From 0619ee4b5888774b17c9f083b9ae04593ad2d9c7 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Mon, 13 Jan 2025 09:50:18 +0000 Subject: [PATCH] Create docs to help users run an unsupported trial of GHAS (#53712) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: hubwriter --- ...curity-and-analysis-for-your-enterprise.md | 13 ++ content/code-security/index.md | 1 + .../enable-security-features-trial.md | 72 ++++++++++ .../explore-trial-code-scanning.md | 128 ++++++++++++++++++ .../explore-trial-secret-scanning.md | 69 ++++++++++ .../index.md | 17 +++ .../planning-a-trial-of-ghas.md | 81 +++++++++++ .../code-review/using-copilot-code-review.md | 7 +- .../copilot/code-review/preview-note.md | 6 + ...ecurity-configuration-enterprise-enable.md | 2 +- 10 files changed, 389 insertions(+), 7 deletions(-) create mode 100644 content/code-security/trialing-github-advanced-security/enable-security-features-trial.md create mode 100644 content/code-security/trialing-github-advanced-security/explore-trial-code-scanning.md create mode 100644 content/code-security/trialing-github-advanced-security/explore-trial-secret-scanning.md create mode 100644 content/code-security/trialing-github-advanced-security/index.md create mode 100644 content/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas.md create mode 100644 data/reusables/copilot/code-review/preview-note.md diff --git a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise.md b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise.md index 1cbdf474d747..23c7d3be3123 100644 --- a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise.md 
+++ b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise.md @@ -128,3 +128,16 @@ Across all of your enterprise's organizations, you can allow or disallow people 1. In the "{% data variables.product.prodname_GH_advanced_security %} policies" section, under "AI detection in {% data variables.product.prodname_secret_scanning %}", select the dropdown menu and click a policy. {% endif %} + +{% ifversion code-scanning-autofix %} + +## Enforcing a policy to manage the use of {% data variables.product.prodname_copilot_autofix_short %} in your enterprise's repositories + +Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage where {% data variables.product.prodname_copilot_autofix_short %} is enabled. {% data reusables.advanced-security.ghas-must-be-enabled %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %} +{% data reusables.enterprise-accounts.code-security-and-analysis-policies %} +1. In the "{% data variables.product.prodname_GH_advanced_security %} policies" section, under "{% data variables.product.prodname_copilot_autofix_short %}", select the dropdown menu and click a policy. + +{% endif %} diff --git a/content/code-security/index.md b/content/code-security/index.md index 7484549c0087..a5b708081888 100644 --- a/content/code-security/index.md +++ b/content/code-security/index.md @@ -41,6 +41,7 @@ topics: - Vulnerabilities children: - /getting-started + - /trialing-github-advanced-security - /adopting-github-advanced-security-at-scale - /securing-your-organization - /secret-scanning diff --git a/content/code-security/trialing-github-advanced-security/enable-security-features-trial.md b/content/code-security/trialing-github-advanced-security/enable-security-features-trial.md new file mode 100644 index 000000000000..b5748756526d --- /dev/null 
+++ b/content/code-security/trialing-github-advanced-security/enable-security-features-trial.md 
@@ -0,0 +1,72 @@ +--- +title: Enabling security features in your trial enterprise +shortTitle: Enable security features in trial +allowTitleToDifferFromFilename: true +intro: 'Quickly create an enterprise-level configuration and apply security features across all repositories in your trial enterprise.' +type: quick_start +permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}' +topics: + - Advanced Security +versions: + fpt: '*' + ghec: '*' +--- + +This article assumes that you have planned and then started a trial of {% data variables.product.prodname_GH_advanced_security %}. For more information, see [AUTOTITLE](/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas). + +The aim is to enable all the security features you want to trial quickly, as a starting point for deeper exploration. You should start getting results soon on the repositories in your trial enterprise and you can fine-tune the configuration later. + +## Step 1: Create an enterprise security configuration for your trial goals + +When you planned your trial, you identified the features that you want to test and any enforcement needs. You should create one or more security configurations for your enterprise that enable these features and set any enforcement levels you require. + +1. In the top-right corner of {% data variables.product.prodname_dotcom %}, click your profile photo. +1. Depending on your environment, click **Your enterprise**, or click **Your enterprises** then click your trial enterprise. +{% data reusables.enterprise-accounts.settings-tab %} +1. In the left sidebar, click **Code security** to display the security configurations page. +1. Click **New configuration** to create a new configuration. +1. Give the configuration a meaningful name and description. +1. You will see that most features are already enabled. 
Review the features that are **Not set** and enable any that you want to trial, for example: "Automatic dependency submission." +1. In the "Policy" area, set the "Use as default for newly created repositories" option as needed to define whether or not to apply the configuration to new repositories created in the enterprise. +1. In the "Policy" area, notice that the "Enforce configuration" option is set to **Enforce** so that applying the configuration to a repository enforces all settings apart from any left as "Not set". + > [!TIP] While you are testing {% data variables.product.prodname_GH_advanced_security %}, you may want to change this to **Don't enforce** to allow you to optimize repository settings as needed without modifying security configurations. +1. When you have finished defining the configuration, click **Save configuration**. + +The new enterprise security configuration is now available for use at the enterprise level and also within every organization in the enterprise. + +## Step 2: Apply your enterprise security configuration to repositories + +You can apply an enterprise security configuration either at the enterprise level or at the organization level. The best option for you will depend on whether or not you want to apply the configuration to all repositories in the enterprise, or to a subset of repositories. + +> [!NOTE] Although {% data variables.product.prodname_GH_advanced_security %} is free of charge during trials, you will be charged for any actions minutes that you use. This includes actions minutes used by the default {% data variables.product.prodname_code_scanning %} setup or by any other workflows you run. + +* Enterprise-level application: + * Add an enterprise configuration to all repositories in the enterprise, or all repositories without an existing configuration in the enterprise. 
+* Organization-level application: + * Add an enterprise or an organization configuration to all repositories in the organization, or all repositories without an existing configuration in the organization. + * Add an enterprise or an organization configuration to a subset of repositories in the organization. + +You may find it helpful to apply an enterprise security configuration to all repositories in your enterprise, and then work at the organization-level to select a subset of repositories and apply an alternative security configuration. + +### Enterprise-level application + +1. Open your trial enterprise. +1. In the sidebar, click **Settings** and then **Code security** to display the security configurations page. +1. For the configuration you want to apply, click **Apply to** and choose whether to apply the configuration to all repositories in the enterprise or just to the repositories without an existing security configuration. + +### Organization-level application + +1. Open an organization in your trial enterprise. +1. Click the **Settings** tab to display the organization settings. +1. In the sidebar, click **Code security** and then **Configurations** to display the security configurations page. +1. Optionally, select the **Apply to** dropdown menu and click either **All repositories**, to apply any configuration to all repositories in the organization, or **All repositories without configurations**, to configure just the repositories in the organization without an existing security configuration. +1. Optionally, in the "Apply configurations" section use the "Search repositories" field or **Filter** button to filter repositories. Then select one or more repositories and use the **Apply configuration** button to choose a configuration to apply to those repositories. + +For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). 
+ +## Next steps + +Now that you have enabled the security features you want to test, you are ready to look more deeply into how {% data variables.product.prodname_secret_scanning %} and {% data variables.product.prodname_code_scanning %} protect your code. + +1. [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-secret-scanning) +1. [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-code-scanning) diff --git a/content/code-security/trialing-github-advanced-security/explore-trial-code-scanning.md b/content/code-security/trialing-github-advanced-security/explore-trial-code-scanning.md new file mode 100644 index 000000000000..74ef78e6d8ac --- /dev/null +++ b/content/code-security/trialing-github-advanced-security/explore-trial-code-scanning.md 
@@ -0,0 +1,128 @@ +--- +title: Exploring your enterprise trial of code scanning +shortTitle: Trial code scanning +allowTitleToDifferFromFilename: true +intro: 'Introduction to the features of code and dependency scanning available with {% data variables.product.prodname_GH_advanced_security %} in {% data variables.product.prodname_ghe_cloud %} so you can assess their fit to your business needs.' +type: quick_start +topics: + - Advanced Security +versions: + fpt: '*' + ghec: '*' +--- + +This guide assumes that you have planned and started a trial of {% data variables.product.prodname_GH_advanced_security %} for an existing or trial {% data variables.product.github %} enterprise account, see [AUTOTITLE](/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas). + +## Introduction + +{% data variables.product.prodname_code_scanning_caps %} and dependency analysis work in the same way in public repositories and in private and internal repositories with {% data variables.product.prodname_GH_advanced_security %} enabled. In addition, {% data variables.product.prodname_GH_advanced_security %} enables you to create security campaigns where security specialists and developers can collaborate to effectively reduce technical debt. + +This article focuses on how you can combine these features with enterprise-level controls to standardize and enforce your development process. + +### Refine your security configurations + +In contrast to {% data variables.product.prodname_secret_scanning %}, where a single security configuration is typically applied to all repositories, you probably want to fine-tune the configuration of {% data variables.product.prodname_code_scanning %} for different types of repositories. 
For example, you might need to create additional configurations so that: + +* {% data variables.product.prodname_code_scanning_caps %} uses runners with a specific label to apply to repositories that require a specialized environment or that use private registeries. +* {% data variables.product.prodname_code_scanning_caps %} is "Not set" to apply to repositories that need to use advanced setup or that require a third-party tool. + +For your trial, it's simplest to create a primary enterprise-level security configuration and apply it to your test repositories. Then you can create any additional security configurations you need and apply them to a subset of repositories selected using code language, custom property, visibility, and other filter options. For more information, see [AUTOTITLE](/code-security/trialing-github-advanced-security/enable-security-features-trial) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). + +### Provide access to view results of {% data variables.product.prodname_code_scanning %} + +By default, only the repository administrator and the organization owner can view all {% data variables.product.prodname_code_scanning %} alerts in their area. You should assign the predefined security manager role to all organization teams and users who you want to access the alerts found during the trial. You may also want to give the enterprise account owner this role for each organization in the trial. For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization) and [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role). 
+ +## Evaluate and refine results from the default setup + +The default setup for {% data variables.product.prodname_code_scanning %} runs a set of high confidence queries. These are chosen to ensure that, when you roll out {% data variables.product.prodname_code_scanning %} across your whole codebase, developers see a limited set of high quality results, with few false positive results. + +You can see a summary of any results found in the organizations in your trial enterprise in the **Code security** tab for the enterprise. There are also separate views for each type of security alert, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights). + +If you don't see the results you expect for {% data variables.product.prodname_code_scanning %}, you can update default setup to run an extended query suite for repositories where you expected to find more results. This is controlled at the repository level, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup). + +> [!TIP] +> If you are blocked from editing the repository settings for {% data variables.product.prodname_code_scanning %}, edit the security configuration used by the repository so that settings are not enforced. + +If the extended suite still fails to find the results you expect, you may need to enable advanced setup so you can customize the analysis fully. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page) and [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning). 
+ +## Enforce automated analysis of pull requests + +There are three different types of automated analysis of pull requests built into {% data variables.product.github %}: + +* **{% data variables.product.prodname_code_scanning_caps %} analysis** uses queries to highlight known bad coding patterns and security vulnerabilities. {% data variables.product.prodname_copilot_autofix_short %} suggests fixes to problems identified by {% data variables.product.prodname_code_scanning %}. +* **Dependency review** summarizes the dependency changes made by the pull request and highlights any dependencies with known vulnerabilities or that do not meet your development standards. +* **{% data variables.product.prodname_copilot_short %} code review** uses AI to provide feedback on your changes with suggested fixes where possible. + +These automated reviews are a valuable extension to self-review and make it easier for developers to present a more complete and secure pull request for peer review. In addition, {% data variables.product.prodname_code_scanning %} and dependency reviews can be enforced to protect the security and compliance of your code. + +> [!NOTE] +> {% data variables.product.prodname_copilot_autofix %} is included in the license for {% data variables.product.prodname_GH_advanced_security %}. {% data variables.product.prodname_copilot_short %} code review requires a paid {% data variables.product.prodname_copilot_short %} plan. + +### {% data variables.product.prodname_code_scanning_caps %} analysis + +When {% data variables.product.prodname_code_scanning %} is enabled, you can then block merges into important branches unless the pull request meets your requirements by creating a code ruleset for the enterprise or organization. Typically, you would require that results from {% data variables.product.prodname_code_scanning %} are present and that any important alerts are resolved. + +* **Type of ruleset:** Branch. 
+* **Require {% data variables.product.prodname_code_scanning %} results:** Enable to block merging until results are successfully generated for the commit and the reference the pull request targets. +* **Required tools and alert thresholds:** Define the level of alerts that must be resolved before a pull request can be merged for each {% data variables.product.prodname_code_scanning %} tool you use. + +As with all rulesets, you can control exactly which organizations (enterprise-level), repositories, and branches it acts on and also define roles or teams who can bypass the rule. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). + +### Dependency review + +When {% data variables.product.prodname_GH_advanced_security %} and dependency graph are enabled for a repository, manifest files have a rich diff view which shows a summary of the dependencies that it adds or updates. This is a useful summary for human reviewers of the pull request but does not provide any control of which dependencies are added to the codebase. + +Most enterprises put automatic checks in place to block the use of dependencies with known vulnerabilities or unsupported license terms. + +1. Create a private repository to serve as a central home where you can store reusable workflows for the enterprise. +1. Edit the actions settings for the repository to allow all private repositories in the enterprise to access workflows in this central repository, see [Allowing access to components in a private repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository). +1. 
In the central repository, create a reusable workflow to run the dependency review action, configuring the action to meet your business needs, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action). +1. In each organization, create or update branch rulesets to add the new workflow to the required status checks, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization). + +This allows you to update the configuration in a single location, but use the workflow in many repositories. You may want to use this central repository to maintain other workflows. For more information, see [AUTOTITLE](/actions/sharing-automations/reusing-workflows). + +### {% data variables.product.prodname_copilot_short %} review + +{% data reusables.copilot.code-review.preview-note %} + +By default, users request a review from {% data variables.product.prodname_copilot_short %} in the same way as they do from human reviewers. However, you can update or create an organization-level branch ruleset to automatically add {% data variables.product.prodname_copilot_short %} as a reviewer to all pull requests made to selected branches in all or selected repositories. For more information, see [AUTOTITLE](/copilot/using-github-copilot/code-review/using-copilot-code-review#enabling-automatic-reviews-from-copilot). + +{% data variables.product.prodname_copilot_short %} leaves a review comment on each pull request it reviews, without approving the pull request or requesting changes. This ensures that its review is advisory and will not block development work. 
Similarly, you should not enforce the resolution of suggestions made by {% data variables.product.prodname_copilot_short %} because AI suggestions have known limitations, see [AUTOTITLE](/copilot/responsible-use-of-github-copilot-features/responsible-use-of-github-copilot-code-review#limitations-of-github-copilot-code-review). + +## Define where {% data variables.product.prodname_copilot_autofix_short %} is allowed and enabled + +{% data variables.product.prodname_copilot_autofix_short %} helps developers understand and fix {% data variables.product.prodname_code_scanning %} alerts found in their pull requests. We recommend that you enable this feature for all repositories to help developers resolve alerts efficiently and increase their understanding of secure coding. + +There are two levels of control: + +* Enterprises can allow or block use of {% data variables.product.prodname_copilot_autofix_short %} throughout the enterprise using the "Code security" policy, see: [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). +* Organizations can enable or disable {% data variables.product.prodname_copilot_autofix_short %} for all organization-owned repositories in the "Global settings" for the organization, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization). + +## Engage developers in security remediation + +Security campaigns provide a way for security teams to engage with developers to remediate security technical debt. They also provide a practical way to combine education in secure coding with examples of vulnerable code in code that your developers are familar with. 
For more information, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns) and [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale). + +## Provide a secure development environment + +The development environment has many components. Some of the most useful features for scaling and standardizing a secure development environment in {% data variables.product.github %} are: + +* **Security configurations:** define the setup of security features for the enterprise, an organization, a subset of organization repositories, or new repositories, see [Refine your security configurations](#refine-your-security-configurations). +* **Policies:** protect and control use of resources for the enterprise or an organization, see [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise). +* **Rulesets:** protect and control branches, tags, and pushes for an organization, a subset of organization repositories, or a repository, see [AUTOTITLE](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization). +* **Repository templates:** define the security workflows and processes needed for each type of environment, see [AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-template-repository). For example, each template might contain a specialized: + * Security policy file defining the company's security stance and how to report any security concerns. + * Workflow to enable {% data variables.product.prodname_dependabot_version_updates %} for package managers used by the company. + * Workflow defining advanced setup for {% data variables.product.prodname_code_scanning %} for supported development languages where the default setup results are not enough. + +In addition, when a developer creates a repository from a template they must define the value of any required custom properties. 
Custom properties are very useful for selecting a subset of repositories that you want to apply configurations, policies, or rulesets to, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/managing-custom-properties-for-repositories-in-your-enterprise). + +## Next steps + +When you have finished exploring these options and {% data variables.product.prodname_secret_scanning %} features, you are ready to test your discoveries so far against your business needs, and then explore further. + +## Further reading + +* [AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) +* [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise) +* [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/governing-how-people-use-repositories-in-your-enterprise) +* [Enforce {% data variables.product.prodname_GH_advanced_security %} at Scale](https://wellarchitected.github.com/library/application-security/scenarios-and-recommendations/enforce-ghas-at-scale/) diff --git a/content/code-security/trialing-github-advanced-security/explore-trial-secret-scanning.md b/content/code-security/trialing-github-advanced-security/explore-trial-secret-scanning.md new file mode 100644 index 000000000000..4364e09ec01c --- /dev/null +++ b/content/code-security/trialing-github-advanced-security/explore-trial-secret-scanning.md 
@@ -0,0 +1,69 @@ +--- +title: Exploring your enterprise trial of secret scanning +shortTitle: Trial secret scanning +allowTitleToDifferFromFilename: true +intro: 'Introduction to the features of {% data variables.product.prodname_secret_scanning %} available with {% data variables.product.prodname_GH_advanced_security %} in {% data variables.product.prodname_ghe_cloud %} so you can assess their fit to your business needs.' +type: quick_start +topics: + - Advanced Security +versions: + fpt: '*' + ghec: '*' +--- + +This guide assumes that you have planned and started a trial of {% data variables.product.prodname_GH_advanced_security %} for an existing or trial {% data variables.product.github %} enterprise account, see [AUTOTITLE](/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas). + +## Introduction + +{% data variables.product.prodname_secret_scanning_caps %} features work the same way in private and internal repositories with {% data variables.product.prodname_GH_advanced_security %} enabled as they do in all public repositories. This article focuses on the additional functionality that you can use to protect your business from security leaks when you use {% data variables.product.prodname_GH_advanced_security %}, that is: + +* Identify additional access tokens you use. +* Detect potential passwords using AI. +* Control and audit the bypass process for push protection. +* Enable validity checks for exposed tokens. + +### Security configuration for {% data variables.product.prodname_secret_scanning %} + +Most enterprises choose to enable {% data variables.product.prodname_secret_scanning %} and push protection across all their repositories by applying security configurations with these features enabled. This ensures that repositories are checked for access tokens that have already been added to {% data variables.product.github %}, in addition to flagging when users are about to leak tokens in {% data variables.product.github %}. 
For information about creating an enterprise-level security configuration and applying it to your test repositories, see [AUTOTITLE](/code-security/trialing-github-advanced-security/enable-security-features-trial). + +### Provide access to view the results of {% data variables.product.prodname_secret_scanning %} + +By default, only the repository administrator and the organization owner can view all {% data variables.product.prodname_secret_scanning %} alerts in their area. You should assign the predefined security manager role to all organization teams and users who you want to access the alerts found during the trial. You may also want to give the enterprise account owner this role for each organization in the trial. For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization). + +You can see a summary of any results found in the organizations in your trial enterprise in the **Code security** tab for the enterprise. There are also separate views for each type of security alert, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights). + +## Identify additional access tokens + +You can create custom patterns to identify additional access tokens at the repository, organization, and enterprise level. In most cases, you should define custom patterns at the enterprise level because this will ensure that the patterns are used across the whole enterprise. It will also make them easy to maintain if you need to update a pattern when the format for a token changes. + +Once you have created and published custom patterns, both {% data variables.product.prodname_secret_scanning %} and push protection automatically include the new patterns in all scans. 
For detailed information about creating custom patterns, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning). + +## Use AI to detect potential passwords + +At the enterprise level you have full control over whether or not to allow the use of AI to detect secrets that cannot be identified using regular expressions (also known as generic secrets or as non-provider patterns). + +* Turn the feature on or off for the whole enterprise. +* Set a policy to block control of the feature at the organization and repository level. +* Set a policy to allow organization owners or repository administrators to control the feature. + +Similar to custom patterns, if you enable AI detection both {% data variables.product.prodname_secret_scanning %} and push protection automatically start using AI detection in all scans. For information about enterprise-level control, see [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise) and [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). + +## Control and audit the bypass process + +When push protection blocks a push to {% data variables.product.github %} in a public repository without {% data variables.product.prodname_GH_advanced_security %}, the user has two simple options: bypass the control, or remove the highlighted content from the branch and its history. If they chose to bypass push protection, a {% data variables.product.prodname_secret_scanning %} alert is automatically created. This allows developers to rapidly unblock their work while still providing an audit trail for the content identified by {% data variables.product.prodname_secret_scanning %}. 
+ +Larger teams usually want to maintain tighter control over the potential publication of access tokens and other secrets. With {% data variables.product.prodname_GH_advanced_security %}, you can define a reviewers group to approve requests to bypass push protection, reducing the risk of a developer accidentally leaking a token that is still active. Reviewers are defined in an organization-level security configuration or in the settings for a repository. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection). + +## Enable validity checks + +You can enable validity checks to check whether detected tokens are still active at the repository, organization, and enterprise level. Generally, it is worth enabling this feature across the whole enterprise using enterprise or organization-level security configurations. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository). + +## Next steps + +When you have enabled the additional controls for {% data variables.product.prodname_secret_scanning %} available with {% data variables.product.prodname_GH_advanced_security %}, you're ready to test them against your business needs, and explore further. You may also be ready to look into trialing {% data variables.product.prodname_code_scanning %}. + +* [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-code-scanning) + +## Further reading + +* [Enforce {% data variables.product.prodname_GH_advanced_security %} at Scale](https://wellarchitected.github.com/library/application-security/scenarios-and-recommendations/enforce-ghas-at-scale/) 
diff --git a/content/code-security/trialing-github-advanced-security/index.md b/content/code-security/trialing-github-advanced-security/index.md new file mode 100644 index 000000000000..d971eb17952b --- /dev/null +++ b/content/code-security/trialing-github-advanced-security/index.md @@ -0,0 +1,17 @@ +--- +title: Trialing GitHub Advanced Security +shortTitle: Trial GitHub Advanced Security +intro: 'Learn how to get the most out of your trial of GitHub Advanced Security.' +product: '{% data reusables.gated-features.ghas %}' +versions: + fpt: '*' + ghec: '*' +topics: + - Enterprise + - Advanced Security +children: + - /planning-a-trial-of-ghas + - /enable-security-features-trial + - /explore-trial-secret-scanning + - /explore-trial-code-scanning +--- diff --git a/content/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas.md b/content/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas.md new file mode 100644 index 000000000000..e33a0002a2d8 --- /dev/null +++ b/content/code-security/trialing-github-advanced-security/planning-a-trial-of-ghas.md 
@@ -0,0 +1,81 @@ +--- +title: 'Planning a trial of GitHub Advanced Security' +shortTitle: 'Plan GHAS trial' +allowTitleToDifferFromFilename: true +intro: 'Ensure that your trial gives you the answers you need to make a decision on whether or not {% data variables.product.prodname_GH_advanced_security %} meets your business needs.' +type: overview +topics: + - Advanced Security +versions: + fpt: '*' + ghec: '*' +--- + +## About trialing {% data variables.product.prodname_GH_advanced_security %} + +You can trial {% data variables.product.prodname_GH_advanced_security %} independently, or working with an expert from {% data variables.product.github %} or a partner organization. The primary audience for these articles is people who will plan and run their trial independently, typically small and medium-sized organizations. + +> [!NOTE] Although {% data variables.product.prodname_GH_advanced_security %} is free of charge during trials, you will be charged for any actions minutes that you use. That is, actions minutes used by the {% data variables.product.prodname_code_scanning %} default setup or by any other workflows you run. + +### Existing {% data variables.product.prodname_ghe_cloud %} users + +{% data reusables.advanced-security.ghas-trial-availability %} For more information, see [AUTOTITLE](/enterprise-cloud@latest/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/setting-up-a-trial-of-github-advanced-security#setting-up-your-trial-of-github-advanced-security){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}. + +{% data reusables.advanced-security.ghas-trial-invoiced %} + +### Users on other GitHub plans + +You can trial {% data variables.product.prodname_GH_advanced_security %} as part of a trial of {% data variables.product.prodname_ghe_cloud %}. 
For more information, see [AUTOTITLE](/admin/overview/setting-up-a-trial-of-github-enterprise-cloud){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}. + +### When the trial ends + +You can end your trial at any time by purchasing {% data variables.product.prodname_GH_advanced_security %}, and {% data variables.product.prodname_enterprise %} if you don't already use it, or by canceling the trial. For more information, see [What happens when the trial ends?](/enterprise-cloud@latest/admin/overview/setting-up-a-trial-of-github-enterprise-cloud#what-happens-when-the-trial-ends){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}. + +## Define your company goals + +Before you start a trial of {% data variables.product.prodname_GH_advanced_security %}, you should define the purpose of the trial and identify the key questions you need to answer. Maintaining a strong focus on these goals will enable you to plan a trial that maximizes discovery and ensures that you have the information needed to decide whether or not to upgrade. + +If your company already uses {% data variables.product.github %}, consider what needs are currently unmet that {% data variables.product.prodname_GH_advanced_security %} might address. You should also consider your current application security posture and longer term aims. For inspiration, see [Design Principles for Application security](https://wellarchitected.github.com/library/application-security/design-principles/) in the {% data variables.product.github %} well-architected documentation. 
+ +{% rowheaders %} + +| Example need | Features to explore during the trial | +|--|--| +| Enforce use of security features | Enterprise-level security configurations and policies, see [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/about-security-configurations) and [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/about-enterprise-policies) | +| Protect custom access tokens | Custom patterns for {% data variables.product.prodname_secret_scanning %}, delegated bypass for push protection, and validity checks, see [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-secret-scanning) | +| Define and enforce a development process | Dependency review, auto-triage rules, rulesets, and policies, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review), [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules), [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets), and [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/about-enterprise-policies) | +| Reduce technical debt at scale | {% data variables.product.prodname_code_scanning_caps %} and security campaigns, see [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-code-scanning) | +| Monitor and track trends in security risks | Security overview, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights) | + +{% endrowheaders %} + +If your company doesn't use {% data variables.product.github %} yet, you are likely to have additional questions including how the platform handles data residency, secure account management, and repository migration. For more information, see [AUTOTITLE](/get-started/onboarding/getting-started-with-github-enterprise-cloud). 
+ +## Identify the members of your trial team + +{% data variables.product.prodname_GH_advanced_security %} enables you to integrate security measures throughout the software development life cycle, so it's important to ensure that you include representatives from all areas of your development cycle. Otherwise you risk making a decision without having all the data you need. A trial includes 50 licenses which provides scope for representation from a wider range of people. + +You may also find it helpful to identify a champion for each company need that you want to investigate. + +## Determine whether preliminary research is needed + +If members of your trial team have not yet used the core features of {% data variables.product.prodname_GH_advanced_security %}, it may be helpful to add an experimentation phase in public repositories before you start a trial. Many of the primary features of {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %} can be used on public repositories. Having a good understanding of the core features will allow you to focus your trial period on private repositories, and exploring the additional features and control available with {% data variables.product.prodname_GH_advanced_security %}. + +For more information, see [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning), [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security), and [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning). + +## Agree the organizations and repositories to test + +Generally it is best to use an existing organization for a trial. This ensures that you can trial the features in repositories you know well and that accurately represent your coding environment. Once you start the trial, you may want to create additional organizations with test code to expand your explorations. 
+ +Be aware that deliberately insecure applications, such as WebGoat, may contain coding patterns that appear to be insecure, but which {% data variables.product.prodname_code_scanning %} determines cannot be exploited. {% data variables.product.prodname_code_scanning_caps %} typically generates fewer results for artificially insecure codebases than other static application security scanners. + +## Define the assessment criteria for the trial + +For each company need or goal that you identify, determine what criteria you will measure to determine whether it is successfully met or not. For example, if one need is to enforce the use of security features, you might define a range of test cases for security configurations and policies to give you confidence that they enforce processes as you expect. + +## Next steps + +1. [AUTOTITLE](/admin/overview/setting-up-a-trial-of-github-enterprise-cloud) +1. [AUTOTITLE](/code-security/trialing-github-advanced-security/enable-security-features-trial) +1. [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-secret-scanning) +1. [AUTOTITLE](/code-security/trialing-github-advanced-security/explore-trial-code-scanning) diff --git a/content/copilot/using-github-copilot/code-review/using-copilot-code-review.md b/content/copilot/using-github-copilot/code-review/using-copilot-code-review.md index 196156325e07..82d7c1f7b030 100644 --- a/content/copilot/using-github-copilot/code-review/using-copilot-code-review.md +++ b/content/copilot/using-github-copilot/code-review/using-copilot-code-review.md 
@@ -14,12 +14,7 @@ redirect_from: - /early-access/copilot/code-reviews/using-copilot-code-reviews --- -> [!NOTE] -> -> * {% data variables.copilot.copilot_code-review %} is in {% data variables.release-phases.public_preview %} and subject to change. -> * To participate in the {% data variables.release-phases.public_preview %}, an administrator of your {% ifversion ghec %}enterprise or{% endif %} organization must opt in to the use of previews of {% data variables.product.prodname_copilot_short %} features. See {% ifversion ghec %}[AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/managing-policies-and-features-for-copilot-in-your-enterprise#copilot-in-githubcom) and{% endif %} [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-policies-for-copilot-in-your-organization#enabling-copilot-features-in-your-organization). -> * Some functionality is available to all enabled {% data variables.product.prodname_copilot_short %} subscribers, but other functionality is only available to a limited number of users. To join the waitlist for additional functionality, see [Join the {% data variables.copilot.copilot_code-review_short %} waitlist](https://gh.io/copilot-code-review-waitlist). -> * The [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-pre-release-license-terms) apply to your use of this product. +{% data reusables.copilot.code-review.preview-note %} ## About {% data variables.copilot.copilot_code-review_short %} diff --git a/data/reusables/copilot/code-review/preview-note.md b/data/reusables/copilot/code-review/preview-note.md new file mode 100644 index 000000000000..a65f6f1b291c --- /dev/null +++ b/data/reusables/copilot/code-review/preview-note.md 
@@ -0,0 +1,6 @@ +> [!NOTE] +> +> * {% data variables.copilot.copilot_code-review %} is in {% data variables.release-phases.public_preview %} and subject to change. +> * To participate in the {% data variables.release-phases.public_preview %}, an administrator of your {% ifversion ghec %}enterprise or{% endif %} organization must opt in to the use of previews of {% data variables.product.prodname_copilot_short %} features. See {% ifversion ghec %}[AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/managing-policies-and-features-for-copilot-in-your-enterprise#copilot-in-githubcom) and{% endif %} [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-policies-for-copilot-in-your-organization#enabling-copilot-features-in-your-organization). +> * Some functionality is available to all enabled {% data variables.product.prodname_copilot_short %} subscribers, but other functionality is only available to a limited number of users. To join the waitlist for additional functionality, see [Join the {% data variables.copilot.copilot_code-review_short %} waitlist](https://gh.io/copilot-code-review-waitlist). +> * The [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-pre-release-license-terms) apply to your use of this product. diff --git a/data/reusables/permissions/security-configuration-enterprise-enable.md b/data/reusables/permissions/security-configuration-enterprise-enable.md index 5fd5f7261566..af1afb07165f 100644 --- a/data/reusables/permissions/security-configuration-enterprise-enable.md +++ b/data/reusables/permissions/security-configuration-enterprise-enable.md @@ -1 +1 @@ -{% ifversion ghec %}Enterprise owners and members with the **admin** role{% else %}Site administrators{% endif %} +{% ifversion fpt or ghec %}Enterprise owners and members with the **admin** role{% else %}Site administrators{% endif %}
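Review bot: In the explore-trial-secret-scanning.md hunk, the "Control and audit the bypass process" paragraph has a tense slip: "If they chose to bypass push protection, a ... alert is automatically created" should read "If they choose to bypass push protection". In the same hunk, the "Enable validity checks" section advises enabling the feature "across the whole enterprise using enterprise or organization-level security configurations" but links only to the repository-level article (enabling-validity-checks-for-your-repository); consider also linking [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/about-security-configurations), which the planning article already references, so readers who follow the recommendation land on the enterprise-level instructions.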
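Review bot: In the planning-a-trial-of-ghas.md hunk, the sentence "A trial includes 50 licenses which provides scope for representation from a wider range of people" has a subject-verb mismatch; suggest "A trial includes 50 licenses, which gives you scope to include a wider range of people." Two smaller style points in the same hunk: the note's second sentence "That is, actions minutes used by the ... default setup or by any other workflows you run." is a fragment and reads better folded into the first sentence ("...you will be charged for any actions minutes that you use, for example minutes used by the ... default setup or by any other workflows you run."), and the heading "### Users on other GitHub plans" spells out the product name where the rest of the file uses {% data variables.product.github %}.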