Merge branch 'main' into Remove-periods-from-list-in-developing-in-a-…

…codespace#about-development-with-github-codespaces#34947
github · Oct 17, 2024 · dcefd49 · dcefd49
2 parents 12d72fe + ae02d76
commit dcefd49
Show file tree

Hide file tree

Showing 40 changed files with 126 additions and 81 deletions.
diff --git a/.github/workflows/azure-prod-build-deploy.yml b/.github/workflows/azure-prod-build-deploy.yml
@@ -119,7 +119,7 @@ jobs:
 
       - name: 'Apply updated docker-compose.prod.yaml config to canary slot'
         run: |
-          az webapp config container set --multicontainer-config-type COMPOSE --multicontainer-config-file docker-compose.prod.yaml --slot ${{ env.SLOT_NAME }} -n ${{ env.APP_SERVICE_NAME }} -g ${{ env.RESOURCE_GROUP_NAME }}
+          az webapp config container set --multicontainer-config-type COMPOSE --multicontainer-config-file docker-compose.prod.yaml --slot ${{ env.SLOT_NAME }} -n ${{ env.APP_SERVICE_NAME }} -g ${{ env.RESOURCE_GROUP_NAME }} --container-registry-url ${{ secrets.PROD_REGISTRY_SERVER }} --container-registry-user ${{ env.ACR_TOKEN_NAME }} --container-registry-password ${{ env.ACR_TOKEN_VALUE }}
 
       # Watch canary slot instances to see when all the instances are ready
       - name: Check that canary slot is ready

diff --git a/...ding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md b/...ding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md
@@ -32,7 +32,7 @@ With {% data variables.product.prodname_emus %}, you can control the user accoun
 
 {% data variables.enterprise.prodname_managed_users_caps %}:
 
-* Cannot install {% data variables.product.prodname_github_apps %} on their user accounts.
+* Cannot install {% data variables.product.prodname_github_apps %} on their user accounts, unless the app is an internal app. See "[AUTOTITLE](/apps/using-github-apps/internal-github-apps)."
 * Can install {% data variables.product.prodname_github_apps %} on a repository if the app doesn't request organization permissions and if the {% data variables.enterprise.prodname_managed_user %} has admin access to the repository.
 * Can install {% data variables.product.prodname_github_apps %} on an organization if the {% data variables.enterprise.prodname_managed_user %} is an organization owner.
 * Can purchase and install paid {% data variables.product.prodname_github_apps %} only if the {% data variables.enterprise.prodname_managed_user %} is an enterprise owner.

diff --git a/content/apps/using-github-apps/internal-github-apps.md b/content/apps/using-github-apps/internal-github-apps.md
@@ -10,7 +10,7 @@ shortTitle: Internal apps
 
 Some {% data variables.product.prodname_github_apps %} are internal apps. These apps are owned by {% data variables.product.company_short %} and are granted special capabilities. For example, users can authorize these apps and use them to access data from an organization without requiring approval by the organization.
 
-Some of these internal apps are automatically included with {% data variables.product.company_short %} and do not require user authorization. These apps will not appear in your list of authorized {% data variables.product.prodname_github_apps %} or in your list of installed {% data variables.product.prodname_github_apps %}.
+Some of these internal apps are automatically included with {% data variables.product.company_short %} and do not require user authorization. These apps will not appear in your list of authorized {% data variables.product.prodname_github_apps %} or in your list of installed {% data variables.product.prodname_github_apps %}.{% ifversion ghec %}{% data variables.product.prodname_emus %} are allowed to install these internal apps on their user account, while standard, unprivileged apps cannot be installed on {% data variables.product.prodname_emus %} user accounts.{% endif %}
 
 These internal apps will appear in the user security log, but will not appear in organization{% ifversion ghes or ghec %} or enterprise{% endif %} audit logs. {% ifversion ghes or ghec %}For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log)," "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)", and "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise)."{% else %}For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)."{% endif %}
 

diff --git a/...g/managing-the-plan-for-your-github-account/connecting-an-azure-subscription.md b/...g/managing-the-plan-for-your-github-account/connecting-an-azure-subscription.md
@@ -74,6 +74,8 @@ For example, you link your Azure subscription to your organization {% ifversion
 
   * Alternatively, before following the instructions in this article, users who are not able to provide tenant-wide admin consent can work with an Azure AD global administrator to configure an admin consent workflow. See [User and admin consent in Azure Active Directory](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview#admin-consent-workflow) in Microsoft Docs.
 
+     >[!NOTE] If your tenant provides user consent settings, users included in those settings might not require admin consent to install {% data variables.product.company_short %}'s Subscription Permission Validation app. See [User consent](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview#user-consent) in Microsoft Docs.
+
 * To select an Azure subscription from the list of available subscriptions, the user must be an owner of the Azure subscription. See [Assign a user as an administrator of an Azure subscription](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal-subscription-admin) in Microsoft docs.
 
 * You must know your Azure subscription ID. See [Get subscription and tenant IDs in the Azure portal](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id) in the Microsoft Docs or [contact Azure support](https://azure.microsoft.com/support/).

diff --git a/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md b/content/code-security/secret-scanning/enabling-secret-scanning-features/index.md
@@ -1,6 +1,6 @@
 ---
 title: Enabling secret scanning features
-shortTitle: Enable secret scanning features
+shortTitle: Enable features
 allowTitleToDifferFromFilename: true
 intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} to detect secrets that are already visible in a repository, as well as push protection to proactively secure you against leaking additional secrets by blocking pushes containing secrets.'
 product: '{% data reusables.gated-features.secret-scanning %}'

diff --git a/...ent/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md b/...ent/code-security/secret-scanning/managing-alerts-from-secret-scanning/index.md
@@ -16,7 +16,7 @@ topics:
   - Advanced Security
   - Alerts
   - Repositories
-shortTitle: Managing alerts
+shortTitle: Manage alerts
 children:
   - /about-alerts
   - /viewing-alerts

diff --git a/...ty/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md b/...ty/secret-scanning/troubleshooting-secret-scanning-and-push-protection/index.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshooting secret scanning and push protection
-shortTitle: Troubleshoot secret scanning
+shortTitle: Troubleshoot
 intro: 'If you have problems with {% data variables.product.prodname_secret_scanning %} or push protection, you can use these tips to help resolve issues.'
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:

diff --git a/...egated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/...egated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md
@@ -10,27 +10,33 @@ topics:
   - Advanced Security
   - Alerts
   - Repositories
-shortTitle: Delegated bypass
+shortTitle: About delegated bypass
 ---
 
 ## About delegated bypass for push protection
 
 {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
 
-{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
+By default, when push protection is enabled for a repository, anyone with write access can still push a secret to the repository, provided that they specify a reason for bypassing push protection.
 
-When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, only specific roles and teams can bypass push protection. All other contributors are instead obligated to make a request for "bypass privileges", which is sent to a designated group of reviewers who either approve or deny the request to bypass push protection.
+With delegated bypass for push protection, you can:
 
-If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
+* **Choose** which individuals, roles, and teams can bypass push protection.
+* Introduce a **review and approval** cycle for pushes containing secrets from all other contributors.
 
-To configure delegated bypass, organization owners or repository administrators must change the "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}" setting in the UI from **Anyone with write access** to **Specific roles and teams**.
+{% ifversion push-protection-delegated-bypass-file-upload-support %}Delegated bypass applies to files created, edited, and uploaded on {% data variables.product.prodname_dotcom %}.{% endif %}
 
-Organization owners or repository administrators are then prompted to create a "bypass list". The bypass list comprises the specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)."
+To set up delegated bypass, organization owners or repository administrators create a list of users with bypass privileges. This designated list of users can then:
+* Bypass push protection, by specifying a reason for bypassing the block.
+* Manage (approve or deny) bypass requests coming from all other contributors. These requests are located in the "Push protection bypass" page in the **Security** tab of the repository.
 
-{% ifversion push-protection-bypass-fine-grained-permissions %} Alternatively, instead of creating a bypass list, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions. For more information, see "[Using fine-grained permissions to control who can review and manage bypass requests](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests)."{% endif %}
+The following types of users can always bypass push protection without having to request bypass privileges:
+* Organization owners
+* Security managers
+* Users in teams, default roles, or custom roles that have been added to the bypass list.{% ifversion push-protection-bypass-fine-grained-permissions %}
+* Users who are assigned (either directly or via a team) a custom role with the "review and manage secret scanning bypass requests" fine-grained permission.{% endif %}
 
-Members {% ifversion push-protection-bypass-fine-grained-permissions %}with permission to review (approve or deny) bypass requests can manage these {% else %}of the bypass list can review and manage {% endif %}requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)."
+## Next steps
 
-{% data reusables.secret-scanning.push-protection-delegated-bypass-note %}
-
-For information about enabling delegated bypass, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"
+* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)"
diff --git a/...ning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/...ning-and-push-protection-features/delegated-bypass-for-push-protection/index.md
@@ -6,7 +6,7 @@ intro: 'You can control the ability to bypass push protection by setting up a re
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
   fpt: '*'
-  ghes: '*'
+  ghes: '>=3.14'
   ghec: '*'
 topics:
   - Secret scanning

diff --git a/content/code-security/security-overview/about-security-overview.md b/content/code-security/security-overview/about-security-overview.md
@@ -1,7 +1,6 @@
 ---
 title: About security overview
 intro: 'You can gain insights into the overall security landscape of your organization or enterprise and identify repositories that require intervention using security overview.'
-permissions: '{% data reusables.security-overview.permissions %}'
 product: '{% data reusables.gated-features.security-overview %}'
 redirect_from:
   - /code-security/security-overview/exploring-security-alerts