From 0610fd1a0606dd5118b6c2629e55c8b70924683d Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Mon, 23 Sep 2024 08:40:46 +0100 Subject: [PATCH 1/7] Remove redundant versioning for dependency graph (part 9) (#52380) --- .../about-the-github-advisory-database.md | 12 ++++++------ .../about-the-dependency-graph.md | 11 ----------- .../dependabot/dependabot-alerts-dependency-scope.md | 2 -- 3 files changed, 6 insertions(+), 19 deletions(-) diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md index 8efe8f6daca7..91803c8ed693 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md 
@@ -39,18 +39,18 @@ In contrast, malicious software, or malware, is code that is intentionally desig Generally, we name our supported ecosystems after the software programming language's associated package registry. We review advisories if they are for a vulnerability in a package that comes from a supported registry. -* Composer (registry: https://packagist.org/){% ifversion GH-advisory-db-erlang-support %} -* Erlang (registry: https://hex.pm/){% endif %} +* Composer (registry: https://packagist.org/) +* Erlang (registry: https://hex.pm/) * Go (registry: https://pkg.go.dev/) * GitHub Actions (https://github.com/marketplace?type=actions/) * Maven (registry: https://repo.maven.apache.org/maven2) * npm (registry: https://www.npmjs.com/) * NuGet (registry: https://www.nuget.org/) -* pip (registry: https://pypi.org/){% ifversion dependency-graph-dart-support %} -* pub (registry: https://pub.dev/packages/registry){% endif %} +* pip (registry: https://pypi.org/) +* pub (registry: https://pub.dev/packages/registry) * RubyGems (registry: https://rubygems.org/) -* Rust (registry: https://crates.io/){% ifversion supply-chain-features-swift-support %} -* Swift (registry: N/A){% endif %} +* Rust (registry: https://crates.io/) +* Swift (registry: N/A) If you have a suggestion for a new ecosystem we should support, please open an [issue](https://github.com/github/advisory-database/issues) for discussion. diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md index 962ae5dc9d1c..162ff98063cc 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md 
@@ -75,14 +75,10 @@ The recommended formats explicitly define which versions are used for all direct | Package manager | Languages | Recommended formats | All supported formats | | --- | --- | --- | ---| -| {% ifversion dependency-graph-rust-support %} | | Cargo | Rust | `Cargo.lock` | `Cargo.toml`, `Cargo.lock` | -| {% endif %} | | Composer | PHP | `composer.lock` | `composer.json`, `composer.lock` | | NuGet | .NET languages (C#, F#, VB), C++ | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj` | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj`, `packages.config` | -| {% ifversion github-actions-in-dependency-graph %} | | {% data variables.product.prodname_actions %} workflows | YAML | `.yml`, `.yaml` | `.yml`, `.yaml` | -| {% endif %} | | Go modules | Go | `go.mod`| `go.mod` | | Maven | Java, Scala | `pom.xml` | `pom.xml` | | npm | JavaScript | `package-lock.json` | `package-lock.json`, `package.json`| @@ -90,14 +86,10 @@ The recommended formats explicitly define which versions are used for all direct | {% ifversion dependabot-dependency-graph-pnpm %} | | pnpm | JavaScript | `pnpm-lock.yaml` | `package.json`, `pnpm-lock.yaml` | | {% endif %} | -| {% ifversion dependency-graph-dart-support %} | | pub | Dart | `pubspec.lock` | `pubspec.yaml`, `pubspec.lock` | -| {% endif %} | | Python Poetry | Python | `poetry.lock` | `poetry.lock`, `pyproject.toml` | | RubyGems | Ruby | `Gemfile.lock` | `Gemfile.lock`, `Gemfile`, `*.gemspec` | -| {% ifversion supply-chain-features-swift-support %} | | Swift Package Manager | Swift | `Package.resolved` | `Package.resolved` | -| {% endif %} | | Yarn | JavaScript | `yarn.lock` | `package.json`, `yarn.lock` | {% note %} 
@@ -106,11 +98,8 @@ The recommended formats explicitly define which versions are used for all direct * If you list your Python dependencies within a `setup.py` file, we may not be able to parse and list every dependency in your project. -{% ifversion github-actions-in-dependency-graph %} * {% data variables.product.prodname_actions %} workflows must be located in the `.github/workflows/` directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax `jobs[*].steps[*].uses` or `jobs..uses` will be parsed as dependencies. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)." -{% endif %} - * {% data reusables.dependabot.dependabot-alert-actions-semver %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)" and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." {% endnote %} diff --git a/data/reusables/dependabot/dependabot-alerts-dependency-scope.md b/data/reusables/dependabot/dependabot-alerts-dependency-scope.md index 276e17bebd5f..e87166741607 100644 --- a/data/reusables/dependabot/dependabot-alerts-dependency-scope.md +++ b/data/reusables/dependabot/dependabot-alerts-dependency-scope.md 
@@ -2,10 +2,8 @@ The table below summarizes whether dependency scope is supported for various eco | **Language** | **Ecosystem** | **Manifest file** | **Dependency scope supported** | |:---|:---:|:---:|:---| -| {% ifversion dependency-graph-dart-support %} | | Dart | pub | pubspec.yaml | {% octicon "check" aria-label="Supported" %} | | Dart | pub | pubspec.lock | {% octicon "check" aria-label="Supported" %} | -| {% endif %} | | Go | Go modules | go.mod | No, defaults to runtime | | Java | Maven | pom.xml | {% octicon "check" aria-label="Supported" %} `test` maps to development, else scope defaults to runtime | | JavaScript | npm | package.json | {% octicon "check" aria-label="Supported" %} | From d47c46efabfed5151c1812efba36d3659570814a Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Mon, 23 Sep 2024 08:46:53 +0100 Subject: [PATCH 2/7] Remove references to dependency-review-action-configuration (part 10) (#52381) --- .../about-dependency-review.md | 2 -- .../reviewing-dependency-changes-in-a-pull-request.md | 2 -- 2 files changed, 4 deletions(-) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md index 24305bef9717..cf3e10ef930f 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md 
@@ -61,9 +61,7 @@ The action uses the dependency review REST API to get the diff of dependency cha {% data reusables.dependency-review.works-with-submission-api-beta %} -{% ifversion dependency-review-action-configuration %} You can configure the {% data variables.dependency-review.action_name %} to better suit your needs. For example, you can specify the severity level that will make the action fail{% ifversion dependency-review-action-licenses %}, or set an allow or deny list for licenses to scan{% endif %}. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)." -{% endif %} {% endif %} diff --git a/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md b/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md index 1ea882d158ac..0422bf5b5936 100644 --- a/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md +++ b/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md 
@@ -33,9 +33,7 @@ Dependency review allows you to "shift left". You can use the provided predictiv You can use the {% data variables.dependency-review.action_name %} to help enforce dependency reviews on pull requests in your repository. {% data reusables.dependency-review.dependency-review-action-overview %} -{% ifversion dependency-review-action-configuration %} You can configure the {% data variables.dependency-review.action_name %} to better suit your needs by specifying the type of dependency vulnerability you wish to catch. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)." -{% endif %} ## Reviewing dependencies in a pull request From 69e71c1cff594f2015eca8e9a1dadf99c495d430 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Mon, 23 Sep 2024 09:09:32 +0100 Subject: [PATCH 3/7] Remove references to ghas-for-azure-devops (part 11) (#52382) --- .../preparing-your-code-for-codeql-analysis.md | 2 -- .../learning-about-github/about-github-advanced-security.md | 2 -- data/reusables/advanced-security/ghas-for-azdo-link.md | 3 +-- data/reusables/gated-features/ghas-ghec.md | 2 +- data/reusables/gated-features/ghas.md | 2 +- 5 files changed, 3 insertions(+), 8 deletions(-) diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis.md index 95fc4a901be0..e413f395c75e 100644 --- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis.md +++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis.md 
@@ -386,13 +386,11 @@ Once you have created a {% data variables.product.prodname_codeql %} database us ### Example of creating a {% data variables.product.prodname_codeql %} database using indirect build tracing -{% ifversion ghas-for-azure-devops %} {% note %} **Note:** If you use Azure DevOps pipelines, the simplest way to create a {% data variables.product.prodname_codeql %} database is to use {% data variables.product.prodname_ghas_azdo %}. For documentation, see [Configure {% data variables.product.prodname_ghas_azdo %}](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features) in Microsoft Learn. {% endnote %} -{% endif %} The following example shows how you could use indirect build tracing in an Azure DevOps pipeline to create a {% data variables.product.prodname_codeql %} database: diff --git a/content/get-started/learning-about-github/about-github-advanced-security.md b/content/get-started/learning-about-github/about-github-advanced-security.md index 656ca67fb1cb..46c0bcb17b21 100644 --- a/content/get-started/learning-about-github/about-github-advanced-security.md +++ b/content/get-started/learning-about-github/about-github-advanced-security.md 
@@ -22,13 +22,11 @@ shortTitle: GitHub Advanced Security {% ifversion ghes %}For information about buying a license for {% data variables.product.prodname_GH_advanced_security %}, see "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)."{% elsif ghec %}For information about buying a license for {% data variables.product.prodname_GH_advanced_security %}, see "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/signing-up-for-github-advanced-security)."{% elsif fpt %}To purchase a {% data variables.product.prodname_GH_advanced_security %} license, you must be using {% data variables.product.prodname_enterprise %}. For information about upgrading to {% data variables.product.prodname_enterprise %} with {% data variables.product.prodname_GH_advanced_security %}, see "[AUTOTITLE](/get-started/learning-about-github/githubs-plans)" and "[AUTOTITLE](/billing/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)."{% endif %} -{% ifversion ghas-for-azure-devops %} {% note %} **Note:** If you want to use {% data variables.product.prodname_GH_advanced_security %} with Azure Repos, see [{% data variables.product.prodname_GH_advanced_security %} & Azure DevOps](https://resources.github.com/ghazdo/) in our resources site. For documentation, see [Configure {% data variables.product.prodname_ghas_azdo %}](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features) in Microsoft Learn. {% endnote %} -{% endif %} ## About {% data variables.product.prodname_advanced_security %} features diff --git a/data/reusables/advanced-security/ghas-for-azdo-link.md b/data/reusables/advanced-security/ghas-for-azdo-link.md index b889fa1be95b..54c3fb155322 100644 --- a/data/reusables/advanced-security/ghas-for-azdo-link.md +++ b/data/reusables/advanced-security/ghas-for-azdo-link.md 
@@ -1,2 +1 @@ -{% ifversion ghas-for-azure-devops %}For information about {% data variables.product.prodname_ghas_azdo %}, see [Configure {% data variables.product.prodname_ghas_azdo %}](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features) in Microsoft Learn. -{% endif %} +For information about {% data variables.product.prodname_ghas_azdo %}, see [Configure {% data variables.product.prodname_ghas_azdo %}](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features) in Microsoft Learn. diff --git a/data/reusables/gated-features/ghas-ghec.md b/data/reusables/gated-features/ghas-ghec.md index d8a91c01565c..c490a5f9f720 100644 --- a/data/reusables/gated-features/ghas-ghec.md +++ b/data/reusables/gated-features/ghas-ghec.md @@ -1,3 +1,3 @@ -{% data variables.product.prodname_GH_advanced_security %} is available for enterprise accounts on {% data variables.product.prodname_ghe_cloud %}.{% ifversion fpt or ghec %} Some features of {% data variables.product.prodname_GH_advanced_security %} are also available for public repositories on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/get-started/learning-about-github/githubs-plans)."{% endif %}{% ifversion ghas-for-azure-devops %}

{% endif %} +{% data variables.product.prodname_GH_advanced_security %} is available for enterprise accounts on {% data variables.product.prodname_ghe_cloud %}.{% ifversion fpt or ghec %} Some features of {% data variables.product.prodname_GH_advanced_security %} are also available for public repositories on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/get-started/learning-about-github/githubs-plans)."{% endif %} {% data reusables.advanced-security.ghas-for-azdo-link %} diff --git a/data/reusables/gated-features/ghas.md b/data/reusables/gated-features/ghas.md index c450ecae940b..a67b1d5c0776 100644 --- a/data/reusables/gated-features/ghas.md +++ b/data/reusables/gated-features/ghas.md @@ -1,3 +1,3 @@ {% data variables.product.prodname_GH_advanced_security %} is available for enterprise accounts on {% data variables.product.prodname_ghe_cloud %} and {% data variables.product.prodname_ghe_server %}.{% ifversion fpt or ghec %} Some features of {% data variables.product.prodname_GH_advanced_security %} are also available for public repositories on {% data variables.product.prodname_dotcom %}.{% endif %} For more information, see "[AUTOTITLE](/get-started/learning-about-github/githubs-plans)." -{% ifversion ghas-for-azure-devops %}

{% endif %} + {% data reusables.advanced-security.ghas-for-azdo-link %} From 7c3dc08aff682ca14a9785a1416aa85299ee2a50 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Mon, 23 Sep 2024 09:29:30 +0100 Subject: [PATCH 4/7] Remove references to dependabot-updates-rebase-30-days-cutoff (part 12) (#52383) --- .../about-dependabot-version-updates.md | 2 +- ...guration-options-for-the-dependabot.yml-file.md | 14 +------------- ...anaging-pull-requests-for-dependency-updates.md | 2 +- 3 files changed, 3 insertions(+), 15 deletions(-) diff --git a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md index 11101ecb7465..7f813273919d 100644 --- a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md @@ -62,7 +62,7 @@ If you've enabled security updates, you'll sometimes see extra pull requests for {% data reusables.dependabot.automatically-pause-dependabot-updates %} -{% ifversion dependabot-updates-rebase-30-days-cutoff %}{% data variables.product.prodname_dependabot %} also stops rebasing pull requests for version and security updates after 30 days, reducing notifications for inactive {% data variables.product.prodname_dependabot %} pull requests.{% endif %} +{% data variables.product.prodname_dependabot %} also stops rebasing pull requests for version and security updates after 30 days, reducing notifications for inactive {% data variables.product.prodname_dependabot %} pull requests. ## About notifications for {% data variables.product.prodname_dependabot %} version updates 
diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md index 4ca16b766df8..36dd7123cf24 100644 --- a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md +++ b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md @@ -738,14 +738,11 @@ updates: By default, {% data variables.product.prodname_dependabot %} automatically rebases open pull requests when it detects any changes to the pull request. Use `rebase-strategy` to disable this behavior. -{% ifversion dependabot-updates-rebase-30-days-cutoff %} - {% note %} **Note:** {% data reusables.dependabot.pull-requests-30-days-cutoff %} {% endnote %} -{% endif %} Available rebase strategies 
@@ -758,20 +755,11 @@ When `rebase-strategy` is set to `auto`, {% data variables.product.prodname_depe * When you change the value of `target-branch` in the {% data variables.product.prodname_dependabot %} configuration file. For more information about this field, see "[`target-branch`](#target-branch)." * When {% data variables.product.prodname_dependabot %} detects that a {% data variables.product.prodname_dependabot %} pull request is in conflict after a recent push to the target branch. -{% ifversion dependabot-updates-rebase-30-days-cutoff %} -{% else %} -{% note %} - -**Note:** {% data variables.product.prodname_dependabot %} will keep rebasing a pull request indefinitely until the pull request is closed, merged or you disable {% data variables.product.prodname_dependabot_updates %}. - -{% endnote %} -{% endif %} - When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests. {% note %} -**Note:** This behavior only applies to pull requests that go into conflict with the target branch. {% data variables.product.prodname_dependabot %} will keep rebasing {% ifversion dependabot-updates-rebase-30-days-cutoff %}(until 30 days after opening){% endif %} pull requests opened prior to the `rebase-strategy` setting being changed, and pull requests that are part of a scheduled run. +**Note:** This behavior only applies to pull requests that go into conflict with the target branch. {% data variables.product.prodname_dependabot %} will keep rebasing (until 30 days after opening) pull requests opened prior to the `rebase-strategy` setting being changed, and pull requests that are part of a scheduled run. {% endnote %} diff --git a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md index 3e2e4ce789ff..cea9c0047a57 100644 
--- a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md +++ b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md @@ -47,7 +47,7 @@ If you have many dependencies to manage, you may want to customize the configura ## Changing the rebase strategy for {% data variables.product.prodname_dependabot %} pull requests -By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% ifversion dependabot-updates-rebase-30-days-cutoff %}{% data reusables.dependabot.pull-requests-30-days-cutoff %}{% endif %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy)." +By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy)." ## Allowing {% data variables.product.prodname_dependabot %} to rebase and force push over extra commits From 251eda0b8445737c5a50934ff26a93689dfb1d9c Mon Sep 17 00:00:00 2001 
From: Felicity Chapman Date: Mon, 23 Sep 2024 09:44:57 +0100 Subject: [PATCH 5/7] Remove references to GH-advisory-db-supports-malware (part 13) (#52384) --- .../dependabot-alerts/about-dependabot-alerts.md | 2 +- ...ing-the-detection-of-vulnerable-dependencies.md | 2 +- .../about-global-security-advisories.md | 14 ++------------ .../about-the-github-advisory-database.md | 14 +++----------- ...y-advisories-in-the-github-advisory-database.md | 12 +++++------- ...y-advisories-in-the-github-advisory-database.md | 3 +-- .../about-supply-chain-security.md | 2 +- data/learning-tracks/code-security.yml | 3 +-- .../advisory-database/beta-malware-advisories.md | 4 ++-- .../dependabot/no-dependabot-alerts-for-malware.md | 4 ---- data/reusables/security/displayed-information.md | 4 ++-- 11 files changed, 19 insertions(+), 45 deletions(-) diff --git a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md index 2623f5015ad9..6b193119a29f 100644 --- a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md 
@@ -25,7 +25,7 @@ shortTitle: Dependabot alerts {% data variables.product.prodname_dependabot_alerts %} tell you when your code depends on a package that is insecure. Often, software is built using open-source code packages from a large variety of sources. The complex relationships between these dependencies, and the ease with which malicious actors can insert malware into upstream code, mean that you may unknowingly be using dependencies that have security flaws, also known as vulnerabilities. -If your code depends on a package with a security vulnerability, this can cause a range of problems for your project or the people who use it. Using a vulnerable package makes you a soft target for malicious users looking to exploit your system. For example, they may seek to get access to your code and data from your customers or contributors. You should upgrade to a secure version of the package as soon as possible.{% ifversion GH-advisory-db-supports-malware %} If your code uses malware, you need to replace the package with a secure alternative.{% endif %} +If your code depends on a package with a security vulnerability, this can cause a range of problems for your project or the people who use it. Using a vulnerable package makes you a soft target for malicious users looking to exploit your system. For example, they may seek to get access to your code and data from your customers or contributors. You should upgrade to a secure version of the package as soon as possible. If your code uses malware, you need to replace the package with a secure alternative. {% data reusables.dependabot.no-dependabot-alerts-for-malware %} diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md index 63b7b2cf8250..e4a04320f423 100644 
--- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md +++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md 
@@ -29,7 +29,7 @@ topics: {% data variables.product.prodname_dotcom %} generates and displays dependency data differently than other tools. Consequently, if you've been using another tool to identify dependencies you will almost certainly see different results. Consider the following: -* {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} and malware{% endif %}. It's a free, curated database of security advisories for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. {% data reusables.security-advisory.link-browsing-advisory-db %} +* {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies and malware. It's a free, curated database of security advisories for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. {% data reusables.security-advisory.link-browsing-advisory-db %} * The dependency graph parses all known package manifest files in a user’s repository. 
For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)" and "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)." * {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new advisory is added, it scans all existing repositories and generates an alert for each repository that is affected. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per advisory. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." * {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)." 
diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md index 9dee62e94fff..746d6e1364b3 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md @@ -19,9 +19,9 @@ redirect_from: {% ifversion fpt or ghec %}There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."{% endif %} -Global security advisories are grouped into these categories: {% data variables.product.company_short %}-reviewed advisories,{% ifversion GH-advisory-db-supports-malware %} unreviewed advisories, and malware advisories{% else %} and unreviewed advisories{% endif %}. +Global security advisories are grouped into these categories: {% data variables.product.company_short %}-reviewed advisories, unreviewed advisories, and malware advisories. * {% data reusables.advisory-database.github-reviewed-overview %} -* {% data reusables.advisory-database.unreviewed-overview %}{% ifversion GH-advisory-db-supports-malware %} +* {% data reusables.advisory-database.unreviewed-overview %} * {% data reusables.advisory-database.malware-overview %} {% note %} 
@@ -30,16 +30,6 @@ Global security advisories are grouped into these categories: {% data variables. {% endnote %} -{% else %} - -{% note %} - -**Note:** {% data variables.product.prodname_dependabot %} doesn't generate {% data variables.product.prodname_dependabot_alerts %} for unreviewed advisories. - -{% endnote %} - -{% endif %} - For more information about the {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database)." {% data reusables.security-advisory.global-advisories %} diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md index 91803c8ed693..87dfca5d0d1f 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md 
@@ -1,6 +1,6 @@
 ---
 title: About the GitHub Advisory database
-intro: 'The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities {% ifversion GH-advisory-db-supports-malware %}and malware, grouped in three categories: {% data variables.product.company_short %}-reviewed advisories, unreviewed advisories, and malware advisories.{% else %} grouped in two categories: {% data variables.product.company_short %}-reviewed advisories and unreviewed advisories.{% endif %}'
+intro: 'The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities and malware, grouped in three categories: {% data variables.product.company_short %}-reviewed advisories, unreviewed advisories, and malware advisories.'
 versions:
   fpt: '*'
   ghec: '*'
@@ -23,16 +23,12 @@ Security advisories are published as JSON files in the Open Source Vulnerability
 
 ## About types of security advisories
 
-Each advisory in the {% data variables.product.prodname_advisory_database %} is for a vulnerability in open source projects{% ifversion GH-advisory-db-supports-malware %} or for malicious open source software{% endif %}.
+Each advisory in the {% data variables.product.prodname_advisory_database %} is for a vulnerability in open source projects or for malicious open source software.
 
 {% data reusables.repositories.a-vulnerability-is %} Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available.
 
-{% ifversion GH-advisory-db-supports-malware %}
-
 In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency.
 
-{% endif %}
-
 ### {% data variables.product.company_short %}-reviewed advisories
 
 {% data reusables.advisory-database.github-reviewed-overview %}
@@ -62,8 +58,6 @@ If you enable {% data variables.product.prodname_dependabot_alerts %} for your r
 
 {% data variables.product.prodname_dependabot %} doesn't create {% data variables.product.prodname_dependabot_alerts %} for unreviewed advisories as this type of advisory isn't checked for validity or completion.
 
-{% ifversion GH-advisory-db-supports-malware %}
-
 ### Malware advisories
 
 {% data reusables.advisory-database.beta-malware-advisories %}
@@ -74,8 +68,6 @@ If you enable {% data variables.product.prodname_dependabot_alerts %} for your r
 
 Our malware advisories are mostly about substitution attacks. During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. {% data variables.product.prodname_dependabot %} doesn’t look at project configurations to determine if the packages are coming from a private registry, so we aren't sure if you're using the malicious version or a non-malicious version. Users who have their dependencies appropriately scoped should not be affected by malware.
 
-{% endif %}
-
 ## About information in security advisories
 
 In this section, you can find more detailed information about security advisories in the {% data variables.product.prodname_advisory_database %}, such as:
@@ -101,7 +93,7 @@ You can validate a GHSA ID using a regular expression.
 
 ### About CVSS levels
 
-Each security advisory contains information about the vulnerability{% ifversion GH-advisory-db-supports-malware %} or malware,{% endif %} which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "[National Vulnerability Database](https://nvd.nist.gov/)" from the National Institute of Standards and Technology.
+Each security advisory contains information about the vulnerability or malware, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "[National Vulnerability Database](https://nvd.nist.gov/)" from the National Institute of Standards and Technology.
 
 The severity level is one of four possible levels defined in the "[Common Vulnerability Scoring System (CVSS), Section 5](https://www.first.org/cvss/specification-document)."
 * Low
diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md
index 4bf871cd1167..2975b7c3c233 100644
--- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md
+++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md
@@ -36,9 +36,9 @@ You can access any advisory in the {% data variables.product.prodname_advisory_d {% endnote %} -1. Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. {% ifversion GH-advisory-db-supports-malware %}To show malware advisories, use `type:malware` in the search bar.{% endif %} +1. Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar. -The database is also accessible using the GraphQL API. {% ifversion GH-advisory-db-supports-malware %}By default, queries will return {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities unless you specify `type:malware`.{% endif %} For more information, see the "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#security_advisory)." +The database is also accessible using the GraphQL API. By default, queries will return {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities unless you specify `type:malware`. For more information, see the "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#security_advisory)." {% ifversion security-advisories-rest-api %} Additionally, you can access the {% data variables.product.prodname_advisory_database %} using the REST API. For more information, see "[AUTOTITLE](/rest/security-advisories/global-advisories)."{% endif %} 
@@ -58,9 +58,7 @@ You can search the database, and use qualifiers to narrow your search. For examp
 | Qualifier | Example |
 | ---------- | ------- |
 | `type:reviewed`| [**type:reviewed**](https://github.com/advisories?query=type%3Areviewed) will show {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. |
-| {% ifversion GH-advisory-db-supports-malware %} |
 | `type:malware` | [**type:malware**](https://github.com/advisories?query=type%3Amalware) will show malware advisories. |
-| {% endif %} |
 | `type:unreviewed`| [**type:unreviewed**](https://github.com/advisories?query=type%3Aunreviewed) will show unreviewed advisories. |
 | `GHSA-ID`| [**GHSA-49wp-qq6x-g2rf**](https://github.com/advisories?query=GHSA-49wp-qq6x-g2rf) will show the advisory with this {% data variables.product.prodname_advisory_database %} ID. |
 | `CVE-ID`| [**CVE-2020-28482**](https://github.com/advisories?query=CVE-2020-28482) will show the advisory with this CVE ID number. |
@@ -81,7 +79,7 @@ A `GHSA-ID` qualifier is a unique ID that we at {% data variables.product.prodna
 
 ## Viewing your vulnerable repositories
 
-For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts)."
+For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability or malware. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts)."
 
 1. Navigate to https://github.com/advisories.
 1. Click an advisory.
@@ -105,7 +103,7 @@ You can use your local advisory database to check whether a specific security vu **Note:** Only reviewed advisories will be listed. Unreviewed advisories can be viewed in the {% data variables.product.prodname_advisory_database %} on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Accessing an advisory in the GitHub Advisory Database](#accessing-an-advisory-in-the-github-advisory-database)". {% endnote %} -1. Click an advisory to view details.{% ifversion GH-advisory-db-supports-malware %} By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar.{% endif %} +1. Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar. You can also suggest improvements to any advisory directly from your local advisory database. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database#editing-advisories-from-your-github-enterprise-server-instance)". 
@@ -113,7 +111,7 @@ You can also suggest improvements to any advisory directly from your local advis
 
 {% data reusables.repositories.enable-security-alerts %}
 
-In the local advisory database, you can see which repositories are affected by each security vulnerability{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts)."
+In the local advisory database, you can see which repositories are affected by each security vulnerability or malware. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts)."
 
 1. Navigate to `https://HOSTNAME/advisories`.
 1. Click an advisory.
diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database.md
index 6051382afdcd..744f63e9db8e 100644
--- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database.md
+++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database.md
@@ -35,9 +35,8 @@ Only repository owners and administrators can edit repository-level security adv
 1. Navigate to https://github.com/advisories.
 1. Select the security advisory you would like to contribute to.
 1. On the right-hand side of the page, click the **Suggest improvements for this vulnerability** link.
-1. In the "Improve security advisory" form, make the desired improvements. You can edit or add any detail.{% ifversion fpt or ghec %} For information about correctly specifying information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)."{% endif %}{% ifversion security-advisories-reason-for-change %}
+1. In the "Improve security advisory" form, make the desired improvements. You can edit or add any detail.{% ifversion fpt or ghec %} For information about correctly specifying information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)."{% endif %}
 1. Under **Reason for change**, explain why you want to make this improvement. If you include links to supporting material this will help our reviewers.
-{% endif %}
 1. When you finish editing the advisory, click **Submit improvements**.
 1. Once you submit your improvements, a pull request containing your changes will be created for review in [github/advisory-database](https://github.com/github/advisory-database) by the {% data variables.product.prodname_security %} curation team. If the advisory originated from a {% data variables.product.prodname_dotcom %} repository, we will also tag the original publisher for optional commentary. You can view the pull request and get notifications when it is updated or closed.
 
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
index 60a35375f417..1a7c1945c0d7 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
@@ -25,7 +25,7 @@ When developing a software project, you likely use other software to build and r
 
 Your supply chain can pose a security problem. If one of your dependencies has a known security weakness or a bug, malicious actors could exploit this vulnerability to, for example, insert malicious code ("malware"), steal sensitive data, or cause some other type of disruption to your project. This type of threat is called a "supply chain attack". Having vulnerable dependencies in your supply chain compromises the security of your own project, and you put your users at risk, too.
 
-One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} and replace any malware{% endif %}.
+One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.
 
 You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively, that is, even if you don’t specify a particular dependency, but a dependency of yours uses it, then you’re also dependent on that dependency.
 
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 1f5d26db59e5..e729c5089c09 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -39,8 +39,7 @@ security_advisories: dependabot_alerts: title: Get notifications for insecure dependencies description: >- - Set up Dependabot to alert you to new vulnerabilities{% ifversion - GH-advisory-db-supports-malware %} or malware{% endif %} in your + Set up Dependabot to alert you to new vulnerabilities or malware in your dependencies. guides: - /code-security/dependabot/dependabot-alerts/about-dependabot-alerts diff --git a/data/reusables/advisory-database/beta-malware-advisories.md b/data/reusables/advisory-database/beta-malware-advisories.md index 3c274857bbcf..94fc49a4c6fa 100644 --- a/data/reusables/advisory-database/beta-malware-advisories.md +++ b/data/reusables/advisory-database/beta-malware-advisories.md @@ -1,5 +1,5 @@ -{% ifversion GH-advisory-db-supports-malware %}{% note %} +{% note %} **Note:** Advisories for malware are currently in beta and subject to change. -{% endnote %}{% endif %} +{% endnote %} diff --git a/data/reusables/dependabot/no-dependabot-alerts-for-malware.md b/data/reusables/dependabot/no-dependabot-alerts-for-malware.md index 95bfbf3f27a9..4e9dbd18721a 100644 --- a/data/reusables/dependabot/no-dependabot-alerts-for-malware.md +++ b/data/reusables/dependabot/no-dependabot-alerts-for-malware.md @@ -1,5 +1 @@ -{% ifversion GH-advisory-db-supports-malware %} - {% data variables.product.prodname_dependabot %} doesn't generate {% data variables.product.prodname_dependabot_alerts %} for malware. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#malware-advisories)." - -{% endif %} diff --git a/data/reusables/security/displayed-information.md b/data/reusables/security/displayed-information.md index 82f9bee0138e..329557ce3687 100644 --- a/data/reusables/security/displayed-information.md +++ b/data/reusables/security/displayed-information.md 
@@ -1,8 +1,8 @@ When you enable one or more security and analysis features for existing repositories, you will see any results displayed on {% data variables.product.prodname_dotcom %} within minutes: * All the existing repositories will have the selected configuration. -* New repositories will follow the selected configuration if you've enabled the checkbox for new repositories.{% ifversion GH-advisory-db-supports-malware %} +* New repositories will follow the selected configuration if you've enabled the checkbox for new repositories. * We use the permissions to scan for manifest files to apply the relevant services. * If enabled, you'll see dependency information in the dependency graph. -* If enabled, {% data variables.product.prodname_dotcom %} will generate {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies or malware.{% endif %} +* If enabled, {% data variables.product.prodname_dotcom %} will generate {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies or malware. * If enabled, {% data variables.product.prodname_dependabot %} security updates will create pull requests to upgrade vulnerable dependencies when {% data variables.product.prodname_dependabot_alerts %} are triggered. From a5c70aa95b8692af861accda5877db241215abdd Mon Sep 17 00:00:00 2001 From: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Date: Mon, 23 Sep 2024 09:48:28 +0100 Subject: [PATCH 6/7] Remove redundant secret scanning versioning (TO BE MERGED AFTER 3.10 IS DEPRECATED) (#52360) --- .../secret-scanning/introduction/about-secret-scanning.md | 2 +- .../evaluating-alerts.md | 8 ++------ .../troubleshooting-secret-scanning.md | 4 ---- 3 files changed, 3 insertions(+), 11 deletions(-) diff --git a/content/code-security/secret-scanning/introduction/about-secret-scanning.md b/content/code-security/secret-scanning/introduction/about-secret-scanning.md index e0ca7ca894f3..3b8147990214 100644 
--- a/content/code-security/secret-scanning/introduction/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/introduction/about-secret-scanning.md
@@ -24,7 +24,7 @@ shortTitle: Secret scanning
 
 {% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in repositories for known types of secrets and alerts repository administrators upon detection.
 
-{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full Git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %}
+{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data variables.product.prodname_dotcom %} will also periodically run a full Git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.
 
 {% data reusables.secret-scanning.what-is-scanned %}
 
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index b733dcd5fe1c..ebd81acfb836 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -22,8 +22,8 @@ allowTitleToDifferFromFilename: true There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can: * Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %} -* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %} -* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %}{% ifversion secret-scanning-multi-repo-public-leak %} +* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %} +* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% ifversion secret-scanning-multi-repo-public-leak %} * Review the labels assigned to the alert. For more information, see "[Reviewing alert labels](#reviewing-alert-labels)."{% endif %} ## Checking a secret's validity 
@@ -68,8 +68,6 @@ Once you have enabled validity checks for partner patterns for your repository,
 
 {% endif %}
 
-{% ifversion secret-scanning-github-token-metadata %}
-
 ## Reviewing {% data variables.product.company_short %} token metadata
 
 > [!NOTE]
@@ -94,8 +92,6 @@ Tokens, like {% data variables.product.pat_generic %} and other credentials, are
 
 {% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %}
 
-{% endif %}
-
 {% ifversion secret-scanning-multi-repo-public-leak %}
 
 ## Reviewing alert labels
diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
index aa572adac2df..554728e9dc17 100644
--- a/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
+++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning.md
@@ -24,14 +24,10 @@ redirect_from:
 
 Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
 
-{% ifversion secret-scanning-validity-check %}
-
 ## About legacy GitHub tokens
 
 For {% data variables.product.prodname_dotcom %} tokens, we check the validity of the secret to determine whether the secret is active or inactive. This means that for legacy tokens, {% data variables.product.prodname_secret_scanning %} won't detect a {% data variables.product.prodname_ghe_server %} {% data variables.product.pat_generic %} on {% data variables.product.prodname_ghe_cloud %}. Similarly, a {% data variables.product.prodname_ghe_cloud %} {% data variables.product.pat_generic %} won't be found on {% data variables.product.prodname_ghe_server %}.
 
-{% endif %}
-
 ## Push protection limitations
 
 If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."

From f1e837f2084bb67e069ac8652c909565d6e87c7d Mon Sep 17 00:00:00 2001
From: Felicity Chapman
Date: Mon, 23 Sep 2024 10:05:37 +0100
Subject: [PATCH 7/7] Remove references to redundant security overview versions (part 14) (#52385)

---
 .../security-overview/assessing-code-security-risk.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/code-security/security-overview/assessing-code-security-risk.md b/content/code-security/security-overview/assessing-code-security-risk.md
index e722aad442fa..7c62405ff0a4 100644
--- a/content/code-security/security-overview/assessing-code-security-risk.md
+++ b/content/code-security/security-overview/assessing-code-security-risk.md @@ -80,7 +80,7 @@ You can view data for security alerts across organizations in an enterprise. {% {% data reusables.enterprise-accounts.access-enterprise-on-dotcom %} {% data reusables.code-scanning.click-code-security-enterprise %} -{% ifversion security-overview-feature-specific-alert-page %}{% ifversion security-overview-org-risk-coverage-enterprise %} +{% ifversion security-overview-org-risk-coverage-enterprise %} 1. To display the "Security coverage" view, in the sidebar, click **Risk**. {% data reusables.code-scanning.using-security-overview-risk %} @@ -88,6 +88,5 @@ You can view data for security alerts across organizations in an enterprise. {% {% else %} {% data reusables.organizations.security-overview-feature-specific-page %}{% endif %} -{% endif %} {% data reusables.security-overview.alert-differences %}