diff --git a/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md b/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md index 42bfd0cf8109..1ef76801af63 100644 --- a/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md +++ b/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md @@ -974,7 +974,7 @@ ghe-btop [ | --help | --usage ] #### ghe-governor -This utility helps to analyze Git traffic. It queries _Governor_ data files, located under `/data/user/gitmon`. {% data variables.product.company_short %} holds one hour of data per file, retained for two weeks. For more information, see [Analyzing Git traffic using Governor](https://github.com/orgs/community/discussions/34220) in {% data variables.product.prodname_github_community %}. +This utility helps to analyze Git traffic. It queries _Governor_ data files, located under `/data/user/governor/`. {% data variables.product.company_short %} holds one hour of data per file, retained for two weeks. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/analyze-git-traffic). ```bash ghe-governor [options] diff --git a/content/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise.md b/content/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise.md index 8146f7d67478..01f408426096 100644 --- a/content/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise.md @@ -97,7 +97,7 @@ You can set a global announcement banner to be displayed to all users at the top You can also create announcement banners at the organization level. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/creating-an-announcement-banner-for-your-organization). {% ifversion ghes %} -You can also set an announcement banner in the administrative shell using a command line utility or using the API. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-announce) and [AUTOTITLE](/rest/enterprise-admin#announcements). +You can also set an announcement banner in the administrative shell using a command line utility or using the API. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-announce) and [AUTOTITLE](/rest/enterprise-admin#announcements). {% endif %} {% data reusables.enterprise-accounts.access-enterprise %} diff --git a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise.md index 3f2e8bdf31a7..35eb19e6ae8d 100644 --- a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise.md @@ -38,8 +38,8 @@ If you use {% data variables.product.prodname_emus %}, the following limitations After you add an existing organization to your enterprise, the organization's resources remain accessible to members at the same URLs, and the following changes will apply. * **Two-factor authentication (2FA):** If required by the enterprise, members without 2FA, or with insecure 2FA, will be unable to access organization resources until they configure 2FA that meets the enterprise's 2FA security requirements. -* **Enterprise licenses:** Members become part of the enterprise, and usage is billed to the enterprise account. You must ensure that the enterprise account has enough licenses to accommodate any new members. See [AUTOTITLE](/billing/managing-your-billing/about-billing-for-your-enterprise). -* **Enterprise role management:** Enterprise owners can manage their roles within the organization. See [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). +* **Enterprise licenses:** Members become part of the enterprise, and usage is billed to the enterprise account. You must ensure that the enterprise account has enough licenses to accommodate any new members. See [AUTOTITLE](/billing/concepts/enterprise-billing/billing-for-enterprises). +* **Enterprise role management:** Enterprise owners can manage their roles within the organization. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). * **Enterprise policies:** Any policies applied to the enterprise will apply to the organization. {% data reusables.actions.org-to-enterprise-actions-permissions %} * **SAML SSO Configuration:** @@ -50,10 +50,10 @@ After you add an existing organization to your enterprise, the organization's re * If SAML is **not** configured for the destination enterprise, the organization will retain any existing SAML and SCIM settings. * If organization members have existing SAML authorizations for {% data variables.product.pat_generic_plural %} or SSH keys to access the organization, these authorizations will remain active. * To see these authorizations, SAML must be configured for either the organization or enterprise, and the user must have a linked SAML identity. - * To access additional organizations owned by the enterprise, members must authorize the {% data variables.product.pat_generic %} or key. See [AUTOTITLE](/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on) and [AUTOTITLE](/authentication/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on). + * To access additional organizations owned by the enterprise, members must authorize the {% data variables.product.pat_generic %} or key. See [AUTOTITLE](/authentication/authenticating-with-single-sign-on/authorizing-a-personal-access-token-for-use-with-single-sign-on) and [AUTOTITLE](/authentication/authenticating-with-single-sign-on/authorizing-an-ssh-key-for-use-with-single-sign-on). * **Trial enterprise:** Certain features may be disabled if added to a trial enterprise. See [AUTOTITLE](/admin/overview/setting-up-a-trial-of-github-enterprise-cloud#features-not-included-in-the-trial). -* **{% data variables.product.prodname_github_connect %}:** If the organization was connected to {% data variables.product.prodname_ghe_server %} using {% data variables.product.prodname_github_connect %}, adding the organization to an enterprise will not update the connection. {% data variables.product.prodname_github_connect %} features will no longer function for the organization. To continue using {% data variables.product.prodname_github_connect %}, you must disable and re-enable the feature. See [AUTOTITLE](/enterprise-server@latest/admin/configuration/configuring-github-connect/managing-github-connect) in the {% data variables.product.prodname_ghe_server %} documentation. +* **{% data variables.product.prodname_github_connect %}:** If the organization was connected to {% data variables.product.prodname_ghe_server %} using {% data variables.product.prodname_github_connect %}, adding the organization to an enterprise will not update the connection. {% data variables.product.prodname_github_connect %} features will no longer function for the organization. To continue using {% data variables.product.prodname_github_connect %}, you must disable and re-enable the feature. See [AUTOTITLE](/enterprise-server@latest/admin/configuring-settings/configuring-github-connect/enabling-github-connect-for-githubcom) in the {% data variables.product.prodname_ghe_server %} documentation. * **{% data variables.product.prodname_marketplace %} apps:** If you add a standalone organization that uses billed {% data variables.product.prodname_marketplace %} apps, the organization can continue to use the apps, but usage will be billable to the enterprise. * If your enterprise is billed via invoice, contact the app vendor and pay directly. * If your enterprise is billed via credit card or PayPal, billing continues automatically. diff --git a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/configuring-visibility-for-organization-membership.md b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/configuring-visibility-for-organization-membership.md index 903110845b9f..c1aced3271f2 100644 --- a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/configuring-visibility-for-organization-membership.md +++ b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/configuring-visibility-for-organization-membership.md @@ -20,4 +20,4 @@ You can also enforce your default setting on all current organization members in 1. Under "Default organization membership visibility", select the drop-down menu, and click **Private** or **Public**. 1. Optionally, to prevent members from changing their membership visibility from the default, select **Enforce for all enterprise members**. ![Screenshot of the "Default organization membership visibility" section. The "Enforce for all enterprise members" checkbox is outlined.](/assets/images/enterprise/site-admin-settings/enforce-default-org-membership-visibility-setting.png) -1. If you'd like to enforce your new visibility setting on all existing members, use the `ghe-org-membership-update` command-line utility. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-org-membership-update). +1. If you'd like to enforce your new visibility setting on all existing members, use the `ghe-org-membership-update` command-line utility. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-org-membership-update). diff --git a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise.md index 4f77cf80d317..b483ed6d844b 100644 --- a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise.md @@ -53,4 +53,4 @@ As part of the downgrade to the free plan: ## Further reading -* [AUTOTITLE](/admin/overview/about-enterprise-accounts) +* [AUTOTITLE](/admin/concepts/enterprise-fundamentals/enterprise-accounts) diff --git a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/restoring-a-deleted-organization.md b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/restoring-a-deleted-organization.md index 33fc9ed18084..2e6beb794da3 100644 --- a/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/restoring-a-deleted-organization.md +++ b/content/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/restoring-a-deleted-organization.md @@ -16,7 +16,7 @@ category: You can use the site admin dashboard to restore an organization that was previously deleted on {% data variables.location.product_location %}, as long as the audit log Elasticsearch indices contain the data for the `org.delete` event. -Immediately after you restore an organization, the organization will not be exactly the same as it was prior to the deletion. You'll have to manually restore any repositories that were owned by the organization. For more information, see [AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/restoring-a-deleted-repository). +Immediately after you restore an organization, the organization will not be exactly the same as it was prior to the deletion. You'll have to manually restore any repositories that were owned by the organization. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/restoring-a-deleted-repository). You can also use the audit log to help you manually re-add teams and organization members. For more information, see [Restoring members and teams](#restoring-members-and-teams). @@ -31,7 +31,7 @@ You can also use the audit log to help you manually re-add teams and organizatio ## Restoring members and teams -You can use the audit log to find a list of the previous members and teams of the organization, then recreate them manually. For more information about using the audit log, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/auditing-users-across-your-enterprise). +You can use the audit log to find a list of the previous members and teams of the organization, then recreate them manually. For more information about using the audit log, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/auditing-users-across-your-enterprise). In all the search phrases below, replace ORGANIZATION with the name of the organization and TEAM with the name of the team. diff --git a/content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/restoring-a-deleted-repository.md b/content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/restoring-a-deleted-repository.md index c48c18f4fab7..d3dabbcfd7dd 100644 --- a/content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/restoring-a-deleted-repository.md +++ b/content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/restoring-a-deleted-repository.md @@ -13,7 +13,7 @@ category: ## About repository restoration -Usually, if someone deletes a repository, it will be available on disk for 90 days and can be restored via the site admin dashboard. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/site-admin-dashboard). +Usually, if someone deletes a repository, it will be available on disk for 90 days and can be restored via the site admin dashboard. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-web-ui). Unless a legal hold is in effect on a user or organization, after 90 days the repository is purged and deleted forever. @@ -34,4 +34,4 @@ Restoring a repository will not restore release attachments or team permissions. ## Further reading -* [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/placing-a-legal-hold-on-a-user-or-organization) +* [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/placing-a-legal-hold-on-a-user-or-organization) diff --git a/content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise.md index 73686a64d9ea..884d3f677124 100644 --- a/content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise.md @@ -14,7 +14,7 @@ category: If your enterprise uses {% data variables.product.prodname_emus %}, and you've allowed users to create repositories owned by their user accounts, you can view all user-owned repositories within your enterprise. -You can also temporarily access any user-owned repository. For more information, see [AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise). +You can also temporarily access any user-owned repository. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise). {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.policies-tab %} diff --git a/content/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles.md b/content/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles.md index 844cc4658d36..554940a8cfcb 100644 --- a/content/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles.md +++ b/content/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles.md @@ -60,7 +60,7 @@ Enterprise owners have complete control over the enterprise and can take every a * Managing billing settings{% endif %} * Managing security settings -Enterprise owners do not have access to organization settings or content by default, but they can gain access by joining any organization. See [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). +Enterprise owners do not have access to organization settings or content by default, but they can gain access by joining any organization. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). {% ifversion ghec %} @@ -82,10 +82,10 @@ Billing managers do not have access to organization settings or content by defau {% data variables.product.prodname_github_app %} managers: -* Can view, create, edit, and delete {% data variables.product.prodname_github_app %} registrations that are owned by the enterprise. For the specific app settings that {% data variables.product.prodname_github_app %} managers can control, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app). +* Can view, create, edit, and delete {% data variables.product.prodname_github_app %} registrations that are owned by the enterprise. For the specific app settings that {% data variables.product.prodname_github_app %} managers can control, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app-registration). * Cannot install and uninstall {% data variables.product.prodname_github_apps %} on an enterprise or organization. -App managers can also be assigned to individual apps. See [AUTOTITLE](/admin/managing-your-enterprise-account/adding-and-removing-github-app-managers-in-your-enterprise). +App managers can also be assigned to individual apps. See [AUTOTITLE](/admin/managing-github-apps-for-your-enterprise/adding-and-removing-github-app-managers-in-your-enterprise). {% endif %} @@ -160,6 +160,6 @@ To create a custom enterprise role, see [AUTOTITLE](/admin/managing-accounts-and ## Next steps -When you have decided which roles your users require, assign the roles to them. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/assign-roles). +When you have decided which roles your users require, assign the roles to them. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/assign-roles). {% endif %} diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/deleting-users-from-your-instance.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/deleting-users-from-your-instance.md index 299a20c2d5d4..d4952d2ef6e6 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/deleting-users-from-your-instance.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/deleting-users-from-your-instance.md @@ -23,7 +23,7 @@ Once a user account has been deleted, the username will be available for use wit You cannot delete a user that is currently an **organization owner**. * **If the user is the only owner:** Transfer ownership to another person, or delete the organization. See [AUTOTITLE](/organizations/managing-organization-settings/transferring-organization-ownership) and [AUTOTITLE](/organizations/managing-organization-settings/deleting-an-organization-account). -* **If there are other owners:** Remove the user from the organization. See [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/removing-yourself-from-an-organization). +* **If there are other owners:** Remove the user from the organization. See [AUTOTITLE](/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-organization). You cannot delete **your own user account**. If you need to delete your own user account, ask another site administrator to delete your account for you. diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators.md index 912c4f15aec1..71eef5c64767 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators.md @@ -85,7 +85,7 @@ When guest collaborators are enabled in your IdP, you can use SCIM to provision * If you use a partner IdP, use the "Roles" attribute in the {% data variables.product.prodname_emus %} application. * If you use the SCIM endpoints of {% data variables.product.company_short %}'s REST API to provision users, use the `roles` user attribute. -For more information about partner IdPs and other identity management systems, see [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems). +For more information about partner IdPs and other identity management systems, see [AUTOTITLE](/admin/concepts/identity-and-access-management/enterprise-managed-users#identity-management-systems). ## Giving guest collaborators access to resources @@ -96,7 +96,7 @@ When you have added a guest collaborator to your enterprise, you can add the use To give the user access to repositories in an organization, add the user as a **member of the organization**. * As for all members, the base permission policy for the organization determines whether the user has access to internal and private repositories by default. See [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization). -* Guest collaborators can be members of IdP groups that are connected to {% data variables.product.prodname_dotcom %} teams, and will be added to the organization via SCIM, just like other enterprise members. See [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups). +* Guest collaborators can be members of IdP groups that are connected to {% data variables.product.prodname_dotcom %} teams, and will be added to the organization via SCIM, just like other enterprise members. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups). ### Add the user to a repository @@ -108,5 +108,5 @@ This gives the user access to the repository without giving them access to other * [Tutorial: Configure GitHub Enterprise Managed User for automatic user provisioning](https://learn.microsoft.com/en-us/entra/identity/saas-apps/github-enterprise-managed-user-provisioning-tutorial) in the Entra ID documentation * [Configure PingFederate for provisioning and SSO](https://docs.pingidentity.com/integrations/github/github_emu_provisioner/pf_gh_emu_configure_pf_for_provisioning_and_sso.html) in the PingIdentity documentation -* [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-with-okta) -* [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api) +* [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-with-okta) +* [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api) diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md index 2f2ecaff4ab0..127bdcf88f7f 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md @@ -31,7 +31,7 @@ You can also use {% data variables.product.prodname_dotcom %}'s APIs to retrieve Organization owners can also export membership information for an organization. For more information, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/exporting-member-information-for-your-organization). -The membership information report includes everyone associated with the enterprise, regardless of whether they consume a license. This report is useful for reviewing current enterprise membership, permissions, and roles for all individuals currently associated with the enterprise. For information about current and billable licenses, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise). +The membership information report includes everyone associated with the enterprise, regardless of whether they consume a license. This report is useful for reviewing current enterprise membership, permissions, and roles for all individuals currently associated with the enterprise. For information about current and billable licenses, see [AUTOTITLE](/billing/how-tos/manage-plan-and-licenses/view-enterprise-usage). ## Exporting a membership information report diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/invite-users-directly.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/invite-users-directly.md index af528e62b616..1e2108da6e47 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/invite-users-directly.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/invite-users-directly.md @@ -11,7 +11,7 @@ category: - Manage accounts and repositories --- -You can invite people directly to your enterprise as **unaffiliated users**. You can then add these users to organizations or enterprise teams and assign {% data variables.product.prodname_copilot_short %} licenses to them. For more information about unaffiliated users, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise#unaffiliated-users). +You can invite people directly to your enterprise as **unaffiliated users**. You can then add these users to organizations or enterprise teams and assign {% data variables.product.prodname_copilot_short %} licenses to them. For more information about unaffiliated users, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles#unaffiliated-users). ## Inviting users @@ -21,6 +21,6 @@ You can invite people directly to your enterprise as **unaffiliated users**. You ## Next steps -* To add users to organizations, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/managing-organization-members-in-your-enterprise). +* To add users to organizations, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization). * To add users to an enterprise team, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/create-enterprise-teams). * To assign {% data variables.product.prodname_copilot_short %} licenses, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-access/grant-access). diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise.md index 97d7ccc2bcbf..9ac0585c50df 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise.md @@ -20,16 +20,16 @@ category: ## About administrator management -{% ifversion ghec %}If you do not use {% data variables.product.prodname_emus %}, you{% else %}You{% endif %} can add or remove enterprise owners{% ifversion ghec %} and billing managers{% endif %} in your enterprise. For more information about the privileges that come with each enterprise role, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise). +{% ifversion ghec %}If you do not use {% data variables.product.prodname_emus %}, you{% else %}You{% endif %} can add or remove enterprise owners{% ifversion ghec %} and billing managers{% endif %} in your enterprise. For more information about the privileges that come with each enterprise role, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles). {% ifversion ghes %} -If you want to manage enterprise owners and billing managers for an enterprise account on {% data variables.product.prodname_dotcom_the_website %}, see [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise). +If you want to manage enterprise owners and billing managers for an enterprise account on {% data variables.product.prodname_dotcom_the_website %}, see [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise). {% endif %} {% ifversion ghec %} -If you do use {% data variables.product.prodname_emus %}, enterprise owners and billing managers can only be added or removed through your identity provider. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). +If you do use {% data variables.product.prodname_emus %}, enterprise owners and billing managers can only be added or removed through your identity provider. For more information, see [AUTOTITLE](/admin/concepts/identity-and-access-management/enterprise-managed-users). {% endif %} @@ -37,7 +37,7 @@ If you do use {% data variables.product.prodname_emus %}, enterprise owners and {% ifversion ghec %}After you invite someone to join the enterprise account, they must accept the emailed invitation before they can access the enterprise account. Pending invitations will expire after 7 days.{% endif %} -You can see all pending invitations to become an administrator of your enterprise account. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-pending-invitations). +You can see all pending invitations to become an administrator of your enterprise account. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-pending-invitations). {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.people-tab %} diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator.md index bca52a5f454a..5e27d1f855ae 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator.md @@ -15,7 +15,7 @@ category: - Manage accounts and repositories --- -> [!NOTE] For information about promoting a user to an organization owner, see the `ghe-org-admin-promote` section of [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-org-admin-promote). +> [!NOTE] For information about promoting a user to an organization owner, see the `ghe-org-admin-promote` section of [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-org-admin-promote). ## Considerations with external authentication @@ -45,8 +45,8 @@ If you use certain external authentication features, you may not be able to mana ## Promoting a user from the command line -1. [SSH](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh) into your appliance. -1. Run [ghe-user-promote](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-user-promote) with the username to promote. +1. [SSH](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh) into your appliance. +1. Run [ghe-user-promote](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-user-promote) with the username to promote. ```shell ghe-user-promote USERNAME @@ -54,8 +54,8 @@ If you use certain external authentication features, you may not be able to mana ## Demoting a site administrator from the command line -1. [SSH](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh) into your appliance. -1. Run [ghe-user-demote](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-user-demote) with the username to demote. +1. [SSH](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh) into your appliance. +1. Run [ghe-user-demote](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-user-demote) with the username to demote. ```shell ghe-user-demote USERNAME diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md index 46003d3b8797..3a585463d2a9 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md @@ -36,11 +36,11 @@ fatal: The remote end hung up unexpectedly ## Scenarios where you cannot suspend users -Before suspending site administrators, you must demote them to regular users. See [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator). +Before suspending site administrators, you must demote them to regular users. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator). If you use certain external authentication features, you cannot manage user suspension from the site admin dashboard or command line: -* If LDAP Sync is enabled for {% data variables.location.product_location %}, users are automatically suspended based on the scenarios that are described in [AUTOTITLE](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync). +* If LDAP Sync is enabled for {% data variables.location.product_location %}, users are automatically suspended based on the scenarios that are described in [AUTOTITLE](/admin/managing-iam/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync). * If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#provisioning-users-with-the-rest-api). ## Viewing suspended users in the site admin dashboard @@ -74,7 +74,7 @@ As when suspending a user, unsuspending a user takes effect immediately. The use ## Suspending a user from the command line {% data reusables.enterprise_installation.ssh-into-instance %} -1. Run [ghe-user-suspend](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-user-suspend) with the username to suspend. +1. Run [ghe-user-suspend](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-user-suspend) with the username to suspend. ```shell ghe-user-suspend USERNAME @@ -97,7 +97,7 @@ You can create a custom message that suspended users will see when attempting to ## Unsuspending a user from the command line {% data reusables.enterprise_installation.ssh-into-instance %} -1. Run [ghe-user-unsuspend](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-user-unsuspend) with the username to unsuspend. +1. Run [ghe-user-unsuspend](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-user-unsuspend) with the username to unsuspend. ```shell ghe-user-unsuspend USERNAME diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md index 624f65f6ed36..2cc824971da4 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md @@ -23,7 +23,7 @@ When you enable SAML single sign-on for your enterprise account, each enterprise {% ifversion ghec %} -If your enterprise is uses {% data variables.product.prodname_emus %}, your members will use accounts provisioned through your IdP. {% data variables.enterprise.prodname_managed_users_caps %} will not use their existing user account on {% data variables.product.github %}. For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). +If your enterprise uses {% data variables.product.prodname_emus %}, your members will use accounts provisioned through your IdP. {% data variables.enterprise.prodname_managed_users_caps %} will not use their existing user account on {% data variables.product.github %}. For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/concepts/identity-and-access-management/enterprise-managed-users). {% endif %} diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md index 532b7e2205c4..b450d248f311 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md @@ -31,12 +31,12 @@ If {% data variables.product.prodname_github_connect %} is configured for your e * The filter for two-factor authentication (2FA) status does not show people who only have an account on a {% data variables.product.prodname_ghe_server %} instance. * If you combine the filter for accounts on {% data variables.product.prodname_ghe_server %} instances with either the filter for organizations or 2FA status, you will not see any results. -For more information about {% data variables.product.prodname_github_connect %}, see [AUTOTITLE](/enterprise-server@latest/admin/configuration/configuring-github-connect/about-github-connect) in the {% data variables.product.prodname_ghe_server %} documentation. +For more information about {% data variables.product.prodname_github_connect %}, see [AUTOTITLE](/enterprise-server@latest/admin/configuring-settings/configuring-github-connect/about-github-connect) in the {% data variables.product.prodname_ghe_server %} documentation. {% endif %} {% ifversion enterprise-member-csv %} -You can also export membership information for your enterprise. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise). +You can also export membership information for your enterprise. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise). {% endif %} ## Viewing enterprise administrators @@ -44,10 +44,10 @@ You can also export membership information for your enterprise. For more informa You can view all the current enterprise owners{% ifversion ghec %} and billing managers{% endif %} for your enterprise. You can see useful information about each administrator{% ifversion ghec %} and filter the list by role{% endif %}. You can find a specific person by searching for their username or display name. {% ifversion ghes %} -Enterprise owners whose accounts are suspended are included in the list of enterprise administrators, and are identified as suspended. You should consider demoting any suspended owners you see. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator#demoting-a-site-administrator-from-the-enterprise-settings). +Enterprise owners whose accounts are suspended are included in the list of enterprise administrators, and are identified as suspended. You should consider demoting any suspended owners you see. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator#demoting-a-site-administrator-from-the-enterprise-settings). {% endif %} -You can also remove an administrator. For more information. see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#removing-an-enterprise-administrator-from-your-enterprise-account). +You can also remove an administrator. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#removing-an-enterprise-administrator-from-your-enterprise-account). {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.people-tab %} @@ -60,23 +60,23 @@ You can see all the current members for your enterprise. You can see useful info You can find a specific person by searching for the person's username or display name. To view more information about the person's access to your enterprise, such as the organizations the person belongs to, you can select the person's name. {% ifversion remove-enterprise-members %} -You can also remove any enterprise member from all organizations owned by the enterprise. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/removing-a-member-from-your-enterprise). +You can also remove any enterprise member from all organizations owned by the enterprise. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/removing-a-member-from-your-enterprise). {% endif %} {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.people-tab %} {% ifversion enterprise-member-csv %} -1. Optionally, to export the list of members as a CSV report, select **CSV report**. For more information about the information included in the report, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise).{% endif %} +1. Optionally, to export the list of members as a CSV report, select **CSV report**. For more information about the information included in the report, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise).{% endif %} ### About the membership overview -On the "Members" page, you will find an overview of the number of members in your enterprise, grouped by role{% ifversion ghec %}, type of license consumed, and the type of deployment the member is on. The following sections explain how the numbers in this overview are calculated. +On the "Members" page, you will find an overview of the number of members in your enterprise, grouped by role{% ifversion ghec %}, type of license consumed, and the type of deployment the member is on{% endif %}. The following sections explain how the numbers in this overview are calculated. -If your enterprise uses both {% data variables.product.prodname_ghe_cloud %} and {% data variables.product.prodname_ghe_server %}, to get accurate data about your members and licenses across your deployments, you will need to enable {% data variables.product.prodname_github_connect %} and synchronize license usage. For more information, see [AUTOTITLE](/enterprise-server@latest/admin/configuration/configuring-github-connect/about-github-connect) in the {% data variables.product.prodname_ghe_server %} documentation. +If your enterprise uses both {% data variables.product.prodname_ghe_cloud %} and {% data variables.product.prodname_ghe_server %}, to get accurate data about your members and licenses across your deployments, you will need to enable {% data variables.product.prodname_github_connect %} and synchronize license usage. For more information, see [AUTOTITLE](/enterprise-server@latest/admin/configuring-settings/configuring-github-connect/about-github-connect) in the {% data variables.product.prodname_ghe_server %} documentation. #### Roles -The "Roles" column groups members by their role in the enterprise{% endif %}. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise). +The "Roles" column groups members by their role in the enterprise. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles). If a user has multiple roles in an enterprise, the user is counted once for each role. For example, if the same user is a member of three organizations and an owner of two organizations, the user counts once towards "Organization member" and once towards "Organization owner." @@ -86,11 +86,11 @@ An "outside collaborator" is a user who has access to a repository in an organiz #### User licenses consumed -The "User licenses consumed" column shows you how licenses are consumed in your enterprise. For more information, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/about-licenses-for-github-enterprise). +The "User licenses consumed" column shows you how licenses are consumed in your enterprise. For more information, see [AUTOTITLE](/billing/concepts/enterprise-billing/combined-enterprise-use). If there are outside collaborators in your enterprise, the "total consumed" number of licenses may be larger than the number of people listed for your enterprise. An outside collaborator consumes a license, but is not counted in the total member count displayed next to "people in YOUR-ENTERPRISE". A pending invitation to an outside collaborator also consumes a license, but is not counted in the "By invitations" count in the overview. -For more information about how license usage is calculated across deployments, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise#about-the-calculation-of-consumed-licenses). +For more information about how license usage is calculated across deployments, see [AUTOTITLE](/billing/how-tos/troubleshooting/enterprise-license-usage#about-the-calculation-of-consumed-licenses). #### Deployment @@ -107,7 +107,7 @@ You may be able to view the email addresses for members of your enterprise on ei * If you use {% data variables.product.prodname_emus %} and the `NameID` for your SAML configuration is an email address, you can view the `NameID` for each of your enterprise members. -* If you verify a domain for your enterprise, you can view members' email addresses for the verified domain. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise). +* If you verify a domain for your enterprise, you can view members' email addresses for the verified domain. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise). > [!NOTE] > Email addresses for verified domains are not returned in a guaranteed order. If a member has email addresses for multiple verified domains, old or stale email addresses may remain after an IdP change. The list of verified domain email addresses cannot reliably identify the member's canonical or current corporate email address. @@ -116,15 +116,15 @@ You may be able to view the email addresses for members of your enterprise on ei If you use {% data variables.product.prodname_emus %}, verify a domain, or configure SAML SSO for your enterprise, you may be able to view the email addresses in one or more of the following ways. -1. On your SAML Identity Provider (IdP), review the email addresses of users with access to your enterprise. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam). +1. On your SAML Identity Provider (IdP), review the email addresses of users with access to your enterprise. For more information, see [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-saml-for-enterprise-iam). 1. Export the membership report for your enterprise on {% data variables.product.prodname_dotcom %}. The report may contain the user's email address, stored as the following values. - * `GitHub com saml name`: The `NameID` from the user's linked SAML identity, which is typically the user's email address (for more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/saml-configuration-reference)) - * `GitHub com verified domain emails`: Email addresses for any verified domains (for more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)) + * `GitHub com saml name`: The `NameID` from the user's linked SAML identity, which is typically the user's email address (for more information, see [AUTOTITLE](/admin/managing-iam/iam-configuration-reference/saml-configuration-reference)) + * `GitHub com verified domain emails`: Email addresses for any verified domains (for more information, see [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)) The `GitHub com verified domain emails` value is unordered. Emails may be returned in a non-deterministic order, and you cannot request priority, sorting, or filtering for the user's current email address. - For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise). + For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise). {% data reusables.saml.use-api-to-get-externalidentity %} {% endif %} @@ -150,7 +150,7 @@ In the list of pending members, for any individual account, you can cancel all i > [!NOTE] > If an invitation was provisioned via SCIM, you must cancel the invitation via your identity provider (IdP) instead of on {% data variables.product.prodname_dotcom %}. -If you use {% data variables.visual_studio.prodname_vss_ghe %}, the list of pending invitations includes all {% data variables.product.prodname_vs %} subscribers that haven't joined any of your organizations on {% data variables.product.prodname_dotcom %}, even if the subscriber does not have a pending invitation to join an organization. For more information about how to get {% data variables.product.prodname_vs %} subscribers access to {% data variables.product.prodname_enterprise %}, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/setting-up-visual-studio-subscriptions-with-github-enterprise). +If you use {% data variables.visual_studio.prodname_vss_ghe %}, the list of pending invitations includes all {% data variables.product.prodname_vs %} subscribers that haven't joined any of your organizations on {% data variables.product.prodname_dotcom %}, even if the subscriber does not have a pending invitation to join an organization. For more information about how to get {% data variables.product.prodname_vs %} subscribers access to {% data variables.product.prodname_enterprise %}, see [AUTOTITLE](/billing/how-tos/set-up-payment/set-up-vs-subscription). {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.people-tab %} @@ -175,11 +175,11 @@ If your enterprise uses {% ifversion ghec %}{% data variables.product.prodname_e ## Viewing dormant users -You can view a list of all dormant users {% ifversion ghes %} who have not been suspended and {% endif %}who are not site administrators. {% data reusables.enterprise-accounts.dormant-user-activity-threshold %} For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/managing-dormant-users). +You can view a list of all dormant users {% ifversion ghes %} who have not been suspended and {% endif %}who are not site administrators. {% data reusables.enterprise-accounts.dormant-user-activity-threshold %} For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/managing-dormant-users). ## Filtering by member type{% ifversion ghec %} in an {% data variables.enterprise.prodname_emu_enterprise %}{% endif %} -{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, you{% elsif ghes %}You{% endif %} can filter the member list of an organization by type to determine if memberships are managed through an IdP or managed directly. Memberships managed through an IdP were added through an IdP group, and the IdP group was connected to a team within the organization. Memberships managed directly were added to the organization manually. The way a membership is managed in an organization determines how it must be removed. You can use this filter to determine how members were added to an organization, so you know how to remove them.{% ifversion ghec %} For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#about-organization-membership-management).{% endif %} +{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, you{% elsif ghes %}You{% endif %} can filter the member list of an organization by type to determine if memberships are managed through an IdP or managed directly. Memberships managed through an IdP were added through an IdP group, and the IdP group was connected to a team within the organization. Memberships managed directly were added to the organization manually. The way a membership is managed in an organization determines how it must be removed. You can use this filter to determine how members were added to an organization, so you know how to remove them.{% ifversion ghec %} For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/concepts/identity-and-access-management/enterprise-managed-users#about-organization-membership-management).{% endif %} {% data reusables.enterprise-accounts.access-enterprise %} 1. Under "Organizations", in the search bar, begin typing the organization's name until it appears in the search results. @@ -254,4 +254,4 @@ You can see which people in your enterprise have enabled two-factor authenticati ## Further reading -* [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise) +* [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles) diff --git a/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/disabling-authentication-and-provisioning-for-enterprise-managed-users.md b/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/disabling-authentication-and-provisioning-for-enterprise-managed-users.md index de08eddc059e..eaa600e65640 100644 --- a/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/disabling-authentication-and-provisioning-for-enterprise-managed-users.md +++ b/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/disabling-authentication-and-provisioning-for-enterprise-managed-users.md @@ -21,12 +21,16 @@ After you disable SAML or OIDC authentication for your enterprise, the following * All external identities for the enterprise, and associated email addresses for {% data variables.enterprise.prodname_managed_users %}, will be removed. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise). * All {% data variables.enterprise.prodname_managed_users %} will be suspended. The suspended accounts will not be renamed. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-suspended-members). -* All {% data variables.product.pat_generic_plural %} and SSH keys associated with {% data variables.enterprise.prodname_managed_users %} will be deleted. +* {% data variables.product.pat_v1_caps_plural %}, SSH keys, {% data variables.product.prodname_oauth_app %} authorizations, and {% data variables.product.prodname_github_app %} user-to-server tokens associated with {% data variables.enterprise.prodname_managed_users %} will be deleted. +* {% data variables.product.pat_v2_caps_plural %} are not deleted, but they stop working while the accounts are suspended. * All of the external groups provisioned by SCIM will be deleted. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups). +Resources owned by an organization are not affected. {% data variables.product.prodname_actions %} secrets and {% data variables.product.prodname_github_app %} installations remain in place, so automation that authenticates as an installed {% data variables.product.prodname_github_app %}—rather than as a managed user—keeps working. + If you later reconfigure authentication for the enterprise, external groups must be reprovisioned via SCIM, and {% data variables.enterprise.prodname_managed_users %} must be reprovisioned before users can sign in. > [!NOTE] +> > * The authentication disabling process can require substantial time to complete for enterprises with a large number of members. > * Avatar data for {% data variables.enterprise.prodname_managed_users %} is permanently removed upon suspension. Reprovisioned users will need to reupload their avatar. @@ -38,6 +42,7 @@ If you want to migrate to a new identity provider (IdP) or tenant rather than di > Disabling authentication and provisioning will prevent your enterprise's {% data variables.enterprise.prodname_managed_users %} from signing in to access your enterprise on {% data variables.product.github %}. {% data reusables.emus.sign-in-as-setup-user %} + 1. Attempt to access your enterprise account, and use a recovery code to bypass SAML SSO or OIDC. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable). {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.identity-provider-tab %} diff --git a/content/admin/managing-iam/using-saml-for-enterprise-iam/disabling-saml-single-sign-on-for-your-enterprise.md b/content/admin/managing-iam/using-saml-for-enterprise-iam/disabling-saml-single-sign-on-for-your-enterprise.md index 76ec12b40cd8..9811144de436 100644 --- a/content/admin/managing-iam/using-saml-for-enterprise-iam/disabling-saml-single-sign-on-for-your-enterprise.md +++ b/content/admin/managing-iam/using-saml-for-enterprise-iam/disabling-saml-single-sign-on-for-your-enterprise.md @@ -15,9 +15,11 @@ category: After you disable SAML SSO for your enterprise, the following effects apply: -* All external identities for your enterprise will be removed. For more information, see - All external identities for the enterprise will be removed. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise). +* All external identities for your enterprise will be removed. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise). * Any SAML settings configured for individual organizations within the enterprise will take effect. For more information, see [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization). +{% data reusables.saml.credentials-persist-when-sso-disabled %} + ## Disabling SAML {% data reusables.enterprise-accounts.access-enterprise %} @@ -27,6 +29,7 @@ After you disable SAML SSO for your enterprise, the following effects apply: {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} + 1. Under "SAML single sign-on", deselect **Require SAML authentication**. 1. Click **Save**. diff --git a/content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/analyze-git-traffic.md b/content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/analyze-git-traffic.md new file mode 100644 index 000000000000..7d8bbaee5088 --- /dev/null +++ b/content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/analyze-git-traffic.md @@ -0,0 +1,285 @@ +--- +title: Analyzing Git traffic on your {% data variables.product.prodname_ghe_server %} instance +shortTitle: Analyze Git traffic +intro: 'Use Governor to identify Git traffic patterns that are driving load on your instance, so you can troubleshoot slow Git operations and reduce performance impact.' +versions: + ghes: '*' +contentType: how-tos +category: + - Monitor and audit your enterprise +--- + +## About Governor + +Governor is a built-in monitor for Git activity on your instance. Use the `ghe-governor` command to see which repositories, users, IP addresses, and Git operations are creating load. + +Use this data when CPU, memory, or disk usage increases and you need to confirm whether Git traffic is the cause. For command syntax and subcommands, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-governor). + +Governor records Git operations only. It does not include API or web traffic. To inspect operations currently running, see the `ghe-btop` utility in [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-btop). + +### About Governor data files + +Governor stores its data in files under `/data/user/governor/`. Each file holds one hour of data and is retained for two weeks. The file names contain Unix timestamps that indicate the time period each file covers. + +> [!NOTE] +> On {% data variables.product.prodname_ghe_server %} 3.13 and earlier, Governor data files are located under `/data/user/gitmon/` and use the naming pattern `gitmon..db`. + +To confirm the range of data currently held on disk, convert the timestamps in the earliest and latest file names to human-readable dates. + +```shell +for epoch in $(sudo ls /data/user/governor/ 2>/dev/null | grep '^governor\.' | sort | sed -n '1p;$p' | cut -f2 -d.); do echo "${epoch} = $(date -d @${epoch})"; done +``` + +The output shows the start time of the earliest and latest data files. + +```text +1551186000 = Tue Feb 26 13:00:00 UTC 2019 +1552392000 = Tue Mar 12 12:00:00 UTC 2019 +``` + +## Before you start + +Before you run Governor queries, gather this information: + +* **SSH access to the appliance.** You need access to the administrative shell to run `ghe-governor`. See [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/accessing-the-administrative-shell-ssh). +* **Which node to query.** For standalone or high-availability deployments, start on the primary node. For clusters, run queries on each `git-server` node because no single node contains all Git traffic. +* **The impact window.** Note the start and end times of reported degradation so you can scope queries with `-t` and `-u`. +* **Repository or organization names**, if users have reported problems with specific repositories or organizations. + +## Identify whether Git is contributing to load + +Start with a broad summary, then attribute load to specific repositories or programs. + +* Summarize all recent Git activity on your instance: + + ```shell + ghe-governor health + ``` + +* Find repositories with the slowest average response time: + + ```shell + ghe-governor aggregate repo avg_rt + ``` + +* Find repositories with the longest single operation: + + ```shell + ghe-governor aggregate repo max_rt + ``` + +* Find the slowest individual operations (not grouped): + + ```shell + ghe-governor top rt -n 50 + ``` + +* Find the repositories consuming the most CPU time: + + ```shell + ghe-governor aggregate repo cpu + ``` + +* For a repository that stands out, find which Git subprogram is responsible for its CPU usage: + + ```shell + ghe-governor aggregate program cpu -r OWNER/REPOSITORY + ``` + +* Find the repositories where `pack-objects` consumed the most CPU time. The `pack-objects` program assembles data sent to clients during clones and fetches; a high count places significant CPU and memory pressure on the appliance: + + ```shell + ghe-governor aggregate repo cpu -P pack-objects + ``` + +* Find the individual operations that used the most CPU time (not grouped): + + ```shell + ghe-governor top cpu -n 50 + ``` + +* Find the repositories driving the most disk writes during a specific time interval: + + ```shell + ghe-governor aggregate repo disk_write_kb -t START-TIME -u END-TIME + ``` + +* Check for high concurrency, which indicates many Git operations running simultaneously: + + ```shell + ghe-governor aggregate repo max_parallelism + ``` + +If the results point to a specific repository or program, continue with the relevant section below. + +## Identify top clone and fetch traffic + +The `upload-pack` program handles data served to clients during clones and fetches. Use these queries to find which repositories, users, and IP addresses are driving the most clone and fetch activity. + +* Count clone and fetch operations by repository: + + ```shell + ghe-governor aggregate repo count -P upload-pack + ``` + +* Identify users running clones and fetches and count their operations: + + ```shell + ghe-governor aggregate user_id count -P upload-pack + ``` + +* Identify the IP addresses generating the most clone and fetch requests. A small set of IP addresses with a high count often indicates a CI runner fleet: + + ```shell + ghe-governor aggregate ip count -P upload-pack + ``` + +* Measure the total volume of data served per repository: + + ```shell + ghe-governor aggregate repo uploaded_kb -P upload-pack + ``` + +* Measure the average volume of data uploaded per user: + + ```shell + ghe-governor aggregate user_id avg_uploaded -P upload-pack + ``` + +* Find peak clone and fetch concurrency per repository. The `MAXPL` column shows the highest number of simultaneous operations recorded for each repository. A high value for a small number of repositories suggests a thundering herd: + + ```shell + ghe-governor aggregate repo max_parallelism -P upload-pack + ``` + +* Find the largest individual clone or fetch operations (not grouped): + + ```shell + ghe-governor top uploaded -P upload-pack -n 50 + ``` + +## Identify push-heavy traffic + +The `receive-pack` and `spokes-receive-pack` programs handle data received from clients during pushes. Use these queries to find which repositories, users, and IP addresses are generating the most push activity. + +* Count push operations by repository: + + ```shell + ghe-governor aggregate repo count -P receive-pack -P spokes-receive-pack + ``` + +* Identify users pushing to an organization and count their push operations: + + ```shell + ghe-governor aggregate user_id count -o ORGANIZATION -P receive-pack -P spokes-receive-pack + ``` + +* Measure the total volume of data received per repository: + + ```shell + ghe-governor aggregate repo received_kb -P receive-pack -P spokes-receive-pack + ``` + +* Identify IP addresses sending the most push data: + + ```shell + ghe-governor aggregate ip received_kb -P receive-pack -P spokes-receive-pack + ``` + +* Find the largest individual push operations (not grouped): + + ```shell + ghe-governor top received -P receive-pack -P spokes-receive-pack -n 50 + ``` + +## Narrow the analysis + +You can add any combination of the following options to a `ghe-governor top` or `ghe-governor aggregate` command to focus the query on a specific time window, repository, owner, or program. + +### Time filters + +| Option | Description | +| --- | --- | +| `-t ` | Consider only operations since a given start time. The default is 48 hours ago. | +| `-u ` | Consider only operations up to a given end time. The default is the current time. | + +The following formats are accepted for ``. + +| Format | Example | Meaning | +| --- | --- | --- | +| Unix timestamp | `-t 1371614483` | Seconds since January 1, 1970 | +| Java timestamp | `-t 1371614483637` | Milliseconds since January 1, 1970 | +| Relative days | `-t 1d` | The last day | +| Relative hours | `-t 2h` | The last two hours | +| Relative minutes | `-t 20m` | The last twenty minutes | + +### Scope filters + +| Option | Description | +| --- | --- | +| `-r /` | Consider only operations matching a given owner and repository. Specify this option multiple times to match several repositories. | +| `-o ` | Consider only operations matching a given owner, such as a user or organization. Specify this option multiple times to match several owners. | +| `-P ` | Consider only operations that ran a given Git subprogram, such as `upload-pack`, `receive-pack`, `rev-list`, or `pack-objects`. Specify this option multiple times to match several programs. | +| `-I
` | Consider only operations from a specific IP address. Specify this option multiple times to match several addresses. | + +### Output options + +| Option | Description | +| --- | --- | +| `-j` | Set the output format to JSON instead of an ASCII table. | +| `-n ` | Limit the output to N records. The default is 20 for aggregate queries and 200 for top queries. | +| `--count-only` | Show only the `KEY` and `COUNT` columns. Applies to aggregate queries only. | + +### Interpreting result columns + +The following abbreviations appear in `ghe-governor` result tables. + +| Column | Meaning | +| --- | --- | +| `AVG RT` | Average time, in seconds, that Git invocations took | +| `MAX RT` | Running time, in seconds, of the longest-running invocation, per host | +| `MAXPL` / `AVGPL` | Maximum and average parallelism: how many Git invocations were outstanding at one time | +| `CPU/SEC` | Seconds of CPU time used by Git per second of wall-clock time. Divide by the number of CPU cores and multiply by 100 to get the Git-specific CPU percentage. This value cannot exceed the number of CPU cores. | +| `UPL` | Data the server uploaded to clients, such as during fetches and clones | +| `RECV` | Data the server received from clients, such as during pushes | + +The `READ`, `WRITE`, `UPL`, and `RECV` columns are reported in gigabytes (GB), and the corresponding rate is reported in megabytes per second (MB/s). + +## Interpret common patterns + +The following table maps common Governor output patterns to their likely causes. + +| Pattern | Likely cause | +| --- | --- | +| High `upload-pack` count from a small set of IP addresses | A CI runner fleet is repeatedly cloning one or more repositories instead of reusing local checkouts | +| High `max_parallelism` for a small number of repositories | Thundering herd: many runners triggering concurrent clones at the same time, often because scheduled jobs start simultaneously | +| Large `uploaded_kb` per repository combined with high `avg_uploaded` per user | Repeated full clones; clients are not reusing local checkouts or are not using shallow or partial clones | +| High `received_kb` for a repository or organization | Push-intensive workload; may involve large binary files or frequent commits to a monorepo | +| High `pack-objects` CPU with moderate operation counts | Expensive object packing; the repository may benefit from a maintenance run or from client-side use of partial clones with `--filter` | +| High `avg_rt` or `max_rt` for a repository | Slow operations; often caused by large `pack-objects` runs, high concurrency, or resource contention from another workload | + +## Recommended actions for Git load reduction + +If Governor data shows that a repository, user, or runner fleet is generating excessive load, the following actions can reduce the impact. + +* **Reuse local checkouts.** Replace fresh clones with `git fetch` in automated workflows. This avoids transferring the full object graph on each run. +* **Use shallow clones.** For workflows that do not require full commit history, pass `--depth` to the clone command, for example `git clone --depth 1`. This reduces both the data transferred and the work `pack-objects` must do. +* **Use partial clones.** For repositories with large binary objects or many files not needed in a given workflow, use `--filter` to request only the objects the workflow requires, for example `git clone --filter=blob:none`. +* **Add a local mirror or caching proxy.** For large runner fleets that clone the same repositories repeatedly, a pull-through proxy or local mirror can absorb fetch traffic and reduce load on your instance. +* **Stagger scheduled jobs.** Offset CI/CD workflows triggered on a schedule so that not all runners start at the same time, reducing the size of concurrent clone bursts. +* **Reduce workflow parallelism.** Workflows that clone multiple repositories in parallel can be reconfigured to limit concurrency and spread the load over time. + +## When to contact {% data variables.product.company_short %} Support + +Contact {% data variables.contact.contact_ent_support %} and include a support bundle if any of the following apply. + +* Performance remains degraded after reducing clone pressure or staggering scheduled jobs. +* Your instance is serving widespread Git errors or connection failures that are not explained by client workload. +* Governor shows persistent `max_parallelism` values suggesting the instance is at or near capacity, and workload changes alone are unlikely to resolve the issue. +* You see a clear pattern in Governor output but are uncertain how to interpret it or what action to take. + +For more information about generating a support bundle, see [AUTOTITLE](/support/contacting-github-support/providing-data-to-github-support#creating-and-sharing-support-bundles). + +## Further reading + +For more information about monitoring system resources, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-the-monitor-dashboards). diff --git a/content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/index.md b/content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/index.md index a2e2ca87d641..df62e91f7864 100644 --- a/content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/index.md +++ b/content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/index.md @@ -14,6 +14,7 @@ versions: children: - /about-monitoring-your-instance - /about-the-monitor-dashboards + - /analyze-git-traffic - /recommended-alert-thresholds - /opentelemetry-metrics - /collectd-metrics @@ -24,4 +25,4 @@ children: - /generating-a-health-check-for-your-enterprise shortTitle: Monitor your instance ---- \ No newline at end of file +--- diff --git a/content/billing/concepts/product-billing/github-code-quality.md b/content/billing/concepts/product-billing/github-code-quality.md index 9db9e1d7e417..a0c4c1918d1e 100644 --- a/content/billing/concepts/product-billing/github-code-quality.md +++ b/content/billing/concepts/product-billing/github-code-quality.md @@ -17,7 +17,7 @@ category: -## How use of {% data variables.product.prodname_code_quality %} is measured +## How {% data variables.product.prodname_code_quality %} billing is measured @@ -27,11 +27,23 @@ category: When you scan private repositories during the {% data variables.release-phases.public_preview %}, you **will not be billed** for {% data variables.product.prodname_ai_credits_short %} or active committer usage, but {% data variables.product.prodname_actions %} minutes **will be consumed**. +#### Check {% data variables.product.prodname_actions %} usage during preview + To view consumption of actions by the `{% data variables.code-quality.workflow_name_billing %}` workflow, download a detailed usage report from the "Billing and licensing" tab. See [AUTOTITLE](/billing/how-tos/products/view-productlicense-use). > [!NOTE] > {% data reusables.code-quality.shared-workflow-preview %} +#### View your license estimate during preview + +During the {% data variables.release-phases.public_preview %}, you can preview your license cost for {% data variables.product.prodname_code_quality_short %} before charges begin on July 20, 2026. On the licensing page of the "Billing and licensing" tab, the **Consumed licenses** and **Estimated monthly payment** for {% data variables.product.prodname_code_quality_short %} show how many active committers would count toward your license and the estimated cost. + +Because active-committer counts use a rolling 90-day window, this estimate can still change before then. When {% data variables.product.prodname_code_quality_short %} becomes generally available, the same calculation applied to your then-current committers determines your bill. + +#### What the estimate includes and excludes + +The estimate only reflects the per-committer license cost. It does not include the {% data variables.product.prodname_actions %} minutes that {% data variables.product.prodname_codeql %} analysis consumes or usage-based charges for AI-powered capabilities such as {% data variables.copilot.copilot_autofix %}. It also reflects standard list pricing, so it does not account for any discounts that may apply to your account. + diff --git a/content/code-security/concepts/security-at-scale/security-overview.md b/content/code-security/concepts/security-at-scale/security-overview.md index 4b684ef15d18..9f7290d5374c 100644 --- a/content/code-security/concepts/security-at-scale/security-overview.md +++ b/content/code-security/concepts/security-at-scale/security-overview.md @@ -25,7 +25,7 @@ category: Security overview provides insights into the security of code stored in repositories in your organization. -* **All organizations** on {% data variables.product.prodname_team %} can use the free **{% data variables.product.prodname_secret_risk_assessment %}** to evaluate the exposure of their organization to leaked secrets, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization). +* **All organizations** on {% data variables.product.prodname_team %} can use the free **{% data variables.product.prodname_secret_risk_assessment %}** to evaluate the exposure of their organization to leaked secrets, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/viewing-your-security-risk-assessment-reports). * {% data variables.product.prodname_team %} accounts that purchase **{% data variables.product.prodname_GH_cs_or_sp %}** have access to views with additional insights. The information below describes the views available to organizations with {% data variables.product.prodname_GH_cs_or_sp %} that you can use to identify trends in detection, remediation, and prevention of security alerts and dig deep into the current state of your repositories. @@ -36,13 +36,13 @@ Security overview contains focused views where you can explore trends in detecti {% ifversion ghec %} All organizations on {% data variables.product.prodname_enterprise %} can use: -* **{% data variables.product.prodname_secret_risk_assessment_caps %}** to evaluate the exposure of their organization to leaked secrets, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization). +* **{% data variables.product.prodname_secret_risk_assessment_caps %}** to evaluate the exposure of their organization to leaked secrets, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/viewing-your-security-risk-assessment-reports). * **{% data variables.product.prodname_dependabot %}** data to evaluate the security of their supply chain in all repositories. {% else %} All organizations on {% data variables.product.prodname_enterprise %} can use {% data variables.product.prodname_dependabot %} data to evaluate the security of their supply chain in all repositories. {% endif %} -In addition, data for **{% data variables.product.prodname_AS %}** features, such as {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %}, is shown for organizations and enterprises that use {% data variables.product.prodname_GHAS_cs_or_sp %}{% ifversion ghec %}, and for public repositories{% endif %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies) and [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). +In addition, data for **{% data variables.product.prodname_AS %}** features, such as {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %}, is shown for organizations and enterprises that use {% data variables.product.prodname_GHAS_cs_or_sp %}{% ifversion ghec %}, and for public repositories{% endif %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies) and [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). {% endif %} @@ -51,10 +51,10 @@ In addition, data for **{% data variables.product.prodname_AS %}** features, suc > [!NOTE] > All views show information and metrics for the **default** branches of the repositories you have permission to view in an organization or enterprise. -The views are interactive with filters that allow you to look at the aggregated data in detail and identify sources of high risk, see security trends, and see the impact of pull request analysis on blocking security vulnerabilities entering your code. As you apply multiple filters to focus on narrower areas of interest, all data and metrics across the view change to reflect your current selection. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). +The views are interactive with filters that allow you to look at the aggregated data in detail and identify sources of high risk, see security trends, and see the impact of pull request analysis on blocking security vulnerabilities entering your code. As you apply multiple filters to focus on narrower areas of interest, all data and metrics across the view change to reflect your current selection. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/filtering-alerts-in-security-overview). {% ifversion security-overview-export-data %} -{% data reusables.security-overview.download-csv-files %} For more information, see [AUTOTITLE](/code-security/security-overview/exporting-data-from-security-overview). +{% data reusables.security-overview.download-csv-files %} For more information, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/export-data). {% endif %} There are dedicated views for each type of security alert. You can limit your analysis to a specific type of alert, and then narrow the results further with a range of filters specific to each view. For example, in the {% data variables.product.prodname_secret_scanning %} view, you can use the "Secret type" filter to view only {% data variables.secret-scanning.alerts %} for a specific secret, like a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}. @@ -70,25 +70,25 @@ You can find security overview on the **{% data variables.product.prodname_secur Security overview has multiple views that provide different ways to explore enablement and alert data. -* **Overview:** visualize trends in **Detection**, **Remediation**, and **Prevention** of security alerts. For information about accessing and using the dashboard, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights). For detailed explanations of metrics and calculations, see [AUTOTITLE](/code-security/reference/security-at-scale/security-overview-dashboard-metrics). -* **Risk:** explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets, see [AUTOTITLE](/code-security/security-overview/assessing-code-security-risk). -* **Coverage:** assess the adoption of security features across repositories in the organization, see [AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security).{% ifversion secret-risk-assessment %} -* **Assessments:** regardless of the enablement status of {% data variables.product.prodname_AS %} features, organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %} can run a free report to scan the code in the organization for leaked secrets, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/about-secret-risk-assessment).{% endif %}{% ifversion security-campaigns %} +* **Overview:** visualize trends in **Detection**, **Remediation**, and **Prevention** of security alerts. For information about accessing and using the dashboard, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights). For detailed explanations of metrics and calculations, see [AUTOTITLE](/code-security/reference/security-at-scale/overview-dashboard-metrics). +* **Risk:** explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-code-security-risk). +* **Coverage:** assess the adoption of security features across repositories in the organization, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/assessing-adoption-code-security).{% ifversion secret-risk-assessment %} +* **Assessments:** regardless of the enablement status of {% data variables.product.prodname_AS %} features, organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %} can run a free report to scan the code in the organization for leaked secrets, see [AUTOTITLE](/code-security/concepts/secret-security/secret-security-with-github).{% endif %}{% ifversion security-campaigns %} * **Campaigns:** coordinate and measure targeted remediation efforts, grouping related security tasks across repositories, assigning owners, and tracking progress toward defined risk‑reduction goals.{% endif %} * **Enablement:** see how quickly different teams are adopting security features. -* **{% data variables.product.prodname_codeql %} pull requests:** assess the impact of running {% data variables.product.prodname_codeql %} on pull requests and how development teams are resolving {% data variables.product.prodname_code_scanning %} alerts, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts).{% ifversion dependabot-metrics %} +* **{% data variables.product.prodname_codeql %} pull requests:** assess the impact of running {% data variables.product.prodname_codeql %} on pull requests and how development teams are resolving {% data variables.product.prodname_code_scanning %} alerts, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-pull-request-alerts).{% ifversion dependabot-metrics %} * **{% data variables.product.prodname_dependabot %}**: prioritize and track critical vulnerabilities by identifying, remediating, and measuring security improvements across repositories.{% endif %} -* **{% data variables.product.prodname_secret_scanning_caps %}:** find out which types of secret are blocked by push protection and which teams are bypassing push protection, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection) and [AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection). +* **{% data variables.product.prodname_secret_scanning_caps %}:** find out which types of secret are blocked by push protection and which teams are bypassing push protection, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-secret-scanning-push-protection) and [AUTOTITLE](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/review-bypass-requests). {% ifversion security-campaigns %} -You also create and manage security campaigns to remediate alerts from security overview, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns) and [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale). +You also create and manage security campaigns to remediate alerts from security overview, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/creating-managing-security-campaigns) and [AUTOTITLE](/code-security/tutorials/secure-your-organization/best-practice-fix-alerts-at-scale). {% endif %} ## About security overview for enterprises You can find security overview on the **{% data variables.product.prodname_security_and_quality_tab %}** tab for your enterprise. Each page displays aggregated and repository-specific security information for your enterprise. -Security overview for enterprises has multiple views that provide different ways to explore data, including an overview dashboard that visualizes alert trends. For information about the dashboard, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights) and [AUTOTITLE](/code-security/reference/security-at-scale/security-overview-dashboard-metrics). +Security overview for enterprises has multiple views that provide different ways to explore data, including an overview dashboard that visualizes alert trends. For information about the dashboard, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-security-insights) and [AUTOTITLE](/code-security/reference/security-at-scale/overview-dashboard-metrics). ## Access to data in security overview @@ -102,13 +102,13 @@ In general: Security overview displays data only for repositories you have permission to view, and some views or actions may be limited based on your role. -For detailed, role-by-role permission information, including which views are available and how repository access affects visibility, see [AUTOTITLE](/code-security/reference/permissions/security-overview-permissions). +For detailed, role-by-role permission information, including which views are available and how repository access affects visibility, see [AUTOTITLE](/code-security/reference/permissions/security-overview). ## Understanding dashboard data accuracy The overview dashboard displays metrics based on the current state of your repositories and the historical state of security alerts. This data model has important implications for data consistency: -**Data changes over time:** Dashboard metrics can change for the same historical time period when viewed at different times. This occurs when repositories are deleted, security advisories are modified, or other changes affect the underlying data. If you need consistent data for compliance reports or auditing purposes, use the audit log instead. See [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). +**Data changes over time:** Dashboard metrics can change for the same historical time period when viewed at different times. This occurs when repositories are deleted, security advisories are modified, or other changes affect the underlying data. If you need consistent data for compliance reports or auditing purposes, use the audit log instead. See [AUTOTITLE](/code-security/concepts/security-at-scale/audit-security-alerts). **Alert data is historical; repository attributes are current:** The dashboard tracks security alerts based on their historical state during the selected time period. However, repository filters (such as archived/active status) reflect the _current state_ of repositories. @@ -121,7 +121,7 @@ This design ensures alert trends accurately reflect security activity during the ## Further reading -* [AUTOTITLE](/code-security/getting-started/securing-your-repository){% ifversion fpt or ghec %} -* [AUTOTITLE](/code-security/securing-your-organization){% elsif ghes %} +* [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-repository){% ifversion fpt or ghec %} +* [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security){% elsif ghes %} * [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage){% endif %} -* [AUTOTITLE](/code-security/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale) +* [AUTOTITLE](/code-security/tutorials/adopting-github-advanced-security-at-scale/introduction-to-adopting-github-advanced-security-at-scale) diff --git a/content/code-security/concepts/security-at-scale/supply-chain-security.md b/content/code-security/concepts/security-at-scale/supply-chain-security.md index b48796c6232d..ca4d69aa7106 100644 --- a/content/code-security/concepts/security-at-scale/supply-chain-security.md +++ b/content/code-security/concepts/security-at-scale/supply-chain-security.md @@ -14,10 +14,10 @@ category: - Secure your dependencies --- -You can allow users to identify their projects' dependencies by enabling the dependency graph for {% data variables.product.prodname_ghe_server %}. For more information, see [Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise). +You can allow users to identify their projects' dependencies by enabling the dependency graph for {% data variables.product.prodname_ghe_server %}. For more information, see [Enabling the dependency graph for your enterprise](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/enable-dependency-graph). {% data reusables.dependency-review.dependency-review-enabled-ghes %} -You can also allow users to find and fix vulnerabilities in their code dependencies by enabling {% data variables.product.prodname_dependabot_alerts %} and {% data variables.product.prodname_dependabot_updates %}. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). +You can also allow users to find and fix vulnerabilities in their code dependencies by enabling {% data variables.product.prodname_dependabot_alerts %} and {% data variables.product.prodname_dependabot_updates %}. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise). -After you enable {% data variables.product.prodname_dependabot_alerts %}, you can view vulnerability data from the {% data variables.product.prodname_advisory_database %} on {% data variables.product.prodname_ghe_server %} and manually sync the data. For more information, see [AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/viewing-the-vulnerability-data-for-your-enterprise). +After you enable {% data variables.product.prodname_dependabot_alerts %}, you can view vulnerability data from the {% data variables.product.prodname_advisory_database %} on {% data variables.product.prodname_ghe_server %} and manually sync the data. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/view-vulnerability-data). diff --git a/content/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file.md b/content/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file.md index 23976473d5df..6b69ef5bc032 100644 --- a/content/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file.md +++ b/content/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file.md @@ -19,7 +19,7 @@ Without a `dependabot.yml` file, {% data variables.product.prodname_dependabot % The `dependabot.yml` file uses YAML syntax. If you're new to YAML and want to learn more, see [Learn YAML in five minutes](https://learnxinyminutes.com/yaml/). > [!NOTE] -> {% data variables.product.prodname_dependabot_alerts %} are configured in the repository or organization "Settings" tab and not in the `dependabot.yml` file, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). +> {% data variables.product.prodname_dependabot_alerts %} are configured in the repository or organization "Settings" tab and not in the `dependabot.yml` file, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-dependabot-alerts). ## What the `dependabot.yml` file does @@ -72,4 +72,4 @@ updates: ## Next step -* Configure your repository so that Dependabot automatically updates the packages you use, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-dependabot-version-updates) +* Configure your repository so that Dependabot automatically updates the packages you use, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates) diff --git a/content/code-security/concepts/supply-chain-security/automatic-dependabot-access-to-github-registries.md b/content/code-security/concepts/supply-chain-security/automatic-dependabot-access-to-github-registries.md index 92e33d314092..8661d3c173f2 100644 --- a/content/code-security/concepts/supply-chain-security/automatic-dependabot-access-to-github-registries.md +++ b/content/code-security/concepts/supply-chain-security/automatic-dependabot-access-to-github-registries.md @@ -34,11 +34,11 @@ Use automatic access to {% data variables.product.github %}-hosted registries wh * You want to reduce credential management overhead. * You want to avoid silent update failures caused by expired {% data variables.product.pat_generic_plural %}. -For third-party registries (such as Artifactory, Azure Artifacts, or Nexus), you can only use the `dependabot.yml` registry configuration or organization-level private registry settings. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot). +For third-party registries (such as Artifactory, Azure Artifacts, or Nexus), you can only use the `dependabot.yml` registry configuration or organization-level private registry settings. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries). ## How to enable automatic access -For each package that {% data variables.product.prodname_dependabot %} needs to read, you need to go to the package's settings page and add the repository that runs {% data variables.product.prodname_dependabot %} with **Read** access. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#configuring-private-github-hosted-registries). +For each package that {% data variables.product.prodname_dependabot %} needs to read, you need to go to the package's settings page and add the repository that runs {% data variables.product.prodname_dependabot %} with **Read** access. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries#configuring-private-github-hosted-registries). Once the repository has been granted access, {% data variables.product.prodname_dependabot %} can pull from that package automatically. You do not need to configure the `dependabot.yml` file, and you can remove any existing {% data variables.product.pat_generic %}-based registry entries you previously added for these packages. diff --git a/content/code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies.md b/content/code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies.md index e1845ac6bbe0..49aab470acf0 100644 --- a/content/code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies.md +++ b/content/code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies.md @@ -76,15 +76,15 @@ By following these practices, you can significantly reduce the risk posed by out {% data variables.product.github %} provides security features to help you maintain dependencies: -**Dependency graph**: Tracks your project dependencies and identifies vulnerabilities. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). +**Dependency graph**: Tracks your project dependencies and identifies vulnerabilities. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph). -**Dependency review**: Catches insecure dependencies in pull requests before they're merged. In addition, the {% data variables.dependency-review.action_name %} can fail checks and, when required by branch protection rules, prevent pull requests that introduce vulnerabilities from being merged. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). +**Dependency review**: Catches insecure dependencies in pull requests before they're merged. In addition, the {% data variables.dependency-review.action_name %} can fail checks and, when required by branch protection rules, prevent pull requests that introduce vulnerabilities from being merged. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review). -**{% data variables.product.prodname_dependabot %}**: Automatically scans for vulnerabilities, creates alerts, and opens pull requests to update vulnerable or outdated dependencies. You can group multiple updates into single pull requests to streamline reviews. See [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). +**{% data variables.product.prodname_dependabot %}**: Automatically scans for vulnerabilities, creates alerts, and opens pull requests to update vulnerable or outdated dependencies. You can group multiple updates into single pull requests to streamline reviews. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). -**{% data variables.product.prodname_advisory_database %}**: Provides security advisories that power {% data variables.product.prodname_dependabot %}'s vulnerability detection. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database).{% ifversion fpt or ghec %} +**{% data variables.product.prodname_advisory_database %}**: Provides security advisories that power {% data variables.product.prodname_dependabot %}'s vulnerability detection. See [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database).{% ifversion fpt or ghec %} **Private vulnerability reporting**: Enables maintainers to receive, discuss, and fix vulnerability reports in private before public disclosure. {% endif %} -**Security overview**: Shows your organization's security posture with dashboards for at-risk repositories, alert trends, and feature enablement status. See [AUTOTITLE](/code-security/security-overview/about-security-overview). +**Security overview**: Shows your organization's security posture with dashboards for at-risk repositories, alert trends, and feature enablement status. See [AUTOTITLE](/code-security/concepts/security-at-scale/security-overview). -For end-to-end supply chain guidance, see [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview). +For end-to-end supply chain guidance, see [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/end-to-end-supply-chain-overview). diff --git a/content/code-security/concepts/supply-chain-security/dependabot-alert-metrics.md b/content/code-security/concepts/supply-chain-security/dependabot-alert-metrics.md index ea2cac60ee54..94cb32d1d21b 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-alert-metrics.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-alert-metrics.md @@ -36,7 +36,7 @@ These metrics help both application security managers measure the effectiveness The metrics dashboard shows the number of **open {% data variables.product.prodname_dependabot_alerts %}**. You can use filters such as availability of patches, severity, and EPSS score to narrow down the list of alerts to those matching specific criteria. {% data reusables.security-overview.dependabot-filters-link %} -For more information about how AppSec managers can best use these metrics to optimize alert fixing, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/prioritizing-dependabot-alerts-using-metrics). +For more information about how AppSec managers can best use these metrics to optimize alert fixing, see [AUTOTITLE](/code-security/tutorials/manage-security-alerts/prioritizing-dependabot-alerts-using-metrics). Key metrics for prioritization include: diff --git a/content/code-security/concepts/supply-chain-security/dependabot-alerts.md b/content/code-security/concepts/supply-chain-security/dependabot-alerts.md index bbd448feafdd..f95709bb69ac 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-alerts.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-alerts.md @@ -32,7 +32,7 @@ Software often relies on packages from various sources, creating dependency rela * Your enterprise publishes an innersource advisory for a component you depend on. For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories).{% endif %} * Your dependency graph changes—for example, when you push commits that update packages or versions -For supported ecosystems, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). +For supported ecosystems, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). ## Understanding alerts @@ -44,7 +44,7 @@ When {% data variables.product.github %} detects a vulnerable dependency, a {% d {% ifversion ghec %}Alerts generated from an innersource advisory carry a distinct "Innersource" label, distinguishing them from alerts based on public advisories. -{% endif %}For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). +{% endif %}For information about viewing and managing alerts, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts). ## Who can enable alerts? @@ -52,7 +52,7 @@ Repository administrators and organization owners can enable {% data variables.p {% data reusables.repositories.enable-security-alerts %} -See [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). +See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-dependabot-alerts). {% ifversion dependabot-alerts-assignees %} @@ -78,7 +78,7 @@ When an alert's assignees change, {% data variables.product.github %} sends an ` You can manage alert assignments programmatically using the REST API. For more information, see [AUTOTITLE](/rest/dependabot/alerts). -For information about assigning alerts, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-prioritizing-dependabot-alerts). +For information about assigning alerts, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts#viewing-and-prioritizing-dependabot-alerts). {% endif %} @@ -95,7 +95,7 @@ You can override the default behavior by choosing the type of notifications you Regardless of your notification preferences, when {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.github %} does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled, if your notification preferences allow it. -If you are concerned about receiving too many notifications, we recommend leveraging {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. See [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules). +If you are concerned about receiving too many notifications, we recommend leveraging {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules). Alternatively, you can opt into the weekly email digest, or even completely turn off notifications while keeping {% data variables.product.prodname_dependabot_alerts %} enabled. @@ -116,15 +116,15 @@ Alternatively, you can opt into the weekly email digest, or even completely turn ## {% data variables.copilot.copilot_chat %} integration -With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% data variables.copilot.copilot_chat_short %} questions about {% data variables.product.prodname_dependabot_alerts %} in your organization's repositories. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). +With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% data variables.copilot.copilot_chat_short %} questions about {% data variables.product.prodname_dependabot_alerts %} in your organization's repositories. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/chat-with-copilot/get-started-with-chat#security-alert-questions). {% endif %} ## Further reading {% ifversion dependabot-malware-alerts %} -* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %}{% ifversion ghec %} +* [AUTOTITLE](/code-security/concepts/supply-chain-security/malware-alerts){% endif %}{% ifversion ghec %} * [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories){% endif %} -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) -* [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) -* [AUTOTITLE](/code-security/getting-started/auditing-security-alerts) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts) +* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates) +* [AUTOTITLE](/code-security/concepts/security-at-scale/audit-security-alerts) diff --git a/content/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules.md b/content/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules.md index 75c391ba76c1..17bae70cf668 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules.md @@ -44,7 +44,7 @@ There are two types of {% data variables.dependabot.auto_triage_rules %}: * At worst, have limited effects like slow builds or long-running tests. * Are not indicative of issues in production. -The rule is enabled by default for public repositories and can be opted into for private repositories. For instructions, see [Enabling the `Dismiss low impact issues for development-scoped dependencies` rule for your private repository](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts#enabling-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule-for-your-private-repository). +The rule is enabled by default for public repositories and can be opted into for private repositories. For instructions, see [Enabling the `Dismiss low impact issues for development-scoped dependencies` rule for your private repository](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/prioritize-with-preset-rules#enabling-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule-for-your-private-repository). For more information about the criteria used by the rule, see [AUTOTITLE](/code-security/reference/supply-chain-security/criteria-for-preset-rules). @@ -66,13 +66,13 @@ The `Dismiss package malware alerts` rule is disabled by default, but can be ena > [!NOTE] > {% data reusables.gated-features.dependabot-custom-auto-triage-rules %} -With {% data variables.dependabot.custom_rules %}, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which {% data variables.product.prodname_dependabot_alerts %} you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts). +With {% data variables.dependabot.custom_rules %}, you can create your own rules to automatically dismiss or reopen alerts based on targeted metadata, such as severity, package name, CWE, and more. You can also specify which {% data variables.product.prodname_dependabot_alerts %} you want {% data variables.product.prodname_dependabot %} to open pull requests for. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/auto-triage-dependabot-alerts). -You can create custom rules from the **Settings** tab of the repository, provided the repository belongs to an organization that has a license for {% data variables.product.prodname_GHAS_or_code_security %}. For more information, see [Adding custom auto-triage rules to your repository](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts#adding-custom-auto-triage-rules-to-your-repository). +You can create custom rules from the **Settings** tab of the repository, provided the repository belongs to an organization that has a license for {% data variables.product.prodname_GHAS_or_code_security %}. For more information, see [Adding custom auto-triage rules to your repository](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/auto-triage-dependabot-alerts#adding-custom-auto-triage-rules-to-your-repository). ### About auto-dismissing alerts -Whilst you may find it useful to use auto-triage rules to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/managing-automatically-dismissed-alerts). +Whilst you may find it useful to use auto-triage rules to auto-dismiss alerts, you can still reopen auto-dismissed alerts and filter to see which alerts have been auto-dismissed. For more information, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/managing-automatically-dismissed-alerts). Additionally, auto-dismissed alerts are still available for reporting and reviewing, and can be auto-reopened if the alert metadata changes, for example: * If you change the scope of a dependency from development to production. @@ -82,6 +82,6 @@ Auto-dismissed alerts are defined by the `resolution:auto-dismiss` close reason. ## Next steps -To get started with {% data variables.dependabot.auto_triage_rules %}, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/using-github-preset-rules-to-prioritize-dependabot-alerts). +To get started with {% data variables.dependabot.auto_triage_rules %}, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/prioritize-with-preset-rules). -To customize your auto-triage experience, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts). +To customize your auto-triage experience, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/auto-triage-dependabot-alerts). diff --git a/content/code-security/concepts/supply-chain-security/dependabot-job-logs.md b/content/code-security/concepts/supply-chain-security/dependabot-job-logs.md index 674519849b85..762255c7bdf3 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-job-logs.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-job-logs.md @@ -49,4 +49,4 @@ Job logs give you two levels of detail for troubleshooting: ## Next steps -Now that you know what {% data variables.product.prodname_dependabot %} job logs are, you may want to find out how to access them. See [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/viewing-dependabot-job-logs). +Now that you know what {% data variables.product.prodname_dependabot %} job logs are, you may want to find out how to access them. See [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/view-dependabot-logs). diff --git a/content/code-security/concepts/supply-chain-security/dependabot-on-actions.md b/content/code-security/concepts/supply-chain-security/dependabot-on-actions.md index 2cc7eea81183..a4a0b05dfd38 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-on-actions.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-on-actions.md @@ -32,10 +32,10 @@ Future releases of {% data variables.product.github %} will remove the ability t You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using: * **Standard {% data variables.product.prodname_dotcom %}-hosted runners.** These are the default runners used by {% data variables.product.github %} to execute {% data variables.product.prodname_actions %} jobs. -* **{% data variables.actions.hosted_runners_caps %}.** These are {% data variables.product.prodname_dotcom %}-hosted runners with advanced features like more RAM, CPU, and disk space. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). +* **{% data variables.actions.hosted_runners_caps %}.** These are {% data variables.product.prodname_dotcom %}-hosted runners with advanced features like more RAM, CPU, and disk space. For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/larger-runners). * **Self-hosted runners.** These runners grant you greater control over {% data variables.product.prodname_dependabot %} access to your private registries and internal network resources. Be aware that for security reasons, {% data variables.product.prodname_dependabot_updates %} on self-hosted runners will not run on public repositories. For more information on assigning a `dependabot` label on self-hosted runners, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners). -Running {% data variables.product.prodname_dependabot %} on standard {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %}, {% data variables.product.prodname_dotcom %} will bill your organization at the regular rate. See [AUTOTITLE](/billing/reference/actions-minute-multipliers). +Running {% data variables.product.prodname_dependabot %} on standard {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %}, {% data variables.product.prodname_dotcom %} will bill your organization at the regular rate. See [AUTOTITLE](/billing/reference/actions-runner-pricing). {% data reusables.dependabot.vnet-arc-note %} diff --git a/content/code-security/concepts/supply-chain-security/dependabot-pull-requests.md b/content/code-security/concepts/supply-chain-security/dependabot-pull-requests.md index 63359c9d84a6..a3eb4495e741 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-pull-requests.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-pull-requests.md @@ -19,7 +19,7 @@ If you've enabled security updates, pull requests for security updates are trigg Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository. -When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates). +When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/manage-dependabot-prs). {% data reusables.dependabot.automated-tests-note %} @@ -39,7 +39,7 @@ For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply- For version updates, you specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly. -{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates). +{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates). ## Commands for {% data variables.product.prodname_dependabot %} pull requests diff --git a/content/code-security/concepts/supply-chain-security/dependabot-security-updates.md b/content/code-security/concepts/supply-chain-security/dependabot-security-updates.md index 3a4feebef8f8..c048c8232556 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-security-updates.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-security-updates.md @@ -27,7 +27,7 @@ category: {% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. -If you enable {% data variables.product.prodname_dependabot_security_updates %}, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). +If you enable {% data variables.product.prodname_dependabot_security_updates %}, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates). You can add a `dependabot.yml` configuration file to your repository to customize {% data variables.product.prodname_dependabot %} behavior, including update schedules, pull request settings, and which dependencies to monitor. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file). You then configure options in this file to tell {% data variables.product.prodname_dependabot %} how to secure the dependencies your repository relies on. @@ -44,18 +44,18 @@ You can add a `dependabot.yml` configuration file to your repository to customiz {% data variables.product.prodname_dotcom %} may send {% data variables.product.prodname_dependabot_alerts %} to repositories affected by a vulnerability disclosed by a recently published {% data variables.product.prodname_dotcom %} security advisory. {% data reusables.security-advisory.link-browsing-advisory-db %} -{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors). +{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors). -The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependencies-included). +The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph#dependencies-included). > [!NOTE] -> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert). +> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert). -You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). +You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-version-updates). {% data reusables.dependabot.pull-request-security-vs-version-updates %} -If you enable _{% data variables.product.prodname_dependabot_security_updates %}_, parts of the configuration may also affect pull requests created for _{% data variables.product.prodname_dependabot_version_updates %}_. This is because some configuration settings are common to both types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs). +If you enable _{% data variables.product.prodname_dependabot_security_updates %}_, parts of the configuration may also affect pull requests created for _{% data variables.product.prodname_dependabot_version_updates %}_. This is because some configuration settings are common to both types of updates. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs). {% data reusables.dependabot.dependabot-updates-prs-and-actions %} @@ -70,7 +70,7 @@ For security updates, {% data variables.product.prodname_dependabot %} will only {% data reusables.dependabot.dependabot-grouped-security-updates-how-enable %} {% data reusables.dependabot.dependabot-grouped-security-updates-order %} - For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request). + For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates#grouping-into-a-single-pull-request). {% ifversion fpt or ghec %} @@ -86,4 +86,4 @@ For security updates, {% data variables.product.prodname_dependabot %} will only ## About notifications for {% data variables.product.prodname_dependabot %} security updates -You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} security updates. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters). +You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} security updates. For more information, see [AUTOTITLE](/subscriptions-and-notifications/reference/inbox-filters#custom-filters). diff --git a/content/code-security/concepts/supply-chain-security/dependabot-version-updates.md b/content/code-security/concepts/supply-chain-security/dependabot-version-updates.md index 426ab5bd6803..6f2f939f799a 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-version-updates.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-version-updates.md @@ -45,7 +45,7 @@ The `dependabot.yml` file can also be configured to tell {% data variables.produ For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. -When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). +When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). {% ifversion dependabot-cooldown-default-days %} @@ -53,7 +53,7 @@ When {% data variables.product.prodname_dependabot %} identifies an outdated dep {% endif %} -If you enable _security updates_, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). +If you enable _security updates_, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates). ## Updates for actions @@ -63,7 +63,7 @@ For each action in the file, {% data variables.product.prodname_dependabot %} ch {% data variables.product.prodname_dependabot %} also checks workflow files for uses of reusable workflows, and updates the Git reference for these called reusable workflows. -To enable this feature, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/keeping-your-actions-up-to-date-with-dependabot). +To enable this feature, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/auto-update-actions). ## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %} @@ -71,4 +71,4 @@ To enable this feature, see [AUTOTITLE](/code-security/how-tos/secure-your-suppl ## About notifications for {% data variables.product.prodname_dependabot %} version updates -You can filter your notifications on {% data variables.product.company_short %} to show notifications for pull requests created by {% data variables.product.prodname_dependabot %}. For more information, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox). +You can filter your notifications on {% data variables.product.company_short %} to show notifications for pull requests created by {% data variables.product.prodname_dependabot %}. For more information, see [AUTOTITLE](/subscriptions-and-notifications/how-tos/viewing-and-triaging-notifications/managing-notifications-from-your-inbox). diff --git a/content/code-security/concepts/supply-chain-security/dependency-graph-data.md b/content/code-security/concepts/supply-chain-security/dependency-graph-data.md index 3b21b2bbe40a..0a10d432e63a 100644 --- a/content/code-security/concepts/supply-chain-security/dependency-graph-data.md +++ b/content/code-security/concepts/supply-chain-security/dependency-graph-data.md @@ -42,11 +42,11 @@ For the most reliable graph, you should use lock files (or their equivalent), be ## Automatic dependency submission -Some ecosystems resolve indirect dependencies at build time, so static analysis can't see the full dependency tree. When you enable automatic dependency submission for a repository, {% data variables.product.company_short %} automatically identifies the transitive dependencies in the repository for supported ecosystems. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems). +Some ecosystems resolve indirect dependencies at build time, so static analysis can't see the full dependency tree. When you enable automatic dependency submission for a repository, {% data variables.product.company_short %} automatically identifies the transitive dependencies in the repository for supported ecosystems. See [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems). In the background, automatic dependency submission runs a {% data variables.product.prodname_actions %} workflow that generates the complete tree and uploads it using the {% data variables.dependency-submission-api.name %}.{% ifversion fpt or ghec %} Automatic dependency submission runs on {% data variables.product.github %}-hosted runners by default and counts toward your {% data variables.product.prodname_actions %} minutes. Optionally, you can choose to run it on self-hosted runners or {% data variables.actions.hosted_runners %}.{% endif %} -To enable automatic dependency submission, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository). +To enable automatic dependency submission, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/submit-dependencies-automatically). {% endif %} @@ -59,7 +59,7 @@ To enable automatic dependency submission, see [AUTOTITLE](/code-security/supply For supported ecosystems, {% data variables.product.prodname_dependabot %} graph jobs provide: * Full transitive dependency coverage, which means {% data variables.product.prodname_dependabot %} can alert you to vulnerabilities in indirect dependencies that static analysis may miss. -* Private registry access through {% data variables.product.prodname_dependabot %} secrets configured at the organization or repository level. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot). +* Private registry access through {% data variables.product.prodname_dependabot %} secrets configured at the organization or repository level. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries). * Private packages that are not accessible through configured {% data variables.product.prodname_dependabot %} secrets are gracefully omitted from the dependency graph without causing a failure. This approach is similar to automatic dependency submission, but does not incur charges for {% data variables.product.prodname_actions %} minutes. It can also access organization-wide configurations for private registries you've set up for {% data variables.product.prodname_dependabot %}. @@ -81,7 +81,7 @@ If you are calling the API in a {% data variables.product.prodname_actions %} wo {% data reusables.dependency-submission.about-dependency-submission %} -For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). +For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api). ## Prioritization diff --git a/content/code-security/concepts/supply-chain-security/dependency-graph.md b/content/code-security/concepts/supply-chain-security/dependency-graph.md index 6d5cd7fe797c..3020d61ecb36 100644 --- a/content/code-security/concepts/supply-chain-security/dependency-graph.md +++ b/content/code-security/concepts/supply-chain-security/dependency-graph.md @@ -22,9 +22,9 @@ category: {% data reusables.dependabot.about-the-dependency-graph %} -For information on the supported ecosystems and manifest files, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). +For information on the supported ecosystems and manifest files, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). -When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). +When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review). ## How the dependency graph is built @@ -35,14 +35,14 @@ The dependency graph automatically parses dependencies by analyzing manifests an {% ifversion fpt or ghec %} {% data reusables.dependency-graph.feature-availability %} For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository). -{% data reusables.dependency-graph.feature-availability %} See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph). +{% data reusables.dependency-graph.feature-availability %} See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph). {% endif %} {% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %} {% ifversion ghes %} -For more information about configuration of the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph).{% endif %} +For more information about configuration of the dependency graph, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph).{% endif %} {% ifversion fpt or ghec %} @@ -54,7 +54,7 @@ For public repositories, the dependency graph lists dependents. These are other Your repository will have a "Used by" section if: * The dependency graph is enabled for the repository. -* Your repository contains a package that is published on a supported package ecosystem. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). +* Your repository contains a package that is published on a supported package ecosystem. See [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). * Within the ecosystem, your package has a link to a _public_ repository where the source is stored. * More than 100 repositories depend on your package. @@ -68,15 +68,15 @@ The "Used by" section represents a single package from the repository. If you ha You can use the dependency graph to: -* Explore the repositories your code depends on{% ifversion fpt or ghec %}, and those that depend on it{% endif %}. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository). {% ifversion fpt or ghec %} +* Explore the repositories your code depends on{% ifversion fpt or ghec %}, and those that depend on it{% endif %}. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies). {% ifversion fpt or ghec %} * View a summary of the dependencies used in your organization's repositories in a single dashboard. For more information, see [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization#viewing-organization-dependency-insights).{% endif %} -* View and update vulnerable dependencies for your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). +* View and update vulnerable dependencies for your repository. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). * See information about vulnerable dependencies in pull requests. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request). -* Export a software bill of materials (SBOM) for audit or compliance purposes. This is a formal, machine-readable inventory of a project's dependencies. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/exporting-a-software-bill-of-materials-for-your-repository). +* Export a software bill of materials (SBOM) for audit or compliance purposes. This is a formal, machine-readable inventory of a project's dependencies. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/export-dependencies-as-sbom). ## Further reading * [Dependency graph](https://en.wikipedia.org/wiki/Dependency_graph) on Wikipedia -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository) -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) -* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) +* [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies) +* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/view-dependabot-alerts) +* [AUTOTITLE](/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerability-detection) diff --git a/content/code-security/concepts/supply-chain-security/dependency-review.md b/content/code-security/concepts/supply-chain-security/dependency-review.md index 3ef3a61e8faf..5e864c2995c6 100644 --- a/content/code-security/concepts/supply-chain-security/dependency-review.md +++ b/content/code-security/concepts/supply-chain-security/dependency-review.md @@ -29,15 +29,15 @@ Sometimes you might just want to update the version of one dependency in a manif By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project. For more information about how dependency review works, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request). -{% data variables.product.prodname_dependabot_alerts %} will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date. For more information about {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies). +{% data variables.product.prodname_dependabot_alerts %} will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date. For more information about {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies). -Dependency review supports the same languages and package management ecosystems as the dependency graph. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). +Dependency review supports the same languages and package management ecosystems as the dependency graph. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). -For more information on supply chain features available on {% data variables.product.github %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security). +For more information on supply chain features available on {% data variables.product.github %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/supply-chain-security). ## Enabling dependency review -The dependency review feature becomes available when you enable the dependency graph. For more information, see {% ifversion fpt or ghec %}[Enabling the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph){% elsif ghes %}[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise){% endif %}." +The dependency review feature becomes available when you enable the dependency graph. For more information, see {% ifversion fpt or ghec %}[Enabling the dependency graph](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/enable-dependency-graph#enabling-the-dependency-graph-for-a-repository){% elsif ghes %}[Enabling the dependency graph for your enterprise](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/enable-dependency-graph){% endif %}. ## About the {% data variables.dependency-review.action_name %} @@ -53,11 +53,11 @@ The action is available for all {% ifversion fpt or ghec %}public repositories, {% data reusables.dependency-review.action-enterprise %} -The action uses the dependency review REST API to get the diff of dependency changes between the base commit and head commit. You can use the dependency review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see [AUTOTITLE](/rest/dependency-graph/dependency-review). The action also considers dependencies submitted via the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). +The action uses the dependency review REST API to get the diff of dependency changes between the base commit and head commit. You can use the dependency review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see [AUTOTITLE](/rest/dependency-graph/dependency-review). The action also considers dependencies submitted via the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/use-dependency-submission-api). {% data reusables.dependency-review.works-with-submission-api-beta %} -You can configure the {% data variables.dependency-review.action_name %} to better suit your needs. For example, you can specify the severity level that will make the action fail{% ifversion dependency-review-action-licenses %}, or set an allow or deny list for licenses to scan{% endif %}. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action). +You can configure the {% data variables.dependency-review.action_name %} to better suit your needs. For example, you can specify the severity level that will make the action fail{% ifversion dependency-review-action-licenses %}, or set an allow or deny list for licenses to scan{% endif %}. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-dependency-review-action). ## Best practices for using the dependency review API and the {% data variables.dependency-submission-api.name %} together @@ -88,4 +88,4 @@ If you don’t use {% data variables.product.prodname_actions %}, and your code ## Further reading -* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration) +* [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/customize-dependency-review-action) diff --git a/content/code-security/concepts/supply-chain-security/immutable-releases.md b/content/code-security/concepts/supply-chain-security/immutable-releases.md index 5fc0abf1e3ca..eb2aabfe5b98 100644 --- a/content/code-security/concepts/supply-chain-security/immutable-releases.md +++ b/content/code-security/concepts/supply-chain-security/immutable-releases.md @@ -41,6 +41,6 @@ This ensures that all assets are in place before the release becomes immutable, ## Next steps -To learn how to enable immutable releases for your repository or organization, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/preventing-changes-to-your-releases). +To learn how to enable immutable releases for your repository or organization, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/prevent-release-changes). -To learn how to ensure a release and local assets have not been changed, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/verifying-the-integrity-of-a-release). +To learn how to ensure a release and local assets have not been changed, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/verify-release-integrity). diff --git a/content/code-security/concepts/supply-chain-security/malware-alerts.md b/content/code-security/concepts/supply-chain-security/malware-alerts.md index e9cb330bed08..9114c24f8366 100644 --- a/content/code-security/concepts/supply-chain-security/malware-alerts.md +++ b/content/code-security/concepts/supply-chain-security/malware-alerts.md @@ -48,7 +48,7 @@ By default, {% data variables.product.github %} sends email notifications about On {% data variables.product.prodname_dotcom_the_website %}, you can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at [https://github.com/settings/notifications](https://github.com/settings/notifications). {% endif %} -If you are concerned about receiving too many notifications, we recommend leveraging {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. See [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules). +If you are concerned about receiving too many notifications, we recommend leveraging {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-auto-triage-rules). ## Limitations diff --git a/content/code-security/concepts/supply-chain-security/supply-chain-security.md b/content/code-security/concepts/supply-chain-security/supply-chain-security.md index 4856861ca01a..621a0084ff34 100644 --- a/content/code-security/concepts/supply-chain-security/supply-chain-security.md +++ b/content/code-security/concepts/supply-chain-security/supply-chain-security.md @@ -50,7 +50,7 @@ The following supply chain features on {% data variables.product.prodname_dotcom {% data variables.product.prodname_dependabot_version_updates %} don't use the dependency graph and rely on the semantic versioning of dependencies instead. {% data variables.product.prodname_dependabot_version_updates %} help you keep your dependencies updated, even when they don’t have any vulnerabilities. -For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview). +For best practice guides on end-to-end supply chain security including the protection of personal accounts, code, and build processes, see [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/end-to-end-supply-chain-overview). ## Feature overview @@ -66,7 +66,7 @@ To generate the dependency graph, {% data variables.product.company_short %} loo {% data reusables.dependency-submission.dependency-submission-link %} -For more information about the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). +For more information about the dependency graph, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph). ### What is dependency review? @@ -75,7 +75,7 @@ Dependency review helps reviewers and contributors understand dependency changes * Dependency review tells you which dependencies were added, removed, or updated, in a pull request. You can use the release dates, popularity of dependencies, and vulnerability information to help you decide whether to accept the change. * You can see the dependency review for a pull request by showing the rich diff on the **Files Changed** tab. -For more information about dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review). +For more information about dependency review, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-review). ### What is Dependabot? @@ -87,7 +87,7 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll * {% data variables.product.prodname_dependabot_security_updates %}: Triggered updates to upgrade your dependencies to a secure version when an alert is triggered. * {% data variables.product.prodname_dependabot_version_updates %}: Scheduled updates to keep your dependencies up to date with the latest version. -{% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions).{% endif %} +{% ifversion fpt or ghec %}Pull requests opened by {% data variables.product.prodname_dependabot %} can trigger workflows that run actions. For more information, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/automate-dependabot-with-actions).{% endif %} {% ifversion dependabot-on-actions-opt-in %}By default: @@ -95,15 +95,15 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll * If {% data variables.product.prodname_actions %} is not enabled for the repository, {% data variables.product.github %} generates {% data variables.product.prodname_dependabot_alerts %} using its built-in {% data variables.product.prodname_dependabot %} application. -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). +For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-on-actions). {% else %} -{% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} require {% data variables.product.prodname_actions %} to run on {% data variables.product.prodname_ghe_server %}. {% data variables.product.prodname_dependabot_alerts %} do not require {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). +{% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_dependabot_version_updates %} require {% data variables.product.prodname_actions %} to run on {% data variables.product.prodname_ghe_server %}. {% data variables.product.prodname_dependabot_alerts %} do not require {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise). {% endif %} -{% data reusables.dependabot.dependabot-actions-support %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). +{% data reusables.dependabot.dependabot-actions-support %} For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates). #### What are Dependabot alerts? @@ -116,7 +116,7 @@ For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dep * The dependency graph for the repository changes * {% data variables.product.prodname_dependabot_alerts %} are displayed on the **{% data variables.product.prodname_security_and_quality_tab %}** tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version. -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). +For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). {% ifversion dependabot-malware-alerts %} @@ -153,7 +153,7 @@ There are two types of {% data variables.product.prodname_dependabot_updates %}: * Update dependencies to the latest version that matches the configuration * Supported for a different group of ecosystems -For more information about {% data variables.product.prodname_dependabot_updates %}, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). +For more information about {% data variables.product.prodname_dependabot_updates %}, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates) and [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-version-updates). ### What are immutable releases? @@ -177,27 +177,27 @@ Public repositories: * **Dependency graph:** Enabled by default and cannot be disabled. * **Dependency review:** Enabled by default and cannot be disabled. * **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. {% data variables.product.prodname_dotcom %} detects insecure dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}. - You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). + You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/account-and-profile/how-tos/account-settings/managing-security-and-analysis-features) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). * **Artifact attestations:** Available in all public repositories, but you must explicitly generate attestations in your build workflows. See [AUTOTITLE](/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). Private repositories: -* **Dependency graph:** Not enabled by default. The feature can be enabled by repository administrators. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). -* **Dependency review:** Available in private repositories owned by organizations that use {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} and have a license for {% data variables.product.prodname_GHAS_or_code_security %}. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). +* **Dependency graph:** Not enabled by default. The feature can be enabled by repository administrators. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies#enabling-and-disabling-the-dependency-graph). +* **Dependency review:** Available in private repositories owned by organizations that use {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} and have a license for {% data variables.product.prodname_GHAS_or_code_security %}. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/explore-dependencies#enabling-and-disabling-the-dependency-graph). * **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories. - You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). + You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see [AUTOTITLE](/account-and-profile/how-tos/account-settings/managing-security-and-analysis-features) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization). * **Artifact attestations:** Only available in private repositories on {% data variables.product.prodname_ghe_cloud %}. Any repository type: -* **{% data variables.product.prodname_dependabot_security_updates %}:** Not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For information about enabling security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). -* **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). -* **Immutable releases*:** Not enabled by default. You can enable release immutability for a repository or organization. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/preventing-changes-to-your-releases). +* **{% data variables.product.prodname_dependabot_security_updates %}:** Not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For information about enabling security updates, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates). +* **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). +* **Immutable releases*:** Not enabled by default. You can enable release immutability for a repository or organization. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/prevent-release-changes). {% endif %} {% ifversion ghes %} -* **Dependency graph and {% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. Both features are configured at an enterprise level by the enterprise owner. For more information, see [AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise) and [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). +* **Dependency graph and {% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. Both features are configured at an enterprise level by the enterprise owner. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/enable-dependency-graph) and [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise). * **Dependency review:** Available when dependency graph is enabled for your instance and {% data variables.product.prodname_GHAS_or_code_security %} is enabled for the organization or repository. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security). {% endif %} {% ifversion ghes %} -* **{% data variables.product.prodname_dependabot_security_updates %}:** Not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For information about enabling security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). -* **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). +* **{% data variables.product.prodname_dependabot_security_updates %}:** Not enabled by default. You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For information about enabling security updates, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates). +* **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). {% endif %} diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/coordinated-disclosure.md b/content/code-security/concepts/vulnerability-reporting-and-management/coordinated-disclosure.md index bb10c2cb7fc5..1b014f26b779 100644 --- a/content/code-security/concepts/vulnerability-reporting-and-management/coordinated-disclosure.md +++ b/content/code-security/concepts/vulnerability-reporting-and-management/coordinated-disclosure.md @@ -65,7 +65,7 @@ There are two processes available on {% data variables.product.github %}: The process for reporting and disclosing vulnerabilities for projects on {% data variables.product.github %} is as follows: - If you are a vulnerability reporter (for example, a security researcher) who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies). If there is one, follow it to understand the process before contacting the security team for that repository. + If you are a vulnerability reporter (for example, a security researcher) who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/add-security-policy#about-security-policies). If there is one, follow it to understand the process before contacting the security team for that repository. If there isn't a security policy in place, the most efficient way to establish a private means of communication with maintainers is to create an issue asking for a preferred security contact. It's worth noting that the issue will be immediately publicly visible, so it should not include any information about the bug. Once communication is established, you can suggest the maintainers define a security policy for future use. @@ -74,11 +74,11 @@ The process for reporting and disclosing vulnerabilities for projects on {% data If you've found a security vulnerability in {% data variables.product.github %}, please report the vulnerability through our coordinated disclosure process. For more information, see the [{% data variables.product.github %} Security Bug Bounty](https://bounty.github.com/) website. - If you are a maintainer, you can take ownership of the process at the very beginning of the pipeline by setting up a security policy for your repository, or otherwise making security reporting instructions clearly available, for example in your project’s README file. For information about adding a security policy, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies). If there is no security policy, it's likely that a vulnerability reporter will try to email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue. + If you are a maintainer, you can take ownership of the process at the very beginning of the pipeline by setting up a security policy for your repository, or otherwise making security reporting instructions clearly available, for example in your project’s README file. For information about adding a security policy, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/add-security-policy#about-security-policies). If there is no security policy, it's likely that a vulnerability reporter will try to email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue. - As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.github %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). + As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.github %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories). - To get started, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). + To get started, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/create-repository-advisory). ### Private vulnerability reporting @@ -106,6 +106,6 @@ For maintainers, the benefits of using private vulnerability reporting are: ## Next steps -If you are a security researcher, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) to learn how to privately report a vulnerability to a repository maintainer. +If you are a security researcher, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/report-privately) to learn how to privately report a vulnerability to a repository maintainer. -If you are a repository maintainer, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository) to enable private vulnerability reporting for your repository, or [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration) to manage it across your organization. +If you are a repository maintainer, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configure-for-a-repository) to enable private vulnerability reporting for your repository, or [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration) to manage it across your organization. diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md b/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md index 8e27f99f1219..4c7c818350bc 100644 --- a/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md +++ b/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md @@ -56,7 +56,7 @@ Generally, we name our supported ecosystems after the software programming langu If you have a suggestion for a new ecosystem we should support, please open an [issue](https://github.com/github/advisory-database/issues) for discussion. -If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability for a package you depend on. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). +If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability for a package you depend on. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts). ### Unreviewed vulnerability advisories @@ -126,16 +126,16 @@ FIRST also provides additional information around the distribution of their EPSS >[!NOTE] {% data variables.product.company_short %} keeps EPSS data up to date with a daily synchronization action. While EPSS score percentages will always be fully synchronized, score percentiles will only be updated when significantly different. -At {% data variables.product.company_short %}, we do not author this data, but rather source it from FIRST, which means that this data is not editable in community contributions. For more information about community contributions, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). +At {% data variables.product.company_short %}, we do not author this data, but rather source it from FIRST, which means that this data is not editable in community contributions. For more information about community contributions, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/edit-advisory-database). ## Community contributions A **community contribution** is a pull request submitted to the [github/advisory-database](https://github.com/github/advisory-database?ref_product=security-advisories&ref_type=engagement&ref_style=text) repository that improves the content of a global security advisory. When you make a community contribution, you can edit or add any detail, including additional affected ecosystems, the severity level, or the description of who is impacted. The {% data variables.product.prodname_security %} curation team will review the submitted contributions and publish them onto the {% data variables.product.prodname_advisory_database %} if accepted. {% ifversion security-advisories-credit-types %} -If we accept and publish the community contribution, the person who submitted the community contribution pull request will automatically be assigned a credit type of "Analyst". For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories).{% endif %} +If we accept and publish the community contribution, the person who submitted the community contribution pull request will automatically be assigned a credit type of "Analyst". For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/create-repository-advisory#about-credits-for-repository-security-advisories).{% endif %} ## Further reading -* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) +* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alerts) * The CVE Program's [definition of "vulnerability"](https://www.cve.org/ResourcesSupport/Glossary#glossaryVulnerability) diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/global-security-advisories.md b/content/code-security/concepts/vulnerability-reporting-and-management/global-security-advisories.md index 486d044c50bb..48eb5293cfeb 100644 --- a/content/code-security/concepts/vulnerability-reporting-and-management/global-security-advisories.md +++ b/content/code-security/concepts/vulnerability-reporting-and-management/global-security-advisories.md @@ -31,10 +31,10 @@ Anyone can suggest improvements on any global security advisory. You can edit or ## Next steps -Access advisories in the {% data variables.product.prodname_advisory_database %}. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database). +Access advisories in the {% data variables.product.prodname_advisory_database %}. See [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/browse-advisory-database). {% ifversion fpt or ghec %} ## Further reading -* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories) +* [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories) {% endif %} diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories.md b/content/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories.md index d9c1c8fae442..bec280be2da4 100644 --- a/content/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories.md +++ b/content/code-security/concepts/vulnerability-reporting-and-management/repository-security-advisories.md @@ -22,7 +22,7 @@ category: ## About repository security advisories -{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities). +{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/coordinated-disclosure). {% data reusables.security-advisory.security-advisory-overview %} @@ -38,11 +38,11 @@ With repository security advisories, you can: You can also use the REST API to create, list, and update repository security advisories. For more information, see [AUTOTITLE](/rest/security-advisories/repository-advisories). {% endif %} -You can give credit to individuals who contributed to a security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories). +You can give credit to individuals who contributed to a security advisory. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/create-repository-advisory#about-credits-for-repository-security-advisories). {% data reusables.repositories.security-guidelines %} -If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). Anyone can submit a change to an advisory published in the {% data variables.product.prodname_advisory_database %}. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). +If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). Anyone can submit a change to an advisory published in the {% data variables.product.prodname_advisory_database %}. For more information, see [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/edit-advisory-database). If a security advisory is specifically for npm, we also publish the advisory to the npm security advisories. For more information, see [npmjs.com/advisories](https://www.npmjs.com/advisories). @@ -69,7 +69,7 @@ When you publish a draft advisory from a public repository, visibility levels va The URL of a security advisory does not change after publication. -If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. See [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory). +If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. See [AUTOTITLE](/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/edit-repository-advisories). ### {% data variables.product.prodname_dependabot_alerts %} for published security advisories diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/vulnerability-exposure.md b/content/code-security/concepts/vulnerability-reporting-and-management/vulnerability-exposure.md index 3011a5d34afc..9b7d9c548f93 100644 --- a/content/code-security/concepts/vulnerability-reporting-and-management/vulnerability-exposure.md +++ b/content/code-security/concepts/vulnerability-reporting-and-management/vulnerability-exposure.md @@ -33,11 +33,11 @@ Regularly assessing vulnerability exposure helps you identify risks early and pr ## Ways to monitor your repositories for vulnerable code -* **{% data variables.product.prodname_code_scanning_caps %}** automatically monitors your project's code for vulnerabilities. When it detects a security issue in a pull request, it creates an alert with an autofix suggestion to resolve the vulnerability. This lowers the barrier to resolution and helps ensure your project remains secure. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). +* **{% data variables.product.prodname_code_scanning_caps %}** automatically monitors your project's code for vulnerabilities. When it detects a security issue in a pull request, it creates an alert with an autofix suggestion to resolve the vulnerability. This lowers the barrier to resolution and helps ensure your project remains secure. See [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning). -* **{% data variables.product.prodname_dependabot %}** automatically monitors your project’s dependencies for vulnerabilities and outdated packages. When it detects a security issue or a new version, it creates pull requests to update the affected dependencies, helping you quickly address security risks and keep your software up to date. This reduces manual effort and helps ensure your project remains secure. See [AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide). +* **{% data variables.product.prodname_dependabot %}** automatically monitors your project’s dependencies for vulnerabilities and outdated packages. When it detects a security issue or a new version, it creates pull requests to update the affected dependencies, helping you quickly address security risks and keep your software up to date. This reduces manual effort and helps ensure your project remains secure. See [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/dependabot-quickstart). -{% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts). +{% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-alert-metrics). ## Reducing organizational vulnerability exposure @@ -45,7 +45,7 @@ Reducing organizational vulnerability exposure requires ongoing visibility into ### Monitor vulnerability metrics for dependencies -Use the metrics overview for {% data variables.product.prodname_dependabot %} to gain visibility into the current state of your organization's dependency vulnerabilities. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts). +Use the metrics overview for {% data variables.product.prodname_dependabot %} to gain visibility into the current state of your organization's dependency vulnerabilities. See [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-dependabot-alerts). * **Alert prioritization:** Review the number of open {% data variables.product.prodname_dependabot_alerts %} and use filters such as CVSS severity, EPSS exploit likelihood, patch availability, and whether a vulnerable dependency is actually used in deployed artifacts. {% data reusables.security-overview.dependabot-filters-link %} * **Repository-level breakdown:** Identify which repositories have the highest number of critical or exploitable vulnerabilities. @@ -53,7 +53,7 @@ Use the metrics overview for {% data variables.product.prodname_dependabot %} to ### Monitor introduction of new {% data variables.product.prodname_code_scanning %} alerts -Use the alert view for {% data variables.product.prodname_code_scanning %} to gain visibility into remediation activity in your organization's pull requests. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts). +Use the alert view for {% data variables.product.prodname_code_scanning %} to gain visibility into remediation activity in your organization's pull requests. See [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-pull-request-alerts). * **Alerts in pull requests:** Review how many alerts were detected and merged into the default branch without resolution. * **Most prevalent rules:** Identify rules that are frequently triggered where developer education is needed. @@ -66,8 +66,8 @@ Focus on vulnerabilities that present the highest risk to your organization. * Prioritize alerts with high or critical severity. For {% data variables.product.prodname_dependabot_alerts %}, also prioritize high EPSS scores, and available patches. * Use the repository breakdown information to direct remediation efforts to the most at-risk projects.{% ifversion fpt or ghec %} -* Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties and using production context. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code).{% endif %}{% ifversion security-campaigns %} -* Create security campaigns to encourage and track the remediation of high priority {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns).{% endif %} +* Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties and using production context. See [AUTOTITLE](/code-security/tutorials/secure-your-organization/prioritize-alerts-in-production-code).{% endif %}{% ifversion security-campaigns %} +* Create security campaigns to encourage and track the remediation of high priority {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/how-tos/manage-security-alerts/remediate-alerts-at-scale/creating-managing-security-campaigns).{% endif %} ### Communicate risk and progress @@ -77,10 +77,10 @@ Focus on vulnerabilities that present the highest risk to your organization. ### Establish and enforce policies -* Set an organization-wide security configuration that enables {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} on all existing and new repositories. See [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). +* Set an organization-wide security configuration that enables {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} on all existing and new repositories. See [AUTOTITLE](/code-security/concepts/security-at-scale/organization-security). * Enable dependency review to comment on pull requests in all repositories. * Create an organization-wide ruleset to protect the default branch and require critical {% data variables.product.prodname_code_scanning %} alerts to be fixed before a pull request can be merged. See [AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization). -* Work with repository administrators to enable automated security updates where possible. See [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). +* Work with repository administrators to enable automated security updates where possible. See [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-security-updates). ### Assess the impact of alerts diff --git a/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/resource-not-accessible.md b/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/resource-not-accessible.md index def5435f31f0..4cd27839a580 100644 --- a/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/resource-not-accessible.md +++ b/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/resource-not-accessible.md @@ -61,6 +61,6 @@ on: If the {% data variables.code-scanning.codeql_workflow %} still fails on a commit made on the default branch, you need to check: * Whether {% data variables.product.prodname_dependabot %} authored the commit -* Whether the pull request that includes the commit has been merged using `@dependabot squash and merge` +* Whether the pull request that includes the commit has been merged using squash and merge -This type of merge commit is authored by {% data variables.product.prodname_dependabot %} and therefore, any workflows running on the commit will have read-only permissions. If you enabled {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} security updates or version updates on your repository, we recommend you avoid using the {% data variables.product.prodname_dependabot %} `@dependabot squash and merge` command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request#enabling-auto-merge). +This type of merge commit is authored by {% data variables.product.prodname_dependabot %} and therefore, any workflows running on the commit will have read-only permissions. If you enabled {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} security updates or version updates on your repository, we recommend you enable auto-merge on the pull request with the **Create a merge commit** strategy. This avoids the squash-merge commit that would be authored by {% data variables.product.prodname_dependabot %}. For more information about enabling auto-merge, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request#enabling-auto-merge). diff --git a/content/code-security/reference/supply-chain-security/dependabot-pull-request-comment-commands.md b/content/code-security/reference/supply-chain-security/dependabot-pull-request-comment-commands.md index 70f7d80d7204..4d05023ede06 100644 --- a/content/code-security/reference/supply-chain-security/dependabot-pull-request-comment-commands.md +++ b/content/code-security/reference/supply-chain-security/dependabot-pull-request-comment-commands.md @@ -12,7 +12,7 @@ category: - Secure your dependencies --- -{% data variables.product.prodname_dependabot %} responds to simple commands in comments. Each pull request contains details of the commands you can use to process the pull request (for example: to merge, squash, reopen, close, or rebase the pull request) under the "{% data variables.product.prodname_dependabot %} commands and options" section. The aim is to make it as easy as possible for you to triage these automatically generated pull requests. +{% data variables.product.prodname_dependabot %} responds to simple commands in comments. Each pull request contains details of the commands you can use to process the pull request (for example, to rebase the pull request) under the "{% data variables.product.prodname_dependabot %} commands and options" section. The aim is to make it as easy as possible for you to triage these automatically generated pull requests. ## Commands for {% data variables.product.prodname_dependabot %} pull requests @@ -20,18 +20,13 @@ You can use any of the following commands on a {% data variables.product.prodnam | Command | Description | | --- | --- | -| `@dependabot cancel merge` | Cancels a previously requested merge. | -| `@dependabot close` | Closes the pull request and prevents {% data variables.product.prodname_dependabot %} from recreating that pull request. You can achieve the same result by closing the pull request manually. | | `@dependabot ignore this dependency` | Closes the pull request and prevents {% data variables.product.prodname_dependabot %} from creating any more pull requests for this dependency (unless you reopen the pull request or upgrade to the suggested version yourself). | | `@dependabot ignore this major version` | Closes the pull request and prevents {% data variables.product.prodname_dependabot %} from creating any more pull requests for this major version (unless you reopen the pull request or upgrade to this major version yourself). | | `@dependabot ignore this minor version` | Closes the pull request and prevents {% data variables.product.prodname_dependabot %} from creating any more pull requests for this minor version (unless you reopen the pull request or upgrade to this minor version yourself). | | `@dependabot ignore this patch version` | Closes the pull request and prevents {% data variables.product.prodname_dependabot %} from creating any more pull requests for this patch version (unless you reopen the pull request or upgrade to this patch version yourself). | -| `@dependabot merge` | Merges the pull request once your CI tests have passed. | | `@dependabot rebase` | Rebases the pull request. | | `@dependabot recreate` | Recreates the pull request, overwriting any edits that have been made to the pull request. | -| `@dependabot reopen` | Reopens the pull request if the pull request is closed. | | `@dependabot show DEPENDENCY_NAME ignore conditions` | Retrieves information on the ignore conditions for the specified dependency, and comments on the pull request with a table that displays all ignore conditions for the dependency. For example, `@dependabot show express ignore conditions` would find all `ignore` conditions stored for the Express dependency, and comment on the pull request with that information. | -| `@dependabot squash and merge` | Squashes and merges the pull request once your CI tests have passed. | ## Commands for grouped version updates diff --git a/content/copilot/concepts/agents/copilot-cli/context-management.md b/content/copilot/concepts/agents/copilot-cli/context-management.md index 15bd23eace6e..f576f8cfc533 100644 --- a/content/copilot/concepts/agents/copilot-cli/context-management.md +++ b/content/copilot/concepts/agents/copilot-cli/context-management.md @@ -26,7 +26,13 @@ The context window has a fixed size, measured in tokens, that varies by model. T All of this accumulates in the context window. In a long or complex session, the context window can fill up. -### Why the context window matters +### Managing large tool output + +To prevent a single tool response from consuming too much of the context window, tool output larger than 20 KiB is saved to a temporary file by default. The model receives the file path and a preview instead of the full output. This applies to all tools, including tools provided by MCP servers. + +To change the limit, set `COPILOT_LARGE_OUTPUT_THRESHOLD_BYTES` to a positive number of UTF-8 bytes before starting the CLI. Increasing the limit leaves less context available for the conversation and subsequent tool calls. + +## Why the context window matters The context window is what gives {% data variables.product.prodname_copilot_short %} its "memory" of your conversation. Everything inside the context window is available for {% data variables.product.prodname_copilot_short %} to reference when responding to you. diff --git a/content/copilot/concepts/agents/copilot-memory.md b/content/copilot/concepts/agents/copilot-memory.md index f797c0ccfef9..7306356cd42b 100644 --- a/content/copilot/concepts/agents/copilot-memory.md +++ b/content/copilot/concepts/agents/copilot-memory.md @@ -39,7 +39,7 @@ Facts and preferences captured by one {% data variables.product.prodname_copilot A few feature-specific limits apply: -* {% data variables.copilot.copilot_cli_short %} only applies stored facts and preferences for the user who initiated the operation. +* {% data variables.copilot.copilot_cli_short %} applies repository-level facts and the user-level preferences of the user who initiated the operation. * {% data variables.copilot.copilot_code-review_short %} uses repository-level facts only. User-level preferences are not applied during code review. ## Benefits of using {% data variables.copilot.copilot_memory %} diff --git a/content/copilot/how-tos/copilot-on-github/set-up-copilot/enable-copilot/set-up-a-dedicated-enterprise-for-copilot-business.md b/content/copilot/how-tos/copilot-on-github/set-up-copilot/enable-copilot/set-up-a-dedicated-enterprise-for-copilot-business.md index a4cc94488870..9d73b89d371a 100644 --- a/content/copilot/how-tos/copilot-on-github/set-up-copilot/enable-copilot/set-up-a-dedicated-enterprise-for-copilot-business.md +++ b/content/copilot/how-tos/copilot-on-github/set-up-copilot/enable-copilot/set-up-a-dedicated-enterprise-for-copilot-business.md @@ -22,7 +22,7 @@ With a dedicated enterprise account, you get enterprise-grade identity provider ## Create an enterprise account -To create an enterprise account, contact {% data variables.product.company_short %}'s [sales team](https://github.com/enterprise/contact?ref_product=copilot&ref_type=purchase). They will provision you with a standard enterprise account with {% data variables.product.prodname_copilot_short %} enabled. +To create an enterprise account, contact {% data variables.product.company_short %}'s [sales team](https://github.com/enterprise/contact?ref_product=copilot&ref_type=purchase&ref_style=text). They will provision you with a standard enterprise account with {% data variables.product.prodname_copilot_short %} enabled. ## Add users to your enterprise diff --git a/content/copilot/reference/copilot-cli-reference/cli-command-reference.md b/content/copilot/reference/copilot-cli-reference/cli-command-reference.md index 71407bd45b82..00e6ea8413a7 100644 --- a/content/copilot/reference/copilot-cli-reference/cli-command-reference.md +++ b/content/copilot/reference/copilot-cli-reference/cli-command-reference.md @@ -465,6 +465,7 @@ copilot --allow-tool='MyMCP' | `COPILOT_GH_HOST` |{% data variables.product.github %} hostname for {% data variables.copilot.copilot_cli_short %} only, overriding `GH_HOST`. Use when `GH_HOST` targets {% data variables.product.prodname_ghe_server %} but {% data variables.product.prodname_copilot_short %} needs to authenticate against {% data variables.product.prodname_dotcom_the_website %} or a {% data variables.product.prodname_ghe_cloud %} hostname. | | `COPILOT_GITHUB_TOKEN` | Authentication token. Takes precedence over `GH_TOKEN` and `GITHUB_TOKEN`. | | `COPILOT_HOME` | Override the configuration and state directory. Default: `$HOME/.copilot`. | +| `COPILOT_LARGE_OUTPUT_THRESHOLD_BYTES` | Maximum UTF-8 byte size for tool output returned directly to the model. Default: `20480` (20 KiB). See [AUTOTITLE](/copilot/concepts/agents/copilot-cli/context-management#managing-large-tool-output). | | `COPILOT_MODEL` | Set the AI model. | | `COPILOT_PROMPT_FRAME` | Set to `1` to enable the decorative UI frame around the input prompt, or `0` to disable it. Overrides the `PROMPT_FRAME` experimental feature flag for the current session. | | `COPILOT_SKILLS_DIRS` | Comma-separated list of additional directories for skills. | diff --git a/content/copilot/tutorials/budgets/getting-started-with-budget-controls.md b/content/copilot/tutorials/budgets/getting-started-with-budget-controls.md index dff17c5c132a..ac8c0466a3d1 100644 --- a/content/copilot/tutorials/budgets/getting-started-with-budget-controls.md +++ b/content/copilot/tutorials/budgets/getting-started-with-budget-controls.md @@ -13,12 +13,6 @@ category: Under usage-based billing, your enterprise's included {% data variables.product.prodname_ai_credits_short %} are pooled and shared across all licensed users. Without budget controls in place, a single heavy user or automated agent session can consume a disproportionate share of the pool early in the billing cycle, leaving less for everyone else. - - -This tutorial walks you through the recommended setup steps in order. Complete them as soon as usage-based billing is available for your enterprise. - - - Before you begin, make sure you understand how the four budget controls work and how the system evaluates them. See [AUTOTITLE](/copilot/concepts/billing/budgets-for-usage-based-billing). diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/disabling-saml-single-sign-on-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/disabling-saml-single-sign-on-for-your-organization.md index cf01059d9027..98a8fd8e44cc 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/disabling-saml-single-sign-on-for-your-organization.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/disabling-saml-single-sign-on-for-your-organization.md @@ -11,6 +11,8 @@ category: After you disable SAML SSO for your organization, all external identities for your organization will be removed. For more information, see [AUTOTITLE](/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization). +{% data reusables.saml.credentials-persist-when-sso-disabled %} + {% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} @@ -18,5 +20,6 @@ After you disable SAML SSO for your organization, all external identities for yo > If you're unable to access the organization because your identity provider (IdP) is unavailable, you can use a recovery code to bypass SSO. For more information, see [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable). {% data reusables.organizations.security %} + 1. Under "SAML single sign-on", deselect **Enable SAML authentication**. 1. Click **Save**. diff --git a/data/reusables/saml/credentials-persist-when-sso-disabled.md b/data/reusables/saml/credentials-persist-when-sso-disabled.md new file mode 100644 index 000000000000..82bc05bb74fc --- /dev/null +++ b/data/reusables/saml/credentials-persist-when-sso-disabled.md @@ -0,0 +1 @@ +Disabling SAML SSO does not delete members' credentials. Their {% data variables.product.pat_generic_plural %}, SSH keys, and existing authorizations for {% data variables.product.prodname_oauth_apps %} and {% data variables.product.prodname_github_apps %} remain valid, and their SSO authorizations are not revoked. If you enable SAML SSO again, members link their identity again the next time they sign in, but do not need to authorize their existing tokens and SSH keys again. diff --git a/src/secret-scanning/data/pattern-docs/fpt/public-docs.yml b/src/secret-scanning/data/pattern-docs/fpt/public-docs.yml index 4b7403ac7573..f0661fc4320e 100644 --- a/src/secret-scanning/data/pattern-docs/fpt/public-docs.yml +++ b/src/secret-scanning/data/pattern-docs/fpt/public-docs.yml @@ -2157,7 +2157,7 @@ isPrivateWithGhas: true hasPushProtection: true hasValidityCheck: true - hasExtendedMetadata: false + hasExtendedMetadata: '{% ifversion ghes %}false{% else %}true{% endif %}' base64Supported: false isduplicate: false - provider: Frame.io @@ -2167,7 +2167,7 @@ isPrivateWithGhas: true hasPushProtection: true hasValidityCheck: true - hasExtendedMetadata: false + hasExtendedMetadata: '{% ifversion ghes %}false{% else %}true{% endif %}' base64Supported: false isduplicate: false - provider: FullStory diff --git a/src/secret-scanning/data/pattern-docs/ghec/public-docs.yml b/src/secret-scanning/data/pattern-docs/ghec/public-docs.yml index 4b7403ac7573..f0661fc4320e 100644 --- a/src/secret-scanning/data/pattern-docs/ghec/public-docs.yml +++ b/src/secret-scanning/data/pattern-docs/ghec/public-docs.yml @@ -2157,7 +2157,7 @@ isPrivateWithGhas: true hasPushProtection: true hasValidityCheck: true - hasExtendedMetadata: false + hasExtendedMetadata: '{% ifversion ghes %}false{% else %}true{% endif %}' base64Supported: false isduplicate: false - provider: Frame.io @@ -2167,7 +2167,7 @@ isPrivateWithGhas: true hasPushProtection: true hasValidityCheck: true - hasExtendedMetadata: false + hasExtendedMetadata: '{% ifversion ghes %}false{% else %}true{% endif %}' base64Supported: false isduplicate: false - provider: FullStory