTITLE](/code-security/reference/security-at-scale/configuration-statuses). diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings.md index 1db1a2d63ee6..f4faffd6ca03 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings.md @@ -38,11 +38,11 @@ You can create and manage {% data variables.dependabot.auto_triage_rules %} to i * You can create a new rule by clicking **New rule**, then entering the details for your rule and clicking **Create rule**. * You can edit an existing rule by clicking {% octicon "pencil" aria-label="Edit CURATED-OR-CUSTOM rule" %}, then making the desired changes and clicking **Save rule**. -For more information on {% data variables.dependabot.auto_triage_rules %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-auto-triage-rules-to-prioritize-dependabot-alerts#adding-custom-auto-triage-rules-to-your-organization). +For more information on {% data variables.dependabot.auto_triage_rules %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/auto-triage-dependabot-alerts#adding-custom-auto-triage-rules-to-your-organization). ### Grouping {% data variables.product.prodname_dependabot_security_updates %} -{% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request). +{% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request). {% ifversion dependabot-on-actions-opt-in %} @@ -52,7 +52,7 @@ If both {% data variables.product.prodname_dependabot %} and {% data variables.p Otherwise, to allow {% data variables.product.prodname_dependabot %} to use {% data variables.product.prodname_actions %} runners to perform dependency updates for all existing repositories in the organization, select "{% data variables.product.prodname_dependabot %} on Actions runners". -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). +For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-on-actions). {% endif %} @@ -81,7 +81,7 @@ To configure the runner type: {% ifversion dependabot-on-actions-self-hosted %} -For more information about configuring self-hosted runners for {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners). +For more information about configuring self-hosted runners for {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners). {% endif %} @@ -124,7 +124,7 @@ You can customize several {% data variables.product.prodname_global_settings %} ### Enabling {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_codeql %} -You can select **{% data variables.copilot.copilot_autofix_short %}** to enable {% data variables.copilot.copilot_autofix_short %} for all the repositories in your organization that use {% data variables.product.prodname_codeql %} default setup or {% data variables.product.prodname_codeql %} advanced setup. {% data variables.copilot.copilot_autofix_short %} is an expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). +You can select **{% data variables.copilot.copilot_autofix_short %}** to enable {% data variables.copilot.copilot_autofix_short %} for all the repositories in your organization that use {% data variables.product.prodname_codeql %} default setup or {% data variables.product.prodname_codeql %} advanced setup. {% data variables.copilot.copilot_autofix_short %} is an expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features). {% endif %} @@ -138,7 +138,7 @@ You can select **AI-powered security detections** to enable AI-powered security ### Expanding {% data variables.product.prodname_codeql %} analysis -You can expand {% data variables.product.prodname_codeql %} analysis coverage for all repositories in your organization that use default setup by configuring {% data variables.product.prodname_codeql %} model packs. Model packs extend the {% data variables.product.prodname_codeql %} analysis to recognize additional frameworks and libraries that are not included in the standard {% data variables.product.prodname_codeql %} libraries. This global configuration applies to repositories using default setup and allows you to specify model packs published via the container registry. For more information, see [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization). +You can expand {% data variables.product.prodname_codeql %} analysis coverage for all repositories in your organization that use default setup by configuring {% data variables.product.prodname_codeql %} model packs. Model packs extend the {% data variables.product.prodname_codeql %} analysis to recognize additional frameworks and libraries that are not included in the standard {% data variables.product.prodname_codeql %} libraries. This global configuration applies to repositories using default setup and allows you to specify model packs published via the container registry. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/edit-default-setup#extending-coverage-for-all-repositories-in-an-organization). {% ifversion code-scanning-inactive-repos %} @@ -164,7 +164,7 @@ To provide context for developers when {% data variables.product.prodname_secret ### Defining custom patterns -You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/defining-custom-patterns-for-secret-scanning). +You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns). {% ifversion push-protected-pattern-configuration %} @@ -179,7 +179,7 @@ You can customize which secret patterns are included in push protection, giving {% data reusables.secret-scanning.pattern-enablement-org-enterprise %} -For more information on how to read data on the {% data variables.product.prodname_secret_scanning %} pattern configuration page, see [AUTOTITLE](/code-security/reference/secret-security/secret-scanning-pattern-configuration-data). +For more information on how to read data on the {% data variables.product.prodname_secret_scanning %} pattern configuration page, see [AUTOTITLE](/code-security/reference/secret-security/secret-pattern-data). {% endif %} diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration.md index 1e2d852329e6..9144a1d235aa 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration.md @@ -50,31 +50,31 @@ When creating a security configuration, keep in mind that: 1. To configure groups of security features for your repositories, click **Custom configuration**. 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "{% data variables.product.prodname_security_configurations_caps %}" page, name your configuration and create a description. 1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:{% ifversion secret-scanning-validity-check-partner-patterns %} - * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% ifversion ghes > 3.19 %} - Your site administrator must enable validity checks before you can use this feature. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-secret-scanning-for-your-appliance).{% endif %}{% endif %}{% ifversion fpt or ghec %} - * **Extended metadata**. To learn more about extended metadata checks, see [About extended metadata checks](/code-security/concepts/secret-security/about-validity-checks#about-extended-metadata-checks) and [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#reviewing-extended-metadata-for-a-token). + * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#checking-a-secrets-validity).{% ifversion ghes > 3.19 %} + Your site administrator must enable validity checks before you can use this feature. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configure-secret-scanning).{% endif %}{% endif %}{% ifversion fpt or ghec %} + * **Extended metadata**. To learn more about extended metadata checks, see [About extended metadata checks](/code-security/concepts/secret-security/validity-checks#about-extended-metadata-checks) and [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#reviewing-extended-metadata-for-a-token). > [!NOTE] > You can only enable extended metadata checks if validity checks are enabled.{% endif %} - * **Generic patterns**. To learn more about scanning for generic patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-generic-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% ifversion secret-scanning-ai-generic-secret-detection %} - * **Scan for AI-detected secrets**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% endif %} - * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). - * **Bypass privileges**. By assigning bypass privileges{% ifversion push-protection-org-enterprise-exemptions %} or exemptions{% endif %}, selected actors can bypass{% ifversion push-protection-org-enterprise-exemptions %} or skip{% endif %} push protection. There is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection). - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning). + * **Generic patterns**. To learn more about scanning for generic patterns, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-generic-patterns) and [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/viewing-alerts).{% ifversion secret-scanning-ai-generic-secret-detection %} + * **Scan for AI-detected secrets**. To learn more, see [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features).{% endif %} + * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection). + * **Bypass privileges**. By assigning bypass privileges{% ifversion push-protection-org-enterprise-exemptions %} or exemptions{% endif %}, selected actors can bypass{% ifversion push-protection-org-enterprise-exemptions %} or skip{% endif %} push protection. There is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/concepts/secret-security/delegated-bypass). + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/enable-delegated-dismissal). 1. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features: - * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). + * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning#configuring-default-setup-for-a-repository). {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %} - * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners). - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning). + * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning#assigning-labels-to-self-hosted-runners). + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/enable-delegated-alert-dismissal). 1. Still under "{% data variables.product.prodname_code_security %}", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features: - * **Dependency graph**. To learn about dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). + * **Dependency graph**. To learn about dependency graph, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph). > [!TIP] - > When both "{% data variables.product.prodname_code_security %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).{%- ifversion maven-transitive-dependencies %} - * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).{%- endif %} - * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). - * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %} - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion dependabot-malware-alerts %} - * **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts).{% endif %}{% ifversion fpt or ghec %} -1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository).{% endif %} + > When both "{% data variables.product.prodname_code_security %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review).{%- ifversion maven-transitive-dependencies %} + * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically).{%- endif %} + * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). + * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %} + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion dependabot-malware-alerts %} + * **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see [AUTOTITLE](/code-security/concepts/supply-chain-security/malware-alerts).{% endif %}{% ifversion fpt or ghec %} +1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configure-for-a-repository).{% endif %} 1. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied: * **Use as default for newly created repositories**. Select the **None** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %} @@ -95,28 +95,28 @@ When creating a security configuration, keep in mind that: 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "New configuration" page, name your configuration and create a description. 1. In the "{% data variables.product.prodname_GHAS %} features" row, choose whether to include or exclude {% data variables.product.prodname_GHAS %} (GHAS) features. 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for the following security features:{% ifversion ghes %} - * **Alerts**. To learn about {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning).{% endif %} {% ifversion secret-scanning-validity-check-partner-patterns %} - * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %} - * **Generic patterns**. To learn more about scanning for generic patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-generic-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% ifversion secret-scanning-ai-generic-secret-detection %} - * **Scan for AI-detected secrets**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% endif %} - * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). - * **Bypass privileges**. By assigning bypass privileges{% ifversion push-protection-org-enterprise-exemptions %} or exemptions{% endif %}, selected actors can bypass{% ifversion push-protection-org-enterprise-exemptions %} or skip{% endif %} push protection. There is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection). - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning). + * **Alerts**. To learn about {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/concepts/secret-security/secret-scanning).{% endif %} {% ifversion secret-scanning-validity-check-partner-patterns %} + * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#checking-a-secrets-validity).{% endif %} + * **Generic patterns**. To learn more about scanning for generic patterns, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-generic-patterns) and [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/viewing-alerts).{% ifversion secret-scanning-ai-generic-secret-detection %} + * **Scan for AI-detected secrets**. To learn more, see [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features).{% endif %} + * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection). + * **Bypass privileges**. By assigning bypass privileges{% ifversion push-protection-org-enterprise-exemptions %} or exemptions{% endif %}, selected actors can bypass{% ifversion push-protection-org-enterprise-exemptions %} or skip{% endif %} push protection. There is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/concepts/secret-security/delegated-bypass). + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/enable-delegated-dismissal). 1. In the "{% data variables.product.prodname_code_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. - * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). + * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning#configuring-default-setup-for-a-repository). {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %} - * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners). - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning). + * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning#assigning-labels-to-self-hosted-runners). + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/enable-delegated-alert-dismissal). 1. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features: - * **Dependency graph**. To learn about dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). + * **Dependency graph**. To learn about dependency graph, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph). > [!TIP] - > When both "{% data variables.product.prodname_GHAS %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).{%- ifversion maven-transitive-dependencies %} - * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).{%- endif %} - * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). - * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %} - * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion dependabot-malware-alerts %} - * **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts).{% endif %}{% ifversion fpt or ghec %} -1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository).{% endif %} + > When both "{% data variables.product.prodname_GHAS %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review).{%- ifversion maven-transitive-dependencies %} + * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically).{%- endif %} + * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). + * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %} + * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion dependabot-malware-alerts %} + * **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see [AUTOTITLE](/code-security/concepts/supply-chain-security/malware-alerts).{% endif %}{% ifversion fpt or ghec %} +1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configure-for-a-repository).{% endif %} 1. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied: * **Use as default for newly created repositories**. Select the **None** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %} @@ -126,6 +126,6 @@ When creating a security configuration, keep in mind that: ## Next steps -To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). +To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). {% data reusables.security-configurations.edit-configuration-next-step %} diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md index a67f3f5dde82..6cead7fd3caa 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md @@ -61,7 +61,7 @@ When you enable {% data variables.product.prodname_code_scanning %} default setu When configuring private registries for the first time, you need to disable and re-enable {% data variables.product.prodname_code_scanning %} default setup for any repositories that you want to use the new definition. New or modified configurations will be automatically picked up on subsequent runs. -For languages supporting private package registries, {% data variables.product.prodname_code_scanning %} default setup will produce information on the {% data variables.code-scanning.tool_status_page %}. This shows you which private registry configurations were available to an analysis, but not whether {% data variables.product.prodname_code_scanning %} default setup was able to successfully download private dependencies from them. For more information about the {% data variables.code-scanning.tool_status_page %}, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page). +For languages supporting private package registries, {% data variables.product.prodname_code_scanning %} default setup will produce information on the {% data variables.code-scanning.tool_status_page %}. This shows you which private registry configurations were available to an analysis, but not whether {% data variables.product.prodname_code_scanning %} default setup was able to successfully download private dependencies from them. For more information about the {% data variables.code-scanning.tool_status_page %}, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/use-the-tools-status-page-for-code-scanning). Alternatively, you can confirm whether private registries were used successfully by {% data variables.product.prodname_code_scanning %} analysis by looking in the Actions log files, see [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs#diagnostic-information-for-private-package-registries). @@ -71,7 +71,7 @@ Alternatively, you can confirm whether private registries were used successfully For compiled languages, the `codeql-action` must observe a build of the code. You can either revise your existing build workflow to also run the `codeql-action` or create a new workflow that builds the production version of the code and also runs the `codeql-action`. -Any private registries used by the build must also be accessible to the workflow that runs the `codeql-action`. For more information on advanced setup, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). +Any private registries used by the build must also be accessible to the workflow that runs the `codeql-action`. For more information on advanced setup, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). ## {% data variables.product.prodname_dependabot %} updates access to private registries @@ -79,7 +79,7 @@ Any private registries used by the build must also be accessible to the workflow {% data variables.product.prodname_dependabot %} cannot check for security or version updates for code stored in a private registry unless it can access the registry. If you do not configure access to the private registry, then {% data variables.product.prodname_dependabot %} cannot raise pull requests to update any of the dependencies stored in the registry. -When you configure access to one or more private registries, {% data variables.product.prodname_dependabot %} can propose pull requests to upgrade a vulnerable dependency or to maintain a dependency, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). +When you configure access to one or more private registries, {% data variables.product.prodname_dependabot %} can propose pull requests to upgrade a vulnerable dependency or to maintain a dependency, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-private-registries). {% ifversion org-automatic-registry-access %} @@ -91,7 +91,7 @@ For packages stored in {% data variables.product.prodname_registry %} and {% dat To enable this, grant the repository **Read** access to each package in the package settings. Once access is granted, {% data variables.product.prodname_dependabot %} can pull from those packages automatically, and you can remove any {% data variables.product.pat_generic %}-based registry entries you previously configured for them. -See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#configuring-private-github-hosted-registries). +See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#configuring-private-github-hosted-registries). {% endif %} {% ifversion org-private-registry-oidc %} diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/managing-your-github-advanced-security-license-usage.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/managing-your-github-advanced-security-license-usage.md index b7fce3b46aa7..780d8cb1985b 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/managing-your-github-advanced-security-license-usage.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/managing-your-github-advanced-security-license-usage.md @@ -30,12 +30,12 @@ Before you can effectively manage your paid use of {% data variables.product.pro ![Screenshot of the "Apply configurations" section. The current license use for the enterprise is outlined in dark orange.](/assets/images/help/security-configurations/current-sp-cs-license-usage.png) -1. Optionally, to find specific repositories in your organization, filter the repository table. To learn more, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table). +1. Optionally, to find specific repositories in your organization, filter the repository table. To learn more, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/filter-repositories). {% ifversion ghec %} > [!TIP] -> For information about buying more volume/subscription licenses, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/managing-your-github-advanced-security-licensing). +> For information about buying more volume/subscription licenses, see [AUTOTITLE](/billing/how-tos/products/manage-ghas-licenses). {% endif %} ## Turning off {% data variables.product.prodname_cs_or_sp %} @@ -45,7 +45,7 @@ The simplest way to turn off all {% data variables.product.prodname_cs_or_sp %} > [!TIP] > Ensure that you give your custom configuration a very clear name, for example: "No Code Security" or "Secret Protection and Supply chain only" to avoid confusion. -For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). +For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration) and [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). {% ifversion ghec or ghes %} To prevent future enablement of security features, we recommend you ask your enterprise administrator to set the enterprise account's {% data variables.product.prodname_AS %} policies so that: diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/delete-custom-configuration.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/delete-custom-configuration.md index a396634fcbb0..52252e24c43e 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/delete-custom-configuration.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/delete-custom-configuration.md @@ -17,7 +17,7 @@ category: ## About deleting a {% data variables.product.prodname_custom_security_configuration %} -If you no longer need a {% data variables.product.prodname_custom_security_configuration %}, you can delete that configuration to ensure it will not be applied to any repositories in the future. If you are deleting a {% data variables.product.prodname_custom_security_configuration %} because you want to change the security enablement settings in that configuration, you can instead edit the configuration. For more information, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration). +If you no longer need a {% data variables.product.prodname_custom_security_configuration %}, you can delete that configuration to ensure it will not be applied to any repositories in the future. If you are deleting a {% data variables.product.prodname_custom_security_configuration %} because you want to change the security enablement settings in that configuration, you can instead edit the configuration. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/edit-custom-configuration). > [!WARNING] > Deleting a {% data variables.product.prodname_custom_security_configuration %} will detach all repositories that are linked to that configuration. The existing security settings for those repositories will be unchanged, but you must apply a different {% data variables.product.prodname_security_configuration %} or manage their security settings at the repository level to keep their settings up to date. diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/detach-security-configuration.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/detach-security-configuration.md index 5eaf03ffa12e..23530c70e225 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/detach-security-configuration.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/detach-security-configuration.md @@ -19,21 +19,21 @@ If you decide that the security needs of a repository are too specific for a {% Detaching a repository from a {% data variables.product.prodname_security_configuration %} will not change the existing security enablement settings for that repository. -Alternatively, if you want to apply a {% data variables.product.prodname_security_configuration %} to a repository that's already attached to a different configuration, you can apply the configuration as normal, and you do not need to detach the current configuration. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). +Alternatively, if you want to apply a {% data variables.product.prodname_security_configuration %} to a repository that's already attached to a different configuration, you can apply the configuration as normal, and you do not need to detach the current configuration. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). ## Detaching repositories from linked {% data variables.product.prodname_security_configurations %} -Detached repositories show a status of "No configuration" in the repository table on the {% data variables.product.prodname_security_configurations %} settings page. For more information about all configuration statuses, see [AUTOTITLE](/code-security/reference/security-at-scale/security-configuration-statuses). +Detached repositories show a status of "No configuration" in the repository table on the {% data variables.product.prodname_security_configurations %} settings page. For more information about all configuration statuses, see [AUTOTITLE](/code-security/reference/security-at-scale/configuration-statuses). {% data reusables.profile.access_org %} {% data reusables.organizations.org_settings %} {% data reusables.security-configurations.view-configurations-page %} 1. Click the **Repositories** tab. -1. Optionally, in the "Apply configurations" section, filter for specific repositories you would like to detach from their configurations. To learn more, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/filtering-repositories-in-your-organization-using-the-repository-table). +1. Optionally, in the "Apply configurations" section, filter for specific repositories you would like to detach from their configurations. To learn more, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/filter-repositories). {% data reusables.security-configurations.select-repos %} 1. Select the **Apply configuration** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **No configuration**. 1. To finish detaching your repositories from their linked {% data variables.product.prodname_security_configurations %}, in the "No configuration?" window, click **No configuration**. ## Next steps -You can now manage security enablement settings at the repository level. For an introduction, see [AUTOTITLE](/code-security/getting-started/securing-your-repository). +You can now manage security enablement settings at the repository level. For an introduction, see [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-repository). diff --git a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns.md b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns.md index 1c2db26ff50f..e53c6025360f 100644 --- a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns.md +++ b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns.md @@ -29,7 +29,7 @@ You can use AI to generate regular expressions based on a text description of th ## Defining a custom pattern for a repository -Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_protection %} is enabled on your repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository). +Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_protection %} is enabled on your repository. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enable-secret-scanning). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} @@ -39,16 +39,16 @@ Before defining a custom pattern, you must ensure that {% data variables.product 1. When you're ready to test your new custom pattern, to identify matches in the repository without creating alerts, click **Save and dry run**. {% data reusables.advanced-security.secret-scanning-dry-run-results %} {% data reusables.advanced-security.secret-scanning-create-custom-pattern %} -1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning). +1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection). > [!NOTE] > The "Enable" button isn't available until after the dry run succeeds and you publish the pattern. -After your pattern is created, {% data reusables.secret-scanning.secret-scanning-process %} For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). +After your pattern is created, {% data reusables.secret-scanning.secret-scanning-process %} For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts). ## Defining a custom pattern for an organization -Before defining a custom pattern, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. You can use {% data variables.product.prodname_security_configurations %} to enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). +Before defining a custom pattern, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. You can use {% data variables.product.prodname_security_configurations %} to enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/organization-security). {% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} @@ -60,17 +60,17 @@ Before defining a custom pattern, you must ensure that you enable {% data variab {% data reusables.advanced-security.secret-scanning-dry-run-select-repos %} {% data reusables.advanced-security.secret-scanning-dry-run-results %} {% data reusables.advanced-security.secret-scanning-create-custom-pattern %} -1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-in-an-organization-for-a-custom-pattern). +1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection#customization). {% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %} -After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). +After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts). ## Defining a custom pattern for an enterprise account {% ifversion ghes %} -Before defining a custom pattern, you must ensure that you enable secret scanning for your enterprise account. For more information, see [AUTOTITLE](/admin/advanced-security/enabling-github-advanced-security-for-your-enterprise). +Before defining a custom pattern, you must ensure that you enable secret scanning for your enterprise account. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/enabling-github-advanced-security-for-your-enterprise). {% endif %} @@ -88,7 +88,7 @@ Before defining a custom pattern, you must ensure that you enable secret scannin {% data reusables.advanced-security.secret-scanning-dry-run-select-enterprise-repos %} {% data reusables.advanced-security.secret-scanning-dry-run-results %} {% data reusables.advanced-security.secret-scanning-create-custom-pattern %} -1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning). +1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection). {% indented_data_reference reusables.secret-scanning.push-protection-enterprise-note spaces=3 %} -After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your organizations with {% data variables.product.prodname_GH_secret_protection %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). +After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your organizations with {% data variables.product.prodname_GH_secret_protection %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts). diff --git a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-metadata-checks.md b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-metadata-checks.md index b139f043ff6c..155221d77f74 100644 --- a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-metadata-checks.md +++ b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-metadata-checks.md @@ -16,13 +16,13 @@ category: {% data reusables.secret-scanning.metadata-checks-public-preview %} -This article shows how you can enable extended metadata checks for individual repositories through repository settings. Alternatively, you can enable them at scale using **security configurations** at the organization or enterprise level. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration) or [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise). +This article shows how you can enable extended metadata checks for individual repositories through repository settings. Alternatively, you can enable them at scale using **security configurations** at the organization or enterprise level. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration) or [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration). {% ifversion secret-scanning-validity-check-partner-patterns %} ## Prerequisites -Before enabling metadata checks, you need to ensure that validity checks are enabled for the repository. See [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository#enabling-validity-checks). +Before enabling metadata checks, you need to ensure that validity checks are enabled for the repository. See [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-validity-checks#enabling-validity-checks). {% endif %} @@ -44,4 +44,4 @@ Before enabling metadata checks, you need to ensure that validity checks are ena ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts) diff --git a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-validity-checks.md b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-validity-checks.md index f0591214935a..b44d6d704b83 100644 --- a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-validity-checks.md +++ b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enable-validity-checks.md @@ -13,13 +13,13 @@ category: - Protect your secrets --- -You can enable validity checks for individual repositories through repository settings. Validity checks verify whether detected secrets are still active, helping you prioritize remediation efforts. For information about what validity checks are and how they work, see [AUTOTITLE](/code-security/concepts/secret-security/about-validity-checks). +You can enable validity checks for individual repositories through repository settings. Validity checks verify whether detected secrets are still active, helping you prioritize remediation efforts. For information about what validity checks are and how they work, see [AUTOTITLE](/code-security/concepts/secret-security/validity-checks). -For a list of which secret patterns support validity checks, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). +For a list of which secret patterns support validity checks, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns). {% ifversion ghes %} -Before you can enable validity checks for your repository, your site administrator must enable the feature for the whole instance. See [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance). +Before you can enable validity checks for your repository, your site administrator must enable the feature for the whole instance. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configure-secret-scanning). {% endif %} @@ -33,8 +33,8 @@ To enable validity checks from the UI: > [!NOTE] > You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see [AUTOTITLE](/rest/repos/repos#update-a-repository). -Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration) and [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise). +Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration) and [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration). ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts) diff --git a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/exclude-folders-and-files.md b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/exclude-folders-and-files.md index 27b86b62f2d5..814b2365ba12 100644 --- a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/exclude-folders-and-files.md +++ b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/exclude-folders-and-files.md @@ -33,7 +33,7 @@ You can configure a `secret_scanning.yml` file to automatically close alerts fou This tells {% data variables.product.prodname_secret_scanning %} to automatically close alerts for everything in the `docs` directory. You can use this example file as a template to add the files and folders you’d like to exclude from your own repositories. - You can also use special characters, such as `*` to filter paths. For more information about filter patterns, see [Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet). + You can also use special characters, such as `*` to filter paths. For more information about filter patterns, see [Workflow syntax for GitHub Actions](/actions/reference/workflows-and-actions/workflow-syntax#filter-pattern-cheat-sheet). ``` yaml copy paths-ignore: diff --git a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/generating-regular-expressions-for-custom-patterns-with-ai.md b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/generating-regular-expressions-for-custom-patterns-with-ai.md index 41cf8435dbab..e974964dd792 100644 --- a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/generating-regular-expressions-for-custom-patterns-with-ai.md +++ b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/generating-regular-expressions-for-custom-patterns-with-ai.md @@ -48,4 +48,4 @@ category: ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator) +* [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features) diff --git a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/manage-custom-patterns.md b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/manage-custom-patterns.md index 04669a1ffaa2..0b901b582f7e 100644 --- a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/manage-custom-patterns.md +++ b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/manage-custom-patterns.md @@ -15,7 +15,7 @@ category: - Protect your secrets --- -Custom patterns are user-defined patterns that you can use to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). +Custom patterns are user-defined patterns that you can use to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns). At the enterprise level, only the creator of a custom pattern can edit the pattern, and use it in a dry run. There are no similar restrictions for editing custom patterns at repository and organization level. @@ -83,7 +83,7 @@ Before enabling push protection for a custom pattern at organization level, you ### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern -Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository). +Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns#defining-a-custom-pattern-for-a-repository). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} diff --git a/content/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enable-secret-scanning.md b/content/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enable-secret-scanning.md index e735f0ab34b0..fff34d016efe 100644 --- a/content/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enable-secret-scanning.md +++ b/content/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enable-secret-scanning.md @@ -25,11 +25,11 @@ category: {% data variables.secret-scanning.user_alerts_caps %} can be enabled for any repository that is owned by an organization{% ifversion secret-scanning-user-owned-repos %}, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}. -If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at a time using {% data variables.product.prodname_security_configurations %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). +If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at a time using {% data variables.product.prodname_security_configurations %}. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/organization-security). {% ifversion security-configuration-enterprise-level %} -If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise). +If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration). {% endif %} @@ -55,5 +55,5 @@ The enablement steps above configure {% data variables.product.prodname_secret_s ## Next steps -* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts) -* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/viewing-alerts) +* [AUTOTITLE](/code-security/concepts/secret-security/about-alerts) diff --git a/content/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enabling-secret-scanning-for-ai-detected-secrets.md b/content/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enabling-secret-scanning-for-ai-detected-secrets.md index 94cfcc86a321..25d89e362c3e 100644 --- a/content/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enabling-secret-scanning-for-ai-detected-secrets.md +++ b/content/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enabling-secret-scanning-for-ai-detected-secrets.md @@ -35,12 +35,12 @@ You can enable {% data variables.secret-scanning.generic-secret-detection %} in You must configure {% data variables.secret-scanning.generic-secret-detection %} for your organization using a {% data variables.product.prodname_custom_security_configuration %}. You can then apply the {% data variables.product.prodname_security_configuration %} to all (or selected) repositories in your organization. -1. Create a new {% data variables.product.prodname_custom_security_configuration %}, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration). +1. Create a new {% data variables.product.prodname_custom_security_configuration %}, or edit an existing one. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration#creating-a-custom-security-configuration). 1. When creating the custom security configuration, ensure that "{% data variables.product.prodname_secret_protection %}" is set to **Enabled**, and that the dropdown menu for "Scan for AI-detected secrets" is also set to **Enabled**. -1. Apply the {% data variables.product.prodname_custom_security_configuration %} to one or more repositories. For more information, see [AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/applying-a-custom-security-configuration). +1. Apply the {% data variables.product.prodname_custom_security_configuration %} to one or more repositories. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). -For information on how to view alerts for generic secrets that have been detected with AI, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts). +For information on how to view alerts for generic secrets that have been detected with AI, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/viewing-alerts). ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets) +* [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features) diff --git a/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enable-delegated-bypass.md b/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enable-delegated-bypass.md index efb5c44771ea..53ca5818931c 100644 --- a/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enable-delegated-bypass.md +++ b/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enable-delegated-bypass.md @@ -15,7 +15,7 @@ category: - Protect your secrets --- -Delegated bypass for push protection lets you define who can push commits containing secrets and adds an approval process for other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection). +Delegated bypass for push protection lets you define who can push commits containing secrets and adds an approval process for other contributors. See [AUTOTITLE](/code-security/concepts/secret-security/delegated-bypass). To enable delegated bypass, create the teams or roles that will manage bypass requests. Alternatively, use fine-grained permissions for more granular control. See [Using fine-grained permissions to control who can review and manage bypass requests](#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests). @@ -38,7 +38,7 @@ To enable delegated bypass, create the teams or roles that will manage bypass re {% data reusables.secret-scanning.push-protection-optional-grant-exemption %} {% data reusables.secret-scanning.push-protection-exemption-warning %} 1. Click **Save configuration**. -1. Apply the security configuration to repositories in your organization. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). +1. Apply the security configuration to repositories in your organization. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). {% ifversion push-protection-delegated-bypass-configurations-enterprise %} @@ -48,14 +48,14 @@ To enable delegated bypass, create the teams or roles that will manage bypass re {% data reusables.secret-scanning.push-protection-optional-grant-exemption %} {% data reusables.secret-scanning.push-protection-exemption-warning %} 1. Click **Save configuration**. -1. Apply the security configuration to organizations and repositories in your enterprise. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/applying-a-custom-security-configuration-to-your-enterprise). +1. Apply the security configuration to organizations and repositories in your enterprise. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/apply-custom-configuration). {% endif %} ## Using fine-grained permissions to control who can review and manage bypass requests You can grant specific individuals or teams in your organization the ability to review and manage bypass requests using fine-grained permissions. -1. Ensure that delegated bypass is enabled for the organization. For more information, follow steps 1-3 in [Enabling delegated bypass for your organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#enabling-delegated-bypass-for-an-organization) and ensure you have saved and applied the security configuration to your selected repositories. +1. Ensure that delegated bypass is enabled for the organization. For more information, follow steps 1-3 in [Enabling delegated bypass for your organization](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enable-delegated-bypass#enabling-delegated-bypass-for-an-organization) and ensure you have saved and applied the security configuration to your selected repositories. 1. Create (or edit) a custom organization role. For information on creating and editing custom roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles#creating-a-custom-role). 1. When choosing which permissions to add to the custom role, select the "Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests" permission. 1. Assign the custom role to individual members or teams in your organization. For more information on assigning custom roles, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role). diff --git a/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/grant-exemptions.md b/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/grant-exemptions.md index 9deac4dad5d3..6b31ed2c8ff1 100644 --- a/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/grant-exemptions.md +++ b/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/grant-exemptions.md @@ -30,11 +30,11 @@ category: {% data reusables.secret-scanning.push-protection-grant-exemption %} 1. Click **Save configuration**. -1. Apply the security configuration to repositories in your organization. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). +1. Apply the security configuration to repositories in your organization. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). ## Granting exemptions for your enterprise {% data reusables.secret-scanning.push-protection-grant-enterprise-bypass %} {% data reusables.secret-scanning.push-protection-grant-exemption %} 1. Click **Save configuration**. -1. Apply the security configuration to organizations and repositories in your enterprise. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/applying-a-custom-security-configuration-to-your-enterprise). +1. Apply the security configuration to organizations and repositories in your enterprise. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/apply-custom-configuration). diff --git a/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/manage-bypass-requests.md b/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/manage-bypass-requests.md index e46180e1e448..557f65c6d7a6 100644 --- a/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/manage-bypass-requests.md +++ b/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/manage-bypass-requests.md @@ -19,7 +19,7 @@ When delegated bypass for push protection is enabled, designated reviewers can a This article explains how to review and manage bypass requests for repositories and organizations. -For more information about how bypass requests work, see [AUTOTITLE](/code-security/concepts/secret-security/about-bypass-requests-for-push-protection). +For more information about how bypass requests work, see [AUTOTITLE](/code-security/concepts/secret-security/bypass-requests). ## Managing requests for a repository @@ -35,7 +35,7 @@ For more information about how bypass requests work, see [AUTOTITLE](/code-secur ## Managing requests for an organization -Organization owners, security managers and organization members with the relevant fine-grained permission (via a custom role) can review and manage bypass requests for all repositories in the organization using security overview. See [AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection). +Organization owners, security managers and organization members with the relevant fine-grained permission (via a custom role) can review and manage bypass requests for all repositories in the organization using security overview. See [AUTOTITLE](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/review-bypass-requests). ## Filtering requests @@ -60,6 +60,6 @@ The following statuses are assigned to a request: ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection) -* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection) -* [AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection) +* [AUTOTITLE](/code-security/concepts/secret-security/delegated-bypass) +* [AUTOTITLE](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enable-delegated-bypass) +* [AUTOTITLE](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/review-bypass-requests) diff --git a/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/review-bypass-requests.md b/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/review-bypass-requests.md index 799de28fccc6..8eea7bfeba0e 100644 --- a/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/review-bypass-requests.md +++ b/content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/review-bypass-requests.md @@ -18,7 +18,7 @@ category: ## Prerequisites -Before you can review bypass requests, delegated bypass must be enabled for your organization or repositories. See [AUTOTITLE](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enabling-delegated-bypass-for-push-protection). +Before you can review bypass requests, delegated bypass must be enabled for your organization or repositories. See [AUTOTITLE](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enable-delegated-bypass). You can review and manage these requests in security overview. @@ -53,5 +53,5 @@ The following statuses are assigned to a request: ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection) -* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection) +* [AUTOTITLE](/code-security/concepts/secret-security/delegated-bypass) +* [AUTOTITLE](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enable-delegated-bypass) diff --git a/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-in-the-github-ui.md b/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-in-the-github-ui.md index eca14e11c1af..079905838c62 100644 --- a/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-in-the-github-ui.md +++ b/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-in-the-github-ui.md @@ -38,7 +38,7 @@ Organization owners can provide a custom link that will be displayed when a push To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. ->[!NOTE] To learn how to resolved a blocked push on the command line, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#resolving-a-blocked-push). +> [!NOTE] To learn how to resolved a blocked push on the command line, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-on-the-command-line#resolving-a-blocked-push). ## Bypassing push protection @@ -53,7 +53,7 @@ If {% data variables.product.prodname_dotcom %} blocks a secret that you believe {% data reusables.secret-scanning.push-protection-public-repos-bypass %} 1. Click **Allow secret**. -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see [Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges). +If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see [Requesting bypass privileges](/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-in-the-github-ui#requesting-bypass-privileges). ## Requesting bypass privileges @@ -75,5 +75,5 @@ If your request is denied, you will need to remove the secret from the file befo ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line) -* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-rest-api) +* [AUTOTITLE](/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-on-the-command-line) +* [AUTOTITLE](/code-security/concepts/secret-security/push-protection-from-the-rest-api) diff --git a/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-on-the-command-line.md b/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-on-the-command-line.md index 8b1dde155930..c44834754f65 100644 --- a/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-on-the-command-line.md +++ b/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-on-the-command-line.md @@ -116,5 +116,5 @@ To resolve a blocked push, you must remove the secret from all of the commits it ## Further reading -* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui) -* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-rest-api) +* [AUTOTITLE](/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/push-protection-in-the-github-ui) +* [AUTOTITLE](/code-security/concepts/secret-security/push-protection-from-the-rest-api) diff --git a/content/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/export-dependencies-as-sbom.md b/content/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/export-dependencies-as-sbom.md index 4202d4aa3a9e..a11df2308f74 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/export-dependencies-as-sbom.md +++ b/content/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/export-dependencies-as-sbom.md @@ -39,7 +39,7 @@ If you want to use the REST API to export an SBOM for your repository, see [AUTO ## Generating a software bill of materials from {% data variables.product.prodname_actions %} -The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see [AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts). +The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see [AUTOTITLE](/actions/how-tos/manage-workflow-runs/download-workflow-artifacts). | Action | Details | | --- | --- | diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/auto-triage-dependabot-alerts.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/auto-triage-dependabot-alerts.md index df1a023ed655..a695f1a12135 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/auto-triage-dependabot-alerts.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/auto-triage-dependabot-alerts.md @@ -56,7 +56,7 @@ You can use {% data variables.dependabot.custom_rules %} to tailor which {% data When {% data variables.product.prodname_dependabot_security_updates %} are enabled for a repository, {% data variables.product.prodname_dependabot %} will automatically try to open pull requests to resolve **every** open {% data variables.product.prodname_dependabot %} alert that has an available patch. If you prefer to customize this behavior using a rule, you must leave {% data variables.product.prodname_dependabot_security_updates %} disabled. -For more information about enabling or disabling {% data variables.product.prodname_dependabot_security_updates %} for a repository, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories). +For more information about enabling or disabling {% data variables.product.prodname_dependabot_security_updates %} for a repository, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates#managing-dependabot-security-updates-for-your-repositories). ## Adding {% data variables.dependabot.custom_rules %} to your repository @@ -81,7 +81,7 @@ For more information about enabling or disabling {% data variables.product.prodn ## Adding {% data variables.dependabot.custom_rules %} to your organization -You can add {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules). +You can add {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings#creating-and-managing-dependabot-auto-triage-rules). ## Editing or deleting {% data variables.dependabot.custom_rules %} for your repository @@ -95,5 +95,5 @@ You can add {% data variables.dependabot.custom_rules %} for all eligible reposi ## Editing or deleting {% data variables.dependabot.custom_rules %} for your organization -You can edit or delete {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#creating-and-managing-dependabot-auto-triage-rules). +You can edit or delete {% data variables.dependabot.custom_rules %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings#creating-and-managing-dependabot-auto-triage-rules). diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries.md index 4303b2a4c737..3e36d0a46ca1 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries.md @@ -25,9 +25,9 @@ category: In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication. -For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). +For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/remove-access-to-public-registries). -{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners).{% endif %} +{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners).{% endif %} {% ifversion org-automatic-registry-access %} @@ -70,7 +70,7 @@ You can configure {% data variables.product.prodname_dependabot %}'s access to p {% ifversion org-private-registry-oidc %} Organization-level registries support **Token**, **Username and password**, and **OIDC** authentication. {% endif %} -For more information about configuration, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). +For more information about configuration, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). {% endif %} @@ -92,7 +92,7 @@ To give {% data variables.product.prodname_dependabot %} access to the private r {% data variables.product.prodname_dependabot %} secrets are encrypted credentials that you create at either the organization level or the repository level. When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow {% data variables.product.prodname_dependabot %} to update dependencies located in private package registries. When you add a secret, it's encrypted before it reaches {% data variables.product.prodname_dotcom %} and it remains encrypted until it's used by {% data variables.product.prodname_dependabot %} to access a private package registry. -{% data variables.product.prodname_dependabot %} secrets also include secrets that are used by {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} pull requests. {% data variables.product.prodname_dependabot %} itself may not use these secrets, but the workflows require them. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#accessing-secrets). +{% data variables.product.prodname_dependabot %} secrets also include secrets that are used by {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} pull requests. {% data variables.product.prodname_dependabot %} itself may not use these secrets, but the workflows require them. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-on-actions#accessing-secrets). After you add a {% data variables.product.prodname_dependabot %} secret, you can reference it in the `dependabot.yml` configuration file like this: {% raw %}`${{secrets.NAME}}`{% endraw %}, where "NAME" is the name you chose for the secret. For example: @@ -154,7 +154,7 @@ When creating a secret in an organization, you can use a policy to limit which r You can add {% data variables.product.prodname_dependabot %}-related IP addresses to your registries IP allow list. -If your private registry is configured with an IP allow list, you can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the `actions` key. For more information, see [AUTOTITLE](/rest/meta/meta) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). +If your private registry is configured with an IP allow list, you can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the `actions` key. For more information, see [AUTOTITLE](/rest/meta/meta) and [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-on-actions). {% endif %} @@ -169,7 +169,7 @@ With OIDC-based authentication, {% data variables.product.prodname_dependabot %} {% ifversion org-private-registry-oidc %} > [!TIP] -> OIDC authentication is also available for **organization-level** private registries, which you can configure through the organization settings UI or the REST API. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#configuring-oidc-authentication-for-a-private-registry). +> OIDC authentication is also available for **organization-level** private registries, which you can configure through the organization settings UI or the REST API. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries#configuring-oidc-authentication-for-a-private-registry). {% endif %} diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependabot-notifications.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependabot-notifications.md index bd32f8d77a5a..7a6c48bb06f9 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependabot-notifications.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependabot-notifications.md @@ -17,11 +17,11 @@ category: - Secure your dependencies --- -By default, {% data variables.product.github %} sends notifications about new alerts by email to people with write, maintain, or admin permissions to a repository. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependabot-alerts#notifications-for-alerts). +By default, {% data variables.product.github %} sends notifications about new alerts by email to people with write, maintain, or admin permissions to a repository. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts#notifications-for-alerts). ## Configuring notifications for {% data variables.product.prodname_dependabot_alerts %} -You can configure notification settings for yourself or your organization from the Manage notifications drop-down {% octicon "bell" aria-label="The notifications bell" %} shown at the top of each page. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#choosing-your-notification-settings). +You can configure notification settings for yourself or your organization from the Manage notifications drop-down {% octicon "bell" aria-label="The notifications bell" %} shown at the top of each page. For more information, see [AUTOTITLE](/subscriptions-and-notifications/get-started/configuring-notifications#choosing-your-notification-settings). {% data reusables.notifications.vulnerable-dependency-notification-options %} @@ -30,11 +30,11 @@ You can configure notification settings for yourself or your organization from t ![Screenshot of the notification options for {% data variables.product.prodname_dependabot_alerts %}.](/assets/images/help/enterprises/dependabot-alerts-options-no-ui.png){% endif %} > [!NOTE] -> You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters). +> You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/subscriptions-and-notifications/how-tos/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters). -{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#filtering-email-notifications). +{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see [AUTOTITLE](/subscriptions-and-notifications/get-started/configuring-notifications#filtering-email-notifications). ## Further reading -* [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications) -* [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#supported-is-queries) +* [AUTOTITLE](/subscriptions-and-notifications/get-started/configuring-notifications) +* [AUTOTITLE](/subscriptions-and-notifications/how-tos/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#supported-is-queries) diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependency-review-action.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependency-review-action.md index fce99c00f6d9..16a5805d21db 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependency-review-action.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependency-review-action.md @@ -16,7 +16,7 @@ category: - Secure your dependencies --- -The "{% data variables.dependency-review.action_name %}" refers to the specific action that can report on differences in a pull request within the {% data variables.product.prodname_actions %} context. It can also add enforcement mechanisms to the {% data variables.product.prodname_actions %} workflow. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependency-review#about-the-dependency-review-action). +The "{% data variables.dependency-review.action_name %}" refers to the specific action that can report on differences in a pull request within the {% data variables.product.prodname_actions %} context. It can also add enforcement mechanisms to the {% data variables.product.prodname_actions %} workflow. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review#about-the-dependency-review-action). {% ifversion ghec %} @@ -176,4 +176,4 @@ For further details about the configuration options, see [`dependency-review-act ## Further reading -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration) +* [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customize-dependency-review-action) diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md index f06c65a84a90..017c1b302f53 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md @@ -18,7 +18,7 @@ You can configure {% data variables.product.prodname_dependabot %} on standard { If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint. ->[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners). +> [!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners). ### For your repository @@ -50,7 +50,7 @@ If a repository in your organization has {% data variables.product.prodname_depe If you run into {% data variables.product.prodname_dependabot %} timeouts and out-of-memory errors, you may want to use {% data variables.actions.hosted_runners %}, as you can configure these runners to have more resources. You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} **for an organization**. -1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). +1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/larger-runners/manage-larger-runners#adding-a-larger-runner-to-an-organization). 1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners#for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. {% data reusables.dependabot.no-ubuntu-latest-label-self-hosted %} diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md index ef7543529371..a64a9cd4055e 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md @@ -23,16 +23,16 @@ category: ## Adding self-hosted runners for {% data variables.product.prodname_dependabot %} updates -1. Provision self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners). +1. Provision self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/concepts/runners/self-hosted-runners) and [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/add-runners). 1. Configure your environment and runners to meet the requirements for {% data variables.product.prodname_dependabot %}. See [Requirements for using {% data variables.product.prodname_dependabot %} with self-hosted runners](/code-security/reference/supply-chain-security/dependabot-on-actions#requirements-for-using-dependabot-with-self-hosted-runners).{% ifversion dependabot-self-hosted-labels %} 1. If you are configuring self-hosted runners for your organization, you can create and assign a custom label for your runners. Otherwise, if you are configuring self-hosted runners for a standalone repository, you need to apply the `dependabot` label. See [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/apply-labels).{% else %} -1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner).{% endif %} -1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events). +1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/apply-labels#assigning-a-label-to-a-self-hosted-runner).{% endif %} +1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-on-actions#restrictions-when-dependabot-triggers-events). ## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %} > [!WARNING] -> Before enabling "{% data variables.product.prodname_dependabot %} on self-hosted runners", ensure that your self-hosted runners or {% data variables.actions.hosted_runners %} are configured with the runner label used by {% data variables.product.prodname_dependabot %} (by default, `dependabot`). When this setting is enabled, {% data variables.product.prodname_dependabot %} jobs will only run on runners with this label. If no runners with this label are available, jobs will remain queued indefinitely. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#how-runner-settings-interact). +> Before enabling "{% data variables.product.prodname_dependabot %} on self-hosted runners", ensure that your self-hosted runners or {% data variables.actions.hosted_runners %} are configured with the runner label used by {% data variables.product.prodname_dependabot %} (by default, `dependabot`). When this setting is enabled, {% data variables.product.prodname_dependabot %} jobs will only run on runners with this label. If no runners with this label are available, jobs will remain queued indefinitely. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-on-actions#how-runner-settings-interact). Once you have configured self-hosted runners for {% data variables.product.prodname_dependabot_updates %}, you can enable or disable {% data variables.product.prodname_dependabot_updates %} on self-hosted runners at the organization or repository level. diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-private-registries.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-private-registries.md index f331c325092f..64448b57a25d 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-private-registries.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-private-registries.md @@ -62,7 +62,7 @@ Bun adheres to the same configuration guidelines as npm. Note that the `.npmrc` Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. -You can authenticate with either a username and password, or a token. For more information, see `rubygems-server` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#rubygems-server). +You can authenticate with either a username and password, or a token. For more information, see `rubygems-server` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#rubygems-server). Snippet of a `dependabot.yml` file using a username and password. @@ -99,7 +99,7 @@ registries: ### Cargo -Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#cargo-registry). +Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#cargo-registry). The snippet below shows a `dependabot.yml` file configuration that uses a token. @@ -107,11 +107,11 @@ The snippet below shows a `dependabot.yml` file configuration that uses a token. ### Docker -Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#docker-registry). +Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#docker-registry). {% ifversion org-automatic-registry-access %} -For images stored in {% data variables.product.prodname_container_registry %}, you can grant your repository **Read** access in the package settings instead of configuring credentials in your `dependabot.yml` file. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#configuring-private-github-hosted-registries). +For images stored in {% data variables.product.prodname_container_registry %}, you can grant your repository **Read** access in the package settings instead of configuring credentials in your `dependabot.yml` file. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#configuring-private-github-hosted-registries). {% endif %} @@ -166,7 +166,7 @@ Docker Compose adheres to the same configuration guidelines as Docker. For more ### Helm Charts -Helm supports using a username and password for registries. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#helm-registry). +Helm supports using a username and password for registries. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#helm-registry). Snippet of `dependabot.yml` file using a username and password. @@ -202,9 +202,9 @@ When configuring {% data variables.product.prodname_dependabot %} for Helm chart ### Gradle -{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. For more information, see "Gradle" in [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories#gradle). +{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. For more information, see "Gradle" in [AUTOTITLE](/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories#gradle). -Gradle supports the `maven-repository` registry type. For more information, see `maven-repository` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#maven-repository). +Gradle supports the `maven-repository` registry type. For more information, see `maven-repository` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#maven-repository). The `maven-repository` type supports username, password and replaces-base. {% data reusables.dependabot.password-definition %} @@ -276,7 +276,7 @@ This feature enables unified dependency management for both public and private G ### Maven -Maven supports username, password and replaces-base. For more information, see `maven-repository` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#maven-repository). +Maven supports username, password and replaces-base. For more information, see `maven-repository` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#maven-repository). {% raw %} @@ -326,7 +326,7 @@ You can define the configuration in the `dependabot.yml` file using the `npm-reg #### Using the `npm-registry` type in the configuration file -You can define the private registry configuration in a `dependabot.yml` file using the `npm-registry` type. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#npm-registry). +You can define the private registry configuration in a `dependabot.yml` file using the `npm-registry` type. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). The snippet of a `dependabot.yml` file below uses a token. {% data reusables.dependabot.token-is-github-pat %} @@ -421,7 +421,7 @@ Registries should be configured using the `https` protocol. Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. -The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#nuget-feed). +The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#nuget-feed). {% raw %} @@ -467,7 +467,7 @@ registries: ### pub -You can define the private registry configuration in a `dependabot.yml` file using the `pub-repository` type. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#pub-repository). +You can define the private registry configuration in a `dependabot.yml` file using the `pub-repository` type. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#pub-repository). {% raw %} @@ -500,7 +500,7 @@ pub supports URL and token authentication. The URL used for the registry should Supported by Artifactory, Azure Artifacts, Cloudsmith, Nexus, and ProGet. The {% data variables.product.prodname_registry %} registry is not supported. -The `python-index` type supports username and password, or token. For more information, see `python-index` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#python-index). +The `python-index` type supports username and password, or token. For more information, see `python-index` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#python-index). {% raw %} @@ -547,11 +547,11 @@ registries: ### uv -The uv registry uses a configuration similar to that of the python index. For more information, see "`python-index`" in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#python-index). +The uv registry uses a configuration similar to that of the python index. For more information, see "`python-index`" in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#python-index). ### Yarn -The Yarn registry uses a configuration similar to that of the npm registry. For more information, see "`npm-registry`" in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#npm-registry). +The Yarn registry uses a configuration similar to that of the npm registry. For more information, see "`npm-registry`" in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). {% raw %} @@ -776,7 +776,7 @@ If you are restricting which IPs can reach your Nexus host, you need to add the * "3.217.93.44/32" For more information, see [Securing Nexus Repository Manager](https://help.sonatype.com/repomanager3/planning-your-implementation/securing-nexus-repository-manager) in the Sonatype documentation. - Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see [Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm) in the Sonatype documentation, and [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). + Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see [Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm) in the Sonatype documentation, and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/remove-access-to-public-registries). ### ProGet diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated.md index 4bb016f257eb..462c599824f9 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated.md @@ -81,10 +81,10 @@ If you are not ready to adopt changes from certain dependencies in your project, * Configure the `ignore` option for the dependency in your `dependabot.yml` file. * **You can use this to ignore updates for specific dependencies, versions, and types of updates.** - * For more information, see `ignore` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--). + * For more information, see `ignore` in [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#ignore--). * Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates and security updates. * **You can use comment commands to ignore updates for specific dependencies and versions.** - * For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). + * For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs#managing-dependabot-pull-requests-with-comment-commands). Here are some examples showing how `ignore` can be used to customize which dependencies are updated. @@ -122,13 +122,13 @@ For pull requests for grouped updates, you can also use `@dependabot unignore` c * Un-ignore a specific dependency * Un-ignore all ignore conditions for all dependencies in a {% data variables.product.prodname_dependabot %} pull request -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-updates-with-comment-commands). +For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs#managing-dependabot-pull-requests-for-grouped-updates-with-comment-commands). ## Allowing specific dependencies to be updated You can use `allow` to tell {% data variables.product.prodname_dependabot %} about the dependencies you want to maintain. `allow` is usually used in conjunction with `ignore`. -For more information, see `allow` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#allow--). +For more information, see `allow` in [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#allow--). By default, {% data variables.product.prodname_dependabot %} creates version update pull requests only for the dependencies that are explicitly defined in a manifest (`direct` dependencies). This configuration uses `allow` to tell {% data variables.product.prodname_dependabot %} that we want it to maintain `all` types of dependency. That is, both the `direct` dependencies and their dependencies (also known as indirect dependencies, sub-dependencies, or transient dependencies). In addition, the configuration tells {% data variables.product.prodname_dependabot %} to ignore all dependencies with a name matching the pattern `org.xwiki.*` because we have a different process for maintaining them. @@ -176,7 +176,7 @@ You can use `update-types` with `allow` to restrict updates to specific semantic > [!NOTE] > `update-types` only affects _version_ updates, not _security_ updates. Security updates will always be created regardless of the `update-types` setting. -For more information, see `update-types` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#update-types-allow). +For more information, see `update-types` in [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#update-types-allow). Here are some examples showing how `update-types` can be used with `allow`. @@ -223,7 +223,7 @@ Here are some examples showing how `update-types` can be used with `allow`. You can use `versions` in conjunction with `ignore` to ignore specific versions or ranges of versions. -For more information, see `versions` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versions-ignore). +For more information, see `versions` in [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#versions-ignore). * To ignore a specific version @@ -256,7 +256,7 @@ For more information, see `versions` in [AUTOTITLE](/code-security/dependabot/wo You can specify one or more semantic versioning (SemVer) levels to ignore using `update-types` with `ignore`.{% ifversion dependabot-allow-update-types %} Alternatively, you can use `update-types` with `allow` to explicitly specify which update levels to allow, see [Allowing specific semantic versioning levels for updates](#allowing-specific-semantic-versioning-levels-for-updates).{% endif %} -For more information, see `update-types` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#update-types-ignore). +For more information, see `update-types` in [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#update-types-ignore). In this example, {% data variables.product.prodname_dependabot %} will ignore patch versions for Node. @@ -282,7 +282,7 @@ updates: By default, {% data variables.product.prodname_dependabot %} tries to increase the minimum version requirement for dependencies it identifies as apps, and widens the allowed version requirements to include both the new and old versions for dependencies it identifies as libraries. -You can change this default strategy. For more information, see `versioning-strategy` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versioning-strategy--). +You can change this default strategy. For more information, see `versioning-strategy` in [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#versioning-strategy--). In this example, {% data variables.product.prodname_dependabot %} will increase the minimum version requirement to match the new version for both apps and libraries. @@ -319,7 +319,7 @@ You can instruct {% data variables.product.prodname_dependabot %} to vendor spec {% data variables.product.prodname_dependabot %} automatically maintains vendored dependencies for Go modules, and you can configure Bundler to also update vendored dependencies. -For more information, see `vendor` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor--). +For more information, see `vendor` in [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#vendor--). In this example, `vendor` is set to `true` for Bundler, which means that {% data variables.product.prodname_dependabot %} will also maintain dependencies for Bundler that are stored in the _vendor/cache_ directory in the repository. diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs.md index 407a30d46474..4edf35439fe0 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs.md @@ -19,8 +19,8 @@ category: If you haven't yet configured a `dependabot.yml` file for your repository and you want to customize pull requests for security updates, you must first: -1. Check in a `dependabot.yml` file into the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). -1. Set all the required keys. For more information, see [Required keys](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#required-keys). +1. Check in a `dependabot.yml` file into the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates#enabling-dependabot-version-updates). +1. Set all the required keys. For more information, see [Required keys](/code-security/reference/supply-chain-security/dependabot-options-reference#required-keys). 1. If you want the customization for a package ecosystem to **only apply to security updates** (and exclude version updates), set the `open-pull-requests-limit` key to `0`. You can then consider what your needs and priorities are for security updates, and apply a combination of the customization options outlined below. @@ -29,7 +29,7 @@ You can then consider what your needs and priorities are for security updates, a To create a more **targeted review process** that prioritizes meaningful updates, use `groups` to combine security updates for multiple dependencies into a single pull request. -For detailed guidance, see [Prioritizing meaningful updates](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#prioritizing-meaningful-updates). +For detailed guidance, see [Prioritizing meaningful updates](/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates#prioritizing-meaningful-updates). {% ifversion dependabot-reviewers-deprecation %} @@ -37,7 +37,7 @@ For detailed guidance, see [Prioritizing meaningful updates](/code-security/depe Use `assignees` to automatically add individuals or teams as assignees to pull requests. -For detailed guidance, see [Automatically adding assignees](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#automatically-adding-assignees). +For detailed guidance, see [Automatically adding assignees](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#automatically-adding-assignees). ## Automatically adding reviewers @@ -54,7 +54,7 @@ To ensure your project's security updates get addressed promptly by the appropri To ensure your project's security updates get **addressed promptly** by the appropriate team, use `reviewers` and `assignees` to automatically add individuals or teams as **reviewers or assignees** to pull requests. -For detailed guidance, see [Automatically adding reviewers and assignees](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#automatically-adding-reviewers-and-assignees). +For detailed guidance, see [Automatically adding reviewers and assignees](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#automatically-adding-reviewers-and-assignees). {% endif %} @@ -62,25 +62,25 @@ For detailed guidance, see [Automatically adding reviewers and assignees](/code- To **prioritize** specific pull requests, or integrate them into CI/CD pipelines, use `labels` to apply your own **custom labels** to each pull request. -For detailed guidance, see [Labeling pull requests with custom labels](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#labeling-pull-requests-with-custom-labels). +For detailed guidance, see [Labeling pull requests with custom labels](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#labeling-pull-requests-with-custom-labels). ## Adding a prefix to commit messages To **integrate** with automations that process commit messages or pull requests titles, use `commit-message` to specify the prefix that you want for commit messages and pull request titles. -For detailed guidance, see [Adding a prefix to commit messages](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#adding-a-prefix-to-commit-messages). +For detailed guidance, see [Adding a prefix to commit messages](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#adding-a-prefix-to-commit-messages). ## Associating pull requests with a milestone To **track progress** towards a project goal or release, use `milestone` to associate {% data variables.product.prodname_dependabot %}'s pull requests with a milestone. -For detailed guidance, see [Associating pull requests with a milestone](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#associating-pull-requests-with-a-milestone). +For detailed guidance, see [Associating pull requests with a milestone](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#associating-pull-requests-with-a-milestone). ## Changing the separator in the pull request branch name To ensure your **branch names align** with your team's existing conventions, use `pull-request-branch-name.separator` to specify the separator you want {% data variables.product.prodname_dependabot %} to use for branch names. -For detailed guidance, see [Changing the separator in the pull request branch name](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#changing-the-separator-in-the-pull-request-branch-name). +For detailed guidance, see [Changing the separator in the pull request branch name](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#changing-the-separator-in-the-pull-request-branch-name). ## Example 1: configuration for security updates only @@ -175,5 +175,5 @@ updates: ## Further reading -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) +* [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference) +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries) diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/list-configured-dependencies.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/list-configured-dependencies.md index b6aa385866a3..32f38d1d7227 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/list-configured-dependencies.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/list-configured-dependencies.md @@ -23,7 +23,7 @@ category: ## Viewing dependencies monitored by {% data variables.product.prodname_dependabot %} -After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot %}** tab in the dependency graph for the repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). +After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot %}** tab in the dependency graph for the repository. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.accessing-repository-graphs %} @@ -35,4 +35,4 @@ After you've enabled version updates, you can confirm that your configuration is If any dependencies are missing, check the log files for errors. If any package managers are missing, review the configuration file. -For information about {% data variables.product.prodname_dependabot %} job logs, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). +For information about {% data variables.product.prodname_dependabot %} job logs, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/view-dependabot-logs). diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs.md index ea0237d9ef07..05049d067843 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs.md @@ -30,7 +30,7 @@ category: ## Changing the rebase strategy for {% data variables.product.prodname_dependabot %} pull requests -By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#rebase-strategy--). +By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#rebase-strategy--). ## Allowing {% data variables.product.prodname_dependabot %} to rebase and force push over extra commits @@ -44,4 +44,4 @@ You can use comment commands on {% data variables.product.prodname_dependabot %} If you run any of the commands for ignoring dependencies or versions, {% data variables.product.prodname_dependabot %} stores the preferences for the repository centrally. While this is a quick solution, for repositories with more than one contributor it is better to explicitly define the dependencies and versions to ignore in the configuration file. This makes it easy for all contributors to see why a particular dependency isn't being updated automatically. -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--). +For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#ignore--). diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/prioritize-with-preset-rules.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/prioritize-with-preset-rules.md index 83c86d4efd31..6d0dcbee15e9 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/prioritize-with-preset-rules.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/prioritize-with-preset-rules.md @@ -19,7 +19,7 @@ category: ## Prerequisites -Before you enable {% data variables.dependabot.github_presets %} for your repository, you should be familiar with their functionality and purpose. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules). +Before you enable {% data variables.dependabot.github_presets %} for your repository, you should be familiar with their functionality and purpose. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules). ## Enabling {% data variables.product.company_short %} preset rules diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/remove-access-to-public-registries.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/remove-access-to-public-registries.md index a332972f0dd0..c9f1c8d50c8a 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/remove-access-to-public-registries.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/remove-access-to-public-registries.md @@ -19,7 +19,7 @@ category: ## About configuring {% data variables.product.prodname_dependabot %} to only access private registries -{% data reusables.dependabot.private-registry-support %} For more information about private registry support and configuration, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). {% data reusables.dependabot.advanced-private-registry-config-link %} +{% data reusables.dependabot.private-registry-support %} For more information about private registry support and configuration, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries). {% data reusables.dependabot.advanced-private-registry-config-link %} {% data reusables.dependabot.dependabot-on-actions-self-hosted-link %} @@ -28,13 +28,13 @@ You can configure {% data variables.product.prodname_dependabot %} to access _on {% ifversion dependabot-ghes-no-public-internet %} > [!NOTE] -> Before you remove access to public registries from your configuration for {% data variables.product.prodname_dependabot_updates %}, check that your site administrator has set up the {% data variables.product.prodname_dependabot %} runners with access to the private registries you need. For more information, see [AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access). +> Before you remove access to public registries from your configuration for {% data variables.product.prodname_dependabot_updates %}, check that your site administrator has set up the {% data variables.product.prodname_dependabot %} runners with access to the private registries you need. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configure-limited-internet-access). {% endif %} ## Bundler -To configure the Bundler ecosystem to only access private registries, you can set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#rubygems-server). +To configure the Bundler ecosystem to only access private registries, you can set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#rubygems-server). The Bundler ecosystem additionally requires a `Gemfile` file with the private registry URL to be checked into the repository. @@ -50,7 +50,7 @@ To configure the Docker ecosystem to only access private registries, you can use **Option 1** -Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry). +Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#docker-registry). > [!NOTE] > Remove `replaces-base: true` from the configuration file. @@ -73,13 +73,13 @@ In the `Dockerfile` file, add the image name in the format of `IMAGE[:TAG]`, whe **Option 2** -Set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry). The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation. +Set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#docker-registry). The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation. ## Gradle To configure the Gradle ecosystem to only access private registries, you can use these configuration methods. -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#maven-repository). > [!NOTE] > Remove `replaces-base: true` from the configuration file. @@ -102,7 +102,7 @@ To configure the Maven ecosystem to only access private registries, you can use **Option 1** -Set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). +Set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#maven-repository). **Option 2** @@ -129,7 +129,7 @@ To configure the npm ecosystem to only access private registries, you can use th **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). > [!NOTE] > Remove `replaces-base: true` from the configuration file. @@ -142,7 +142,7 @@ The npm ecosystem additionally requires a `.npmrc` file with the private registr **Option 2** -If there is no global registry defined in an `.npmrc` file, you can set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). +If there is no global registry defined in an `.npmrc` file, you can set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`. @@ -157,7 +157,7 @@ To configure the Yarn Classic ecosystem to only access private registries, you c **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -185,7 +185,7 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour **Option 3** -If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). +If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`. @@ -196,7 +196,7 @@ To configure the Yarn Berry ecosystem to only access private registries, you can **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -230,7 +230,7 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour ## NuGet -To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#nuget-feed). +To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#nuget-feed). The NuGet ecosystem additionally requires a `nuget.config` file to be checked into the repository, with either a `< clear />` tag in `` section or a key `nuget.org` as true in the `disabledPackageSources` section of the `nuget.config` file. @@ -291,7 +291,7 @@ To configure the Pip ecosystem to only access private registries, you can use th **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -306,7 +306,7 @@ Add the private registry URL to the `[global]` section of the `pip.conf` file an **Option 2** -Set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). +Set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#python-index). ### Pip-compile @@ -314,11 +314,11 @@ To configure the Pip-compile ecosystem to only access private registries, you ca **Option 1** -Set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). +Set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#python-index). **Option 2** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -331,7 +331,7 @@ Add the private registry URL to the `requirements.txt` file and check the file i ### Pipenv -To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). +To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#python-index). > [!NOTE] > Delete `replaces-base: true` from the configuration file. @@ -347,7 +347,7 @@ name = "pypi" ### Poetry -To configure Poetry to only access private registries, set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). +To configure Poetry to only access private registries, set `replaces-base: true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#python-index). Add the private registry url to the `[[tool.poetry.source]]` section of the `pyproject.toml` file and checked it in the repository. diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/auto-update-actions.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/auto-update-actions.md index 8cd28c8a5779..b7ebb5bed3aa 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/auto-update-actions.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/auto-update-actions.md @@ -21,17 +21,17 @@ category: {% data reusables.dependabot.enterprise-enable-dependabot %} -When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's _workflow.yml_ file and reusable workflows used inside workflows are kept up to date. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependabot-version-updates). +When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's _workflow.yml_ file and reusable workflows used inside workflows are kept up to date. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-version-updates). ## Enabling {% data variables.product.prodname_dependabot_version_updates %} for actions -1. If you have already enabled {% data variables.product.prodname_dependabot_version_updates %} for other ecosystems or package managers, simply open the existing `dependabot.yml` file. Otherwise, create a `dependabot.yml` configuration file in the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). +1. If you have already enabled {% data variables.product.prodname_dependabot_version_updates %} for other ecosystems or package managers, simply open the existing `dependabot.yml` file. Otherwise, create a `dependabot.yml` configuration file in the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates#enabling-dependabot-version-updates). 1. Specify `"github-actions"` as a `package-ecosystem` to monitor. 1. Set the `directory` to `"/"` to check for workflow files in `.github/workflows`. 1. Set a `schedule.interval` to specify how often to check for new versions. {% data reusables.dependabot.check-in-dependabot-yml %} If you have edited an existing file, save your changes. -You can also enable {% data variables.product.prodname_dependabot_version_updates %} on forks. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-version-updates-on-forks). +You can also enable {% data variables.product.prodname_dependabot_version_updates %} on forks. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates#enabling-version-updates-on-forks). ## Example `dependabot.yml` file for {% data variables.product.prodname_actions %} @@ -52,8 +52,8 @@ updates: ## Configuring {% data variables.product.prodname_dependabot_version_updates %} for actions -When enabling {% data variables.product.prodname_dependabot_version_updates %} for actions, you must specify values for `package-ecosystem`, `directory`, and `schedule.interval`. There are many more optional properties that you can set to further customize your version updates. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference). +When enabling {% data variables.product.prodname_dependabot_version_updates %} for actions, you must specify values for `package-ecosystem`, `directory`, and `schedule.interval`. There are many more optional properties that you can set to further customize your version updates. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference). ## Further reading -* [AUTOTITLE](/actions/learn-github-actions) +* [AUTOTITLE](/actions/how-tos/write-workflows) diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-dependabot-alerts.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-dependabot-alerts.md index 5fb496a15e14..9411c5fd49bf 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-dependabot-alerts.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-dependabot-alerts.md @@ -16,7 +16,7 @@ category: - Secure your dependencies --- -When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in a repository, it generates alerts. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). +When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in a repository, it generates alerts. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). You can enable or disable {% data variables.product.prodname_dependabot_alerts %} for: * Your personal account @@ -26,7 +26,7 @@ You can enable or disable {% data variables.product.prodname_dependabot_alerts % {% ifversion ghes %} > [!NOTE] -> An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can configure {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). +> An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can configure {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise). {% endif %} ## Managing {% data variables.product.prodname_dependabot_alerts %} for your personal account @@ -50,7 +50,7 @@ When you enable {% data variables.product.prodname_dependabot_alerts %} for exis 1. Under "{% data variables.product.UI_advanced_security %}", to the right of {% data variables.product.prodname_dependabot_alerts %}, select **Automatically enable for new repositories**. {% else %} -{% data variables.product.prodname_dependabot_alerts %} for your repositories can be enabled or disabled by your enterprise owner. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). +{% data variables.product.prodname_dependabot_alerts %} for your repositories can be enabled or disabled by your enterprise owner. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise). {% endif %} @@ -63,7 +63,7 @@ By default, we notify people with write, maintain, or admin permissions in the a {% data reusables.security.security-and-analysis-features-enable-read-only %} {% ifversion ghes %} -An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can manage {% data variables.product.prodname_dependabot_alerts %} for your repository. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).{% endif %} +An enterprise owner must first set up {% data variables.product.prodname_dependabot %} for your enterprise before you can manage {% data variables.product.prodname_dependabot_alerts %} for your repository. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise).{% endif %} ### Enabling or disabling {% data variables.product.prodname_dependabot_alerts %} for a repository @@ -74,7 +74,7 @@ An enterprise owner must first set up {% data variables.product.prodname_dependa ## Managing {% data variables.product.prodname_dependabot_alerts %} for your organization -You can enable {% data variables.product.prodname_dependabot_alerts %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). +You can enable {% data variables.product.prodname_dependabot_alerts %} for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/organization-security). {% ifversion ghec or ghes %} @@ -82,7 +82,7 @@ You can enable {% data variables.product.prodname_dependabot_alerts %} for all e {% ifversion security-configuration-enterprise-level %} -{% data variables.product.prodname_security_configurations_caps %}, which are collections of security settings, allow you to manage {% data variables.product.prodname_dependabot_alerts %} for your enterprise. You can configure your own {% data variables.product.prodname_custom_security_configuration %} to have the enablement settings to meet the specific security needs of your enterprise. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise). +{% data variables.product.prodname_security_configurations_caps %}, which are collections of security settings, allow you to manage {% data variables.product.prodname_dependabot_alerts %} for your enterprise. You can configure your own {% data variables.product.prodname_custom_security_configuration %} to have the enablement settings to meet the specific security needs of your enterprise. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration). {% else %} diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-malware-alerts.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-malware-alerts.md index 15a6d691bcd2..607620b3301e 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-malware-alerts.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-malware-alerts.md @@ -20,11 +20,11 @@ category: ## Enabling {% data variables.product.prodname_dependabot_malware_alerts %} for your organization -You can enable {% data variables.product.prodname_dependabot_malware_alerts %} for repositories in your organization with a {% data variables.product.prodname_custom_security_configuration %}. {% data variables.product.prodname_security_configurations_caps %} are collections of security settings that you can customize and apply at scale. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration). +You can enable {% data variables.product.prodname_dependabot_malware_alerts %} for repositories in your organization with a {% data variables.product.prodname_custom_security_configuration %}. {% data variables.product.prodname_security_configurations_caps %} are collections of security settings that you can customize and apply at scale. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration). ## Enabling {% data variables.product.prodname_dependabot_malware_alerts %} for your enterprise -You can enable {% data variables.product.prodname_dependabot_malware_alerts %} for repositories in your enterprise with a {% data variables.product.prodname_custom_security_configuration %}. {% data variables.product.prodname_security_configurations_caps %} are collections of security settings that you can customize and apply at scale. See {% ifversion fpt or ghec %}[AUTOTITLE](/enterprise-cloud@latest/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise){% else %}[AUTOTITLE](/enterprise-server@latest/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise){% endif %}. +You can enable {% data variables.product.prodname_dependabot_malware_alerts %} for repositories in your enterprise with a {% data variables.product.prodname_custom_security_configuration %}. {% data variables.product.prodname_security_configurations_caps %} are collections of security settings that you can customize and apply at scale. See {% ifversion fpt or ghec %}[AUTOTITLE](/enterprise-cloud@latest/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration){% else %}[AUTOTITLE](/enterprise-server@latest/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/create-custom-configuration){% endif %}. ## Next steps diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates.md index 7185c5a60687..02be7a9c13b6 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates.md @@ -27,7 +27,7 @@ category: ## Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories -You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all qualifying repositories owned by your personal account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). +You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all qualifying repositories owned by your personal account or organization. For more information, see [AUTOTITLE](/account-and-profile/how-tos/account-settings/managing-security-and-analysis-features) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). You can also enable or disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository. @@ -42,9 +42,9 @@ You can also enable or disable {% data variables.product.prodname_dependabot_sec In order to use grouped security updates, you must first enable the following features: -* **Dependency graph**. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph). -* **{% data variables.product.prodname_dependabot_alerts %}**. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). -* **{% data variables.product.prodname_dependabot_security_updates %}**. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). +* **Dependency graph**. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph). +* **{% data variables.product.prodname_dependabot_alerts %}**. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-dependabot-alerts). +* **{% data variables.product.prodname_dependabot_security_updates %}**. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates#managing-for-your-repositories). > [!NOTE] > When grouped security updates are first enabled, {% data variables.product.prodname_dependabot %} will immediately try to create grouped pull requests. You may notice {% data variables.product.prodname_dependabot %} closing old pull requests and opening new ones. @@ -61,7 +61,7 @@ In order to use grouped security updates, you must first enable the following fe ### Enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} for an organization -You can enable grouped {% data variables.product.prodname_dependabot_security_updates %} into a single pull request. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#grouping-dependabot-security-updates). +You can enable grouped {% data variables.product.prodname_dependabot_security_updates %} into a single pull request. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings#grouping-dependabot-security-updates). ## Overriding the default behavior with a configuration file @@ -73,7 +73,7 @@ Use the `groups` option with the `applies-to: security-updates` key to create se If you only require _security_ updates and want to exclude _version_ updates, you can set `open-pull-requests-limit` to `0` in order to prevent version updates for a given `package-ecosystem`. -For more information about the configuration options available for security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs). +For more information about the configuration options available for security updates, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs). ```yaml copy # Example configuration file that: @@ -118,6 +118,6 @@ updates: ## Further reading -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts) -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems) +* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts) +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-dependabot-alerts) +* [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems#supported-package-ecosystems) diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates.md index d8b83edbdd74..de1aa4619669 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates.md @@ -47,12 +47,12 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c ``` 1. Add a `version`. This key is mandatory. The file must start with `version: 2`. -1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). -1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference). +1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries). +1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file) and [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference). 1. For each package manager, use: - * `package-ecosystem` to specify the package manager. For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-). - * `directories` or `directory` to specify the location of multiple manifest or other definition files. For more information, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files). + * `package-ecosystem` to specify the package manager. For more information about the supported package managers, see [`package-ecosystem`](/code-security/reference/supply-chain-security/dependabot-options-reference#package-ecosystem-). + * `directories` or `directory` to specify the location of multiple manifest or other definition files. For more information, see [Defining multiple locations for manifest files](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files). * `schedule.interval` to specify how often to check for new versions. {% data reusables.dependabot.check-in-dependabot-yml %} @@ -107,13 +107,13 @@ On a fork, you also need to explicitly enable {% data variables.product.prodname ## Receiving updates for indirect dependencies -By default, only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated). +By default, only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated). ## Enabling access to private dependencies {% data reusables.dependabot.private-dependencies-note %} -Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories) and [AUTOTITLE](/get-started/learning-about-github/github-language-support). +Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories) and [AUTOTITLE](/get-started/learning-about-github/github-language-support). ## Checking the status of version updates @@ -121,7 +121,7 @@ After you enable version updates, the **Dependabot** tab in the dependency graph ![Screenshot of the Dependency graph page. A tab, titled "{% data variables.product.prodname_dependabot %}," is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-tab-view.png) -For information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates). +For information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/list-configured-dependencies). ## Disabling {% data variables.product.prodname_dependabot_version_updates %} @@ -168,4 +168,4 @@ updates: update-types: ["version-update:semver-patch"] ``` -For more information about checking for existing ignore preferences, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--). +For more information about checking for existing ignore preferences, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#ignore--). diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-multi-ecosystem-updates.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-multi-ecosystem-updates.md index 05cf5a33e43f..6eafb1d99ca4 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-multi-ecosystem-updates.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-multi-ecosystem-updates.md @@ -18,7 +18,7 @@ Multi-ecosystem updates allow you to consolidate {% data variables.product.prodn ## Prerequisites * A repository with dependencies in multiple package ecosystems -* An existing `.github/dependabot.yml` file. See [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). +* An existing `.github/dependabot.yml` file. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). ## 1. Define your multi-ecosystem group in your `.github/dependabot.yml` file @@ -69,7 +69,7 @@ Commit the changes to your `dependabot.yml` file. ## 4. Customize with additional keys (optional) -You can add assignees, labels, or other configuration options to your multi-ecosystem groups. See [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) and [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--). +You can add assignees, labels, or other configuration options to your multi-ecosystem groups. See [`assignees`](/code-security/reference/supply-chain-security/dependabot-options-reference#assignees--) and [`labels`](/code-security/reference/supply-chain-security/dependabot-options-reference#labels--). ```yaml copy multi-ecosystem-groups: @@ -111,4 +111,4 @@ If you're not seeing consolidated pull requests, ensure that: ## Further reading -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference) +* [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference) diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph.md index 0a4346845a84..b567e05fc0b2 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph.md @@ -17,7 +17,7 @@ category: - Secure your dependencies --- -The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the {% data variables.dependency-submission-api.name %}. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). +The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the {% data variables.dependency-submission-api.name %}. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph). When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository{% ifversion fpt or ghec %} and every push to other repositories in the graph{% endif %}. @@ -37,9 +37,9 @@ Enabling the dependency graph gives {% data variables.product.github %} read-onl ## Enabling the dependency graph for multiple repositories -You can enable or disable the dependency graph for all repositories owned by your user account, regardless of their visibility. See [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/managing-security-and-analysis-settings-for-your-personal-account). +You can enable or disable the dependency graph for all repositories owned by your user account, regardless of their visibility. See [AUTOTITLE](/account-and-profile/how-tos/account-settings/managing-security-and-analysis-features). -You can also enable the dependency graph for multiple repositories in an organization at the same time. For more information, see [AUTOTITLE](/code-security/securing-your-organization). +You can also enable the dependency graph for multiple repositories in an organization at the same time. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security). {% endif %} @@ -47,13 +47,13 @@ You can also enable the dependency graph for multiple repositories in an organiz {% data reusables.dependency-submission.dependency-submission-link %} -For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository). +For more information on viewing the dependency graph, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies). ## Further reading {%- ifversion maven-transitive-dependencies %} -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository){%- endif %} +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically){%- endif %} {%- ifversion fpt or ghec %} * [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization){%- endif %} -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) -* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts) +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerability-detection) diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies.md index 77ae81e63e8c..a5b67efb0f25 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies.md @@ -24,7 +24,7 @@ category: ## Viewing the dependency graph -The dependency graph shows the dependencies{% ifversion fpt or ghec %} and dependents{% endif %} of your repository. {% data reusables.dependency-graph.repository-view-update %} For information about the detection of dependencies and which ecosystems are supported, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems). +The dependency graph shows the dependencies{% ifversion fpt or ghec %} and dependents{% endif %} of your repository. {% data reusables.dependency-graph.repository-view-update %} For information about the detection of dependencies and which ecosystems are supported, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.accessing-repository-graphs %} @@ -42,7 +42,7 @@ The dependency graph shows the dependencies{% ifversion fpt or ghec %} and depen {% endif %} {% ifversion ghes %} -Enterprise owners can configure the dependency graph at an enterprise level. For more information, see [AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise). +Enterprise owners can configure the dependency graph at an enterprise level. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/enable-dependency-graph). {% endif %} ### Dependencies view @@ -55,7 +55,7 @@ For each dependency, you can see its ecosystem, the manifest file in which it wa * You can sort and filter dependencies by typing filters as `key:value` pairs into the search bar. * Use `ecosystem: ` to display dependencies for the selected ecosystem.{% ifversion transitive-dependency-labeling-npm %} - * Use `relationship:` to filter the list by relationship status. Possible values are `direct`, `transitive`, and `inconclusive`. Alternatively, you can click the relationship label adjacent to a dependency name to only show dependencies of the same relationship status. This filter is only available for ecosystems with transitive dependency support. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems) for more information.{% endif %} + * Use `relationship:` to filter the list by relationship status. Possible values are `direct`, `transitive`, and `inconclusive`. Alternatively, you can click the relationship label adjacent to a dependency name to only show dependencies of the same relationship status. This filter is only available for ecosystems with transitive dependency support. See [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems) for more information.{% endif %} {% endif %} @@ -63,7 +63,7 @@ For each dependency, you can see its ecosystem, the manifest file in which it wa Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed. {% endif %} -Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} will show which detector was used for their submission and when they were submitted. For more information on using the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). +Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} will show which detector was used for their submission and when they were submitted. For more information on using the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api). If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}. @@ -84,9 +84,9 @@ For public repositories, the dependents view shows how the repository is used by ## Further reading -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts){% ifversion ghec %} +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors) +* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts){% ifversion ghec %} * [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization){% endif %}{% ifversion fpt or ghec %} -* [AUTOTITLE](/get-started/privacy-on-github) +* [AUTOTITLE](/get-started/archiving-your-github-personal-account-and-public-repositories) {% endif %} diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically.md index 6b42168037c9..05adaaaac0e2 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically.md @@ -27,7 +27,7 @@ You must also enable {% data variables.product.prodname_actions %} for the repos Repository administrators can enable or disable automatic dependency submission for a repository by following the steps outlined in this procedure. -Organization owners can enable automatic dependency submission for multiple repositories using a security configuration. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). +Organization owners can enable automatic dependency submission for multiple repositories using a security configuration. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration). {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} @@ -51,14 +51,14 @@ For ecosystems that support {% data variables.product.prodname_dependabot %} gra When {% data variables.product.prodname_dependabot %} graph jobs encounter private packages that are not accessible through configured secrets, those packages are gracefully omitted from the dependency graph without causing a failure. -For more information on configuring private registry access, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot). +For more information on configuring private registry access, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries). ### Using self-hosted runners You can configure **self-hosted runners** to run automatic dependency submission jobs, instead of using the {% data variables.product.prodname_actions %} infrastructure. This is necessary to access private registries for ecosystems that do not support {% data variables.product.prodname_dependabot %} graph jobs, or when your registries are only reachable from within your network. The self-hosted runners must be running on Linux or macOS. For .NET and Python auto-submission, they must have access to the public internet in order to download the latest component-detection release. -1. Provision one or more self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners). -1. Assign a `dependency-submission` label to each runner you want automatic dependency submission to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner). +1. Provision one or more self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/concepts/runners/self-hosted-runners) and [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/add-runners). +1. Assign a `dependency-submission` label to each runner you want automatic dependency submission to use. For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/apply-labels#assigning-a-label-to-a-self-hosted-runner). {% data reusables.repositories.navigate-to-code-security-and-analysis %} 1. Under "Dependency graph", click the dropdown menu next to "Automatic dependency submission", then select **Enabled for labeled runners**. @@ -73,5 +73,5 @@ For network allowlist URLs, larger runner configuration, troubleshooting details ## Further reading * [AUTOTITLE](/code-security/reference/supply-chain-security/automatic-dependency-submission) -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security) -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) +* [AUTOTITLE](/code-security/concepts/supply-chain-security/supply-chain-security) +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api) diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api.md index 0be894006bc8..f02431f63bf0 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api.md @@ -26,7 +26,7 @@ You can use the {% data variables.dependency-submission-api.name %} in a {% data {% data reusables.dependency-submission.premade-action-table %} -For more information about these actions, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#package-ecosystems-supported-via-dependency-submission-actions). +For more information about these actions, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems#package-ecosystems-supported-via-dependency-submission-actions). ### Creating your own action @@ -36,7 +36,7 @@ Alternatively, you can write your own action to submit dependencies for your pro 1. Translate the list of dependencies into the snapshot format accepted by the {% data variables.dependency-submission-api.name %}. For more information about the format, see the body parameters for the "Create a repository snapshot" API endpoint in [AUTOTITLE](/rest/dependency-graph/dependency-submission). 1. Submit the formatted list of dependencies to the {% data variables.dependency-submission-api.name %}. -{% data variables.product.github %} maintains the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit), a TypeScript library to help you build your own GitHub Action for submitting dependencies to the {% data variables.dependency-submission-api.name %}. For more information about writing an action, see [AUTOTITLE](/actions/creating-actions). +{% data variables.product.github %} maintains the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit), a TypeScript library to help you build your own GitHub Action for submitting dependencies to the {% data variables.dependency-submission-api.name %}. For more information about writing an action, see [AUTOTITLE](/actions/tutorials/create-actions). ## Submitting SBOMs as snapshots diff --git a/content/code-security/how-tos/use-ghas-with-ai-coding-agents/scan-for-secrets-with-github-mcp-server.md b/content/code-security/how-tos/use-ghas-with-ai-coding-agents/scan-for-secrets-with-github-mcp-server.md index bc92b3b2f0c2..f1e6c329e19d 100644 --- a/content/code-security/how-tos/use-ghas-with-ai-coding-agents/scan-for-secrets-with-github-mcp-server.md +++ b/content/code-security/how-tos/use-ghas-with-ai-coding-agents/scan-for-secrets-with-github-mcp-server.md @@ -22,7 +22,7 @@ This works with any MCP-compatible agent or IDE, including {% data variables.pro ## Prerequisites * **{% data variables.product.prodname_GH_secret_protection %}** is enabled for the repository. -* **{% data variables.product.github %} MCP server** is connected in your IDE or agent. See [AUTOTITLE](/copilot/how-tos/provide-context/use-mcp/set-up-the-github-mcp-server). +* **{% data variables.product.github %} MCP server** is connected in your IDE or agent. See [AUTOTITLE](/copilot/how-tos/provide-context/use-mcp-in-your-ide/set-up-the-github-mcp-server). * Your organization's **security configuration** determines which secret types are detected and whether push protection is enforced. The MCP tools respect your organization's push protection configuration (repository-level push protection settings are not used). ## Step 1: Install and configure tools @@ -135,7 +135,7 @@ The agent returns: * The **file and line** where it was detected * **Remediation steps**, such as removing or rotating the credential -If push protection is enabled, the MCP server also blocks secrets from being included in any actions it takes on your behalf, such as commits, pull requests, or the creation of files. See [AUTOTITLE](/code-security/concepts/secret-security/working-with-push-protection-and-the-github-mcp-server). +If push protection is enabled, the MCP server also blocks secrets from being included in any actions it takes on your behalf, such as commits, pull requests, or the creation of files. See [AUTOTITLE](/code-security/concepts/secret-security/push-protection-and-the-github-mcp-server). ## Troubleshooting diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-adoption-code-security.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-adoption-code-security.md index 5d0b65f12f6d..c169953bbaf8 100644 --- a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-adoption-code-security.md +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-adoption-code-security.md @@ -32,7 +32,7 @@ You can view data to assess the enablement of features for secure coding across {% ifversion dependabot-updates-paused-enterprise-orgs %} -In the list of repositories, a "Paused" label under "{% data variables.product.prodname_dependabot %}" indicates repositories for which {% data variables.product.prodname_dependabot_updates %} are paused. For information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates), for security and version updates, respectively.{% endif %} +In the list of repositories, a "Paused" label under "{% data variables.product.prodname_dependabot %}" indicates repositories for which {% data variables.product.prodname_dependabot_updates %} are paused. For information about inactivity criteria, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates), for security and version updates, respectively.{% endif %} ## Viewing the enablement of features for secure coding in an enterprise @@ -55,7 +55,7 @@ You can view data to assess the enablement status and enablement status trends o 1. Click on one of the tabs for "{% data variables.product.prodname_dependabot %}," "{% data variables.product.prodname_code_scanning_caps %}," or "{% data variables.product.prodname_secret_scanning_caps %}" to view enablement trends and the percentage of repositories in your organization with that feature enabled. This data is displayed as a graph and a detailed table. 1. Optionally, use the options at the top of the "Enablement trends" view page to filter the group of repositories you want to see enablement trends for. * Use the date picker to set the time range that you want to view enablement trends for. - * Click in the search box to add further filters on the enablement trends displayed. The filters you can apply are the same as those for the "Overview" dashboard view. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). + * Click in the search box to add further filters on the enablement trends displayed. The filters you can apply are the same as those for the "Overview" dashboard view. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/filtering-alerts-in-security-overview). ![Screenshot of the "Enablement trends" view for an organization, showing Dependabot status and trends over 30 days, with a filter applied.](/assets/images/help/security-overview/security-overview-enablement-trends.png) @@ -69,16 +69,16 @@ You can view data to assess the enablement status and enablement status trends o 1. Click on one of the tabs for "{% data variables.product.prodname_dependabot %}," "{% data variables.product.prodname_code_scanning_caps %}," or "{% data variables.product.prodname_secret_scanning_caps %}" to view enablement trends and the percentage of repositories across organizations in your enterprise with that feature enabled. This data is displayed as a graph and a detailed table. 1. Optionally, use the options at the top of the "Enablement trends" view page to filter the group of repositories you want to see enablement trends for. * Use the date picker to set the time range that you want to view enablement trends for. - * Click in the search box to add further filters on the enablement trends displayed. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). + * Click in the search box to add further filters on the enablement trends displayed. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/filtering-alerts-in-security-overview). ->[!TIP] You can use the `owner:` filter in the search field to filter the data by organization. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). +>[!TIP] You can use the `owner:` filter in the search field to filter the data by organization. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/filtering-alerts-in-security-overview). ## Acting on enablement data After you have reviewed enablement coverage, consider the following actions. -1. Check if your enterprise has configured overly restrictive policies that limit the use of security features. See [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). -1. Enable features that should be enabled on all repositories. For information on enabling features for a whole organization, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization). +1. Check if your enterprise has configured overly restrictive policies that limit the use of security features. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). +1. Enable features that should be enabled on all repositories. For information on enabling features for a whole organization, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security). For example, {% data variables.secret-scanning.alerts %} and push protection reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. @@ -87,7 +87,7 @@ After you have reviewed enablement coverage, consider the following actions. ## Next steps {% ifversion security-overview-export-data %} -You can download a CSV file of the data displayed on the "Security coverage" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. See [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). +You can download a CSV file of the data displayed on the "Security coverage" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. See [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-data). {% endif %} You can use the "Enablement trends" view to see enablement status and enablement status trends over time for {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %}, or {% data variables.product.prodname_secret_scanning %} across repositories or organizations. See [Viewing enablement trends for an organization](#viewing-enablement-trends-for-an-organization) or [Viewing enablement trends for an enterprise](#viewing-enablement-trends-for-an-enterprise). diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-code-security-risk.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-code-security-risk.md index 07be24c200df..00ca14b0c5e3 100644 --- a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-code-security-risk.md +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-code-security-risk.md @@ -34,7 +34,7 @@ These views provide you with the data and filters to: * Understand how your organization is affected by secret leaks and exposures.{% endif %}{% ifversion security-overview-export-data %} * Export your current selection of data for further analysis and reporting. {% endif %} -For information about the **Overview**, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights). +For information about the **Overview**, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights). ## Viewing organization-level security risks in code @@ -48,7 +48,7 @@ For information about the **Overview**, see [AUTOTITLE](/code-security/security- {% data reusables.security-overview.unaffected-repositories %} {% data reusables.organizations.security-overview-feature-specific-page %} {% ifversion security-overview-export-data %} -1. Optionally, use the **{% octicon "download" aria-hidden="true" aria-label="download" %} Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} +1. Optionally, use the **{% octicon "download" aria-hidden="true" aria-label="download" %} Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-data). {% endif %} {% data reusables.security-overview.alert-differences %} @@ -67,7 +67,7 @@ You can view data for security alerts across organizations in an enterprise. {% data reusables.security-overview.unaffected-repositories %} {% data reusables.organizations.security-overview-feature-specific-page %}{% ifversion security-overview-export-data %} -1. Optionally, use the {% octicon "download" aria-hidden="true" aria-label="download" %} **Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} +1. Optionally, use the {% octicon "download" aria-hidden="true" aria-label="download" %} **Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-data). {% endif %} {% data reusables.security-overview.alert-differences %} @@ -75,5 +75,5 @@ You can view data for security alerts across organizations in an enterprise. ## Next steps -When you have assessed your security risks, you are ready to create a security campaign to collaborate with developers to remediate alerts. For information about fixing security alerts at scale, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns) and [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale). +When you have assessed your security risks, you are ready to create a security campaign to collaborate with developers to remediate alerts. For information about fixing security alerts at scale, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/creating-managing-security-campaigns) and [AUTOTITLE](/code-security/tutorials/secure-your-organization/best-practice-fix-alerts-at-scale). {% endif %} diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-risk-report-csv.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-risk-report-csv.md index 95342e355059..afc82d05a879 100644 --- a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-risk-report-csv.md +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-risk-report-csv.md @@ -20,4 +20,4 @@ category: ## Next steps -To better understand the fields of your CSV file, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/risk-report-csv-contents). +To better understand the fields of your CSV file, see [AUTOTITLE](/code-security/reference/secret-security/risk-report-csv-contents). diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/find-insecure-repositories.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/find-insecure-repositories.md index e483e377c4e2..d98f1f97cc12 100644 --- a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/find-insecure-repositories.md +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/find-insecure-repositories.md @@ -26,5 +26,5 @@ category: * `tool:dependabot` shows only alerts for dependencies identified by {% data variables.product.prodname_dependabot %} * `tool:secret-scanning` shows only alerts for secrets identified by {% data variables.product.prodname_secret_scanning %} * `tool:codeql` shows only alerts for potential security vulnerabilities identified by {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} -1. You can add further filters to show only the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). +1. You can add further filters to show only the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/filtering-alerts-in-security-overview). {% data reusables.organizations.security-overview-feature-specific-page %} diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-dependabot-alerts.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-dependabot-alerts.md index 1887963c9e44..46be43623649 100644 --- a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-dependabot-alerts.md +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-dependabot-alerts.md @@ -14,7 +14,7 @@ category: - Secure at scale --- -You can view metrics for {% data variables.product.prodname_dependabot_alerts %} to track and prioritize vulnerabilities across your organization. For more information about the available metrics and how to use them, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts). +You can view metrics for {% data variables.product.prodname_dependabot_alerts %} to track and prioritize vulnerabilities across your organization. For more information about the available metrics and how to use them, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alert-metrics). This article explains how to access and view these metrics for your organization. diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-pull-request-alerts.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-pull-request-alerts.md index 8b9629621735..293fba5b7d0f 100644 --- a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-pull-request-alerts.md +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-pull-request-alerts.md @@ -28,7 +28,7 @@ category: * Click **{% octicon "plus" aria-hidden="true" aria-label="plus" %} Add a filter**, then select a filter from the dropdown menu. * To search for repositories matching the selected filter, fill out the available fields for that filter, then click **Apply**. You can repeat this process to add as many filters as you would like to your search. * Optionally, to remove a filter from your search, click **{% octicon "filter" aria-hidden="true" aria-label="filter" %} Filter**. In the row of the filter you want to remove, click {% octicon "x" aria-label="Delete FILTER-NUMBER: FILTER-PROPERTIES" %}, then click **Apply**.{% ifversion security-overview-export-data %} -1. You can use the **{% octicon "download" aria-hidden="true" aria-label="download" %} Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). {% endif %} +1. You can use the **{% octicon "download" aria-hidden="true" aria-label="download" %} Export CSV** button to download a CSV file of the data currently displayed on the page for security research and in-depth data analysis. For more information, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-data). {% endif %} ## Viewing {% data variables.product.prodname_codeql %} pull request metrics for your enterprise diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights.md index d56c3efa499e..41f2a60ac4b3 100644 --- a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights.md +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights.md @@ -17,10 +17,10 @@ category: - Secure at scale --- -The overview page in security overview provides a consolidated dashboard of your organization{% ifversion security-overview-dashboard-enterprise %} or enterprise{% endif %}'s security landscape. You can filter the dashboard by time period, tool, and other criteria to focus on specific areas of interest. For more information about the overview dashboard, available metrics, and access permissions, see [AUTOTITLE](/code-security/concepts/security-at-scale/about-security-overview). +The overview page in security overview provides a consolidated dashboard of your organization{% ifversion security-overview-dashboard-enterprise %} or enterprise{% endif %}'s security landscape. You can filter the dashboard by time period, tool, and other criteria to focus on specific areas of interest. For more information about the overview dashboard, available metrics, and access permissions, see [AUTOTITLE](/code-security/concepts/security-at-scale/security-overview). {% ifversion security-overview-export-data %} -You can download a CSV file of the overview dashboard data for your organization or enterprise. For more information, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/exporting-data-from-security-overview). +You can download a CSV file of the overview dashboard data for your organization or enterprise. For more information, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-data). {% endif %} @@ -53,6 +53,6 @@ The enterprise security overview also includes a **Public monitoring** page, whe ## Next steps -The dashboard displays metrics about alert status, remediation velocity, and high-risk repositories in your organization{% ifversion security-overview-dashboard-enterprise %} or enterprise{% endif %}. For detailed explanations of each metric and how it's calculated, see [AUTOTITLE](/code-security/reference/security-at-scale/security-overview-dashboard-metrics). +The dashboard displays metrics about alert status, remediation velocity, and high-risk repositories in your organization{% ifversion security-overview-dashboard-enterprise %} or enterprise{% endif %}. For detailed explanations of each metric and how it's calculated, see [AUTOTITLE](/code-security/reference/security-at-scale/overview-dashboard-metrics). -You can filter the dashboard by time period, tool, repository, and other criteria. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). +You can filter the dashboard by time period, tool, repository, and other criteria. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/filtering-alerts-in-security-overview). diff --git a/content/code-security/how-tos/view-and-interpret-data/change-used-by-data.md b/content/code-security/how-tos/view-and-interpret-data/change-used-by-data.md index ef2783b62dd2..22912a771691 100644 --- a/content/code-security/how-tos/view-and-interpret-data/change-used-by-data.md +++ b/content/code-security/how-tos/view-and-interpret-data/change-used-by-data.md @@ -11,7 +11,7 @@ category: - Secure your dependencies --- -{% data reusables.dependency-graph.used-by %} For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependency-graph#dependents-and-used-by-data). +{% data reusables.dependency-graph.used-by %} For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph#dependents-and-used-by-data). If you have admin permissions to a repository that contains multiple packages, you can choose which package the "Used by" section represents. diff --git a/content/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs.md b/content/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs.md index d62693941ac5..77afd545fcf5 100644 --- a/content/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs.md +++ b/content/code-security/how-tos/view-and-interpret-data/view-code-scanning-logs.md @@ -40,8 +40,8 @@ After configuring {% data variables.product.prodname_code_scanning %} using defa 1. Optionally, to see more detail about the commit that triggered the workflow run, click the short commit hash. The short commit hash is 7 lowercase characters immediately following the commit author's username. -1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository). +1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/assess-alerts#viewing-the-alerts-for-a-repository). ## Further reading -If you're looking for diagnostic information about whether {% data variables.product.prodname_code_scanning %} accessed any private registries, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/viewing-code-scanning-logs). +If you're looking for diagnostic information about whether {% data variables.product.prodname_code_scanning %} accessed any private registries, see [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs#diagnostic-information-for-private-package-registries). diff --git a/content/code-security/reference/permissions/repository-security-advisory.md b/content/code-security/reference/permissions/repository-security-advisory.md index b98e3846a4c0..1d5a111510c6 100644 --- a/content/code-security/reference/permissions/repository-security-advisory.md +++ b/content/code-security/reference/permissions/repository-security-advisory.md @@ -29,24 +29,24 @@ category: Action | Write permissions | Admin permissions | ------ | ----------------- | ----------------- | See a draft security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Add collaborators to the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +Add collaborators to the security advisory (see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/add-collaborators)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | Edit and delete any comments in the security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Create a temporary private fork in the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | -Add changes to a temporary private fork in the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Create pull requests in a temporary private fork (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Merge changes in the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | -Add and edit metadata in the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -Add and remove credits for a security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +Create a temporary private fork in the security advisory (see [AUTOTITLE](/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +Add changes to a temporary private fork in the security advisory (see [AUTOTITLE](/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +Create pull requests in a temporary private fork (see [AUTOTITLE](/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +Merge changes in the security advisory (see [AUTOTITLE](/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +Add and edit metadata in the security advisory (see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/publish-repository-advisory)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +Add and remove credits for a security advisory (see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/edit-repository-advisories)) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | Close the draft security advisory | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | -Publish the security advisory (see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +Publish the security advisory (see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/publish-repository-advisory)) | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | ### Permission differences for global security advisories -Unlike repository security advisories, anyone can contribute to **global security advisories** in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). +Unlike repository security advisories, anyone can contribute to **global security advisories** in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. See [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/edit-advisory-database). ## Further reading -* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory) -* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability) -* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory) -* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/deleting-a-repository-security-advisory) +* [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/add-collaborators) +* [AUTOTITLE](/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork) +* [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/remove-collaborators) +* [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/delete-repository-advisories) diff --git a/content/code-security/reference/permissions/security-overview.md b/content/code-security/reference/permissions/security-overview.md index 970ef6fe83d6..38ba474f32f2 100644 --- a/content/code-security/reference/permissions/security-overview.md +++ b/content/code-security/reference/permissions/security-overview.md @@ -47,10 +47,10 @@ For more information about access to security alerts and related views, see [AUT ## Enterprise-level overview > [!NOTE] -> If you are an **enterprise owner**, you will need to join an organization as an organization owner to view data for the organization's repositories in both the organization-level and enterprise-level overview.{% ifversion secret-scanning-user-owned-repos %} {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}{% endif %} For more information, see [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). +> If you are an **enterprise owner**, you will need to join an organization as an organization owner to view data for the organization's repositories in both the organization-level and enterprise-level overview.{% ifversion secret-scanning-user-owned-repos %} {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}{% endif %} For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). In the enterprise-level security overview, you can see data for all organizations where you are an **organization owner or security manager**. {% ifversion ghec %} -If you're an owner of an {% data variables.enterprise.prodname_emu_enterprise %}, you can view data from user-owned repositories in security overview and filter by repository owner type. For more information on {% data variables.enterprise.prodname_managed_users %}, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). +If you're an owner of an {% data variables.enterprise.prodname_emu_enterprise %}, you can view data from user-owned repositories in security overview and filter by repository owner type. For more information on {% data variables.enterprise.prodname_managed_users %}, see [AUTOTITLE](/admin/concepts/identity-and-access-management/enterprise-managed-users). {% endif %} diff --git a/content/code-security/reference/secret-security/risk-report-csv-contents.md b/content/code-security/reference/secret-security/risk-report-csv-contents.md index 1951e23d7da4..107b3ee433e8 100644 --- a/content/code-security/reference/secret-security/risk-report-csv-contents.md +++ b/content/code-security/reference/secret-security/risk-report-csv-contents.md @@ -19,7 +19,7 @@ The {% data variables.product.prodname_secret_risk_assessment %} report CSV file | ---------- | ---------------------- | --------------------------------------------------------- | | A | `Organization Name` | The name of the organization the secret was detected in | | B | `Name` | The token name for the type of secret | -| C | `Slug` | The normalized string for the token. This corresponds to `Token` in the table of supported secrets. See [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). | +| C | `Slug` | The normalized string for the token. This corresponds to `Token` in the table of supported secrets. See [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-secrets). | | D | `Push Protected` | A `boolean` to indicate whether the secret would be detected and blocked by push protection if it were enabled | | E | `Generic Pattern` | A `boolean` to indicate whether the secret matched a generic pattern and would generate an alert if {% data variables.product.prodname_secret_scanning %} with generic patterns were enabled | | F | `Secret Count` | An aggregate count of the active and inactive secrets found for the token type | @@ -27,4 +27,4 @@ The {% data variables.product.prodname_secret_risk_assessment %} report CSV file ## Next steps -To learn which secrets you should prioritize for remediation, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results#step-5-prioritizing-remediation-and-related-actions). +To learn which secrets you should prioritize for remediation, see [AUTOTITLE](/code-security/tutorials/secure-your-organization/interpret-secret-risk-assessment#step-5-prioritizing-remediation-and-related-actions). diff --git a/content/code-security/reference/secret-security/secret-pattern-data.md b/content/code-security/reference/secret-security/secret-pattern-data.md index 4ea9a5bfe7e4..c10d31f72b0f 100644 --- a/content/code-security/reference/secret-security/secret-pattern-data.md +++ b/content/code-security/reference/secret-security/secret-pattern-data.md @@ -14,7 +14,7 @@ redirect_from: - /code-security/reference/secret-security/secret-scanning-pattern-configuration-data --- -When configuring push protection, you can view performance data for each secret pattern to make informed enablement decisions. Use metrics like alert volume and false positive rates to balance security with developer experience. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization#specifying-patterns-to-include-in-push-protection){% ifversion security-configuration-enterprise-level %} or [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/configuring-additional-secret-scanning-settings-for-your-enterprise#specifying-patterns-to-include-in-push-protection-for-your-enterprise){% endif %}. +When configuring push protection, you can view performance data for each secret pattern to make informed enablement decisions. Use metrics like alert volume and false positive rates to balance security with developer experience. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings#specifying-patterns-to-include-in-push-protection){% ifversion security-configuration-enterprise-level %} or [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/configure-additional-settings#specifying-patterns-to-include-in-push-protection-for-your-enterprise){% endif %}. {% data reusables.secret-scanning.pattern-enablement-org-enterprise-chart %} diff --git a/content/code-security/reference/secret-security/secret-scanning-scope.md b/content/code-security/reference/secret-security/secret-scanning-scope.md index c5b322a7c950..eddfc6cfbb01 100644 --- a/content/code-security/reference/secret-security/secret-scanning-scope.md +++ b/content/code-security/reference/secret-security/secret-scanning-scope.md @@ -34,7 +34,7 @@ Public monitoring alerts appear in the enterprise-level security overview, on th {% data variables.product.prodname_secret_scanning_caps %} will only detect pattern pairs, such as AWS Access Keys and Secrets, if the ID and the secret are found in the same file, and both are pushed to the repository. Pair matching helps reduce false positives since both elements of a pair (the ID and the secret) must be used together to access the provider's resource. -Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). +Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns). ## About legacy GitHub tokens @@ -42,7 +42,7 @@ For {% data variables.product.prodname_dotcom %} tokens, we check the validity o ## Push protection limitations -If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). +If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-secrets). If your secret is in the supported list, there are various reasons why push protection may not detect it. diff --git a/content/code-security/reference/secret-security/secret-types.md b/content/code-security/reference/secret-security/secret-types.md index 234ca69f521b..233f88e3da9b 100644 --- a/content/code-security/reference/secret-security/secret-types.md +++ b/content/code-security/reference/secret-security/secret-types.md @@ -116,7 +116,7 @@ Organization-level secrets: * Actions secrets are not available to workflows initiated by {% data variables.product.prodname_dependabot %}. * Actions secrets are not passed to workflows that are triggered by a pull request from a fork. * {% data variables.product.prodname_actions %} automatically redacts the contents of all {% data variables.product.github %} secrets that are printed to workflow logs. -* You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets. Secrets are limited to 48 KB in size. For more information, see [Limits for secrets](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#limits-for-secrets). +* You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets. Secrets are limited to 48 KB in size. For more information, see [Limits for secrets](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets#limits-for-secrets). {% ifversion fpt or ghec %} @@ -168,7 +168,7 @@ Organization-level secrets: ## Further reading -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use) -* [AUTOTITLE](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions){% ifversion fpt or ghec %} +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#storing-credentials-for-dependabot-to-use) +* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets){% ifversion fpt or ghec %} * [AUTOTITLE](/codespaces/managing-codespaces-for-your-organization/managing-development-environment-secrets-for-your-repository-or-organization) * [AUTOTITLE](/codespaces/managing-your-codespaces/managing-your-account-specific-secrets-for-github-codespaces){% endif %} diff --git a/content/code-security/reference/secret-security/supported-secret-scanning-patterns.md b/content/code-security/reference/secret-security/supported-secret-scanning-patterns.md index 6d597272b728..aadf973b9b8b 100644 --- a/content/code-security/reference/secret-security/supported-secret-scanning-patterns.md +++ b/content/code-security/reference/secret-security/supported-secret-scanning-patterns.md @@ -21,7 +21,7 @@ category: {% data reusables.secret-scanning.alert-types %} -For in-depth information about each alert type, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts). +For in-depth information about each alert type, see [AUTOTITLE](/code-security/concepts/secret-security/about-alerts). If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see [AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning). @@ -101,7 +101,7 @@ Precision levels are estimated based on the pattern type's typical false positiv ## Supported AI-detected patterns -{% data variables.product.prodname_secret_scanning_caps %} uses {% data variables.product.prodname_copilot_short %} to detect generic secrets using AI. See [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets). +{% data variables.product.prodname_secret_scanning_caps %} uses {% data variables.product.prodname_copilot_short %} to detect generic secrets using AI. See [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features). | Provider | Token | |----------|:--------------------| diff --git a/content/code-security/reference/security-at-scale/configuration-statuses.md b/content/code-security/reference/security-at-scale/configuration-statuses.md index be0035f9b304..16e3e009e335 100644 --- a/content/code-security/reference/security-at-scale/configuration-statuses.md +++ b/content/code-security/reference/security-at-scale/configuration-statuses.md @@ -13,9 +13,9 @@ redirect_from: - /code-security/reference/security-at-scale/security-configuration-statuses --- -A repository's configuration status tells you the current state of its relationship with the applied {% data variables.product.prodname_security_configuration %}. That relationship can change over time—for example, when a repository admin overrides a setting, an admin enables enforcement, or an attachment fails. For more about how configurations and repositories interact, see [AUTOTITLE](/code-security/concepts/security-at-scale/about-enabling-security-features-at-scale). +A repository's configuration status tells you the current state of its relationship with the applied {% data variables.product.prodname_security_configuration %}. That relationship can change over time—for example, when a repository admin overrides a setting, an admin enables enforcement, or an attachment fails. For more about how configurations and repositories interact, see [AUTOTITLE](/code-security/concepts/security-at-scale/organization-security). -You can view configuration statuses in the repository table on your organization's {% data variables.product.prodname_security_configurations %} settings page, or retrieve them with the REST API. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/filtering-repositories-in-your-organization-using-the-repository-table) and [AUTOTITLE](/rest/code-security/configurations). +You can view configuration statuses in the repository table on your organization's {% data variables.product.prodname_security_configurations %} settings page, or retrieve them with the REST API. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/filter-repositories) and [AUTOTITLE](/rest/code-security/configurations). ## Configuration status reference @@ -28,11 +28,11 @@ In the repository table, the "Configuration status" filter supports "Attached," | `attached` | The configuration is actively applied. The repository inherits all settings from the configuration. | An organization or enterprise admin applied the configuration to the repository. | The configuration name (for example, "My config") | No action needed. | | `attaching` | The configuration is being applied. This is a transient state. | An organization or enterprise admin just applied the configuration. | {% octicon "clock" aria-label="Applying" %} Applying CONFIGURATION-NAME | Wait for the operation to complete. If the status does not change, check for attachment failures. | | `updating` | The configuration is being updated on the repository. | An organization or enterprise admin changed a setting in the configuration. | {% octicon "clock" aria-label="Updating" %} Updating CONFIGURATION-NAME | Wait for the update to complete. | -| `enforced` | The configuration is actively applied and enforced. Repository admins cannot change the enablement status of features controlled by the configuration. | An organization or enterprise admin enabled enforcement on the configuration. | {% octicon "shield" aria-label="Enforced" %} Enforced CONFIGURATION-NAME | No action needed. For more information, see [AUTOTITLE](/code-security/reference/security-at-scale/security-configuration-enforcement). | +| `enforced` | The configuration is actively applied and enforced. Repository admins cannot change the enablement status of features controlled by the configuration. | An organization or enterprise admin enabled enforcement on the configuration. | {% octicon "shield" aria-label="Enforced" %} Enforced CONFIGURATION-NAME | No action needed. For more information, see [AUTOTITLE](/code-security/reference/security-at-scale/configuration-enforcement). | | `removed` | A repository-level setting was changed that conflicts with the configuration. The configuration is still associated with the repository, but the repository no longer inherits all settings. | A repository admin changed a security setting on an unenforced configuration. | {% octicon "alert" aria-label="Removed" %} Removed CONFIGURATION-NAME | To restore the intended settings, re-apply the configuration in the "{% data variables.product.prodname_AS %}" page of the repository. To prevent future overrides, consider enabling enforcement. | | `removed_by_enterprise` | An enterprise-level configuration change caused a conflict with the repository's settings. | An enterprise admin changed a setting that conflicts with the organization-level configuration applied to the repository. | {% octicon "alert" aria-label="Removed" %} Removed CONFIGURATION-NAME | Coordinate with your enterprise admin to resolve the conflict. Re-apply the configuration at the organization or enterprise level. | -| `failed` | The configuration could not be attached to the repository. | A conflict between existing repository settings and the configuration prevented attachment. | {% octicon "alert" aria-label="Failed" %} Failed REASON | Filter by `config-status:failed` in the repository table, then follow the remediation guidance for the specific repository. For more information, see [AUTOTITLE](/code-security/reference/security-at-scale/troubleshoot-security-configurations/diagnosing-security-configuration-issues). | -| `detached` | No configuration is applied. The repository's security settings are managed individually. | An organization admin detached the configuration, or the repository was never attached to a configuration. | No configuration | Apply a configuration if you want the repository to inherit centrally managed settings. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). | +| `failed` | The configuration could not be attached to the repository. | A conflict between existing repository settings and the configuration prevented attachment. | {% octicon "alert" aria-label="Failed" %} Failed REASON | Filter by `config-status:failed` in the repository table, then follow the remediation guidance for the specific repository. For more information, see [AUTOTITLE](/code-security/reference/security-at-scale/troubleshoot-security-configurations/configuration-issue-diagnosis). | +| `detached` | No configuration is applied. The repository's security settings are managed individually. | An organization admin detached the configuration, or the repository was never attached to a configuration. | No configuration | Apply a configuration if you want the repository to inherit centrally managed settings. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). | ## Understanding `removed` vs. `detached` @@ -41,7 +41,7 @@ These statuses reflect different situations: * **`removed`**: A repository admin changed a security setting that conflicts with an unenforced configuration. The configuration is still associated with the repository, but the repository no longer counts toward your organization's coverage metrics for that configuration. Re-applying the configuration restores the relationship. * **`detached`**: The configuration is fully disconnected from the repository. The repository's existing security settings are unchanged, but no configuration manages them. To restore centrally managed settings, apply a new configuration. -To prevent repositories from reaching a `removed` status, enable enforcement on the configuration. For more information, see [AUTOTITLE](/code-security/reference/security-at-scale/security-configuration-enforcement). +To prevent repositories from reaching a `removed` status, enable enforcement on the configuration. For more information, see [AUTOTITLE](/code-security/reference/security-at-scale/configuration-enforcement). ## Tracking configuration status changes with the audit log @@ -49,6 +49,6 @@ Your organization's audit log records `repository_security_configuration` events ## Further reading -* [AUTOTITLE](/code-security/concepts/security-at-scale/about-enabling-security-features-at-scale) -* [AUTOTITLE](/code-security/reference/security-at-scale/security-configuration-enforcement) -* [AUTOTITLE](/code-security/reference/security-at-scale/troubleshoot-security-configurations/diagnosing-security-configuration-issues) +* [AUTOTITLE](/code-security/concepts/security-at-scale/organization-security) +* [AUTOTITLE](/code-security/reference/security-at-scale/configuration-enforcement) +* [AUTOTITLE](/code-security/reference/security-at-scale/troubleshoot-security-configurations/configuration-issue-diagnosis) diff --git a/content/code-security/reference/security-at-scale/overview-dashboard-filters.md b/content/code-security/reference/security-at-scale/overview-dashboard-filters.md index f12fba1b778f..b75a43c834cb 100644 --- a/content/code-security/reference/security-at-scale/overview-dashboard-filters.md +++ b/content/code-security/reference/security-at-scale/overview-dashboard-filters.md @@ -169,7 +169,7 @@ You can limit the data to repositories owned by a single organization in your en {% data reusables.security.production-context-mdc-preview %} -For more information about production context, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code). +For more information about production context, see [AUTOTITLE](/code-security/tutorials/secure-your-organization/prioritize-alerts-in-production-code). | Qualifier | Description | | -------- | -------- | @@ -192,7 +192,7 @@ For more information about production context, see [AUTOTITLE](/code-security/se |{% endif %}| |`ecosystem`|Display {% data variables.product.prodname_dependabot_alerts %} detected in a specified ecosystem, for example: `ecosystem:Maven`.| |`epss_percentage`|Display {% data variables.product.prodname_dependabot_alerts %} whose EPSS score meets the defined criteria, for example: `epss_percentage:>=0.01`| -|`has`|Display {% data variables.product.prodname_dependabot_alerts %} for vulnerabilities where either a secure version is already available (`patch`) or where at least one call from the repository to a vulnerable function is detected (`vulnerable-calls`). For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#about-the-detection-of-calls-to-vulnerable-functions).| +|`has`|Display {% data variables.product.prodname_dependabot_alerts %} for vulnerabilities where either a secure version is already available (`patch`) or where at least one call from the repository to a vulnerable function is detected (`vulnerable-calls`). For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts#about-the-detection-of-calls-to-vulnerable-functions).| |`is`|Display {% data variables.product.prodname_dependabot_alerts %} that are open (`open`) or closed (`closed`).| |`package`|Display {% data variables.product.prodname_dependabot_alerts %} detected in the specified package, for example: `package:semver`.| |`props`|Display {% data variables.product.prodname_dependabot_alerts %} for repositories with a specific custom property set. For example, `props.data_sensitivity:high` displays results for repositories with the `data_sensitivity` property set to the value `high`.| diff --git a/content/code-security/reference/security-at-scale/overview-dashboard-metrics.md b/content/code-security/reference/security-at-scale/overview-dashboard-metrics.md index 8e78642fc4ea..86492aaefa25 100644 --- a/content/code-security/reference/security-at-scale/overview-dashboard-metrics.md +++ b/content/code-security/reference/security-at-scale/overview-dashboard-metrics.md @@ -18,17 +18,17 @@ redirect_from: In security overview, the overview dashboard displays security alert metrics for your organization{% ifversion security-overview-dashboard-enterprise %} or enterprise{% endif %}. You can use the dashboard to monitor the health of your application security program, collaborate with engineering teams, and gather data for benchmarking purposes. -The dashboard displays trending data that tracks alert counts and activity over time, as well as snapshot data that reflects the current state. All data and metrics across the dashboard change as you apply filters. By default, the dashboard displays all alerts from {% data variables.product.prodname_dotcom %} tools, but you can use the tool filter to show alerts from a specific tool ({% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, a specific third-party tool) or all third-party {% data variables.product.prodname_code_scanning %} tools. See [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). +The dashboard displays trending data that tracks alert counts and activity over time, as well as snapshot data that reflects the current state. All data and metrics across the dashboard change as you apply filters. By default, the dashboard displays all alerts from {% data variables.product.prodname_dotcom %} tools, but you can use the tool filter to show alerts from a specific tool ({% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, a specific third-party tool) or all third-party {% data variables.product.prodname_code_scanning %} tools. See [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/filtering-alerts-in-security-overview). **Trend indicators** show percentage change compared to the previous period. For example: * 10 alerts this week vs. 20 alerts last week = 50% decrease * An average alert age of 15 days vs. 5 days = 200% increase -**Alert severity filtering:** The dashboard only includes alerts with security severity levels: `Critical`, `High`, `Medium`, or `Low`. Non-security alerts (`Error`, `Warning`, or `Note`) are excluded. This may cause the dashboard count to differ from {% data variables.product.prodname_code_scanning %} alert totals. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels). +**Alert severity filtering:** The dashboard only includes alerts with security severity levels: `Critical`, `High`, `Medium`, or `Low`. Non-security alerts (`Error`, `Warning`, or `Note`) are excluded. This may cause the dashboard count to differ from {% data variables.product.prodname_code_scanning %} alert totals. For more information, see [AUTOTITLE](/code-security/concepts/code-scanning/code-scanning-alerts#about-alert-severity-and-security-severity-levels). ### Limitations -The data that populates the overview page can and will change over time due to various factors, such as repository deletion or modifications to a security advisory. This means that the overview metrics for the same time period could vary if viewed at two different times. For compliance reports or other scenarios where data consistency is crucial, we recommend that you source data from the audit log. See [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). +The data that populates the overview page can and will change over time due to various factors, such as repository deletion or modifications to a security advisory. This means that the overview metrics for the same time period could vary if viewed at two different times. For compliance reports or other scenarios where data consistency is crucial, we recommend that you source data from the audit log. See [AUTOTITLE](/code-security/concepts/security-at-scale/audit-security-alerts). The overview page tracks how security alerts changed over time. However, when you filter by another attribute, such as repository status, it uses that attribute's current value, not its historical value. @@ -88,7 +88,7 @@ Shows the ratio of secrets bypassed to the total secrets blocked by push protect Click **View details** to view the {% data variables.product.prodname_secret_scanning %} report with the same filters and time period selected. -For more information on {% data variables.product.prodname_secret_scanning %} push protection metrics, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection). +For more information on {% data variables.product.prodname_secret_scanning %} push protection metrics, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-secret-scanning-push-protection). ### Impact analysis table @@ -158,7 +158,7 @@ The count of pull request alerts detected by {% data variables.product.prodname_ Shows the ratio of accepted {% data variables.copilot.copilot_autofix_short %} suggestions to the total number of {% data variables.copilot.copilot_autofix_short %} suggestions on pull request alerts detected by {% data variables.product.prodname_code_scanning %}. -{% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %} provides targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning). +{% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_code_scanning %} provides targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/responsible-use/security-and-quality-ai-features). {% endif %} diff --git a/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md b/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md index 00b422fd303e..ce5f50bacc65 100644 --- a/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md +++ b/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md @@ -39,6 +39,6 @@ If there is no advanced setup or the advanced setup is inactive, then default se There are three ways you could solve this problem: -1. **Change the Default setup option from "Enabled" to "Enabled with advanced setup allowed"** in the {% data variables.product.prodname_security_configuration %}. _Option available from {% data variables.product.prodname_ghe_server %} 3.19._ After editing your {% data variables.product.prodname_security_configuration %}, reapply it to the repositories. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). -1. **Update the affected repositories to use default setup** for {% data variables.product.prodname_code_scanning %} at the repository level and then reapply your {% data variables.product.prodname_security_configuration %} to the repositories. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). -1. **Create a new custom {% data variables.product.prodname_security_configuration %}** that does not include a setting for {% data variables.product.prodname_code_scanning %} and apply this {% data variables.product.prodname_security_configuration %} to repositories that use advanced setup. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). +1. **Change the Default setup option from "Enabled" to "Enabled with advanced setup allowed"** in the {% data variables.product.prodname_security_configuration %}. _Option available from {% data variables.product.prodname_ghe_server %} 3.19._ After editing your {% data variables.product.prodname_security_configuration %}, reapply it to the repositories. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/apply-custom-configuration). +1. **Update the affected repositories to use default setup** for {% data variables.product.prodname_code_scanning %} at the repository level and then reapply your {% data variables.product.prodname_security_configuration %} to the repositories. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning). +1. **Create a new custom {% data variables.product.prodname_security_configuration %}** that does not include a setting for {% data variables.product.prodname_code_scanning %} and apply this {% data variables.product.prodname_security_configuration %} to repositories that use advanced setup. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration). diff --git a/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/configuration-issue-diagnosis.md b/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/configuration-issue-diagnosis.md index f363b9d02d44..994ccea13e9a 100644 --- a/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/configuration-issue-diagnosis.md +++ b/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/configuration-issue-diagnosis.md @@ -42,7 +42,7 @@ To find and remediate repositories with a `removed` status: {% data reusables.security-configurations.view-configurations-page %} 1. Filter the repository list using the "Configuration status" filter and select "Removed." 1. To restore the intended settings, re-apply the configuration to the affected repositories. -1. To prevent future overrides, consider enabling enforcement on the configuration. See [AUTOTITLE](/code-security/reference/security-at-scale/security-configuration-enforcement). +1. To prevent future overrides, consider enabling enforcement on the configuration. See [AUTOTITLE](/code-security/reference/security-at-scale/configuration-enforcement). ## Finding and remediating enterprise-removed configurations @@ -57,5 +57,5 @@ To find and remediate repositories with a `removed_by_enterprise` status: 1. Coordinate with your enterprise admin to resolve the conflict between the enterprise-level and organization-level configurations. 1. Re-apply the configuration at the organization or enterprise level. -For more information about all configuration statuses, see [AUTOTITLE](/code-security/reference/security-at-scale/security-configuration-statuses). +For more information about all configuration statuses, see [AUTOTITLE](/code-security/reference/security-at-scale/configuration-statuses). diff --git a/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/not-enough-ghas-licenses.md b/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/not-enough-ghas-licenses.md index 9cb47b794d51..3f6c6cc6e207 100644 --- a/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/not-enough-ghas-licenses.md +++ b/content/code-security/reference/security-at-scale/troubleshoot-security-configurations/not-enough-ghas-licenses.md @@ -16,7 +16,7 @@ category: - Troubleshoot security tools --- -If you are on a volume / subscription-based billing model for {% data variables.product.prodname_GHAS %} (GHAS), you must have an available GHAS license for any additional unique active committers to enable GHAS features on a private{% ifversion ghec or ghes %} or internal{% endif %} repository. To learn about GHAS licensing, as well as unique and active committers, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security). +If you are on a volume / subscription-based billing model for {% data variables.product.prodname_GHAS %} (GHAS), you must have an available GHAS license for any additional unique active committers to enable GHAS features on a private{% ifversion ghec or ghes %} or internal{% endif %} repository. To learn about GHAS licensing, as well as unique and active committers, see [AUTOTITLE](/billing/concepts/product-billing/github-advanced-security). If you try to apply a {% data variables.product.prodname_security_configuration %} with GHAS features to your repositories and don't have enough GHAS licenses, the configuration will only be successfully applied to public repositories. For private {% ifversion ghec or ghes %}and internal {% endif %}repositories, only free security features will be enabled due to the license limitation, resulting in the following outcomes: @@ -24,4 +24,4 @@ If you try to apply a {% data variables.product.prodname_security_configuration * GHAS features _will not_ be enabled for _any_ private {% ifversion ghec or ghes %}or internal {% endif %}repositories. * The {% data variables.product.prodname_security_configuration %} _will not_ be applied to _any_ private {% ifversion ghec or ghes %}or internal {% endif %}repositories, since only some features from the configuration are enabled. -For more information on managing GHAS licenses for your organization, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage). +For more information on managing GHAS licenses for your organization, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/managing-your-github-advanced-security-license-usage). diff --git a/content/code-security/reference/security-incident-response/investigation-areas.md b/content/code-security/reference/security-incident-response/investigation-areas.md index d241b9365de7..d1091ba99845 100644 --- a/content/code-security/reference/security-incident-response/investigation-areas.md +++ b/content/code-security/reference/security-incident-response/investigation-areas.md @@ -12,7 +12,7 @@ contentType: reference This reference article shows you which {% data variables.product.github %} tools to use and which {% data variables.product.github %} surfaces to check when you're responding to a security incident. Use this article to guide your investigation across major threat categories. -For full guidance on how to respond to a security incident, including **containment strategies**, see [AUTOTITLE](/code-security/tutorials/secure-your-organization/responding-to-security-incidents). +For full guidance on how to respond to a security incident, including **containment strategies**, see [AUTOTITLE](/code-security/tutorials/secure-your-organization/respond-to-a-security-incident). > [!IMPORTANT] > The availability of each tool (and the data it provides) varies by {% data variables.product.github %} plan, role, permissions, feature enablement, and pre-incident configuration (for example, audit log streaming and IP address disclosure require prior set up). For more information, see [AUTOTITLE](/code-security/reference/security-incident-response/investigation-tools). @@ -44,7 +44,7 @@ You suspect a token or key has been stolen or exploited, received a {% data vari ### Key resources -* [Containment actions](/code-security/tutorials/secure-your-organization/responding-to-security-incidents#step-2-contain-the-threat){% ifversion ghec %} +* [Containment actions](/code-security/tutorials/secure-your-organization/respond-to-a-security-incident#step-2-contain-the-threat){% ifversion ghec %} * [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/identifying-audit-log-events-performed-by-an-access-token) (organizations) * [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token) (enterprises){% endif %} * [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/remediating-a-leaked-secret) @@ -73,7 +73,7 @@ You noticed unusual login activity, saw unexpected commits or changes, or detect ### Key resources -* [Containment actions](/code-security/tutorials/secure-your-organization/responding-to-security-incidents#step-2-contain-the-threat) +* [Containment actions](/code-security/tutorials/secure-your-organization/respond-to-a-security-incident#step-2-contain-the-threat) ## Data exfiltration @@ -97,7 +97,7 @@ You detected large downloads, unusual API activity, or received reports of your ### Key resources -* [Containment actions](/code-security/tutorials/secure-your-organization/responding-to-security-incidents#step-2-contain-the-threat) +* [Containment actions](/code-security/tutorials/secure-your-organization/respond-to-a-security-incident#step-2-contain-the-threat) ## Malicious code and workflow changes @@ -128,7 +128,7 @@ You found suspicious code in your repository, a security researcher reported an ### Key resources -* [Containment actions](/code-security/tutorials/secure-your-organization/responding-to-security-incidents#step-2-contain-the-threat) +* [Containment actions](/code-security/tutorials/secure-your-organization/respond-to-a-security-incident#step-2-contain-the-threat) * [AUTOTITLE](/actions/concepts/security/github_token) * [AUTOTITLE](/actions/reference/security/secure-use) @@ -159,17 +159,17 @@ You received a malware or dependency alert, suspect a malicious package, or noti | --- | --- | | [{% data variables.product.github %} code search](/code-security/reference/security-incident-response/investigation-tools#github-code-search)| Search for references to the suspected package or Action | | [Dependency graph](/code-security/reference/security-incident-response/investigation-tools#dependency-graph) | Visualize and review dependencies | -| [{% data variables.product.prodname_dependabot %} alerts](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts) | Review for alerts relating to vulnerable dependencies | +| [{% data variables.product.prodname_dependabot %} alerts](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts) | Review for alerts relating to vulnerable dependencies | | [{% data variables.product.prodname_advisory_database %}](https://github.com/advisories)| Search for `type:malware` | | [Activity view](/code-security/reference/security-incident-response/investigation-tools#activity-view) | Review recent pushes to repositories | | [Security overview](/code-security/reference/security-incident-response/investigation-tools#security-overview) | Review recent security alerts across an organization or enterprise | ### Key resources -* [Containment actions](/code-security/tutorials/secure-your-organization/responding-to-security-incidents#step-2-contain-the-threat) +* [Containment actions](/code-security/tutorials/secure-your-organization/respond-to-a-security-incident#step-2-contain-the-threat) ## Further reading -* [AUTOTITLE](/code-security/tutorials/secure-your-organization/responding-to-security-incidents) +* [AUTOTITLE](/code-security/tutorials/secure-your-organization/respond-to-a-security-incident) * [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization) -* [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise) \ No newline at end of file +* [AUTOTITLE](/admin/concepts/security-and-compliance/audit-log-for-an-enterprise) diff --git a/content/code-security/reference/security-incident-response/investigation-tools.md b/content/code-security/reference/security-incident-response/investigation-tools.md index 1db03e9b72d7..9ccea741413f 100644 --- a/content/code-security/reference/security-incident-response/investigation-tools.md +++ b/content/code-security/reference/security-incident-response/investigation-tools.md @@ -92,9 +92,9 @@ Read access to the repository. ### Key resources -* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/exploring-the-dependencies-of-a-repository) +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies) * [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems) -* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/exporting-a-software-bill-of-materials-for-your-repository) +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/export-dependencies-as-sbom) ### Notes and limitations @@ -143,7 +143,7 @@ Read access to the repository. ### Key resources -* [AUTOTITLE](/code-security/concepts/security-at-scale/about-security-overview) +* [AUTOTITLE](/code-security/concepts/security-at-scale/security-overview) * [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights#viewing-the-security-overview-dashboard-for-your-organization) ### Notes and limitations @@ -185,4 +185,4 @@ Read access to the repository. * You can download logs for an entire workflow run or for a specific job programmatically using the REST API. Both endpoints return a redirect URL that is valid for one minute. For more information, see [AUTOTITLE](/rest/actions/workflow-runs) and [AUTOTITLE](/rest/actions/workflow-jobs). * Workflow run logs only capture standard output from workflow steps. Activity that does not write to standard output, such as network calls, file system modifications, or background processes, does not appear in the logs. * For {% data variables.product.github %}-hosted runners, the runner environment is ephemeral and destroyed after the job completes. {% data variables.product.github %} does not retain any data beyond the workflow run logs for these runners. For self-hosted runners, additional host-level or network telemetry may be available from your own infrastructure. -* For a more comprehensive investigation, correlate workflow run logs with audit log events. Events such as `git.clone`, `git.fetch`, `git.push`, `protected_branch.create`, and `protected_branch.policy_override` can provide additional context. Because Git events in {% data variables.product.github %}-hosted audit logs are currently retained for only 7 days for enterprises, setting up streamed enterprise audit logs ahead of time is important for this type of investigation. For more information, see [AUTOTITLE](/code-security/tutorials/secure-your-organization/preparing-for-security-incidents). +* For a more comprehensive investigation, correlate workflow run logs with audit log events. Events such as `git.clone`, `git.fetch`, `git.push`, `protected_branch.create`, and `protected_branch.policy_override` can provide additional context. Because Git events in {% data variables.product.github %}-hosted audit logs are currently retained for only 7 days for enterprises, setting up streamed enterprise audit logs ahead of time is important for this type of investigation. For more information, see [AUTOTITLE](/code-security/tutorials/secure-your-organization/prepare-for-a-security-incident). diff --git a/content/code-security/reference/supply-chain-security/automatic-dependency-submission.md b/content/code-security/reference/supply-chain-security/automatic-dependency-submission.md index 1db2ed291bd6..b258effc04e1 100644 --- a/content/code-security/reference/supply-chain-security/automatic-dependency-submission.md +++ b/content/code-security/reference/supply-chain-security/automatic-dependency-submission.md @@ -65,13 +65,13 @@ If you use a different JDK distribution, you may also need: {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} users can use {% data variables.actions.hosted_runners %} to run automatic dependency submissions jobs. -1. Provision a larger runner at the organization level with the name `dependency-submission`. For more information, see [Adding a {% data variables.actions.hosted_runner %} to an organization](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). -1. Give your repository access to the runner. For more information, see [Allowing repositories to access {% data variables.actions.hosted_runners %}](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners). +1. Provision a larger runner at the organization level with the name `dependency-submission`. For more information, see [Adding a {% data variables.actions.hosted_runner %} to an organization](/actions/how-tos/manage-runners/larger-runners/manage-larger-runners#adding-a-larger-runner-to-an-organization). +1. Give your repository access to the runner. For more information, see [Allowing repositories to access {% data variables.actions.hosted_runners %}](/actions/how-tos/manage-runners/larger-runners/manage-larger-runners#allowing-repositories-to-access-larger-runners). 1. Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select **Enabled for labeled runners**. ## Troubleshoot automatic dependency submission -Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables). +Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables). ### Manifest deduplication @@ -91,7 +91,7 @@ For Gradle projects, automatic dependency submission runs a fork of the open sou ### .NET projects -The .NET autosubmission action uses the open source [component-detection](https://github.com/microsoft/component-detection/) project as the engine for its dependency detection. It supports .NET 8.x, 9.x, and 10.x. .NET autosubmission runs if the repository's `dependabot.yml` defines `nuget` as a [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-) or when there is a supported manifest file in the root directory of the repository. Supported manifest files include `.sln`, `.csproj`, `packages.config`, `.vbproj`, `.vcxproj`, and `.fsproj`. +The .NET autosubmission action uses the open source [component-detection](https://github.com/microsoft/component-detection/) project as the engine for its dependency detection. It supports .NET 8.x, 9.x, and 10.x. .NET autosubmission runs if the repository's `dependabot.yml` defines `nuget` as a [`package-ecosystem`](/code-security/reference/supply-chain-security/dependabot-options-reference#package-ecosystem-) or when there is a supported manifest file in the root directory of the repository. Supported manifest files include `.sln`, `.csproj`, `packages.config`, `.vbproj`, `.vcxproj`, and `.fsproj`. ### Python projects diff --git a/content/code-security/reference/supply-chain-security/dependabot-options-reference.md b/content/code-security/reference/supply-chain-security/dependabot-options-reference.md index 0cae870bec80..bc1b71a09303 100644 --- a/content/code-security/reference/supply-chain-security/dependabot-options-reference.md +++ b/content/code-security/reference/supply-chain-security/dependabot-options-reference.md @@ -63,7 +63,7 @@ For a real-world example of a `dependabot.yml` file, see [{% data variables.prod ## `allow` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Use to define exactly which dependencies to maintain for a package ecosystem. Often used with the [`ignore`](#ignore--) option. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated). +Use to define exactly which dependencies to maintain for a package ecosystem. Often used with the [`ignore`](#ignore--) option. For examples, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated). {% data variables.product.prodname_dependabot %} default behavior: @@ -126,7 +126,7 @@ You can combine `update-types` with `dependency-name` or `dependency-type` to fu ## `assignees` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Specify individual assignees for all pull requests raised for a package ecosystem. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). +Specify individual assignees for all pull requests raised for a package ecosystem. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs). {% data variables.product.prodname_dependabot %} default behavior: @@ -141,7 +141,7 @@ Assignees must have write access to the repository. For organization-owned repos ## `commit-message` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Define the format for commit messages. Since the titles of pull requests are written based on commit messages, this setting also impacts the titles of pull requests. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). +Define the format for commit messages. Since the titles of pull requests are written based on commit messages, this setting also impacts the titles of pull requests. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs). {% data variables.product.prodname_dependabot %} default behavior: @@ -186,15 +186,28 @@ Supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, `pip`, and `uv`. Defines a **cooldown period** for dependency updates, allowing updates to be delayed for a configurable number of days. The `cooldown` option is only available for _version_ updates, not _security_ updates. -This feature enables users to customize how often {% data variables.product.prodname_dependabot %} generates new version updates, offering greater control over update frequency. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#setting-up-a-cooldown-period-for-dependency-updates). +This feature enables users to customize how often {% data variables.product.prodname_dependabot %} generates new version updates, offering greater control over update frequency. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates#setting-up-a-cooldown-period-for-dependency-updates). + +{% ifversion dependabot-cooldown-default-days %} {% data variables.product.prodname_dependabot %} default behavior: -* Check for updates according to the scheduled defined via `schedule.interval`. +* Check for updates according to the schedule defined via `schedule.interval`. +* Apply a **default cooldown period of 3 days** to version updates, even when `cooldown` is not configured. A new version is not considered for a version update until 3 days after its release. **This default cooldown does not apply to security updates.** + +You can configure the `cooldown` option to customize these default cooldown periods and control which dependencies they apply to. When **`cooldown`** is defined: + +{% else %} + +{% data variables.product.prodname_dependabot %} default behavior: + +* Check for updates according to the schedule defined via `schedule.interval`. * Consider all new versions **immediately** for updates. When **`cooldown`** is defined: +{% endif %} + 1. {% data variables.product.prodname_dependabot %} checks for updates according to the defined `schedule.interval` settings. 1. {% data variables.product.prodname_dependabot %} checks for any cooldown settings. 1. If a dependency’s new release falls within its cooldown period, {% data variables.product.prodname_dependabot %} skips updating the version for that dependency. @@ -207,7 +220,7 @@ You can specify the duration of the cooldown using the options below. | Parameter | Description | |-----------|-------------| -| `default-days` | **Default cooldown period for dependencies** without specific rules (optional). | +| `default-days` | **Default cooldown period for dependencies** without specific rules (optional).{% ifversion dependabot-cooldown-default-days %} If not specified, {% data variables.product.prodname_dependabot %} applies a default cooldown of 3 days.{% endif %} | | `semver-major-days` | Cooldown period for **major version updates** (optional, applies only to package managers supporting SemVer). | | `semver-minor-days` | Cooldown period for **minor version updates** (optional, applies only to package managers supporting SemVer). | | `semver-patch-days` | Cooldown period for **patch version updates** (optional, applies only to package managers supporting SemVer). | @@ -281,7 +294,7 @@ The table below shows the package managers that support `cooldown`. The `default ## `directories` or `directory` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -**Required option**. Use to define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). Without this information {% data variables.product.prodname_dependabot %} cannot create pull requests for version updates. For examples, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files). +**Required option**. Use to define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). Without this information {% data variables.product.prodname_dependabot %} cannot create pull requests for version updates. For examples, see [Defining multiple locations for manifest files](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files). * Use `directory` to define a single directory of manifests. * Use `directories` to define a list of multiple directories of manifests. @@ -300,7 +313,7 @@ Not currently in use. ## `groups` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Define rules to create one or more sets of dependencies managed by a package manager, to group updates into fewer, targeted pull requests. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates). +Define rules to create one or more sets of dependencies managed by a package manager, to group updates into fewer, targeted pull requests. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates). {% data variables.product.prodname_dependabot %} default behavior: @@ -369,11 +382,11 @@ By default, a group will include updates for all semantic versions (SemVer). Sem * Use `minor` to include minor releases. * Use `major` to include major releases. -For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#specifying-the-semantic-versioning-level-to-ignore). +For examples, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#specifying-the-semantic-versioning-level-to-ignore). ## `ignore` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Use with the [`allow`](#allow--) option to define exactly which dependencies to maintain for a package ecosystem. {% data variables.product.prodname_dependabot %} checks for all allowed dependencies and then filters out any ignored dependencies or versions. So a dependency that is matched by both an allow and an ignore will be ignored. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies). +Use with the [`allow`](#allow--) option to define exactly which dependencies to maintain for a package ecosystem. {% data variables.product.prodname_dependabot %} checks for all allowed dependencies and then filters out any ignored dependencies or versions. So a dependency that is matched by both an allow and an ignore will be ignored. For examples, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#ignoring-specific-dependencies). {% data variables.product.prodname_dependabot %} default behavior: @@ -412,7 +425,7 @@ Use to ignore specific versions or ranges of versions. If you want to define a r * NuGet: use `7.*` * Maven: use `[1.4,)` -For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-versions-or-ranges-of-versions). +For examples, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#ignoring-specific-versions-or-ranges-of-versions). ### `update-types` (`ignore`) @@ -426,7 +439,7 @@ Specify which semantic versions (SemVer) to ignore. SemVer is an accepted standa Supported by: `bundler`, `mix`, and `pip`. -Allow {% data variables.product.prodname_dependabot %} to execute external code in the manifest during updates. For examples, see [Allowing external code execution](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#allowing-external-code-execution). +Allow {% data variables.product.prodname_dependabot %} to execute external code in the manifest during updates. For examples, see [Allowing external code execution](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#allowing-external-code-execution). {% data variables.product.prodname_dependabot %} default behavior: @@ -443,7 +456,7 @@ Supported value: `allow`. ## `labels` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Specify your own labels for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). +Specify your own labels for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs). {% data variables.product.prodname_dependabot %} default behavior: @@ -463,7 +476,7 @@ When `labels` is defined: ## `milestone` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Associate all pull requests raised for a package manager with a milestone. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). +Associate all pull requests raised for a package manager with a milestone. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs). {% data variables.product.prodname_dependabot %} default behavior: @@ -498,7 +511,7 @@ When `multi-ecosystem-groups` is used: Assign individual package ecosystems to a multi-ecosystem group using the `multi-ecosystem-group` parameter in your `updates` configuration. > [!IMPORTANT] -> Multi-ecosystem updates require specific configuration patterns and have unique parameter merging behavior. For complete setup instructions, configuration examples, and detailed parameter reference, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/configuring-multi-ecosystem-updates). +> Multi-ecosystem updates require specific configuration patterns and have unique parameter merging behavior. For complete setup instructions, configuration examples, and detailed parameter reference, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-multi-ecosystem-updates). ```yaml copy # Basic `dependabot.yml` file defining a multi-ecosystem-group @@ -535,13 +548,13 @@ Change the limit on the maximum number of pull requests for version updates open When `open-pull-requests-limit` is defined: * {% data variables.product.prodname_dependabot %} opens pull requests up to the defined integer value. A large value can be set to effectively remove the open pull request limit. -* You can temporarily disable version updates for a package manager by setting this option to zero, see [Disabling {% data variables.product.prodname_dependabot_version_updates %}](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#disabling-dependabot-version-updates). +* You can temporarily disable version updates for a package manager by setting this option to zero, see [Disabling {% data variables.product.prodname_dependabot_version_updates %}](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates#disabling-dependabot-version-updates). ## `package-ecosystem` {% octicon "versions" aria-label="Version updates only" height="24" %} -**Required option.** Define one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each package manager, see [Example `dependabot.yml` file](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file). +**Required option.** Define one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each package manager, see [Example `dependabot.yml` file](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates#example-dependabotyml-file). Package manager | YAML value | Supported versions | ---------------|------------------|:------------------:| @@ -608,7 +621,7 @@ Package manager | YAML value | Supported versions | ## `pull-request-branch-name.separator` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Specify a separator to use when generating branch names. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). +Specify a separator to use when generating branch names. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs). {% data variables.product.prodname_dependabot %} default behavior: @@ -641,11 +654,11 @@ When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_ ## `registries` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -Configure access to private package registries to allow {% data variables.product.prodname_dependabot %} to update a wider range of dependencies, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/guidance-for-the-configuration-of-private-registries-for-dependabot). +Configure access to private package registries to allow {% data variables.product.prodname_dependabot %} to update a wider range of dependencies, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-private-registries). There are 2 locations in the `dependabot.yml` file where you can use the `registries` key: -1. At the top level, where you define the private registries you want to use and their access information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot). +1. At the top level, where you define the private registries you want to use and their access information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries). 1. Within the `updates` blocks, where you can specify which private registries each package manager should use. {% data variables.product.prodname_dependabot %} default behavior is to raise pull requests only to update dependencies stored in publicly accessible registries. @@ -668,7 +681,7 @@ Supported values: `REGISTRY_NAME` or `"*"` > > You can also automatically add reviewers and assignees using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). -Specify individual reviewers, or teams of reviewers, for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). +Specify individual reviewers, or teams of reviewers, for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs). {% data variables.product.prodname_dependabot %} default behavior: @@ -685,7 +698,7 @@ Reviewers must have at least read access to the repository. ## `schedule` {% octicon "versions" aria-label="Version updates only" height="24" %} -**Required option.** Define how often to check for new versions for each package manager you configure using the `interval` parameter. Optionally, for daily and weekly intervals, you can customize when {% data variables.product.prodname_dependabot %} checks for updates. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates). +**Required option.** Define how often to check for new versions for each package manager you configure using the `interval` parameter. Optionally, for daily and weekly intervals, you can customize when {% data variables.product.prodname_dependabot %} checks for updates. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates). | Parameters | Purpose | |------------|---------| @@ -771,7 +784,7 @@ The time zone identifier must match a timezone in the database maintained by [ia ## `target-branch` {% octicon "versions" aria-label="Version updates only" height="24" %} -Define a specific branch to check for version updates and to target pull requests for version updates against. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). +Define a specific branch to check for version updates and to target pull requests for version updates against. For examples, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs). {% data variables.product.prodname_dependabot %} default behavior: @@ -849,7 +862,7 @@ Supported by: `bundler` and `gomod` only. Tell {% data variables.product.prodname_dependabot %} to maintain your vendored dependencies as well as the dependencies defined by manifest files. A dependency is described as "vendored" or "cached" when you store the code within your repository, see [`bundle cache` documentation](https://bundler.io/man/bundle-cache.1.html) and [`go mod vendor` documentation](https://golang.org/ref/mod#go-mod-vendor). -For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#updating-vendored-dependencies). +For examples, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#updating-vendored-dependencies). {% data variables.product.prodname_dependabot %} default behavior: @@ -868,7 +881,7 @@ Supported values: `true` or `false` Supported by: `bundler`, `cargo`, `composer`, `mix`, `npm`, `pip`, `pub`, and `uv` -Define how {% data variables.product.prodname_dependabot %} should edit manifest files. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-a-versioning-strategy). +Define how {% data variables.product.prodname_dependabot %} should edit manifest files. For examples, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#defining-a-versioning-strategy). {% data variables.product.prodname_dependabot %} default behavior: @@ -1023,14 +1036,14 @@ The parameters used to provide authentication details for access to a private re {% endif %} -All sensitive data used for authentication should be stored securely and referenced from that secure location, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot). +All sensitive data used for authentication should be stored securely and referenced from that secure location, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries). > [!TIP] > {% data reusables.dependabot.password-definition %} {% ifversion dependabot-oidc-support %} -For more information about OIDC support for {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/actions/concepts/security/openid-connect#oidc-support-for-dependabot) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#using-oidc-for-authentication). +For more information about OIDC support for {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/actions/concepts/security/openid-connect#oidc-support-for-dependabot) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#using-oidc-for-authentication). {% endif %} diff --git a/content/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems.md b/content/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems.md index b1779221edf7..99a10f36306d 100644 --- a/content/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems.md +++ b/content/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems.md @@ -59,8 +59,8 @@ In the table below: > [!NOTE] > * If you list your Python dependencies within a `setup.py` file, we may not be able to parse and list every dependency in your project. -> * {% data variables.product.prodname_actions %} workflows must be located in the `.github/workflows/` directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax `jobs[*].steps[*].uses` or `jobs..uses` will be parsed as dependencies. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). -> * {% data reusables.dependabot.dependabot-alert-actions-semver %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). +> * {% data variables.product.prodname_actions %} workflows must be located in the `.github/workflows/` directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax `jobs[*].steps[*].uses` or `jobs..uses` will be parsed as dependencies. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax). +> * {% data reusables.dependabot.dependabot-alert-actions-semver %} For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts) and [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-version-updates). {% ifversion dependabot-community-ecosystems %} diff --git a/content/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories.md b/content/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories.md index 83d1aa2a12d9..db082e17a897 100644 --- a/content/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories.md +++ b/content/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories.md @@ -16,13 +16,13 @@ category: This article provides reference information about the package ecosystems and repository types that {% data variables.product.prodname_dependabot %} supports. -{% data variables.product.prodname_dependabot %} is a {% data variables.product.github %} tool that helps keep your dependencies secure and up to date. It automatically detects vulnerable or outdated dependencies in your repositories and creates pull requests to update them, making it easier to maintain your software supply chain security. For more information, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/dependabot-quickstart-guide). +{% data variables.product.prodname_dependabot %} is a {% data variables.product.github %} tool that helps keep your dependencies secure and up to date. It automatically detects vulnerable or outdated dependencies in your repositories and creates pull requests to update them, making it easier to maintain your software supply chain security. For more information, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/dependabot-quickstart). ## Supported ecosystems maintained by {% data variables.product.github %} -You can configure updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see [`vendor`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor--). -{% data variables.product.prodname_dependabot %} also supports dependencies in private registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). +You can configure updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see [`vendor`](/code-security/reference/supply-chain-security/dependabot-options-reference#vendor--). +{% data variables.product.prodname_dependabot %} also supports dependencies in private registries. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries). {% ifversion ghes %} > [!NOTE] @@ -34,6 +34,6 @@ You can configure updates for repositories that contain a dependency manifest or > * {% data reusables.dependabot.private-dependencies-note %} > * {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See the details in the table below. -If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see [AUTOTITLE](/get-started/exploring-integrations/about-integrations).{% endif %} +If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see [AUTOTITLE](/integrations/concepts/about-integrations).{% endif %} {% data reusables.dependabot.supported-package-managers %} diff --git a/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors.md b/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors.md index 7525155bcd26..16fb3aff50c9 100644 --- a/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors.md +++ b/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors.md @@ -48,7 +48,7 @@ To view the full log files for a particular job, to the right of the log entry y ![Screenshot of the Dependabot job log entries for a manifest file. A button, called "View logs," is highlighted in a dark orange outline.](/assets/images/help/dependabot/dependabot-job-log-error-message.png) -For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). +For more information, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/view-dependabot-logs). ## Dependency resolution errors @@ -62,7 +62,7 @@ For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting- Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem. -**Resolution:** Stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. See [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). +**Resolution:** Stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). ### Updates dependencies without an alert @@ -98,7 +98,7 @@ If a security vulnerability is released for `B` versions `<2.0.0` and a patch is Either comment will trigger {% data variables.product.prodname_dependabot %} to check if the dependency is no longer upgradable or vulnerable. If {% data variables.product.prodname_dependabot %} detects that the pull request is no longer required, it will close the pull request in this particular case. -For more information about {% data variables.product.prodname_dependabot %} comment commands, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). +For more information about {% data variables.product.prodname_dependabot %} comment commands, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs#managing-dependabot-pull-requests-with-comment-commands). ### Can't update to the required version as there is already an open pull request for the latest version @@ -120,7 +120,7 @@ For more information about {% data variables.product.prodname_dependabot %} comm **Resolution:** First examine the dependency graph for your repository, review what version it has detected for the dependency, and check if the identified version matches what is being used in your repository. -If you suspect your dependency graph data is out of date, you may need to manually update the dependency graph for your repository or investigate your dependency information further. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph). +If you suspect your dependency graph data is out of date, you may need to manually update the dependency graph for your repository or investigate your dependency information further. See [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors). If you are able to confirm the dependency version is no longer vulnerable, you can close the {% data variables.product.prodname_dependabot %} pull request. @@ -136,7 +136,7 @@ There's a limit on the number of open pull requests {% data variables.product.pr * Security update pull requests: 10 * Version update pull requests: 5 (configurable using `open-pull-requests-limit`) -There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#open-pull-requests-limit-). +There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#open-pull-requests-limit-). **Resolution:** Merge or close some of the existing pull requests and trigger a new pull request manually. see [Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually). @@ -150,7 +150,7 @@ There are separate limits for security and version update pull requests, so that **Resolution for version updates:** Specify the most important dependencies to update using the `allow` parameter or, alternatively, use the `ignore` parameter to exclude some dependencies from updates. Updating your configuration might allow {% data variables.product.prodname_dependabot %} to review the version update and generate the pull request in the time available. -**Resolution for security updates:** Reduce the chances of timeouts by keeping the dependencies updated, for example, by enabling version updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). +**Resolution for security updates:** Reduce the chances of timeouts by keeping the dependencies updated, for example, by enabling version updates. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). ## Grouping errors @@ -160,7 +160,7 @@ There are separate limits for security and version update pull requests, so that **Error message:** `{% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request for {% data variables.product.prodname_dependabot_version_updates %}` -The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups--) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. +The [`groups`](/code-security/reference/supply-chain-security/dependabot-options-reference#groups--) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. {% data reusables.dependabot.dependabot-grouped-updates-applies-to %} @@ -186,7 +186,7 @@ In this example, {% data variables.product.prodname_dependabot %} will: **Resolution:** Ensure that configuration settings don't cancel each other, and update them appropriately in your configuration file. To debug the problem, look at the logs. For information about accessing the logs for a manifest, see [How to view errors](#how-to-view-errors). -For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups--). +For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-options-reference#groups--). ### Failed to group dependencies (security updates) @@ -194,7 +194,7 @@ For more information on how to configure groups for {% data variables.product.pr **Error message:** `{% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request for {% data variables.product.prodname_dependabot_security_updates %}` -The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups--) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. Check you have grouping configured to apply to security updates. If the `applies-to` key is absent from a set of grouping rules in your configuration, any group rules will by default only apply to version updates. +The [`groups`](/code-security/reference/supply-chain-security/dependabot-options-reference#groups--) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. Check you have grouping configured to apply to security updates. If the `applies-to` key is absent from a set of grouping rules in your configuration, any group rules will by default only apply to version updates. {% data reusables.dependabot.dependabot-grouped-updates-applies-to %} @@ -205,7 +205,7 @@ The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-opti * {% data variables.product.prodname_dependabot %} **will not** group dependencies from different package ecosystems together. * {% data variables.product.prodname_dependabot %} **will not** group security updates with version updates. -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs). +For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates#about-grouped-security-updates) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs). ### Failed to update dependency in grouped pull request @@ -220,7 +220,7 @@ There are different troubleshooting techniques you can use for failed version up {% data variables.product.prodname_dependabot %} will show the failed update in your logs, as well as in the job summary at the end of your logs. **Resolution:** -1. Use the `@dependabot recreate` comment on the pull request to build the group again. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). +1. Use the `@dependabot recreate` comment on the pull request to build the group again. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs#managing-dependabot-pull-requests-with-comment-commands). 1. If the dependency still fails to update, use the `exclude-patterns` configuration so that the dependency is excluded from the group. {% data variables.product.prodname_dependabot %} will then raise a separate pull request to update the dependency. 1. If the dependency still fails to update, there may be a problem with the dependency itself, or with {% data variables.product.prodname_dependabot %} for that specific ecosystem. @@ -271,7 +271,7 @@ If {% data variables.product.prodname_dependabot %} attempts to check whether de **Resolution:** Make sure that all of the referenced dependencies are hosted at accessible locations. -**Version updates only:** {% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories). +**Version updates only:** {% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See [AUTOTITLE](/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories). ## Triggering a {% data variables.product.prodname_dependabot %} pull request manually @@ -283,5 +283,5 @@ If you unblock {% data variables.product.prodname_dependabot %}, you can manuall ## Further reading -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) -* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerable-dependency-detection) +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors) +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerability-detection) diff --git a/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-on-actions.md b/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-on-actions.md index 84eb9ec771e3..83d981f40df9 100644 --- a/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-on-actions.md +++ b/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-on-actions.md @@ -21,17 +21,17 @@ category: {% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} -Some troubleshooting advice is provided in this article. You can also see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions). +Some troubleshooting advice is provided in this article. You can also see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idpermissions). ### Accessing secrets -When a {% data variables.product.prodname_dependabot %} event triggers a workflow, the only secrets available to the workflow are {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are **not available**. You must therefore store any secrets that are used by a workflow triggered by {% data variables.product.prodname_dependabot %} events as {% data variables.product.prodname_dependabot %} secrets. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use). +When a {% data variables.product.prodname_dependabot %} event triggers a workflow, the only secrets available to the workflow are {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are **not available**. You must therefore store any secrets that are used by a workflow triggered by {% data variables.product.prodname_dependabot %} events as {% data variables.product.prodname_dependabot %} secrets. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#storing-credentials-for-dependabot-to-use). -{% data variables.product.prodname_dependabot %} secrets are added to the `secrets` context and referenced using exactly the same syntax as secrets for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow). +{% data variables.product.prodname_dependabot %} secrets are added to the `secrets` context and referenced using exactly the same syntax as secrets for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets#using-encrypted-secrets-in-a-workflow). If you have a workflow that will be triggered by {% data variables.product.prodname_dependabot %} and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a {% data variables.product.prodname_dependabot %} secret with identical names. Then the workflow can include a single call to these secrets. If the secret for {% data variables.product.prodname_dependabot %} has a different name, use conditions to specify the correct secrets for different actors to use. -For examples that use conditions, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions). +For examples that use conditions, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/automate-dependabot-with-actions). To access a private container registry on AWS with a user name and password, a workflow must include a secret for `username` and `password`. @@ -84,8 +84,8 @@ jobs: {% endraw %} -For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token). +For more information, see [AUTOTITLE](/actions/tutorials/authenticate-with-github_token#modifying-the-permissions-for-the-github_token). ## Manually re-running a workflow -When you manually re-run a {% data variables.product.prodname_dependabot %} workflow, it will run with the same privileges as before even if the user who initiated the rerun has different privileges. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs). +When you manually re-run a {% data variables.product.prodname_dependabot %} workflow, it will run with the same privileges as before even if the user who initiated the rerun has different privileges. For more information, see [AUTOTITLE](/actions/how-tos/manage-workflow-runs/re-run-workflows-and-jobs). diff --git a/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors.md b/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors.md index 484000fa4e3c..5c24c1234309 100644 --- a/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors.md +++ b/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors.md @@ -24,7 +24,7 @@ The dependency graph automatically includes information on dependencies that are The dependency graph doesn't automatically include "loose" dependencies. "Loose" dependencies are individual files that are copied from another source and checked into the repository directly or within an archive (such as a ZIP or JAR file), rather than being referenced by in a package manager’s manifest or lockfile. -However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built. {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). +However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built. {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api). **Check:** Is the missing dependency for a component that's not specified in the repository's manifest or lockfile? @@ -32,7 +32,7 @@ However, you can use the {% data variables.dependency-submission-api.name %} to The dependency graph analyzes manifests as they’re pushed to {% data variables.product.prodname_dotcom %}. The dependency graph doesn't, therefore, have access to the build environment of the project, so it can't resolve variables used within manifests. If you use variables within a manifest to specify the name, or more commonly the version of a dependency, then that dependency will not automatically be included in the dependency graph. -However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are only resolved when a project is built. For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). +However, you can use the {% data variables.dependency-submission-api.name %} to add dependencies to a project's dependency graph, even if the dependencies are only resolved when a project is built. For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api). **Check:** Is the missing dependency declared in the manifest by using a variable for its name or version? @@ -67,7 +67,7 @@ From the repository's {% data variables.product.prodname_dependabot %} tab, clic >[!NOTE] You need to have permission to manage security alerts in order to refresh a repository's dependency graph. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) for information on configuring this access. To further reduce the potential for abuse, the **Refresh {% data variables.product.prodname_dependabot_alerts %}** option can only be triggered once an hour per repository. -Clicking **Refresh {% data variables.product.prodname_dependabot_alerts %}** will only scan manifest files. If your dependency graph also includes build-time dependency information submitted using the {% data variables.dependency-submission-api.name %}, rerunning the Action or external process which generates and submits the dependency information will also trigger a rebuild of the repository's dependency graph. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). +Clicking **Refresh {% data variables.product.prodname_dependabot_alerts %}** will only scan manifest files. If your dependency graph also includes build-time dependency information submitted using the {% data variables.dependency-submission-api.name %}, rerunning the Action or external process which generates and submits the dependency information will also trigger a rebuild of the repository's dependency graph. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api). If you are using automatic dependency submission, pushing a commit that updates the repository's manifest file will trigger the automatic submission action to run. @@ -75,7 +75,7 @@ In all cases, the timestamp at the top of the list of alerts indicates the last ## Further reading -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) +* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph) * [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) -* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) -* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors) +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerability-detection) +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors) diff --git a/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerability-detection.md b/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerability-detection.md index ac8c39bbcfcd..f6b381a0efa6 100644 --- a/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerability-detection.md +++ b/content/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerability-detection.md @@ -26,11 +26,11 @@ category: {% data variables.product.prodname_dotcom %} generates and displays dependency data differently than other tools. Consequently, if you've been using another tool to identify dependencies you will almost certainly see different results. Consider the following: * {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies and malware. It's a free, curated database of security advisories for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. {% data reusables.security-advisory.link-browsing-advisory-db %} -* The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph). -* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new advisory is added, it scans all existing repositories and generates an alert for each repository that is affected. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per advisory. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). -* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors). +* The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that make changes to a supported manifest format. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph) and [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors). +* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new advisory is added, it scans all existing repositories and generates an alert for each repository that is affected. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per advisory. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). +* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates) and [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors). - {% data variables.product.prodname_dependabot %} doesn't scan repositories on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new advisory is added to the database{% ifversion ghes %} and synchronized to {% data variables.product.prodname_dotcom %}{% endif %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#detection-of-insecure-dependencies). + {% data variables.product.prodname_dependabot %} doesn't scan repositories on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new advisory is added to the database{% ifversion ghes %} and synchronized to {% data variables.product.prodname_dotcom %}{% endif %}. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts#detection-of-insecure-dependencies). ## Alert coverage scope @@ -42,7 +42,7 @@ category: ## Unsupported ecosystems -{% data variables.product.prodname_dependabot_alerts %} are supported for a set of ecosystems where we can provide high-quality, actionable data. Curated advisories in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% ifversion fpt or ghec %}{% data variables.product.prodname_dependabot %} security updates, {% endif %}and {% data variables.product.prodname_dependabot_alerts %} are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. For an overview of the package ecosystems that we support for {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). +{% data variables.product.prodname_dependabot_alerts %} are supported for a set of ecosystems where we can provide high-quality, actionable data. Curated advisories in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% ifversion fpt or ghec %}{% data variables.product.prodname_dependabot %} security updates, {% endif %}and {% data variables.product.prodname_dependabot_alerts %} are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. For an overview of the package ecosystems that we support for {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). It's worth noting that security advisories may exist for other ecosystems. The information in an unreviewed security advisory is provided by the maintainers of a particular repository. This data is not curated by {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.link-browsing-advisory-db %} @@ -81,7 +81,7 @@ The {% data variables.product.prodname_dependabot_alerts %} count in {% data var ## Dependency ignore options -You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [Ignoring specific dependencies](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies). +You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [Ignoring specific dependencies](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#ignoring-specific-dependencies). ## Monorepo limitations for {% data variables.product.prodname_actions %} versions @@ -106,9 +106,9 @@ If your repository contains multiple {% data variables.product.prodname_actions ## Further reading -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) +* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts) * [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) -* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors){% ifversion dependabot-on-actions-opt-in %} -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners){% endif %} +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependency-graph-errors) +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors){% ifversion dependabot-on-actions-opt-in %} +* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-on-actions){% endif %} diff --git a/content/code-security/responsible-use/security-and-quality-ai-features.md b/content/code-security/responsible-use/security-and-quality-ai-features.md index d9e42649b08e..ab8f1551e8b3 100644 --- a/content/code-security/responsible-use/security-and-quality-ai-features.md +++ b/content/code-security/responsible-use/security-and-quality-ai-features.md @@ -74,7 +74,7 @@ The key features and capabilities outlined here describe what GitHub Code Securi * **Automated fix suggestions for security alerts**: Copilot Autofix automatically generates code change suggestions for CodeQL alerts found on pull requests and on the default branch. Each suggestion includes both the proposed code change and a natural language explanation of the fix. * **Alert-to-fix translation**: Copilot Autofix translates the description and location of a code scanning alert into actionable code changes that may resolve the underlying security vulnerability. The system uses CodeQL alert data in SARIF format, surrounding code snippets, and query help text to generate relevant fixes. -* **Multi-language support**: Copilot Autofix supports fix generation for a subset of queries included in the default and security-extended CodeQL query suites for C#, C/C++, Go, Java/Kotlin, Swift, JavaScript/TypeScript, Python, Ruby, and Rust. For more information on these query suites, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites). +* **Multi-language support**: Copilot Autofix supports fix generation for a subset of queries included in the default and security-extended CodeQL query suites for C#, C/C++, Go, Java/Kotlin, Swift, JavaScript/TypeScript, Python, Ruby, and Rust. For more information on these query suites, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/codeql-query-suites#built-in-codeql-query-suites). * **AI-powered password detection**: Secret scanning's generic secret detection scans repository content using AI to identify unstructured secrets (like passwords) that deterministic pattern matching cannot find. Detected secrets are surfaced as alerts in the secret scanning alert list under the **{% octicon "shield" aria-hidden="true" aria-label="shield" %} {% ifversion security-and-quality-tab %}Security and quality{% else %}Security{% endif %}** tab. * **AI-powered regular expression generation**: Secret scanning's regular expression generator takes a natural language description of the pattern you want to detect, along with optional example strings, and produces up to three candidate regular expressions. Each result includes an AI-generated plain language description, and you can validate patterns via a dry run before deployment. * **Code quality issue detection**: GitHub Code Quality runs CodeQL quality queries on changed code in pull requests and periodically on the full default branch. These queries identify maintainability, reliability, and style issues. @@ -131,14 +131,14 @@ When Copilot Autofix is enabled for a repository, code scanning alerts are proce 1. **Input processing**: Input is limited to text (typically code) that a user has checked into a repository. The system provides this text to the model along with a meta prompt asking the model to find unstructured secrets within the scope of the input. The user does not interact with the model directly. Multiple models may be used to validate a single finding. 1. **Model analysis**: The model scans for strings that resemble unstructured secrets like passwords. 1. **Response generation**: The model verifies that the identified strings included in the response actually exist in the input. -1. **Output formatting**: Detected strings are surfaced as alerts on the secret scanning alerts page in a separate list from regular secret scanning alerts. Each alert notes that it was detected by AI.{% ifversion secret-scanning-ai-generic-secret-detection %} For information on how to view alerts for generic secrets, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %} +1. **Output formatting**: Detected strings are surfaced as alerts on the secret scanning alerts page in a separate list from regular secret scanning alerts. Each alert notes that it was detected by AI.{% ifversion secret-scanning-ai-generic-secret-detection %} For information on how to view alerts for generic secrets, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/viewing-alerts).{% endif %} **Custom pattern regex generator** processes input and produces output as follows: 1. **Input processing**: Users input a natural language text description of the pattern they want to detect, along with optional example strings that should be matched. 1. **Language model analysis**: The description and examples are sent to the LLM via the GitHub Copilot API, which generates regular expressions matching the input. 1. **Response generation**: The model returns up to three candidate regular expressions. Each result includes an AI-generated plain language description. Some results may be quite similar, and some may not match every instance of the intended pattern. -1. **Output formatting**: Results are displayed in the custom pattern definition form. When you click **Use result**, the expression and any examples are copied to the main custom pattern form, where you can perform a dry run to validate the pattern across your repository or organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). +1. **Output formatting**: Results are displayed in the custom pattern definition form. When you click **Use result**, the expression and any examples are copied to the main custom pattern form, where you can perform a dry run to validate the pattern across your repository or organization. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns). **GitHub Code Quality LLM-powered analysis** processes input and produces output as follows: @@ -188,7 +188,7 @@ Understanding GitHub Code Security AI features' limitations is crucial to determ ### Limitations specific to GitHub Code Quality -* **Shared limitations with Copilot code review**: Code Quality's LLM-powered analysis uses the same underlying language model and analysis engine as Copilot code review. It shares similar limitations, including incomplete detection, false positives, code suggestion accuracy, and potential biases. For more information, see [AUTOTITLE](/copilot/responsible-use/code-review). +* **Shared limitations with Copilot code review**: Code Quality's LLM-powered analysis uses the same underlying language model and analysis engine as Copilot code review. It shares similar limitations, including incomplete detection, false positives, code suggestion accuracy, and potential biases. For more information, see [AUTOTITLE](/copilot/responsible-use/agents). * **Best-effort autofix**: Copilot Autofix for Code Quality findings operates on a best-effort basis and is not guaranteed to generate a fix for every finding. * **Review required**: You must always review suggestions from Copilot Autofix and edit changes as needed before accepting them. @@ -238,7 +238,7 @@ GitHub Code Quality's LLM-powered analysis shares the evaluation framework of Co * **Human-in-the-loop review**: Copilot Autofix presents all suggestions as proposed code changes that require explicit developer review and acceptance before being applied. Developers must evaluate each suggestion and verify it maintains the codebase's intended behavior. * **Content filtering**: A filtering system on the LLM detects and prevents potentially harmful suggestions from being displayed to users. The system is stress-tested through red teaming to identify potential vulnerabilities. * **Internal quality testing**: Suggestions that fail internal testing are not displayed to users. Fix generation is only shown when the system has sufficient confidence in the suggestion's quality. -* **Opt-in/opt-out controls**: Copilot Autofix is allowed by default and enabled for every repository using CodeQL, but administrators can disable Copilot Autofix at the enterprise, organization, and repository levels. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning). +* **Opt-in/opt-out controls**: Copilot Autofix is allowed by default and enabled for every repository using CodeQL, but administrators can disable Copilot Autofix at the enterprise, organization, and repository levels. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/disabling-autofix-for-code-scanning). * **No training on customer data**: Data handled by Copilot Autofix is not employed for LLM training purposes. The use of this feature is governed by the existing terms and conditions associated with GitHub Advanced Security. * **False positive feedback loop**: When users close a generic secret detection alert and mark the reason as "False positive," GitHub uses the false positive volume to improve the model. GitHub does not have access to the secret literals themselves. * **Dry-run validation for generated patterns**: Generated regular expressions from the custom pattern regex generator must go through a dry-run validation step before deployment. Users explicitly import a result into the custom pattern form and test it across their repository or organization, ensuring patterns perform as expected before they are used in production. @@ -254,7 +254,7 @@ Responsible AI is a shared commitment between GitHub and its customers. While Gi * **Evaluate legal and regulatory considerations**: {% data reusables.rai.copilot.application-card-evaluate-legal-regulatory %} * **Always review suggestions before accepting**: Evaluate the proposed code change to ensure it correctly fixes the security vulnerability without changing the intended behavior of your code. Having good test coverage helps verify that a fix does not change the behavior of the codebase. * **Verify CI tests pass**: After committing a suggested fix or modified fix, always verify that continuous integration testing (CI) for the codebase continues to pass and that the alert is shown as resolved before merging your pull request. -* **Review dependency changes carefully**: If a suggested fix includes changes to dependencies, verify that any added or updated dependencies are secure, supported, and maintain the intended behavior of the codebase. Use dependency management solutions, such as the dependency review API and action, to evaluate changes. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). +* **Review dependency changes carefully**: If a suggested fix includes changes to dependencies, verify that any added or updated dependencies are secure, supported, and maintain the intended behavior of the codebase. Use dependency management solutions, such as the dependency review API and action, to evaluate changes. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review). * **Close false positive alerts appropriately**: Since AI secret detection may generate more false positives than partner pattern detection, review the accuracy of each alert. When you verify an alert to be a false positive, close the alert and mark the reason as "False positive" in the GitHub UI. This feedback helps improve the model. * **Validate generated regex patterns with a dry run**: When using the custom pattern regex generator, always perform a dry run across representative repositories before deploying a generated pattern organization-wide. * **Be specific with descriptions**: To improve the quality of generated regular expressions, be as specific as possible with your natural language descriptions and include diverse example strings that represent the patterns you want to detect. @@ -266,7 +266,7 @@ Responsible AI is a shared commitment between GitHub and its customers. While Gi * **Exercise caution when designing agentic AI in sensitive domains**: {% data reusables.rai.copilot.application-card-agentic-ai-caution %} * **Enable CI testing on pull requests**: Ensure continuous integration testing is in place before enabling Copilot Autofix, so that functional requirements are verified after developers apply fixes. * **Use dependency management solutions**: Enable dependency review on pull requests to catch potentially risky dependency changes introduced by Autofix suggestions. -* **Review security overview metrics**: Use your organization's security overview dashboard to view the total number of Copilot Autofix suggestions generated on open and closed pull requests for a given time period. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights#autofix-suggestions). +* **Review security overview metrics**: Use your organization's security overview dashboard to view the total number of Copilot Autofix suggestions generated on open and closed pull requests for a given time period. For more information, see [AUTOTITLE](/code-security/reference/security-at-scale/overview-dashboard-metrics#pull-request-alerts-fixed-with-suggestions). * **Evaluate false-positive volume for secret detection**: Evaluate the false-positive volume and establish triage processes for the alerts list. * **Monitor Code Quality suggestion volume and quality**: Evaluate the volume and quality of Code Quality suggestions and adjust enablement as appropriate for your organization. @@ -274,19 +274,19 @@ Responsible AI is a shared commitment between GitHub and its customers. While Gi For additional guidance on the responsible use of GitHub Security AI features, we recommend reviewing the following documentation: -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#generating-suggested-fixes-for-code-scanning-alerts) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning) +* [AUTOTITLE](/code-security/concepts/code-scanning/code-scanning-alerts) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/triage-alerts-in-pull-requests#working-with-suggestions-for-alerts-on-a-pull-request) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/resolve-alerts#generating-suggested-fixes-for-code-scanning-alerts) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/disabling-autofix-for-code-scanning) * [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security) -* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning) +* [AUTOTITLE](/code-security/concepts/secret-security/secret-scanning) * [AUTOTITLE](/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enabling-secret-scanning-for-ai-detected-secrets) -* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning){% ifversion ghec %} -* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories){% endif %} +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts){% ifversion ghec %} +* [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories){% endif %} * [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/generating-regular-expressions-for-custom-patterns-with-ai) -* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning) -* [AUTOTITLE](/code-security/code-quality/get-started/quickstart) -* [AUTOTITLE](/copilot/responsible-use/code-review) +* [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns) +* [AUTOTITLE](/code-security/tutorials/improve-code-quality/quickstart) +* [AUTOTITLE](/copilot/responsible-use/agents) * [Community discussion for Code Quality feedback](https://github.com/orgs/community/discussions/177488) ### Learn more about responsible AI diff --git a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale.md b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale.md index 1edaeadc7b69..60f120540996 100644 --- a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale.md +++ b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale.md @@ -27,17 +27,17 @@ We’ve created a phased approach to GHAS rollouts developed from industry and G Enabling GHAS across a large organization can be broken down into six core phases. -1. [Align on your rollout strategy and goals](/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals): Think about what success will look like, and align on how GHAS will be implemented in your company. This phase may only take a few days or a week, but it lays a solid foundation for the rest of the rollout. +1. [Align on your rollout strategy and goals](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals): Think about what success will look like, and align on how GHAS will be implemented in your company. This phase may only take a few days or a week, but it lays a solid foundation for the rest of the rollout. -1. [Preparing to enable at scale](/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale): Prepare developers, collect data about your repositories, and ensure you're ready for the next phase. +1. [Preparing to enable at scale](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale): Prepare developers, collect data about your repositories, and ensure you're ready for the next phase. -1. [Pilot programs](/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs): Optionally, pilot an initial rollout to a few high-impact projects and teams. This will allow an initial group within your company to get familiar with GHAS before you roll out to the remainder of your company. +1. [Pilot programs](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-3-pilot-programs): Optionally, pilot an initial rollout to a few high-impact projects and teams. This will allow an initial group within your company to get familiar with GHAS before you roll out to the remainder of your company. -1. [Create internal documentation](/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation): Create and communicate internal documentation for the consumers of GHAS. Without proper documentation provided to developers, security engineers, and others who will be using GHAS, the value will get lost in the rollout. +1. [Create internal documentation](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation): Create and communicate internal documentation for the consumers of GHAS. Without proper documentation provided to developers, security engineers, and others who will be using GHAS, the value will get lost in the rollout. -1. [Rollout and scale {% data variables.product.prodname_code_scanning %}](/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning): Leveraging the available APIs, automatically rollout {% data variables.product.prodname_code_scanning %} by team and by language across your enterprise, using the repository data you collected earlier. +1. [Rollout and scale {% data variables.product.prodname_code_scanning %}](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning): Leveraging the available APIs, automatically rollout {% data variables.product.prodname_code_scanning %} by team and by language across your enterprise, using the repository data you collected earlier. -1. [Rollout and scale {% data variables.product.prodname_secret_scanning %}](/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning): Roll out {% data variables.product.prodname_secret_scanning %}, which involves less configuration and is therefore simpler to adopt than {% data variables.product.prodname_code_scanning %}. Still, it's critical to have a strategy for handling new and old results. +1. [Rollout and scale {% data variables.product.prodname_secret_scanning %}](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning): Roll out {% data variables.product.prodname_secret_scanning %}, which involves less configuration and is therefore simpler to adopt than {% data variables.product.prodname_code_scanning %}. Still, it's critical to have a strategy for handling new and old results. ## {% data variables.contact.github_support %} and {% data variables.product.prodname_professional_services %} diff --git a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals.md b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals.md index a779658dd8f3..537e76bc4f72 100644 --- a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals.md +++ b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals.md @@ -13,7 +13,7 @@ category: --- > [!TIP] -> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the introduction to this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale). +> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the introduction to this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale). ## Set clear goals for your company’s rollout @@ -65,4 +65,4 @@ If your company is interested in custom {% data variables.product.prodname_codeq When {% data variables.product.prodname_code_scanning %} is run from a pull request, the scan will include the full codebase and not just the changes made in the pull request. Scanning the entire codebase is an important step to ensure the change has been reviewed against all interactions in the codebase. > [!TIP] -> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale). +> For the next article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale). diff --git a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md index d2d047c0c3f9..fbfa5fb207e5 100644 --- a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md +++ b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md @@ -13,11 +13,11 @@ category: --- > [!TIP] -> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals). +> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-1-align-on-your-rollout-strategy-and-goals). ## Preparing to enable {% data variables.product.prodname_code_scanning %} -{% data reusables.code-scanning.about-code-scanning %} For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning). +{% data reusables.code-scanning.about-code-scanning %} For more information, see [AUTOTITLE](/code-security/concepts/code-scanning/code-scanning). Rolling {% data variables.product.prodname_code_scanning %} out across hundreds of repositories can be difficult, especially when done inefficiently. Following these steps will ensure your rollout is both efficient and successful. @@ -29,9 +29,9 @@ Rolling {% data variables.product.prodname_code_scanning %} out across hundreds First, prepare your teams to use {% data variables.product.prodname_code_scanning %}. The more teams that use {% data variables.product.prodname_code_scanning %}, the more data you'll have to drive remediation plans and monitor progress on your rollout. For an introduction to {% data variables.product.prodname_code_scanning %}, see: -* [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository) +* [AUTOTITLE](/code-security/concepts/code-scanning/code-scanning) +* [AUTOTITLE](/code-security/concepts/code-scanning/code-scanning-alerts) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/assess-alerts) Your core focus should be preparing as many teams to use {% data variables.product.prodname_code_scanning %} as possible. You can also encourage teams to remediate appropriately, but we recommend prioritizing enablement and use of {% data variables.product.prodname_code_scanning %} over fixing issues during this phase. @@ -39,7 +39,7 @@ Your core focus should be preparing as many teams to use {% data variables.produ ### Enabling {% data variables.product.prodname_code_scanning %} for your appliance -Before you can proceed with pilot programs and rolling out {% data variables.product.prodname_code_scanning %} across your enterprise, you must first enable {% data variables.product.prodname_code_scanning %} for your appliance. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance). +Before you can proceed with pilot programs and rolling out {% data variables.product.prodname_code_scanning %} across your enterprise, you must first enable {% data variables.product.prodname_code_scanning %} for your appliance. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-code-scanning-for-your-appliance). {% endif %} @@ -48,9 +48,9 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro > [!NOTE] > When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.github %} alerts all users with access to security alerts for the repository. {% ifversion ghec %} > -> Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.github %}. For details about the supported partner patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets).{% endif %} +> Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.github %}. For details about the supported partner patterns, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-secrets).{% endif %} -If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.github %} repositories for secrets and alert you or block the push containing the secret. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning). +If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.github %} repositories for secrets and alert you or block the push containing the secret. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/secret-scanning). {% ifversion ghec %}{% data variables.secret-scanning.partner_alerts_caps %} runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on {% data variables.product.github %}. @@ -68,17 +68,17 @@ Enabling {% data variables.product.prodname_secret_scanning %} for all repositor If you are enabling {% data variables.product.prodname_secret_scanning %} on a large organization, be prepared to see a high number of secrets found. Sometimes this comes as a shock to organizations and the alarm is raised. If you would like to turn on {% data variables.product.prodname_secret_scanning %} across all repositories at once, plan for how you will respond to multiple alerts across the organization. -{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository). {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). +{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enable-secret-scanning). {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). ### Custom patterns for {% data variables.product.prodname_secret_scanning %} -{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.github %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns). +{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.github %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns). -As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). +As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns). ### Push protection for {% data variables.product.prodname_secret_scanning %} -Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). +Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see [AUTOTITLE](/code-security/reference/secret-security/supported-secret-scanning-patterns#supported-secrets). If a secret is detected in a push, that push is blocked. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. {% data reusables.secret-scanning.push-protection-custom-pattern %} @@ -90,8 +90,8 @@ Before enabling push protection, consider whether you need to create guidance fo Next, familiarize yourself with the different options for managing and monitoring alerts that are the result of a contributor bypassing push protection. -For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection). +For more information, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection). ## Next steps -For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs). +For the next article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-3-pilot-programs). diff --git a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md index 6a8d1cfda2e8..74cfde581f1e 100644 --- a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md +++ b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md @@ -12,8 +12,8 @@ category: - Plan your security strategy --- ->[!TIP] -> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale). +> [!TIP] +> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale). ## About pilot programs @@ -25,7 +25,7 @@ Before you start your pilot projects, we recommend that you schedule some meetin {% ifversion ghes %} -If you haven't already enabled GHAS for your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise). +If you haven't already enabled GHAS for your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/enabling-github-advanced-security-for-your-enterprise). {% endif %} @@ -37,17 +37,17 @@ If you haven't already enabled GHAS for your {% data variables.product.prodname_ {% ifversion ghes %} -To enable {% data variables.product.prodname_code_scanning %} on your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance). +To enable {% data variables.product.prodname_code_scanning %} on your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-code-scanning-for-your-appliance). {% endif %} -You can quickly configure default setup for {% data variables.product.prodname_code_scanning %} across multiple repositories in an organization using security overview. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#configuring-default-setup-for-a-subset-of-repositories-in-an-organization). +You can quickly configure default setup for {% data variables.product.prodname_code_scanning %} across multiple repositories in an organization using security overview. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/code-scanning-at-scale#configuring-default-setup-for-a-subset-of-repositories-in-an-organization). You can also choose to enable {% data variables.product.prodname_code_scanning %} for all repositories in an organization, but we recommend configuring {% data variables.product.prodname_code_scanning %} on a subset of high-impact repositories for your pilot program. {% data reusables.advanced-security.enable-default-setup-first %} -If your company wants to use other third-party code analysis tools with {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_code_scanning %}, you can use actions to run those tools within {% data variables.product.prodname_dotcom %}. Alternatively, you can upload results, which are generated by third-party tools as SARIF files, to {% data variables.product.prodname_code_scanning %}. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning). +If your company wants to use other third-party code analysis tools with {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_code_scanning %}, you can use actions to run those tools within {% data variables.product.prodname_dotcom %}. Alternatively, you can upload results, which are generated by third-party tools as SARIF files, to {% data variables.product.prodname_code_scanning %}. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/integrate-with-existing-tools). ## Piloting {% data variables.product.prodname_secret_scanning %} @@ -55,19 +55,19 @@ If your company wants to use other third-party code analysis tools with {% data {% ifversion ghes %} -To enable secret scanning for your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance). +To enable secret scanning for your {% data variables.product.prodname_ghe_server %} instance, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configure-secret-scanning). {% endif %} -You need to enable {% data variables.product.prodname_secret_scanning %} and push protection for each pilot project. You can do this with a {% data variables.product.prodname_security_configuration %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). +You need to enable {% data variables.product.prodname_secret_scanning %} and push protection for each pilot project. You can do this with a {% data variables.product.prodname_security_configuration %}. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration). If you plan to configure a link to a resource in the message that's displayed when a developer attempts to push a blocked secret, now would be a good time to test and start to refine the guidance that you plan to make available. Start to review activity using the push protection metrics page in security overview. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection-metrics). -If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). +If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns). -To learn how to view and close alerts for secrets checked into your repository, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). +To learn how to view and close alerts for secrets checked into your repository, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts). ->[!TIP] -> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation). +> [!TIP] +> For the next article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation). diff --git a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation.md b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation.md index 7573525bf7bd..9e9b7c5d2761 100644 --- a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation.md +++ b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation.md @@ -12,8 +12,8 @@ category: - Plan your security strategy --- ->[!TIP] -> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs). +> [!TIP] +> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-3-pilot-programs). Before enabling {% data variables.product.prodname_GHAS %}, you should create internal documentation that defines processes for teams to follow. Everyone needs to know what to do when they receive a security alert, even if the process simply asks the team to apply their best judgment. Documentation will also prevent developers from getting blocked when they have questions. You should put the documentation about GHAS with existing developer-focused documentation, such as your developer portal or custom knowledge base. @@ -23,5 +23,5 @@ If you skip creating internal documentation, your rollout won’t go at your int Education is probably the most crucial part of the rollout as it teaches developers what to do in different situations. You should ensure developers are empowered to maintain the security of their repository and that the security team are authorized to verify both what developers are doing and that it's in the best interest of security. In addition to internal documentation, education can take the form of online sessions, Q&As, etc. ->[!TIP] -> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning). +> [!TIP] +> For the next article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning). diff --git a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning.md b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning.md index c4fed8b654fa..b4124c47c3fa 100644 --- a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning.md +++ b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning.md @@ -12,14 +12,14 @@ category: - Plan your security strategy --- ->[!TIP] -> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation). +> [!TIP] +> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-4-create-internal-documentation). {% data reusables.security-configurations.enable-security-features-with-gh-config %} ## Enabling code scanning -After piloting {% data variables.product.prodname_code_scanning %} and creating internal documentation for best practices, you can enable {% data variables.product.prodname_code_scanning %} across your company. You can configure {% data variables.product.prodname_code_scanning %} default setup for all repositories in an organization from security overview. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#configuring-default-setup-for-all-eligible-repositories-in-an-organization). +After piloting {% data variables.product.prodname_code_scanning %} and creating internal documentation for best practices, you can enable {% data variables.product.prodname_code_scanning %} across your company. You can configure {% data variables.product.prodname_code_scanning %} default setup for all repositories in an organization from security overview. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/code-scanning-at-scale#configuring-default-setup-for-all-eligible-repositories-in-an-organization). {% data reusables.advanced-security.enable-default-setup-first %} @@ -27,9 +27,9 @@ After piloting {% data variables.product.prodname_code_scanning %} and creating To successfully manage and use {% data variables.product.prodname_code_scanning %} across your company, you should build internal subject matter expertise. For default setup for {% data variables.product.prodname_code_scanning %}, one of the most important areas for subject matter experts (SMEs) to understand is interpreting and fixing {% data variables.product.prodname_code_scanning %} alerts. For more information about {% data variables.product.prodname_code_scanning %} alerts, see: -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository) -* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts) +* [AUTOTITLE](/code-security/concepts/code-scanning/code-scanning-alerts) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/assess-alerts) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/resolve-alerts) You'll also need SMEs if you need to use advanced setup for {% data variables.product.prodname_code_scanning %}. These SMEs will need knowledge of {% data variables.product.prodname_code_scanning %} alerts, as well as topics like {% data variables.product.prodname_actions %} and customizing {% data variables.product.prodname_code_scanning %} workflows for particular frameworks. For custom configurations of advanced setup, consider running meetings on complicated topics to scale the knowledge of several SMEs at once. @@ -37,9 +37,9 @@ For {% data variables.product.prodname_code_scanning %} alerts from {% data vari {% ifversion copilot-chat-ghas-alerts %} -With a {% data variables.copilot.copilot_enterprise %} license, you can also ask {% data variables.copilot.copilot_chat %} for help to better understand {% data variables.product.prodname_code_scanning %} alerts in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). +With a {% data variables.copilot.copilot_enterprise %} license, you can also ask {% data variables.copilot.copilot_chat %} for help to better understand {% data variables.product.prodname_code_scanning %} alerts in repositories in your organization. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/chat-with-copilot/chat-in-github#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} ->[!TIP] -> For the next article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning). +> [!TIP] +> For the next article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning). diff --git a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md index 6bc0c5723df5..0ff02f6d68f7 100644 --- a/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md +++ b/content/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-6-rollout-and-scale-secret-scanning.md @@ -12,8 +12,8 @@ category: - Plan your security strategy --- ->[!TIP] -> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning). +> [!TIP] +> This article is part of a series on adopting {% data variables.product.prodname_GHAS %} at scale. For the previous article in this series, see [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/phase-5-rollout-and-scale-code-scanning). {% data reusables.security-configurations.enable-security-features-with-gh-config %} @@ -21,7 +21,7 @@ This article explains a high-level process focusing on enabling {% data variable {% ifversion copilot-chat-ghas-alerts %} -With a {% data variables.copilot.copilot_enterprise %} license, you can also ask {% data variables.copilot.copilot_chat %} for help to better understand {% data variables.product.prodname_secret_scanning %} alerts in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). +With a {% data variables.copilot.copilot_enterprise %} license, you can also ask {% data variables.copilot.copilot_chat %} for help to better understand {% data variables.product.prodname_secret_scanning %} alerts in repositories in your organization. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/chat-with-copilot/chat-in-github#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} @@ -31,7 +31,7 @@ When you enable {% data variables.product.prodname_secret_scanning %}, you shoul There are a few approaches for tackling newly committed credentials, but one example approach would be: -1. **Notify:** Use webhooks to ensure that any new secret alerts are seen by the right teams as quickly as possible. A webhook fires when a secret alert is either created, resolved, or reopened. You can then parse the webhook payload, and integrate it into any tools you and your team use such Slack, Teams, Splunk, or email. For more information, see [AUTOTITLE](/webhooks-and-events/webhooks/about-webhooks) and [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#secret_scanning_alert). +1. **Notify:** Use webhooks to ensure that any new secret alerts are seen by the right teams as quickly as possible. A webhook fires when a secret alert is either created, resolved, or reopened. You can then parse the webhook payload, and integrate it into any tools you and your team use such Slack, Teams, Splunk, or email. For more information, see [AUTOTITLE](/webhooks/about-webhooks) and [AUTOTITLE](/webhooks/webhook-events-and-payloads#secret_scanning_alert). 1. **Follow Up:** Create a high-level remediation process that works for all secret types. For example, you could contact the developer who committed the secret and their technical lead on that project, highlighting the dangers of committing secrets to {% data variables.product.prodname_dotcom %}, and asking the them to revoke, and update the detected secret. > [!NOTE] @@ -46,13 +46,13 @@ Repeat the last two steps for any new secrets leaked. This process encourages de ## 2. Enable push protection -Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository). +Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/prevent-future-leaks/enable-push-protection). Once enabled, you can do the following: -1. **Provide guidance:** Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository). +1. **Provide guidance:** Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/prevent-future-leaks/enable-push-protection). -1. **Notify:** Define a webhook that specifically tracks {% data variables.secret-scanning.alerts %} created when someone bypasses push protection by using the alert property `"push_protection_bypassed": true`. Or, use the API to get updates on which {% data variables.secret-scanning.alerts %} were the result of a push protection bypass by filtering the list of results for `"push_protection_bypassed": true`. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). +1. **Notify:** Define a webhook that specifically tracks {% data variables.secret-scanning.alerts %} created when someone bypasses push protection by using the alert property `"push_protection_bypassed": true`. Or, use the API to get updates on which {% data variables.secret-scanning.alerts %} were the result of a push protection bypass by filtering the list of results for `"push_protection_bypassed": true`. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/audit-security-alerts). 1. **Monitor:** Use security overview to view metrics on how push protection is performing in repositories across your organization, so you can quickly identify any repositories where you might need to take action. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/push-protection-metrics). @@ -71,7 +71,7 @@ Once you have decided on the secret types, you can do the following: 1. When you have created the process that teams will follow for revoking credentials, you can collate information about the types of secrets and other metadata associated with the leaked secrets so you can discern who to communicate the new process to. - You can use security overview to collect this information. For more information about using security overview, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). + You can use security overview to collect this information. For more information about using security overview, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/filtering-alerts-in-security-overview). Some information you may want to collect includes: @@ -90,9 +90,9 @@ Once you have decided on the secret types, you can do the following: You can now expand beyond the five most critical secret types into a more comprehensive list, with an additional focus on education. You can repeat the previous step, remediating previously committed secrets, for the different secret types you have targeted. -You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). +You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/define-custom-patterns). As you continue to build your remediation processes for other secret types, start to create proactive training material that can be shared with all developers of GitHub in your organization. Until this point, a lot of the focus has been reactive. It is an excellent idea to shift focus to being proactive and encourage developers not to push credentials to GitHub in the first place. This can be achieved in multiple ways but creating a short document explaining the risks and reasons would be a great place to start. ->[!TIP] -> This is the final article of a series on adopting {% data variables.product.prodname_GHAS %} at scale. If you have questions or need support, see the section on {% data variables.contact.github_support %} and {% data variables.product.prodname_professional_services %} in [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale#github-support-and-professional-services). +> [!TIP] +> This is the final article of a series on adopting {% data variables.product.prodname_GHAS %} at scale. If you have questions or need support, see the section on {% data variables.contact.github_support %} and {% data variables.product.prodname_professional_services %} in [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale#github-support-and-professional-services). diff --git a/content/code-security/tutorials/customize-code-scanning/analyze-code.md b/content/code-security/tutorials/customize-code-scanning/analyze-code.md index 13fbb5f7c7c7..6a5c814e1440 100644 --- a/content/code-security/tutorials/customize-code-scanning/analyze-code.md +++ b/content/code-security/tutorials/customize-code-scanning/analyze-code.md @@ -27,8 +27,8 @@ To analyze a codebase, you run queries against a {% data variables.product.prodn Before starting an analysis you must: -* [Set up the {% data variables.product.prodname_codeql_cli %}](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli) to run commands locally. -* [Create a {% data variables.product.prodname_codeql %} database](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis) for the source code you want to analyze. +* [Set up the {% data variables.product.prodname_codeql_cli %}](/code-security/how-tos/find-and-fix-code-vulnerabilities/scan-from-the-command-line/set-up-codeql-cli) to run commands locally. +* [Create a {% data variables.product.prodname_codeql %} database](/code-security/tutorials/customize-code-scanning/prepare-code-for-analysis) for the source code you want to analyze. The simplest way to run `codeql database analyze` is using the standard queries included in the {% data variables.product.prodname_codeql_cli %} bundle. @@ -62,17 +62,17 @@ You must specify ``, `--format`, and `--output`. You can specify addit | Option | Required | Usage | |--------|:--------:|-----| | `` | {% octicon "check" aria-label="Required" %} | Specify the path for the directory that contains the {% data variables.product.prodname_codeql %} database to analyze. | -| `` | {% octicon "x" aria-label="Optional" %} | Specify {% data variables.product.prodname_codeql %} packs or queries to run. To run the standard queries used for {% data variables.product.prodname_code_scanning %}, omit this parameter. To see the other query suites included in the {% data variables.product.prodname_codeql_cli %} bundle, run `codeql resolve queries`. The suites listed there can be provided with or without the `.qls` extension. For information about creating your own query suite, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites) in the documentation for the {% data variables.product.prodname_codeql_cli %}. | -| --format | {% octicon "check" aria-label="Required" %} | Specify the format for the results file generated during analysis. A number of different formats are supported, including CSV, [SARIF](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#sarif-file), and graph formats. For upload to {% data variables.product.company_short %} this should be: {% ifversion fpt or ghec %}`sarif-latest`{% else %}`sarifv2.1.0`{% endif %}. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). | +| `` | {% octicon "x" aria-label="Optional" %} | Specify {% data variables.product.prodname_codeql %} packs or queries to run. To run the standard queries used for {% data variables.product.prodname_code_scanning %}, omit this parameter. To see the other query suites included in the {% data variables.product.prodname_codeql_cli %} bundle, run `codeql resolve queries`. The suites listed there can be provided with or without the `.qls` extension. For information about creating your own query suite, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/create-query-suites) in the documentation for the {% data variables.product.prodname_codeql_cli %}. | +| --format | {% octicon "check" aria-label="Required" %} | Specify the format for the results file generated during analysis. A number of different formats are supported, including CSV, [SARIF](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#sarif-file), and graph formats. For upload to {% data variables.product.company_short %} this should be: {% ifversion fpt or ghec %}`sarif-latest`{% else %}`sarifv2.1.0`{% endif %}. For more information, see [AUTOTITLE](/code-security/reference/code-scanning/sarif-files/sarif-support). | | --output | {% octicon "check" aria-label="Required" %} | Specify the location where you want to save the SARIF results file, including the desired filename with the `.sarif` extension. | | --sarif-category | {% octicon "question" aria-label="Required with multiple results sets" %} | Optional for single database analysis. Required to define the language when you analyze multiple databases for a single commit in a repository.

Specify a category to include in the SARIF results file for this analysis. A category is used to distinguish multiple analyses for the same tool and commit, but performed on different languages or different parts of the code. | -| --sarif-add-baseline-file-info | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to submit file coverage information to the {% data variables.code-scanning.tool_status_page %}. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files). | -| --sarif-include-query-help | {% octicon "x" aria-label="Optional" %} | Specify whether to include query help in the SARIF output. One of: `always`: Include query help for all queries. `custom_queries_only` (default): Include query help only for custom queries, that is, queries in query packs which are not of the form `codeql/-queries`. `never`: Do not include query help for any queries. Any query help for custom queries included in the SARIF output will be displayed in any code scanning alerts for the query. For more information, see [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/writing-and-sharing-custom-queries-for-the-codeql-cli#including-query-help-for-custom-codeql-queries-in-sarif-files). | -| `` | {% octicon "x" aria-label="Optional" %} | Use if you want to include {% data variables.product.prodname_codeql %} query packs in your analysis. For more information, see [Downloading and using {% data variables.product.prodname_codeql %} packs](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#downloading-and-using-codeql-query-packs). | +| --sarif-add-baseline-file-info | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to submit file coverage information to the {% data variables.code-scanning.tool_status_page %}. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/use-the-tools-status-page-for-code-scanning#how-codeql-defines-scanned-files). | +| --sarif-include-query-help | {% octicon "x" aria-label="Optional" %} | Specify whether to include query help in the SARIF output. One of: `always`: Include query help for all queries. `custom_queries_only` (default): Include query help only for custom queries, that is, queries in query packs which are not of the form `codeql/-queries`. `never`: Do not include query help for any queries. Any query help for custom queries included in the SARIF output will be displayed in any code scanning alerts for the query. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/scan-from-the-command-line/write-custom-queries#including-query-help-for-custom-codeql-queries-in-sarif-files). | +| `` | {% octicon "x" aria-label="Optional" %} | Use if you want to include {% data variables.product.prodname_codeql %} query packs in your analysis. For more information, see [Downloading and using {% data variables.product.prodname_codeql %} packs](/code-security/tutorials/customize-code-scanning/customize-analysis#downloading-and-using-codeql-query-packs). | | --download | {% octicon "x" aria-label="Optional" %} | Use if some of your {% data variables.product.prodname_codeql %} query packs are not yet on disk and need to be downloaded before running queries. | | --threads | {% octicon "x" aria-label="Optional" %} | Use if you want to use more than one thread to run queries. The default value is `1`. You can specify more threads to speed up query execution. To set the number of threads to the number of logical processors, specify `0`. | | --verbose | {% octicon "x" aria-label="Optional" %} | Use to get more detailed information about the analysis process and diagnostic data from the database creation process. | -| --threat-model | {% octicon "x" aria-label="Optional" %} | ({% data variables.release-phases.public_preview_caps %}) Use to add threat models to configure additional sources in your {% data variables.product.prodname_codeql %} analysis. During the {% data variables.release-phases.public_preview %}, threat models are supported only by Java analysis. For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze#--threat-modelname). | +| --threat-model | {% octicon "x" aria-label="Optional" %} | ({% data variables.release-phases.public_preview_caps %}) Use to add threat models to configure additional sources in your {% data variables.product.prodname_codeql %} analysis. During the {% data variables.release-phases.public_preview %}, threat models are supported only by Java analysis. For more information, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze#--threat-modelname). | > [!NOTE] > **Upgrading databases** @@ -83,7 +83,7 @@ that your database needs to be upgraded when you run `database analyze`. > > For databases that were created by {% data variables.product.prodname_codeql_cli %} v2.3.4 or later, the CLI will implicitly run any required upgrades. Explicitly running the upgrade command is not necessary. -For full details of all the options you can use when analyzing databases, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-analyze). +For full details of all the options you can use when analyzing databases, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-analyze). ### Basic example of analyzing a {% data variables.product.prodname_codeql %} database @@ -103,7 +103,7 @@ $ codeql database analyze /codeql-dbs/example-repo \ ### Adding file coverage information to your results for monitoring -You can optionally submit file coverage information to {% data variables.product.github %} for display on the {% data variables.code-scanning.tool_status_page %} for {% data variables.product.prodname_code_scanning %}. For more information about file coverage information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files). +You can optionally submit file coverage information to {% data variables.product.github %} for display on the {% data variables.code-scanning.tool_status_page %} for {% data variables.product.prodname_code_scanning %}. For more information about file coverage information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/use-the-tools-status-page-for-code-scanning#how-codeql-defines-scanned-files). To include file coverage information with your {% data variables.product.prodname_code_scanning %} results, add the `--sarif-add-baseline-file-info` flag to the `codeql database analyze` invocation in your CI system, for example: @@ -126,7 +126,7 @@ To run an existing {% data variables.product.prodname_codeql %} query pack from codeql database analyze microsoft/coding-standards@1.0.0 github/security-queries --format=sarifv2.1.0 --output=query-results.sarif --download ``` -This command runs the default query suite of two {% data variables.product.prodname_codeql %} query packs: `microsoft/coding-standards` version 1.0.0 and the latest version of `github/security-queries` on the specified database. For further information about default suites, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs). +This command runs the default query suite of two {% data variables.product.prodname_codeql %} query packs: `microsoft/coding-standards` version 1.0.0 and the latest version of `github/security-queries` on the specified database. For further information about default suites, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/scan-from-the-command-line/publish-and-use-packs). The `--download` flag is optional. Using it will ensure the query pack is downloaded if it isn’t yet available locally. @@ -154,7 +154,7 @@ codeql database analyze ../ql/javascript/ql/src/Declaratio You can also run your own custom queries with the `database analyze` command. For more information about preparing your queries to use with the {% data variables.product.prodname_codeql_cli %}, -see [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/writing-and-sharing-custom-queries-for-the-codeql-cli). +see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/scan-from-the-command-line/write-custom-queries). ### Running all queries in a directory @@ -238,7 +238,7 @@ codeql database analyze --format=sarif-latest --output=results \ path:C:/Users/ci/workspace@2/security/query.ql ``` -For more information about {% data variables.product.prodname_codeql %} packs, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs). +For more information about {% data variables.product.prodname_codeql %} packs, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/customize-analysis). ### Running query suites @@ -250,16 +250,16 @@ codeql database analyze codeql/cpp-queries:codeql-suites/cpp-code ``` This command downloads the `codeql/cpp-queries` {% data variables.product.prodname_codeql %} query pack, runs the analysis, and generates a file in the SARIF version 2.1.0 format that is supported by all versions of {% data variables.product.prodname_dotcom %}. This file can be uploaded to {% data variables.product.prodname_dotcom %} by executing `codeql github upload-results` or the code scanning API. -For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github) +For more information, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/upload-results) or [AUTOTITLE](/rest/code-scanning/code-scanning). {% data variables.product.prodname_codeql %} query suites are `.qls` files that use directives to select queries to run based on certain metadata properties. The standard {% data variables.product.prodname_codeql %} packs have metadata that specify the location of the query suites used by code scanning, so the {% data variables.product.prodname_codeql_cli %} knows where to find these suite files automatically, and you don’t have to specify the full path on the command line. -For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites). +For more information, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/create-query-suites). -For information about creating custom query suites, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites). +For information about creating custom query suites, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/create-query-suites). ### Including model packs to add potential sources of tainted data @@ -279,9 +279,9 @@ In this example, the relevant queries in the standard query pack `codeql/java-qu You can save analysis results in a number of different formats, including SARIF and CSV. -The SARIF format is designed to represent the output of a broad range of static analysis tools. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/sarif-output). +The SARIF format is designed to represent the output of a broad range of static analysis tools. For more information, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli/sarif-output). -For more information about what the results look like in CSV format, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/csv-output). +For more information about what the results look like in CSV format, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli/csv-output). Results files can be integrated into your own code-review or debugging infrastructure. For example, SARIF file output can be used to highlight alerts in the correct location in your source code using a SARIF viewer plugin for your IDE. @@ -291,8 +291,8 @@ When you analyze a {% data variables.product.prodname_codeql %} database using a For more information about the type of diagnostic information available, see [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs). -You can choose to export and upload diagnostic information to {% data variables.product.github %} even if a {% data variables.product.prodname_codeql %} analysis fails. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github#uploading-diagnostic-information-to-github-if-the-analysis-fails). +You can choose to export and upload diagnostic information to {% data variables.product.github %} even if a {% data variables.product.prodname_codeql %} analysis fails. For more information, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/upload-results#uploading-diagnostic-information-to-github-if-the-analysis-fails). ## Next steps -* To learn how to upload your {% data variables.product.prodname_codeql %} analysis results to {% data variables.product.github %}, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github). +* To learn how to upload your {% data variables.product.prodname_codeql %} analysis results to {% data variables.product.github %}, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/upload-results). diff --git a/content/code-security/tutorials/customize-code-scanning/create-and-work-with-codeql-packs.md b/content/code-security/tutorials/customize-code-scanning/create-and-work-with-codeql-packs.md index 5ce4035d7111..e1b042b3b165 100644 --- a/content/code-security/tutorials/customize-code-scanning/create-and-work-with-codeql-packs.md +++ b/content/code-security/tutorials/customize-code-scanning/create-and-work-with-codeql-packs.md @@ -46,7 +46,7 @@ The `codeql pack init` command creates the directory structure and configuration {% data reusables.code-scanning.beta-model-packs %} -Model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default. Model packs use data extensions, which are implemented as YAML and describe how to add data for new dependencies. When a model pack is specified, the data extensions in that pack will be added to the {% data variables.product.prodname_code_scanning %} analysis automatically. For more information about {% data variables.product.prodname_codeql %} model packs and data extensions, see [AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/using-the-codeql-model-editor). +Model packs can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default. Model packs use data extensions, which are implemented as YAML and describe how to add data for new dependencies. When a model pack is specified, the data extensions in that pack will be added to the {% data variables.product.prodname_code_scanning %} analysis automatically. For more information about {% data variables.product.prodname_codeql %} model packs and data extensions, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/scan-from-vs-code/use-the-model-editor). A model pack is a {% data variables.product.prodname_codeql %} pack with the following characteristics in the `qlpack.yml` file: @@ -69,7 +69,7 @@ dataExtensions: In this example, the model pack will inject all the data extensions in `models/**/` into a `codeql/java-all` query pack that is at a version from `1.2.3` up to and including `1.3.0`, and a `codeql/util` query pack that is at a version from `4.5.6` up to and including `4.6.0`. For more information, see [Using semantic versioning](https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept) in the npm documentation and the [Semantic versioning specification](https://semver.org/). -Once you've created a model pack, you can publish it in the same way as other {% data variables.product.prodname_codeql %} packs. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs). You can then use published model packs in a {% data variables.product.prodname_code_scanning %} analysis with the `--model-packs` option. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#using-model-packs-to-analyze-calls-to-custom-dependencies). +Once you've created a model pack, you can publish it in the same way as other {% data variables.product.prodname_codeql %} packs. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/scan-from-the-command-line/publish-and-use-packs). You can then use published model packs in a {% data variables.product.prodname_code_scanning %} analysis with the `--model-packs` option. For more information, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/customize-analysis#using-model-packs-to-analyze-calls-to-custom-dependencies). ## Adding and installing dependencies on a {% data variables.product.prodname_codeql %} pack @@ -95,8 +95,8 @@ codeql pack install This command downloads all dependencies to the shared cache on the local disk. > [!NOTE] -> * Running the `codeql pack add` and `codeql pack install` commands will generate or update the `codeql-pack.lock.yml` file. This file should be checked-in to version control. The `codeql-pack.lock.yml` file contains the precise version numbers used by the pack. For more information, see [About codeql-pack.lock.yml files](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs##about-codeql-packlockyml-files). -> * By default `codeql pack install` will install dependencies from the {% data variables.product.prodname_container_registry %} on {% data variables.product.prodname_dotcom_the_website %}. You can install dependencies from a {% data variables.product.prodname_ghe_server %} {% data variables.product.prodname_container_registry %} by creating a `qlconfig.yml` file. For more information, see [AUTOTITLE](/enterprise-server@latest/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs) in the {% data variables.product.prodname_ghe_server %} documentation. +> * Running the `codeql pack add` and `codeql pack install` commands will generate or update the `codeql-pack.lock.yml` file. This file should be checked-in to version control. The `codeql-pack.lock.yml` file contains the precise version numbers used by the pack. For more information, see [About codeql-pack.lock.yml files](/code-security/reference/code-scanning/codeql/codeql-cli/codeql-query-packs#codeql-packlockyml-files). +> * By default `codeql pack install` will install dependencies from the {% data variables.product.prodname_container_registry %} on {% data variables.product.prodname_dotcom_the_website %}. You can install dependencies from a {% data variables.product.prodname_ghe_server %} {% data variables.product.prodname_container_registry %} by creating a `qlconfig.yml` file. For more information, see [AUTOTITLE](/enterprise-server@latest/code-security/how-tos/find-and-fix-code-vulnerabilities/scan-from-the-command-line/publish-and-use-packs) in the {% data variables.product.prodname_ghe_server %} documentation. ## Organizing a {% data variables.product.prodname_codeql %} pack's directory structure diff --git a/content/code-security/tutorials/customize-code-scanning/create-query-suites.md b/content/code-security/tutorials/customize-code-scanning/create-query-suites.md index c280b9558990..02f7e7ce1d3f 100644 --- a/content/code-security/tutorials/customize-code-scanning/create-query-suites.md +++ b/content/code-security/tutorials/customize-code-scanning/create-query-suites.md @@ -22,7 +22,7 @@ category: You can create query suites for the queries that you want to frequently use in your {% data variables.product.prodname_codeql %} analyses. For more information, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/codeql-query-suites). > [!NOTE] -> Any custom queries that you want to add to a query suite must be in a [{% data variables.product.prodname_codeql %} pack](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs) and contain the correct query metadata. For more information, see [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/writing-and-sharing-custom-queries-for-the-codeql-cli). +> Any custom queries that you want to add to a query suite must be in a [{% data variables.product.prodname_codeql %} pack](/code-security/tutorials/customize-code-scanning/customize-analysis) and contain the correct query metadata. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/scan-from-the-command-line/write-custom-queries). ## Locating queries to add to a query suite @@ -231,7 +231,7 @@ use: ``` > [!NOTE] -> You can use the `codeql resolve queries /path/to/suite.qls` command to see which queries are selected by a query suite definition. For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/resolve-queries). +> You can use the `codeql resolve queries /path/to/suite.qls` command to see which queries are selected by a query suite definition. For more information, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli-manual/resolve-queries). ## Reusing existing query suite definitions @@ -357,7 +357,7 @@ instruction: ## Saving a query suite Save your query suite in a file with a `.qls` extension and add it to a {% data variables.product.prodname_codeql %} -pack. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#custom-codeql-packs). +pack. For more information, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/customize-analysis#custom-codeql-packs). ## Using query suites with {% data variables.product.prodname_codeql %} @@ -365,7 +365,7 @@ You can specify query suites on the command line for any command that accepts `.qls` files. For example, you can compile the queries selected by a suite definition using `query compile`, or use the queries in an analysis using `database analyze`. For more information about analyzing {% data variables.product.prodname_codeql %} databases, see -[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries). +[AUTOTITLE](/code-security/tutorials/customize-code-scanning/analyze-code). ## Further reading diff --git a/content/code-security/tutorials/customize-code-scanning/customize-analysis.md b/content/code-security/tutorials/customize-code-scanning/customize-analysis.md index 0e0717391bfd..ed1899b0d40b 100644 --- a/content/code-security/tutorials/customize-code-scanning/customize-analysis.md +++ b/content/code-security/tutorials/customize-code-scanning/customize-analysis.md @@ -17,11 +17,11 @@ category: - Customize vulnerability detection with CodeQL --- -You can customize your {% data variables.product.prodname_codeql %} analysis by downloading packs created by others and running them on your codebase. For more information, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/codeql-query-packs). +You can customize your {% data variables.product.prodname_codeql %} analysis by downloading packs created by others and running them on your codebase. For more information, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/query-packs). ## Downloading and using {% data variables.product.prodname_codeql %} query packs -Before you can use a {% data variables.product.prodname_codeql %} query pack to analyze a database, you must download any packages you require from the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}. This can be done either by using the `--download` flag as part of the `codeql database analyze` command, or running `codeql pack download`. If a package is not publicly available, you will need to use a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to authenticate. For more information and an example, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github#uploading-results-to-github). +Before you can use a {% data variables.product.prodname_codeql %} query pack to analyze a database, you must download any packages you require from the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}. This can be done either by using the `--download` flag as part of the `codeql database analyze` command, or running `codeql pack download`. If a package is not publicly available, you will need to use a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to authenticate. For more information and an example, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/upload-results#uploading-results-to-github). | Option | Required | Usage | |--------|:--------:|-----| @@ -73,7 +73,7 @@ echo $OCTO-ORG_ACCESS_TOKEN | codeql pack download [!NOTE] - > If you specify one of the alternative identifiers, this is equivalent to using the standard language identifier. For example, specifying `javascript` instead of `javascript-typescript` will not exclude analysis of TypeScript code. Instead, you can use the `--codescanning-config` CLI option to load a configuration file that specifies files to exclude with the `paths-ignore` configuration key. See [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#custom-configuration-files). + > If you specify one of the alternative identifiers, this is equivalent to using the standard language identifier. For example, specifying `javascript` instead of `javascript-typescript` will not exclude analysis of TypeScript code. Instead, you can use the `--codescanning-config` CLI option to load a configuration file that specifies files to exclude with the `paths-ignore` configuration key. See [AUTOTITLE](/code-security/reference/code-scanning/workflow-configuration-options#custom-configuration-files). > - > Alternatively, for languages that support it, use a custom build command that only builds the files that you want to scan. See [Creating databases for compiled languages](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#creating-databases-for-compiled-languages). + > Alternatively, for languages that support it, use a custom build command that only builds the files that you want to scan. See [Creating databases for compiled languages](/code-security/tutorials/customize-code-scanning/prepare-code-for-analysis#creating-databases-for-compiled-languages). If your codebase has a build command or script that invokes the build process, we recommend that you specify it as well: @@ -79,16 +79,16 @@ You can specify additional options depending on the location of your source file | `` | {% octicon "check" aria-label="Required" %} | Specify the name and location of a directory to create for the {% data variables.product.prodname_codeql %} database. The command will fail if you try to overwrite an existing directory. If you also specify `--db-cluster`, this is the parent directory and a subdirectory is created for each language analyzed. | | --language | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %}. When used with --db-cluster, the option accepts a comma-separated list, or can be specified more than once. | | --command | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to specify the build command or script that invokes the build process for the codebase. Commands are run from the current folder or, where it is defined, from --source-root. Not needed for Python and JavaScript/TypeScript analysis. | -| --build-mode | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use for {% data variables.code-scanning.no_build_support %} when not providing a `--command` to specify whether to create a CodeQL database without a build (`none`) or by attempting to automatically detect a build command (`autobuild`). By default, autobuild detection is used. For a comparison of build modes, see [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). | +| --build-mode | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use for {% data variables.code-scanning.no_build_support %} when not providing a `--command` to specify whether to create a CodeQL database without a build (`none`) or by attempting to automatically detect a build command (`autobuild`). By default, autobuild detection is used. For a comparison of build modes, see [CodeQL build modes](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/codeql-for-compiled-languages#codeql-build-modes). | | --db-cluster | {% octicon "x" aria-label="Optional" %} | Use in multi-language codebases to generate one database for each language specified by --language. | | --no-run-unnecessary-builds | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to suppress the build command for languages where the {% data variables.product.prodname_codeql_cli %} does not need to monitor the build (for example, Python and JavaScript/TypeScript). | | --source-root | {% octicon "x" aria-label="Optional" %} | Use if you run the CLI outside the checkout root of the repository. By default, the `database create` command assumes that the current directory is the root directory for the source files, use this option to specify a different location. | -| --codescanning-config | {% octicon "x" aria-label="Optional" %} | Advanced. Use if you have a configuration file that specifies how to create the {% data variables.product.prodname_codeql %} databases and what queries to run in later steps. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#custom-configuration-files) and [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create#--codescanning-configfile). | +| --codescanning-config | {% octicon "x" aria-label="Optional" %} | Advanced. Use if you have a configuration file that specifies how to create the {% data variables.product.prodname_codeql %} databases and what queries to run in later steps. For more information, see [AUTOTITLE](/code-security/reference/code-scanning/workflow-configuration-options#custom-configuration-files) and [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-create#--codescanning-configfile). | You can specify extractor options to customize the behavior of extractors that create {% data variables.product.prodname_codeql %} databases. For more information, see -[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/extractor-options). +[AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli/extractor-options). -For full details of all the options you can use when creating databases, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create). +For full details of all the options you can use when creating databases, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-create). ### Single language example @@ -194,13 +194,13 @@ Here, we have specified a `--source-root` path, which is the location where data For most compiled languages, {% data variables.product.prodname_codeql %} needs to invoke the required build system to generate a database, therefore the build method must be available to the CLI. This approach creates databases that include generated code. {% data variables.product.prodname_codeql %} has two methods for building codebases: * [Automatic build detection (autobuild)](#automatically-detecting-the-build-system) -* [User-specified build commands](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands) +* [User-specified build commands](/code-security/tutorials/customize-code-scanning/prepare-code-for-analysis#specifying-build-commands) -In addition, for {% data variables.code-scanning.no_build_support %}, there is an option to generate a database without building the code. This is particularly useful when you want to enable {% data variables.product.prodname_code_scanning %} for many repositories. For more information, see [CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). +In addition, for {% data variables.code-scanning.no_build_support %}, there is an option to generate a database without building the code. This is particularly useful when you want to enable {% data variables.product.prodname_code_scanning %} for many repositories. For more information, see [CodeQL build modes](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/codeql-for-compiled-languages#codeql-build-modes). ### Automatically detecting the build system -The {% data variables.product.prodname_codeql_cli %} includes autobuilders for {% data variables.code-scanning.autobuild_support %} code. {% data variables.product.prodname_codeql %} autobuilders allow you to build projects for compiled languages without specifying any build commands. When an autobuilder is invoked, {% data variables.product.prodname_codeql %} examines the source for evidence of a build system and attempts to run the optimal set of commands required to extract a database. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild). +The {% data variables.product.prodname_codeql_cli %} includes autobuilders for {% data variables.code-scanning.autobuild_support %} code. {% data variables.product.prodname_codeql %} autobuilders allow you to build projects for compiled languages without specifying any build commands. When an autobuilder is invoked, {% data variables.product.prodname_codeql %} examines the source for evidence of a build system and attempts to run the optimal set of commands required to extract a database. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/codeql-for-compiled-languages#about-autobuild). An autobuilder is invoked automatically when you execute `codeql database create` for a compiled language if you don’t include a `--command` option or set `--build-mode none`. For example, for a Swift codebase, you could simply run: @@ -462,4 +462,4 @@ steps: ## Next steps -* To learn how to use the {% data variables.product.prodname_codeql_cli %} to analyze the database you created from your code, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries). +* To learn how to use the {% data variables.product.prodname_codeql_cli %} to analyze the database you created from your code, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/analyze-code). diff --git a/content/code-security/tutorials/customize-code-scanning/run-in-a-container.md b/content/code-security/tutorials/customize-code-scanning/run-in-a-container.md index 25c657f35d95..ce1f6c983e5f 100644 --- a/content/code-security/tutorials/customize-code-scanning/run-in-a-container.md +++ b/content/code-security/tutorials/customize-code-scanning/run-in-a-container.md @@ -25,7 +25,7 @@ category: If you're configuring {% data variables.product.prodname_code_scanning %} for a compiled language, and you're building the code in a containerized environment, the analysis may fail with the error message "No source code was seen during the build." This indicates that {% data variables.product.prodname_codeql %} was unable to monitor your code as it was compiled. -You must run {% data variables.product.prodname_codeql %} inside the container in which you build your code. This applies whether you are using the {% data variables.product.prodname_codeql_cli %} or {% data variables.product.prodname_actions %}. For the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system) for more information. If you're using {% data variables.product.prodname_actions %}, configure your workflow to run all the actions in the same container. For more information, see [Example workflow](#example-workflow). +You must run {% data variables.product.prodname_codeql %} inside the container in which you build your code. This applies whether you are using the {% data variables.product.prodname_codeql_cli %} or {% data variables.product.prodname_actions %}. For the {% data variables.product.prodname_codeql_cli %}, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/integrate-with-existing-tools/use-with-existing-ci-system) for more information. If you're using {% data variables.product.prodname_actions %}, configure your workflow to run all the actions in the same container. For more information, see [Example workflow](#example-workflow). > [!NOTE] > {% data reusables.code-scanning.non-glibc-linux-support %} @@ -42,7 +42,7 @@ You may have difficulty running {% data variables.product.prodname_code_scanning {% data reusables.code-scanning.codeql-action-version-ghes %} -This sample workflow uses {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_codeql %} analysis in a containerized environment. The value of `container.image` identifies the container to use. In this example the image is named `codeql-container`, with a tag of `f0f91db`. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer). +This sample workflow uses {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_codeql %} analysis in a containerized environment. The value of `container.image` identifies the container to use. In this example the image is named `codeql-container`, with a tag of `f0f91db`. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idcontainer). ```yaml name: "{% data variables.product.prodname_codeql %}" diff --git a/content/code-security/tutorials/customize-code-scanning/upload-results.md b/content/code-security/tutorials/customize-code-scanning/upload-results.md index 6c9bf5d1eae6..fb1b8de63065 100644 --- a/content/code-security/tutorials/customize-code-scanning/upload-results.md +++ b/content/code-security/tutorials/customize-code-scanning/upload-results.md @@ -18,16 +18,16 @@ category: After analyzing a {% data variables.product.prodname_codeql %} database using the {% data variables.product.prodname_codeql_cli %}, you will have a SARIF file that contains the results. You can then use the {% data variables.product.prodname_codeql_cli %} to upload results to {% data variables.product.github %}. -If you used a method other than the {% data variables.product.prodname_codeql_cli %} to generate results, you can use other upload methods. For more information, see [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). +If you used a method other than the {% data variables.product.prodname_codeql_cli %} to generate results, you can use other upload methods. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/integrate-with-existing-tools/upload-sarif-file). ## Generating a token for authentication with {% data variables.product.github %} -Before you can upload your results to {% data variables.product.github %}, you will first need to generate a {% data variables.product.pat_generic %}. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). +Before you can upload your results to {% data variables.product.github %}, you will first need to generate a {% data variables.product.pat_generic %}. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens). * **{% data variables.product.pat_v1_caps %}** requires "{% data variables.product.prodname_code_scanning_caps %} alerts" **Read and write** access for the required repositories. * **{% data variables.product.pat_v2_caps %}** requires "repo" **security_events** access. -If you have installed the {% data variables.product.prodname_codeql_cli %} in a third-party CI system, you can also use a {% data variables.product.prodname_github_app %} to upload results to {% data variables.product.github %}. See [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#generating-a-token-for-authentication-with-github). +If you have installed the {% data variables.product.prodname_codeql_cli %} in a third-party CI system, you can also use a {% data variables.product.prodname_github_app %} to upload results to {% data variables.product.github %}. See [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/integrate-with-existing-tools/use-with-existing-ci-system#generating-a-token-for-authentication-with-github). ## Uploading results to {% data variables.product.github %} @@ -67,10 +67,10 @@ If you have installed the {% data variables.product.prodname_codeql_cli %} in a | {% endif %} | | --github-auth-stdin | {% octicon "x" aria-label="Optional" %} | Pass the CLI the {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} created for authentication with {% data variables.product.company_short %}'s REST API from your secret store via standard input. This is not needed if the command has access to a `GITHUB_TOKEN` environment variable set with this token. | -For more information, see [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/github-upload-results). +For more information, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli-manual/github-upload-results). > [!NOTE] -> If you analyzed more than one {% data variables.product.prodname_codeql %} database for a single commit, you must have specified a SARIF category for each set of results generated by this command. When you upload the results to {% data variables.product.github %}, {% data variables.product.prodname_code_scanning %} uses this category to store the results for each language separately. If you forget to do this, each upload overwrites the previous results. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-codeql-database-analyze). +> If you analyzed more than one {% data variables.product.prodname_codeql %} database for a single commit, you must have specified a SARIF category for each set of results generated by this command. When you upload the results to {% data variables.product.github %}, {% data variables.product.prodname_code_scanning %} uses this category to store the results for each language separately. If you forget to do this, each upload overwrites the previous results. For more information, see [AUTOTITLE](/code-security/tutorials/customize-code-scanning/analyze-code#running-codeql-database-analyze). ### Basic example of uploading results to {% data variables.product.github %} @@ -88,7 +88,7 @@ There is no output from this command unless the upload was unsuccessful. The com ## Uploading diagnostic information to {% data variables.product.github %} if the analysis fails -When {% data variables.product.prodname_codeql_cli %} finishes analyzing a database successfully, it gathers diagnostic information such as file coverage, warnings, and errors, and includes it in the SARIF file with the results. When you upload the SARIF file to {% data variables.product.company_short %} the diagnostic information is displayed on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository to make it easy to see how well {% data variables.product.prodname_codeql %} is working and debug any problems. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page). +When {% data variables.product.prodname_codeql_cli %} finishes analyzing a database successfully, it gathers diagnostic information such as file coverage, warnings, and errors, and includes it in the SARIF file with the results. When you upload the SARIF file to {% data variables.product.company_short %} the diagnostic information is displayed on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository to make it easy to see how well {% data variables.product.prodname_codeql %} is working and debug any problems. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/use-the-tools-status-page-for-code-scanning). However, if `codeql database analyze` fails for any reason there is no SARIF file to upload to {% data variables.product.company_short %} and no diagnostic information to show on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository. This makes it difficult for users to troubleshoot analysis unless they have access to log files in your CI system. @@ -96,7 +96,7 @@ We recommend that you configure your CI workflow to export and upload diagnostic ### Exporting diagnostic information if the analysis fails -You can create a SARIF file for the failed analysis using [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-export-diagnostics), for example: +You can create a SARIF file for the failed analysis using [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli-manual/database-export-diagnostics), for example: ```shell $ codeql database export-diagnostics codeql-dbs/example-repo \ @@ -108,7 +108,7 @@ This SARIF file will contain diagnostic information for the failed analysis, inc ### Uploading diagnostic information if the analysis fails -You can make this diagnostic information available on the {% data variables.code-scanning.tool_status_page %} by uploading the SARIF file to {% data variables.product.github %} using [AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/github-upload-results), for example: +You can make this diagnostic information available on the {% data variables.code-scanning.tool_status_page %} by uploading the SARIF file to {% data variables.product.github %} using [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-cli-manual/github-upload-results), for example: ```shell codeql github upload-results \ diff --git a/content/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork.md b/content/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork.md index 219d383fcff2..b2773c0122b6 100644 --- a/content/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork.md +++ b/content/code-security/tutorials/fix-reported-vulnerabilities/collaborate-in-a-fork.md @@ -22,7 +22,7 @@ category: ## Prerequisites -Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). +Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/create-repository-advisory). ## Creating a temporary private fork @@ -51,7 +51,7 @@ You can also use the REST API to create temporary private forks. For more inform ## Adding collaborators to a temporary private fork -Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory). +Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/add-collaborators). ## Adding changes to a temporary private fork @@ -104,9 +104,9 @@ Additionally, there can be no merge conflicts, and {% data variables.product.pro > [!NOTE] > You can only merge one pull request into the `main` branch of a temporary private fork. If more than one pull request targets the `main` branch, merging is blocked. -After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory). +After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/publish-repository-advisory). ## Further reading -* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories) -* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory) +* [AUTOTITLE](/code-security/reference/permissions/repository-security-advisory) +* [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/publish-repository-advisory) diff --git a/content/code-security/tutorials/fix-reported-vulnerabilities/write-security-advisories.md b/content/code-security/tutorials/fix-reported-vulnerabilities/write-security-advisories.md index 7810caa5512d..ba3defc384f5 100644 --- a/content/code-security/tutorials/fix-reported-vulnerabilities/write-security-advisories.md +++ b/content/code-security/tutorials/fix-reported-vulnerabilities/write-security-advisories.md @@ -20,7 +20,7 @@ category: ## About security advisories for repositories -{% data reusables.security-advisory.security-advisory-overview %} For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). +{% data reusables.security-advisory.security-advisory-overview %} For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories). We recommend you use the syntax used in the {% data variables.product.prodname_advisory_database %}, especially the version formatting, when you write a repository security advisory, or make a community contribution to a global security advisory. @@ -29,13 +29,13 @@ If you follow the syntax for the {% data variables.product.prodname_advisory_dat * {% data variables.product.prodname_dependabot %} will have the information to accurately identify repositories that are affected and send them {% data variables.product.prodname_dependabot_alerts %} to notify them. * Community members are less likely to suggest edits to your advisory to fix missing or incorrect information. -You add or edit a repository advisory using the _Draft security advisory_ form. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). +You add or edit a repository advisory using the _Draft security advisory_ form. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/create-repository-advisory). -You suggest an improvement to an existing global advisory using the _Improve security advisory_ form. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). +You suggest an improvement to an existing global advisory using the _Improve security advisory_ form. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/edit-advisory-database). ## Ecosystem -You need to assign the advisory to one of our supported ecosystems using the **Ecosystem** field. For more information about the ecosystems we support, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database#github-reviewed-advisories). +You need to assign the advisory to one of our supported ecosystems using the **Ecosystem** field. For more information about the ecosystems we support, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/browse-advisory-database#github-reviewed-advisories). ![Screenshot of the "Affected products" area of the security advisory form. The "Ecosystem" field is highlighted with a dark orange outline.](/assets/images/help/security/security-advisory-ecosystem.png) diff --git a/content/code-security/tutorials/implement-supply-chain-best-practices/end-to-end-supply-chain-overview.md b/content/code-security/tutorials/implement-supply-chain-best-practices/end-to-end-supply-chain-overview.md index 07ab0b73cb89..ff7616a94f9e 100644 --- a/content/code-security/tutorials/implement-supply-chain-best-practices/end-to-end-supply-chain-overview.md +++ b/content/code-security/tutorials/implement-supply-chain-best-practices/end-to-end-supply-chain-overview.md @@ -18,7 +18,7 @@ category: At its core, end-to-end software supply chain security is about making sure the code you distribute hasn't been tampered with. Previously, attackers focused on targeting dependencies you use, for example libraries and frameworks. Attackers have now expanded their focus to include targeting user accounts and build processes, and so those systems must be defended as well. -For information about features in {% data variables.product.prodname_dotcom %} that can help you secure dependencies, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security). +For information about features in {% data variables.product.prodname_dotcom %} that can help you secure dependencies, see [AUTOTITLE](/code-security/concepts/supply-chain-security/supply-chain-security). ## About these guides @@ -26,11 +26,11 @@ This series of guides explains how to think about securing your end-to-end suppl Everyone's needs are different, so each guide starts with the highest impact change, and continues from there with additional improvements you should consider. You should feel free to skip around and focus on improvements you think will have the biggest benefit. The goal isn't to do everything at once but to continuously improve security in your systems over time. -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-accounts) -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-code) -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-builds) ## Further reading diff --git a/content/code-security/tutorials/implement-supply-chain-best-practices/securing-accounts.md b/content/code-security/tutorials/implement-supply-chain-best-practices/securing-accounts.md index 7578094a894f..7db80cd3e8aa 100644 --- a/content/code-security/tutorials/implement-supply-chain-best-practices/securing-accounts.md +++ b/content/code-security/tutorials/implement-supply-chain-best-practices/securing-accounts.md @@ -30,7 +30,7 @@ Account security is fundamental to the security of your supply chain. If an atta {% ifversion ghec %} If you're an enterprise or organization owner, you can configure centralized authentication with SAML. While you can add or remove members manually, it's simpler and more secure to set up single sign-on (SSO) and SCIM between {% data variables.product.github %} and your SAML identity provider (IdP). This also simplifies the authentication process for all members of your enterprise. -You can configure SAML authentication for an enterprise or organization account. With SAML, you can grant access to the personal accounts of members of your enterprise or organization on {% data variables.product.prodname_dotcom %} through your IdP, or you can create and control the accounts that belong to your enterprise by using {% data variables.product.prodname_emus %}. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise). +You can configure SAML authentication for an enterprise or organization account. With SAML, you can grant access to the personal accounts of members of your enterprise or organization on {% data variables.product.prodname_dotcom %} through your IdP, or you can create and control the accounts that belong to your enterprise by using {% data variables.product.prodname_emus %}. For more information, see [AUTOTITLE](/admin/concepts/identity-and-access-management/identity-and-access-management-fundamentals). After you configure SAML authentication, when members request access to your resources, they'll be directed to your SSO flow to ensure they are still recognized by your IdP. If they are unrecognized, their request is declined. @@ -42,7 +42,7 @@ If you're the site administrator for your instance, you can simplify the login e Some authentication methods also support communicating additional information to {% data variables.product.github %}, for example, what groups the user is a member of, or synchronizing cryptographic keys for the user. This is a great way to simplify your administration as your organization grows. -For more information about the authentication methods available for {% data variables.product.github %}, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise). +For more information about the authentication methods available for {% data variables.product.github %}, see [AUTOTITLE](/admin/concepts/identity-and-access-management/identity-and-access-management-fundamentals). {% endif %} ## Configure two-factor authentication @@ -91,7 +91,7 @@ If your enterprise uses {% data variables.product.prodname_emus %} or SAML authe {% endif %} -For more information, see {% ifversion ghec %}[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam) and {% endif %}[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#requiring-two-factor-authentication-for-organizations-in-your-enterprise). +For more information, see {% ifversion ghec %}[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-saml-for-enterprise-iam) and {% endif %}[AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#requiring-two-factor-authentication-for-organizations-in-your-enterprise). {% endif %} @@ -137,7 +137,7 @@ Hardware-backed SSH keys are quite secure, but the hardware requirement might no ## Next steps -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview) -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code) -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds) -* [AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/end-to-end-supply-chain-overview) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-code) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-builds) +* [AUTOTITLE](/code-security/tutorials/secure-your-organization/prevent-data-leaks) diff --git a/content/code-security/tutorials/implement-supply-chain-best-practices/securing-builds.md b/content/code-security/tutorials/implement-supply-chain-best-practices/securing-builds.md index 52f622f00ca7..c24557dd6381 100644 --- a/content/code-security/tutorials/implement-supply-chain-best-practices/securing-builds.md +++ b/content/code-security/tutorials/implement-supply-chain-best-practices/securing-builds.md @@ -36,7 +36,7 @@ There are several security capabilities a build system should have: In addition to the security benefits, {% data variables.product.prodname_actions %} lets you trigger builds manually, periodically, or on git events in your repository for frequent and fast builds. -{% data variables.product.prodname_actions %} is a big topic, but a good place to get started is [AUTOTITLE](/actions/learn-github-actions/understanding-github-actions), as well as [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#choosing-github-hosted-runners), and [AUTOTITLE](/actions/using-workflows/triggering-a-workflow). +{% data variables.product.prodname_actions %} is a big topic, but a good place to get started is [AUTOTITLE](/actions/get-started/understand-github-actions), as well as [AUTOTITLE](/actions/reference/workflows-and-actions/workflow-syntax#choosing-github-hosted-runners), and [AUTOTITLE](/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow). {% ifversion artifact-attestations %} @@ -46,7 +46,7 @@ In addition to the security benefits, {% data variables.product.prodname_actions Artifact attestations include a signature over a built artifact, along with links to the source code and build instructions. If you sign your build with artifact attestations, you do not have to manage your own signing key material. {% data variables.product.prodname_dotcom %} handles this for you with the signing authority we operate. -For more information, see [AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). +For more information, see [AUTOTITLE](/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). {% endif %} @@ -56,25 +56,25 @@ After your build process is secure, you want to prevent someone from tampering w How exactly you sign your build will depend on what sort of code you're writing, and who your users are. Often it's difficult to know how to securely store the private key. One basic option here is to use {% data variables.product.prodname_actions %} encrypted secrets, although you'll need to be careful to limit who has access to those {% data variables.product.prodname_actions %} workflows. {% ifversion fpt or ghec %}If your private key is stored in another system accessible over the public internet (like Microsoft Azure, or HashiCorp Vault), a more advanced option is to authenticate with OpenID Connect, so you don't have to share secrets across systems.{% endif %} If your private key is only accessible from a private network, another option is to use self-hosted runners for {% data variables.product.prodname_actions %}. -For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets){% ifversion fpt or ghec %}, [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect),{% endif %} and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). +For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets){% ifversion fpt or ghec %}, [AUTOTITLE](/actions/concepts/security/openid-connect),{% endif %} and [AUTOTITLE](/actions/concepts/runners/self-hosted-runners). {% ifversion immutable-releases %} ## Use immutable releases -If you are using release assets from other projects in your build system, or creating releases for your own work, you should reduce security risk by ensuring those releases are immutable, meaning they cannot be changed after publication. Immutable releases help prevent supply chain attacks and accidental breaking changes. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases). +If you are using release assets from other projects in your build system, or creating releases for your own work, you should reduce security risk by ensuring those releases are immutable, meaning they cannot be changed after publication. Immutable releases help prevent supply chain attacks and accidental breaking changes. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/immutable-releases). {% endif %} ## Harden security for {% data variables.product.prodname_actions %} There are many further steps you can take to additionally secure {% data variables.product.prodname_actions %}. In particular, be careful when evaluating third-party workflows, and consider using `CODEOWNERS` to limit who can make changes to your workflows. -For more information, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions) and [AUTOTITLE](/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions). +For more information, see [AUTOTITLE](/actions/reference/security/secure-use#writing-workflows) and [AUTOTITLE](/actions/reference/security/secure-use#s-security-features). ## Next steps -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/end-to-end-supply-chain-overview) -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-accounts) -* [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code) +* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-code) diff --git a/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md b/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md index 669f4f42b040..d9a96919c47d 100644 --- a/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md +++ b/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md @@ -60,7 +60,13 @@ See also [schedule](/code-security/dependabot/working-with-dependabot/dependabot ### Setting up a cooldown period for dependency updates -You can use `cooldown` with a combination of options to control when {% data variables.product.prodname_dependabot %} creates pull requests for **version updates**, but not **security updates**. +You can use `cooldown` with a combination of options to control when {% data variables.product.prodname_dependabot %} creates pull requests for **version updates**, but not **security updates**. + +{% ifversion dependabot-cooldown-default-days %} + +{% data reusables.dependabot.default-cooldown-period %} + +{% endif %} The example `dependabot.yml` file below shows a cooldown period being applied to the dependencies `requests`, `numpy`, and those prefixed with `pandas` or `django`, but not to the dependency called `pandas` (exact match), which is excluded via the **exclude** list. diff --git a/content/code-security/tutorials/trialing-github-advanced-security/planning-a-trial-of-ghas.md b/content/code-security/tutorials/trialing-github-advanced-security/planning-a-trial-of-ghas.md index 87f3aa111ff7..5e637d074133 100644 --- a/content/code-security/tutorials/trialing-github-advanced-security/planning-a-trial-of-ghas.md +++ b/content/code-security/tutorials/trialing-github-advanced-security/planning-a-trial-of-ghas.md @@ -36,11 +36,11 @@ If your company already uses {% data variables.product.github %}, consider what | Example need | Features to explore during the trial | |--|--| -| Enforce use of security features | Enterprise-level security configurations and policies. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/about-security-configurations) and [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/about-enterprise-policies) | -| Protect custom access tokens | Custom patterns for {% data variables.product.prodname_secret_scanning %}, delegated bypass for push protection, and validity checks. See [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-secret-scanning) | -| Define and enforce a development process | Dependency review, auto-triage rules, rulesets, and policies. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review), [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules), [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets), and [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/about-enterprise-policies) | -| Reduce technical debt at scale | Security campaigns. See {% ifversion fpt or ghec %}[AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns){% else %}[AUTOTITLE](/enterprise-cloud@latest/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns) in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}. | -| Monitor and track trends in security risks | Security overview. See [AUTOTITLE](/code-security/security-overview/viewing-security-insights) | +| Enforce use of security features | Enterprise-level security configurations and policies. See [AUTOTITLE](/code-security/concepts/security-at-scale/organization-security) and [AUTOTITLE](/admin/concepts/security-and-compliance/enterprise-policies) | +| Protect custom access tokens | Custom patterns for {% data variables.product.prodname_secret_scanning %}, delegated bypass for push protection, and validity checks. See [AUTOTITLE](/code-security/tutorials/trialing-github-advanced-security/explore-trial-secret-scanning) | +| Define and enforce a development process | Dependency review, auto-triage rules, rulesets, and policies. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review), [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules), [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets), and [AUTOTITLE](/admin/concepts/security-and-compliance/enterprise-policies) | +| Reduce technical debt at scale | Security campaigns. See {% ifversion fpt or ghec %}[AUTOTITLE](/code-security/concepts/security-at-scale/about-security-campaigns){% else %}[AUTOTITLE](/enterprise-cloud@latest/code-security/concepts/security-at-scale/about-security-campaigns) in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}. | +| Monitor and track trends in security risks | Security overview. See [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights) | {% endrowheaders %} @@ -57,13 +57,13 @@ You may also find it helpful to identify a champion for each company need that y Decide whether your team would benefit from hands-on experience with our free security features **before** you begin your trial. Testing code scanning and secret scanning on public repositories can help new users get familiar with the core features of {% data variables.product.prodname_GHAS %}. This will allow you to focus your trial period on private repositories and the advanced features and controls available in {% data variables.product.prodname_cs_and_sp %}. For more information, see: -* [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository) -* [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph) +* [AUTOTITLE](/code-security/how-tos/secure-your-secrets/detect-secret-leaks/enable-secret-scanning) +* [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning) +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph) {% ifversion secret-risk-assessment %} -Organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %} can run a free report to scan their code for leaked secrets. This helps you assess your repositories' current exposure to leaked secrets and shows how many existing secret leaks could have been prevented by {% data variables.product.prodname_secret_protection %}. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/about-secret-risk-assessment).{% endif %} +Organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %} can run a free report to scan their code for leaked secrets. This helps you assess your repositories' current exposure to leaked secrets and shows how many existing secret leaks could have been prevented by {% data variables.product.prodname_secret_protection %}. See [AUTOTITLE](/code-security/concepts/secret-security/secret-security-with-github).{% endif %} ## 4. Decide which organizations and repositories to test @@ -77,7 +77,7 @@ For each company need or goal you set for the trial, decide how you will measure ## 6. Start your trial -If you already use {% data variables.product.prodname_ghe_cloud %} (as a paying customer or as part of a free trial), see [AUTOTITLE](/code-security/trialing-github-advanced-security/trial-advanced-security). +If you already use {% data variables.product.prodname_ghe_cloud %} (as a paying customer or as part of a free trial), see [AUTOTITLE](/code-security/tutorials/trialing-github-advanced-security/trial-advanced-security). Otherwise, you can trial {% data variables.product.prodname_GHAS %} as part of a trial of {% data variables.product.prodname_ghe_cloud %}. See [AUTOTITLE](/enterprise-cloud@latest/admin/overview/setting-up-a-trial-of-github-enterprise-cloud){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}. diff --git a/content/code-security/tutorials/trialing-github-advanced-security/trial-advanced-security.md b/content/code-security/tutorials/trialing-github-advanced-security/trial-advanced-security.md index cef6247ffa3a..45e9a5e0f883 100644 --- a/content/code-security/tutorials/trialing-github-advanced-security/trial-advanced-security.md +++ b/content/code-security/tutorials/trialing-github-advanced-security/trial-advanced-security.md @@ -22,7 +22,7 @@ category: To set up a trial of {% data variables.product.prodname_GHAS %} using this method, you must meet the following criteria: -1. You are an owner of an enterprise account. See [AUTOTITLE](/enterprise-cloud@latest/admin/overview/about-enterprise-accounts). +1. You are an owner of an enterprise account. See [AUTOTITLE](/enterprise-cloud@latest/admin/concepts/enterprise-fundamentals/enterprise-accounts). 1. You pay by credit card or PayPal. 1. You have not previously purchased {% data variables.product.prodname_GHAS %} (that is, you do not currently or in the past have a paid license for {% data variables.product.prodname_GHAS %}). 1. You are not already using metered billing for {% data variables.product.prodname_GHAS %}. diff --git a/content/copilot/how-tos/copilot-cli/automate-copilot-cli/schedule-prompts.md b/content/copilot/how-tos/copilot-cli/automate-copilot-cli/schedule-prompts.md index e6f404b3d7c0..1846c08d9323 100644 --- a/content/copilot/how-tos/copilot-cli/automate-copilot-cli/schedule-prompts.md +++ b/content/copilot/how-tos/copilot-cli/automate-copilot-cli/schedule-prompts.md @@ -45,6 +45,9 @@ The prompt will be submitted after the interval you specified has elapsed and th /every 30m check for new comments on my open pull requests ``` +> [!NOTE] +> `/loop` is an alias of `/every`. So you can enter `/loop` instead of `/every`, if you prefer, and the effect is the same. + ## Scheduling a once-only prompt with `/after` Type `/after` followed by a delay and the prompt you want to submit: diff --git a/content/enterprise-onboarding/getting-started-with-your-enterprise/index.md b/content/enterprise-onboarding/getting-started-with-your-enterprise/index.md index 0cc50f20730b..a4da2e924741 100644 --- a/content/enterprise-onboarding/getting-started-with-your-enterprise/index.md +++ b/content/enterprise-onboarding/getting-started-with-your-enterprise/index.md @@ -5,7 +5,6 @@ versions: ghec: '*' shortTitle: Get started children: - - /choose-an-enterprise-type - /setting-up-a-trial-of-github-enterprise - /adding-users-to-your-enterprise - /about-enterprise-billing diff --git a/content/enterprise-onboarding/index.md b/content/enterprise-onboarding/index.md index 0e40a8272d44..bf1acfc82c70 100644 --- a/content/enterprise-onboarding/index.md +++ b/content/enterprise-onboarding/index.md @@ -7,7 +7,7 @@ journeyTracks: title: 'Getting started with your enterprise' description: 'Master the fundamentals of {% data variables.product.prodname_ghe_cloud %} and get started with a trial.' guides: - - href: '/enterprise-onboarding/getting-started-with-your-enterprise/choose-an-enterprise-type' + - href: '/admin/concepts/enterprise-fundamentals/choose-an-enterprise-type' - href: '/enterprise-onboarding/getting-started-with-your-enterprise/setting-up-a-trial-of-github-enterprise' - href: '/enterprise-onboarding/getting-started-with-your-enterprise/adding-users-to-your-enterprise' - href: '/enterprise-onboarding/getting-started-with-your-enterprise/about-enterprise-billing' diff --git a/data/features/dependabot-cooldown-default-days.yml b/data/features/dependabot-cooldown-default-days.yml new file mode 100644 index 000000000000..6acd99345a6d --- /dev/null +++ b/data/features/dependabot-cooldown-default-days.yml @@ -0,0 +1,5 @@ +# Default cooldown period of 3 days applied to Dependabot version updates +versions: + fpt: '*' + ghec: '*' + ghes: '>3.21' diff --git a/data/features/secret-scanning-custom-patterns-metrics.yml b/data/features/secret-scanning-custom-patterns-metrics.yml deleted file mode 100644 index 052155e32991..000000000000 --- a/data/features/secret-scanning-custom-patterns-metrics.yml +++ /dev/null @@ -1,7 +0,0 @@ -# Reference: #9140. -# Documentation for secret scanning metrics for custom patterns. -# Ref 17108 Advanced Security available to Team plans -versions: - fpt: '*' - ghec: '*' - ghes: '>=3.10' diff --git a/data/reusables/dependabot/default-cooldown-period.md b/data/reusables/dependabot/default-cooldown-period.md new file mode 100644 index 000000000000..19e2c78229bd --- /dev/null +++ b/data/reusables/dependabot/default-cooldown-period.md @@ -0,0 +1 @@ +By default, {% data variables.product.prodname_dependabot %} applies a cooldown period of 3 days to version updates, so a new version is not considered for a version update until 3 days after its release. **This default cooldown does not apply to security updates.** diff --git a/data/ui.yml b/data/ui.yml index 3c0042112d20..4d05da595a18 100644 --- a/data/ui.yml +++ b/data/ui.yml @@ -19,6 +19,10 @@ header: menu: Menu open_menu_label: Open menu go_home: Home + collapse_sidebar: Collapse sidebar + expand_sidebar: Expand sidebar + scroll_breadcrumbs_left: Scroll breadcrumbs left + scroll_breadcrumbs_right: Scroll breadcrumbs right picker: language_picker_label: Language diff --git a/src/automated-pipelines/components/AutomatedPage.tsx b/src/automated-pipelines/components/AutomatedPage.tsx index 8c3208d7b6e9..e16a2042f9b8 100644 --- a/src/automated-pipelines/components/AutomatedPage.tsx +++ b/src/automated-pipelines/components/AutomatedPage.tsx @@ -8,7 +8,6 @@ import { ArticleGridLayout } from '@/frame/components/article/ArticleGridLayout' import { ArticleInlineLayout } from '@/frame/components/article/ArticleInlineLayout' import { MiniTocs } from '@/frame/components/ui/MiniTocs' import { useAutomatedPageContext } from '@/automated-pipelines/components/AutomatedPageContext' -import { Breadcrumbs } from '@/frame/components/page-header/Breadcrumbs' import { JourneyTrackCard, JourneyTrackNav } from '@/journeys/components' type Props = { @@ -70,7 +69,6 @@ export const AutomatedPage = ({ children, rawChildren, fullWidth }: Props) => { topper={{title}} intro={introProp} toc={toc} - breadcrumbs={} > {articleContents} @@ -84,14 +82,7 @@ export const AutomatedPage = ({ children, rawChildren, fullWidth }: Props) => {
-
- -
- {title} - - } + topper={{title}} intro={introProp} toc={toc} > diff --git a/src/fixtures/fixtures/data/ui.yml b/src/fixtures/fixtures/data/ui.yml index 3c0042112d20..4d05da595a18 100644 --- a/src/fixtures/fixtures/data/ui.yml +++ b/src/fixtures/fixtures/data/ui.yml @@ -19,6 +19,10 @@ header: menu: Menu open_menu_label: Open menu go_home: Home + collapse_sidebar: Collapse sidebar + expand_sidebar: Expand sidebar + scroll_breadcrumbs_left: Scroll breadcrumbs left + scroll_breadcrumbs_right: Scroll breadcrumbs right picker: language_picker_label: Language diff --git a/src/fixtures/tests/breadcrumbs.ts b/src/fixtures/tests/breadcrumbs.ts index ce435f85f3ab..efa8f699d9b9 100644 --- a/src/fixtures/tests/breadcrumbs.ts +++ b/src/fixtures/tests/breadcrumbs.ts @@ -7,16 +7,21 @@ import { getDOM } from '@/tests/helpers/e2etest' describe('breadcrumbs', () => { test('links always prefixed with language', async () => { const $ = await getDOM('/get-started/start-your-journey/hello-world') - const links = $('[data-testid=breadcrumbs-in-article] a') + const links = $('[data-testid=breadcrumbs-bar] a') links.each((i, element) => { - expect($(element).attr('href')!.startsWith('/en/')).toBe(true) + const href = $(element).attr('href')! + // The Home crumb points at the locale root (`/en` on the default version, + // no trailing slash); every other crumb is under `/en/…`. Both are + // language-prefixed, which is what this test guards. + expect(href === '/en' || href.startsWith('/en/')).toBe(true) }) - expect.assertions(3) + // Home crumb + the three trail crumbs for this path. + expect.assertions(4) }) test('top-level hidden /search page has no breadcrumbs', async () => { const $ = await getDOM('/search') - const links = $('[data-testid=breadcrumbs-in-article] a') + const links = $('[data-testid=breadcrumbs-bar] a') expect(links.length).toBe(0) const headers = $('[data-testid=breadcrumbs-header]') expect(headers.length).toBe(0) @@ -24,53 +29,58 @@ describe('breadcrumbs', () => { test('short titles are preferred', async () => { const $ = await getDOM('/get-started/foo/bar') - const links = $('[data-testid=breadcrumbs-in-article] li:last-child a') + const links = $('[data-testid=breadcrumbs-bar] li:last-child a') expect(links.text()).toBe('Bar') }) - test('article pages have breadcrumbs in article with product, category, subcategory, and article and last breadcrumb is not viewable', async () => { + test('article pages have breadcrumbs in the secondary bar with home, product, category, subcategory, and article (all shown)', async () => { const $ = await getDOM('/get-started/start-your-journey/hello-world') - const links = $('[data-testid=breadcrumbs-in-article] a') - expect(links.length).toBe(3) - expect($(links[0]).text()).toBe('Get started') - expect($(links[0]).attr('class')!.includes('d-none')).toBe(false) - expect($(links[1]).text()).toBe('Start your journey') + const links = $('[data-testid=breadcrumbs-bar] a') + // The secondary bar leads with a Home crumb, then the page trail. + expect(links.length).toBe(4) + expect($(links[0]).text()).toBe('Home') + expect($(links[1]).text()).toBe('Get started') expect($(links[1]).attr('class')!.includes('d-none')).toBe(false) - expect($(links[2]).text()).toBe('Hello World') - expect($(links[2]).attr('class')!.includes('d-none')).toBe(true) + expect($(links[2]).text()).toBe('Start your journey') + expect($(links[2]).attr('class')!.includes('d-none')).toBe(false) + expect($(links[3]).text()).toBe('Hello World') + // The secondary-bar variant shows the full trail (no hidden last crumb). + expect($(links[3]).attr('class')!.includes('d-none')).toBe(false) }) test('works for enterprise-server articles too', async () => { const $ = await getDOM('/enterprise-server@latest/get-started/start-your-journey/hello-world') - const links = $('[data-testid=breadcrumbs-in-article] a') - expect(links.length).toBe(3) - expect($(links[0]).text()).toBe('Get started') - expect($(links[1]).text()).toBe('Start your journey') - expect($(links[2]).text()).toBe('Hello World') + const links = $('[data-testid=breadcrumbs-bar] a') + expect(links.length).toBe(4) + expect($(links[0]).text()).toBe('Home') + expect($(links[1]).text()).toBe('Get started') + expect($(links[2]).text()).toBe('Start your journey') + expect($(links[3]).text()).toBe('Hello World') }) test('works for titles that depend on Liquid', async () => { const $fpt = await getDOM('/get-started/start-your-journey/dynamic-title') - const fptLinks = $fpt('[data-testid=breadcrumbs-in-article] a') - expect($fpt(fptLinks[2]).text()).toBe('Hello HubGit') + const fptLinks = $fpt('[data-testid=breadcrumbs-bar] a') + // [0] is the Home crumb; the article is the last crumb. + expect($fpt(fptLinks[3]).text()).toBe('Hello HubGit') const $ghec = await getDOM( '/enterprise-cloud@latest/get-started/start-your-journey/dynamic-title', ) - const ghecLinks = $ghec('[data-testid=breadcrumbs-in-article] a') - expect($ghec(ghecLinks[2]).text()).toBe('Greetings HubGit Enterprise Cloud') + const ghecLinks = $ghec('[data-testid=breadcrumbs-bar] a') + expect($ghec(ghecLinks[3]).text()).toBe('Greetings HubGit Enterprise Cloud') }) - test('early access article pages have breadcrumbs with product, category, and article', async () => { + test('early access article pages have breadcrumbs with home, product, category, and article', async () => { const $ = await getDOM('/early-access/secrets/deeper/mariana-trench') - const $breadcrumbTitles = $( - '[data-testid=breadcrumbs-in-article] [data-testid=breadcrumb-title]', - ) - const $breadcrumbLinks = $('[data-testid=breadcrumbs-in-article] a') + const $breadcrumbTitles = $('[data-testid=breadcrumbs-bar] [data-testid=breadcrumb-title]') + const $breadcrumbLinks = $('[data-testid=breadcrumbs-bar] a') expect($breadcrumbTitles.length).toBe(0) - expect($breadcrumbLinks.length).toBe(2) - expect(($breadcrumbLinks[0] as Element).attribs.title).toBe('Deeper secrets') - expect(($breadcrumbLinks[1] as Element).attribs.title).toBe('Mariana Trench') + // Home crumb + the two early-access crumbs. + expect($breadcrumbLinks.length).toBe(3) + expect(($breadcrumbLinks[0] as Element).attribs.title).toBe('Home') + expect(($breadcrumbLinks[1] as Element).attribs.title).toBe('Deeper secrets') + expect(($breadcrumbLinks[2] as Element).attribs.title).toBe('Mariana Trench') }) }) diff --git a/src/fixtures/tests/playwright-rendering.spec.ts b/src/fixtures/tests/playwright-rendering.spec.ts index a48fd3675477..a8eeed35e7d0 100644 --- a/src/fixtures/tests/playwright-rendering.spec.ts +++ b/src/fixtures/tests/playwright-rendering.spec.ts @@ -540,21 +540,21 @@ test.describe('test nav at different viewports', () => { }) await page.goto('/get-started/foo/bar') - // in article breadcrumbs at our custom xl viewport should remove last - // breadcrumb so for this page we should only have 'Get Started / Foo' - expect(await page.getByTestId('breadcrumbs-in-article').getByRole('link').all()).toHaveLength(2) - await expect(page.getByTestId('breadcrumbs-in-article').getByText('Foo')).toBeVisible() - await expect(page.getByTestId('breadcrumbs-in-article').getByText('Bar')).not.toBeVisible() + // The Docs 2026 secondary bar leads with a Home crumb, then the full trail + // 'Get started / Foo / Bar' (no hidden last crumb). + expect(await page.getByTestId('breadcrumbs-bar').getByRole('link').all()).toHaveLength(4) + await expect(page.getByTestId('breadcrumbs-bar').getByText('Foo')).toBeVisible() + await expect(page.getByTestId('breadcrumbs-bar').getByText('Bar')).toBeVisible() // breadcrumbs show up in rest reference pages await page.goto('/rest/actions/artifacts') - await expect(page.getByTestId('breadcrumbs-in-article')).toBeVisible() + await expect(page.getByTestId('breadcrumbs-bar')).toBeVisible() // breadcrumbs show up in one of the pages that use the AutomatedPage // component (e.g. graphql, audit log, etc.) -- we test the webhooks // reference page here await page.goto('/webhooks/webhook-events-and-payloads') - await expect(page.getByTestId('breadcrumbs-in-article')).toBeVisible() + await expect(page.getByTestId('breadcrumbs-bar')).toBeVisible() }) test('large -> x-large viewports - 1012+', async ({ page }) => { @@ -584,17 +584,15 @@ test.describe('test nav at different viewports', () => { }) await page.goto('/get-started/foo/bar') - // breadcrumbs show up in the header, for this page we should have - // 3 items 'Get Started / Foo / Bar' - // in-article breadcrumbs don't show up - await expect(page.getByTestId('breadcrumbs-header')).toBeVisible() - expect(await page.getByTestId('breadcrumbs-header').getByRole('link').all()).toHaveLength(3) - await expect(page.getByTestId('breadcrumbs-in-article')).not.toBeVisible() + // breadcrumbs show up in the secondary bar; for this page we should have + // a Home crumb plus 'Get started / Foo / Bar' + await expect(page.getByTestId('breadcrumbs-bar')).toBeVisible() + expect(await page.getByTestId('breadcrumbs-bar').getByRole('link').all()).toHaveLength(4) - // hamburger button for sidebar overlay is visible - await expect(page.getByTestId('sidebar-hamburger')).toBeVisible() - await page.getByTestId('sidebar-hamburger').click() - await expect(page.locator('[role="dialog"][class*="Header_dialog"]')).toBeVisible() + // the mobile nav toggle is visible and expands the doc-tree nav inline + await expect(page.getByTestId('sidebar-mobile-toggle')).toBeVisible() + await page.getByTestId('sidebar-mobile-toggle').click() + await expect(page.getByTestId('sidebar')).toBeVisible() }) test('medium viewports - 768-1011', async ({ page }) => { @@ -617,9 +615,9 @@ test.describe('test nav at different viewports', () => { await expect(page.getByTestId('mobile-signup')).toBeVisible() // hamburger button for sidebar overlay is visible - await expect(page.getByTestId('sidebar-hamburger')).toBeVisible() - await page.getByTestId('sidebar-hamburger').click() - await expect(page.locator('[role="dialog"][class*="Header_dialog"]')).toBeVisible() + await expect(page.getByTestId('sidebar-mobile-toggle')).toBeVisible() + await page.getByTestId('sidebar-mobile-toggle').click() + await expect(page.getByTestId('sidebar')).toBeVisible() }) test('small viewports - 544-767', async ({ page }) => { @@ -646,9 +644,9 @@ test.describe('test nav at different viewports', () => { await expect(page.getByTestId('mobile-signup')).toBeVisible() // hamburger button for sidebar overlay is visible - await expect(page.getByTestId('sidebar-hamburger')).toBeVisible() - await page.getByTestId('sidebar-hamburger').click() - await expect(page.locator('[role="dialog"][class*="Header_dialog"]')).toBeVisible() + await expect(page.getByTestId('sidebar-mobile-toggle')).toBeVisible() + await page.getByTestId('sidebar-mobile-toggle').click() + await expect(page.getByTestId('sidebar')).toBeVisible() }) test('x-small viewports - 0-544', async ({ page }) => { @@ -680,9 +678,9 @@ test.describe('test nav at different viewports', () => { await expect(page.getByTestId('mobile-signup')).toBeVisible() // hamburger button for sidebar overlay is visible - await expect(page.getByTestId('sidebar-hamburger')).toBeVisible() - await page.getByTestId('sidebar-hamburger').click() - await expect(page.locator('[role="dialog"][class*="Header_dialog"]')).toBeVisible() + await expect(page.getByTestId('sidebar-mobile-toggle')).toBeVisible() + await page.getByTestId('sidebar-mobile-toggle').click() + await expect(page.getByTestId('sidebar')).toBeVisible() }) test('do a search when the viewport is x-small', async ({ page }) => { @@ -881,7 +879,10 @@ test.describe('survey', () => { await expect(page.getByRole('button', { name: 'Send' })).toBeVisible() await expect(page.locator('[for=survey-comment]')).toBeVisible() - await page.getByTestId('product-sidebar').getByLabel('Bar', { exact: true }).click() + await page + .getByTestId('product-sidebar') + .getByRole('link', { name: 'Bar', exact: true }) + .click() await expect(page.getByRole('button', { name: 'Send' })).not.toBeVisible() await expect(page.locator('[for=survey-comment]')).not.toBeVisible() }) @@ -894,8 +895,13 @@ test.describe('rest API reference pages', () => { // URL that has that `?apiVersion=` query parameter. await expect(page).toHaveURL(/\/en\/rest\?apiVersion=/) await page.getByTestId('sidebar').getByText('Actions').click() - await page.getByTestId('sidebar').getByLabel('Artifacts').click() - await page.getByLabel('About artifacts in HubGit Actions').click() + // Brand NavList renders leaf articles as links (not the label-associated + // controls Primer used), so locate them by link role rather than getByLabel. + await page.getByTestId('sidebar').getByRole('link', { name: 'Artifacts' }).click() + await page + .getByTestId('sidebar') + .getByRole('link', { name: 'About artifacts in HubGit Actions' }) + .click() await expect(page).toHaveURL(/\/en\/rest\/actions\/artifacts\?apiVersion=/) await expect(page).toHaveTitle(/GitHub Actions Artifacts - GitHub Docs/) }) diff --git a/src/fixtures/tests/sidebar.ts b/src/fixtures/tests/sidebar.ts index 568b5bb6a369..8607f0ed57ee 100644 --- a/src/fixtures/tests/sidebar.ts +++ b/src/fixtures/tests/sidebar.ts @@ -10,9 +10,9 @@ describe('sidebar', () => { const sidebarProduct = $('[data-testid="sidebar-product-xl"]') expect(sidebarProduct.text()).toBe('Get started') expect(sidebarProduct.attr('href')).toBe('/en/get-started') - // Mobile - expect($('[data-testid="header-subnav"]').length).toBe(1) - expect($('[data-testid="header-subnav-hamburger"]').length).toBe(1) + // Docs 2026 secondary bar (breadcrumbs + nav toggle) replaces the old subnav + expect($('[data-testid="docs-secondary-bar"]').length).toBe(1) + expect($('[data-testid="sidebar-mobile-toggle"]').length).toBe(1) }) test('REST pages get the REST sidebar', async () => { @@ -73,9 +73,9 @@ describe('sidebar', () => { const $: CheerioAPI = await getDOM('/early-access/secrets/deeper/mariana-trench') // Deskop expect($('[data-testid="sidebar-product-xl"]').length).toBe(0) - // Mobile - expect($('[data-testid="header-subnav"]').length).toBe(1) - expect($('[data-testid="header-subnav-hamburger"]').length).toBe(0) + // The secondary bar renders, but early-access has no nav toggle + expect($('[data-testid="docs-secondary-bar"]').length).toBe(1) + expect($('[data-testid="sidebar-mobile-toggle"]').length).toBe(0) }) test('category-landing pages show title entry in sidebar', async () => { diff --git a/src/frame/components/DefaultLayout.module.scss b/src/frame/components/DefaultLayout.module.scss index 3612da8c340b..9d113e41e172 100644 --- a/src/frame/components/DefaultLayout.module.scss +++ b/src/frame/components/DefaultLayout.module.scss @@ -1,3 +1,16 @@ +@import "src/frame/stylesheets/breakpoint-xxl.scss"; + .mainContent { scroll-margin-top: 5rem; } + +// When the inline mobile/tablet nav is open, it takes over the viewport — hide +// the content column so the full-width rail isn't squeezed beside it. Above the +// xxl breakpoint the rail is a fixed-width sibling, so content always shows. +.contentHiddenForNav { + display: none; + + @include breakpoint-xxl { + display: flex; + } +} diff --git a/src/frame/components/DefaultLayout.tsx b/src/frame/components/DefaultLayout.tsx index abff184d2be5..64bc41cc6744 100644 --- a/src/frame/components/DefaultLayout.tsx +++ b/src/frame/components/DefaultLayout.tsx @@ -1,9 +1,15 @@ import React from 'react' import Head from 'next/head' import { useRouter } from 'next/router' +import cx from 'classnames' import { SidebarNav } from '@/frame/components/sidebar/SidebarNav' import { Header } from '@/frame/components/page-header/Header' +import { DocsSecondaryBar } from '@/frame/components/page-header/DocsSecondaryBar' +import { + SidebarCollapseProvider, + useSidebarCollapsed, +} from '@/frame/components/sidebar/SidebarCollapseContext' import { LegalFooter } from '@/frame/components/page-footer/LegalFooter' import { ScrollButton } from '@/frame/components/ui/ScrollButton' import { SupportSection } from '@/frame/components/page-footer/SupportSection' @@ -216,29 +222,73 @@ export const DefaultLayout = (props: Props) => { > Skip to main content -
- -
- {isHomepageVersion ? null : } - {/* Need to set an explicit height for sticky elements since we also - set overflow to auto */} -
-
- - - - {props.children} -
-
- - - -
-
-
+ +
+ + {isHomepageVersion ? ( +
+
+
+ + + + {props.children} +
+
+ + + +
+
+
+ ) : ( + <> + + {props.children} + + )} + ) } + +// The doc-tree rail + content column, split out so it can read the collapse +// context that DefaultLayout provides. On desktop the rail shows unless +// collapsed; on mobile it shows inline (in the page flow, like desktop) only +// when the nav is opened from the secondary bar. The content column (flex-1) +// fills the row when the rail is absent. +type LayoutBodyProps = { children?: React.ReactNode; scrollToTopLabel: string } +const LayoutBody = ({ children, scrollToTopLabel }: LayoutBodyProps) => { + const { collapsed, mobileNavOpen } = useSidebarCollapsed() + return ( +
+ {collapsed ? null : } + {/* Need to set an explicit height for sticky elements since we also + set overflow to auto */} +
+
+ + + + {children} +
+
+ + + +
+
+
+ ) +} diff --git a/src/frame/components/article/ArticleInlineLayout.module.scss b/src/frame/components/article/ArticleInlineLayout.module.scss index 05b340089892..85c9e381b29c 100644 --- a/src/frame/components/article/ArticleInlineLayout.module.scss +++ b/src/frame/components/article/ArticleInlineLayout.module.scss @@ -10,7 +10,6 @@ column-gap: 80px; row-gap: 0; grid-template-areas: - "breadcrumbs" "topper" "sidebar" "intro" diff --git a/src/frame/components/article/ArticleInlineLayout.tsx b/src/frame/components/article/ArticleInlineLayout.tsx index 7833145e5284..f148604b14b2 100644 --- a/src/frame/components/article/ArticleInlineLayout.tsx +++ b/src/frame/components/article/ArticleInlineLayout.tsx @@ -5,7 +5,6 @@ import { SupportPortalVaIframe, SupportPortalVaIframeProps } from './SupportPort import styles from './ArticleInlineLayout.module.scss' type Props = { - breadcrumbs?: React.ReactNode intro?: React.ReactNode introCallOuts?: React.ReactNode topper?: React.ReactNode @@ -15,7 +14,6 @@ type Props = { supportPortalVaIframeProps?: SupportPortalVaIframeProps } export const ArticleInlineLayout = ({ - breadcrumbs, intro, introCallOuts, topper, @@ -26,14 +24,6 @@ export const ArticleInlineLayout = ({ }: Props) => { return (
- {breadcrumbs && ( -
- {breadcrumbs} -
- )}
{topper &&
{topper}
} diff --git a/src/frame/components/article/ArticlePage.tsx b/src/frame/components/article/ArticlePage.tsx index c2c58c042e8b..dd8da9394851 100644 --- a/src/frame/components/article/ArticlePage.tsx +++ b/src/frame/components/article/ArticlePage.tsx @@ -1,6 +1,5 @@ import { useRouter } from 'next/router' import dynamic from 'next/dynamic' -import cx from 'classnames' import { useArticleContext } from '@/frame/components/context/ArticleContext' import { DefaultLayout } from '@/frame/components/DefaultLayout' @@ -14,7 +13,6 @@ import { PlatformPicker } from '@/tools/components/PlatformPicker' import { ToolPicker } from '@/tools/components/ToolPicker' import { MiniTocs } from '@/frame/components/ui/MiniTocs' import { RestRedirect } from '@/rest/components/RestRedirect' -import { Breadcrumbs } from '@/frame/components/page-header/Breadcrumbs' import { LinkPreviewPopover } from '@/links/components/LinkPreviewPopover' import { UtmPreserver } from '@/frame/components/UtmPreserver' import { JourneyTrackCard, JourneyTrackNav } from '@/journeys/components' @@ -112,7 +110,6 @@ export const ArticlePage = () => { intro={introProp} introCallOuts={introCalloutsProp} toc={toc} - breadcrumbs={} > {articleContents} @@ -124,10 +121,6 @@ export const ArticlePage = () => { ) : (
-
- -
- {title}} diff --git a/src/frame/components/context/MainContext.tsx b/src/frame/components/context/MainContext.tsx index 31e2afc7e877..de15901f3f9c 100644 --- a/src/frame/components/context/MainContext.tsx +++ b/src/frame/components/context/MainContext.tsx @@ -5,6 +5,7 @@ import type { Response } from 'express' import type { BreadcrumbT } from '@/frame/components/page-header/Breadcrumbs' import type { FeatureFlags } from '@/frame/components/hooks/useFeatureFlags' import type { ExtendedRequest, Permalink, SidebarLink } from '@/types' +import { SIDEBAR_EXPANDED_COOKIE_NAME, SIDEBAR_COLLAPSED_COOKIE_NAME } from '@/frame/lib/constants' export type ProductT = { external: boolean @@ -130,6 +131,14 @@ export type MainContextT = { } | null relativePath?: string | null sidebarTree?: ProductTreeNode | null + // Per-category expand/collapse overrides for the doc-tree sidebar, read from the + // sidebar_expanded cookie during SSR so the tree renders in its persisted state + // on first paint (no post-mount flash). Keyed by locale-prefixed href. + sidebarExpanded?: Record | null + // Whether the desktop doc-tree rail is collapsed, read from the sidebar_collapsed + // cookie during SSR so the rail renders in its persisted state on first paint + // (no flash of the open sidebar before it collapses post-mount). + sidebarCollapsed?: boolean status: number xHost?: string } @@ -169,6 +178,19 @@ export function addUINamespaces(req: ExtendedRequest, ui: UIStrings, namespaces: } } +// Parse the sidebar_expanded cookie (a JSON map of href -> bool) from the request. +// Guarded so a malformed or absent cookie degrades to no overrides. +function parseSidebarExpandedCookie(req: ExtendedRequest): Record { + const raw = req.cookies?.[SIDEBAR_EXPANDED_COOKIE_NAME] + if (!raw) return {} + try { + const parsed = JSON.parse(raw) + return parsed && typeof parsed === 'object' ? (parsed as Record) : {} + } catch { + return {} + } +} + export const getMainContext = async ( req: ExtendedRequest, res: Response, @@ -293,6 +315,10 @@ export const getMainContext = async ( // The minimal product tree is needed on all pages that depend on // the product sidebar or the rest sidebar. sidebarTree: (includeSidebarTree && context.sidebarTree) || null, + sidebarExpanded: includeSidebarTree ? parseSidebarExpandedCookie(req) : null, + sidebarCollapsed: includeSidebarTree + ? req.cookies?.[SIDEBAR_COLLAPSED_COOKIE_NAME] === 'true' + : false, status: res.statusCode, xHost: req.get('x-host') || '', } diff --git a/src/frame/components/page-header/Breadcrumbs.tsx b/src/frame/components/page-header/Breadcrumbs.tsx index a2a6c44442f5..b3e7b854159e 100644 --- a/src/frame/components/page-header/Breadcrumbs.tsx +++ b/src/frame/components/page-header/Breadcrumbs.tsx @@ -4,9 +4,16 @@ import cx from 'classnames' import { Breadcrumbs as BrandBreadcrumbs } from '@primer/react-brand' import { useMainContext } from '../context/MainContext' +import { DEFAULT_VERSION, useVersion } from '@/versions/components/useVersion' +import { useTranslation } from '@/languages/components/useTranslation' type Props = { inHeader?: boolean + // Placement variant. Defaults derived from `inHeader` for back-compat: + // - 'in-article' (default): sits above the article; hides the last (current) crumb. + // - 'header': the mobile subnav row; shows all crumbs. + // - 'bar': the Docs 2026 secondary bar; shows all crumbs and a leading Home crumb. + variant?: 'in-article' | 'header' | 'bar' } export type BreadcrumbT = { @@ -14,9 +21,28 @@ export type BreadcrumbT = { href?: string } -export const Breadcrumbs = ({ inHeader }: Props) => { +export const Breadcrumbs = ({ inHeader, variant }: Props) => { const { breadcrumbs } = useMainContext() const router = useRouter() + const { currentVersion } = useVersion() + const { t } = useTranslation('header') + + const placement = variant ?? (inHeader ? 'header' : 'in-article') + // Only the in-article placement hides the current (last) crumb; the header and + // secondary-bar placements show the full trail. + const hideLastCrumb = placement === 'in-article' + // The secondary bar leads with a Home crumb (replacing the old "← Home" rail link). + const showHomeCrumb = placement === 'bar' + const testId = + placement === 'bar' + ? 'breadcrumbs-bar' + : placement === 'header' + ? 'breadcrumbs-header' + : 'breadcrumbs-in-article' + + const homeHref = `/${router.locale}${ + currentVersion === DEFAULT_VERSION ? '' : `/${currentVersion}` + }` // BrandBreadcrumbs.Item renders a plain , so intercept clicks to restore // next/link-style client-side navigation. Modifier/middle clicks fall through @@ -41,11 +67,17 @@ export const Breadcrumbs = ({ inHeader }: Props) => { } return ( - + + {showHomeCrumb && ( + handleClick(event, homeHref)} + > + {t('go_home')} + + )} {Object.values(breadcrumbs) .filter(Boolean) .map((breadcrumb, i, arr) => { @@ -65,9 +97,9 @@ export const Breadcrumbs = ({ inHeader }: Props) => { title={title} onClick={(event) => handleClick(event, breadcrumb.href!)} className={cx( - // Show the last breadcrumb if it's in the header, but not if it's in the article. + // Show the last breadcrumb if it's in the header/bar, but not if it's in the article. // If there's only 1 breadcrumb, show it. - !inHeader && i === arr.length - 1 && arr.length !== 1 && 'd-none', + hideLastCrumb && i === arr.length - 1 && arr.length !== 1 && 'd-none', )} > {breadcrumb.title} diff --git a/src/frame/components/page-header/BreadcrumbsScroller.module.scss b/src/frame/components/page-header/BreadcrumbsScroller.module.scss new file mode 100644 index 000000000000..1eed9814d65a --- /dev/null +++ b/src/frame/components/page-header/BreadcrumbsScroller.module.scss @@ -0,0 +1,92 @@ +// Horizontal scroll wrapper for the secondary-bar breadcrumbs. When the trail +// overflows, the scroll area is anchored to the right (current page visible) +// and a left chevron reveals ancestor crumbs. A left-edge fade signals that +// there is more content scrolled off to the left. + +.scroller { + display: flex; + align-items: center; + flex: 1 1 auto; + min-width: 0; + min-height: 44px; + position: relative; +} + +// The chevrons overlay the ends of the scroll area (absolutely positioned) +// rather than sitting in the flex flow. This keeps the scroll area full-width +// and constant — so its scrollable range never shifts when a chevron toggles — +// while a hidden chevron leaves NO reserved gap at that edge. Each chevron +// carries the secondary bar's own background so a crumb scrolling underneath is +// masked rather than showing through the icon. +.leftChevron { + position: absolute; + left: 0; + top: 50%; + transform: translateY(-50%); + z-index: 1; + color: var(--fgColor-muted, var(--color-fg-muted)); + background-color: var(--bgColor-default, var(--color-canvas-default)); +} + +.rightChevron { + position: absolute; + right: 0; + top: 50%; + transform: translateY(-50%); + z-index: 1; + color: var(--fgColor-muted, var(--color-fg-muted)); + background-color: var(--bgColor-default, var(--color-canvas-default)); +} + +// Hidden chevrons are removed from view and interaction (and from the tab +// order / a11y tree in the component). Because they're absolutely positioned +// they already occupy no layout space, so the scroll area is unaffected. +.chevronHidden { + visibility: hidden; + pointer-events: none; +} + +.scrollArea { + flex: 1 1 auto; + min-width: 0; + overflow-x: auto; + overflow-y: hidden; + // Constant 16px on both ends: keeps a crumb off the border at the scroll + // extremes, and mid-scroll the chevron overlays the end of the trail (its + // solid background masks whatever passes underneath). Keeping this padding + // fixed — never toggled with the chevrons — means the scroll content's width + // never changes, so toggling a chevron can't reflow the trail or nudge the + // scroll position (no hop, no mount bounce, no click-lands-short). + padding: 0 16px; + scrollbar-width: none; // Firefox — hide the horizontal scrollbar + -ms-overflow-style: none; + + &::-webkit-scrollbar { + display: none; // Chrome/Safari + } + + // Make the brand Breadcrumbs
- {!isHomepageVersion && !isSearchResultsPage && ( -
- {!isEarlyAccessPage && ( -
- - {isSidebarOpen && ( - } - width="medium" - > - - - )} -
- )} -
- -
-
- )} void + setCollapsed: (collapsed: boolean) => void + // Mobile: whether the doc-tree nav is expanded inline (not persisted). The + // nav renders in the page flow, same as desktop — not in a dialog overlay. + mobileNavOpen: boolean + toggleMobileNav: () => void + closeMobileNav: () => void +} + +const SidebarCollapseContext = createContext(null) + +export function SidebarCollapseProvider({ + children, + initialCollapsed, +}: { + children: ReactNode + initialCollapsed?: boolean +}) { + const { asPath } = useRouter() + // Seed from the SSR-read cookie value so server and first client render agree. + // When no initial is supplied, fall back to reading the cookie client-side. + const [collapsed, setCollapsedState] = useState(() => initialCollapsed ?? readCollapsed()) + const [mobileNavOpen, setMobileNavOpen] = useState(false) + + const setCollapsed = useCallback((next: boolean) => { + setCollapsedState(next) + persistCollapsed(next) + }, []) + + const toggleCollapsed = useCallback(() => { + setCollapsedState((prev) => { + const next = !prev + persistCollapsed(next) + return next + }) + }, []) + + const toggleMobileNav = useCallback(() => setMobileNavOpen((prev) => !prev), []) + const closeMobileNav = useCallback(() => setMobileNavOpen(false), []) + + // Client-side navigation doesn't unmount the inline mobile nav, so close it + // when the route (or REST in-page hash) changes. + useEffect(() => { + setMobileNavOpen(false) + }, [asPath]) + + const value = useMemo( + () => ({ + collapsed, + toggleCollapsed, + setCollapsed, + mobileNavOpen, + toggleMobileNav, + closeMobileNav, + }), + [collapsed, toggleCollapsed, setCollapsed, mobileNavOpen, toggleMobileNav, closeMobileNav], + ) + + return {children} +} + +/** + * Read/toggle the desktop rail's collapsed state and the inline mobile nav's + * open state. Falls back to a no-op expanded/closed state if used outside the + * provider. + */ +export function useSidebarCollapsed(): SidebarCollapseContextValue { + const ctx = useContext(SidebarCollapseContext) + if (!ctx) { + return { + collapsed: false, + toggleCollapsed: () => {}, + setCollapsed: () => {}, + mobileNavOpen: false, + toggleMobileNav: () => {}, + closeMobileNav: () => {}, + } + } + return ctx +} diff --git a/src/frame/components/sidebar/SidebarNav.module.scss b/src/frame/components/sidebar/SidebarNav.module.scss index 252926924764..4f30e7bdaccf 100644 --- a/src/frame/components/sidebar/SidebarNav.module.scss +++ b/src/frame/components/sidebar/SidebarNav.module.scss @@ -1,15 +1,27 @@ +@import "src/frame/stylesheets/breakpoint-xxl.scss"; + .sidebarFull { - // Fixed width for consistent sidebar layout - width: 326px; - // 65px accounts for the header height - height: calc(100vh - 65px); - top: 65px; + @include breakpoint-xxl { + // Fixed width for consistent sidebar layout + width: 326px; + // 109px accounts for the header (65px) + the Docs 2026 secondary bar (44px) + height: calc(100vh - 109px); + top: 109px; + } +} + +// When the mobile nav is expanded inline, the rail spans the full width and +// flows in the page (no fixed height / sticky) below the xxl breakpoint. +.sidebarFullMobileOpen { + width: 100%; } .sidebarContentFull { - width: 326px; - // 175px accounts for header (65px) + sidebar header (110px) - height: calc(100vh - 175px); + @include breakpoint-xxl { + width: 326px; + // 219px accounts for header (65px) + secondary bar (44px) + sidebar header (110px) + height: calc(100vh - 219px); + } } .sidebarContentOverlay { diff --git a/src/frame/components/sidebar/SidebarNav.tsx b/src/frame/components/sidebar/SidebarNav.tsx index e907a700681d..689582bf098a 100644 --- a/src/frame/components/sidebar/SidebarNav.tsx +++ b/src/frame/components/sidebar/SidebarNav.tsx @@ -4,7 +4,6 @@ import { useRouter } from 'next/router' import { useMainContext } from '@/frame/components/context/MainContext' import { SidebarProduct } from '@/landings/components/SidebarProduct' import { SidebarSearchAggregates } from '@/search/components/results/SidebarSearchAggregates' -import { AllProductsLink } from './AllProductsLink' import { ApiVersionPicker } from '@/rest/components/ApiVersionPicker' import { Link } from '@/frame/components/Link' @@ -12,9 +11,13 @@ import styles from './SidebarNav.module.scss' type Props = { variant?: 'full' | 'overlay' + // When true (full variant only), the rail is also shown on mobile, inline in + // the page flow — the Docs 2026 mobile nav expands like the desktop view + // rather than opening a dialog overlay. + mobileOpen?: boolean } -export const SidebarNav = ({ variant = 'full' }: Props) => { +export const SidebarNav = ({ variant = 'full', mobileOpen = false }: Props) => { const { currentProduct, currentProductName } = useMainContext() const router = useRouter() const isRestPage = currentProduct && currentProduct.id === 'rest' @@ -29,9 +32,18 @@ export const SidebarNav = ({ variant = 'full' }: Props) => { return (