diff --git a/assets/images/help/organizations/security-and-analysis-disable-or-enable-all.png b/assets/images/help/organizations/security-and-analysis-disable-or-enable-all.png index a09eb6581fb8..80f95c37a473 100644 Binary files a/assets/images/help/organizations/security-and-analysis-disable-or-enable-all.png and b/assets/images/help/organizations/security-and-analysis-disable-or-enable-all.png differ diff --git a/assets/images/help/organizations/security-and-analysis-enable-or-disable-feature-checkbox.png b/assets/images/help/organizations/security-and-analysis-enable-or-disable-feature-checkbox.png index f0fea298c5a6..6b01311f0e70 100644 Binary files a/assets/images/help/organizations/security-and-analysis-enable-or-disable-feature-checkbox.png and b/assets/images/help/organizations/security-and-analysis-enable-or-disable-feature-checkbox.png differ diff --git a/assets/images/help/repository/security-and-analysis-security-alerts-person-or-team-search.png b/assets/images/help/repository/security-and-analysis-security-alerts-person-or-team-search.png index 8a376966ec2f..d61cf4c9c102 100644 Binary files a/assets/images/help/repository/security-and-analysis-security-alerts-person-or-team-search.png and b/assets/images/help/repository/security-and-analysis-security-alerts-person-or-team-search.png differ diff --git a/assets/images/help/repository/security-and-analysis-security-alerts-save-changes.png b/assets/images/help/repository/security-and-analysis-security-alerts-save-changes.png index 6d41a941eb32..1805e3ff12e8 100644 Binary files a/assets/images/help/repository/security-and-analysis-security-alerts-save-changes.png and b/assets/images/help/repository/security-and-analysis-security-alerts-save-changes.png differ diff --git a/assets/images/help/repository/security-and-analysis-security-alerts-username-x.png b/assets/images/help/repository/security-and-analysis-security-alerts-username-x.png index a66f674c55c0..85298bdee4d7 100644 Binary files a/assets/images/help/repository/security-and-analysis-security-alerts-username-x.png and b/assets/images/help/repository/security-and-analysis-security-alerts-username-x.png differ diff --git a/content/github/administering-a-repository/about-secret-scanning.md b/content/github/administering-a-repository/about-secret-scanning.md index 125f7333aa1b..5a1e1c486b5a 100644 --- a/content/github/administering-a-repository/about-secret-scanning.md +++ b/content/github/administering-a-repository/about-secret-scanning.md @@ -18,6 +18,8 @@ Service providers can partner with {% data variables.product.company_short %} to ### About {% data variables.product.prodname_secret_scanning %} for public repositories + {% data variables.product.prodname_secret_scanning_caps %} is automatically enabled on public repositories, where it scans code for secrets, to check for known secret formats. When a match of your secret format is found in a public repository, {% data variables.product.company_short %} doesn't publicly disclose the information as an alert, but instead sends a payload to an HTTP endpoint of your choice. For an overview of how secret scanning works on public repositories, see "[Secret scanning](/developers/overview/secret-scanning)." + When you push to a public repository, {% data variables.product.product_name %} scans the content of the commits for secrets. If you switch a private repository to public, {% data variables.product.product_name %} scans the entire repository for secrets. When {% data variables.product.prodname_secret_scanning %} detects a set of credentials, we notify the service provider who issued the secret. The service provider validates the credential and then decides whether they should revoke the secret, issue a new secret, or reach out to you directly, which will depend on the associated risks to you or the service provider. @@ -65,6 +67,8 @@ When {% data variables.product.prodname_secret_scanning %} detects a set of cred {% data reusables.secret-scanning.beta %} +If you're a repository administrator or an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for private repositories that are owned by organizations. You can enable {% data variables.product.prodname_secret_scanning %} for all your repositories, or for all new repositories within your organization. {% data variables.product.prodname_secret_scanning_caps %} is not available for user account-owned private repositories. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)" and "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization)." + When you push commits to a private repository with {% data variables.product.prodname_secret_scanning %} enabled, {% data variables.product.product_name %} scans the contents of the commits for secrets. When {% data variables.product.prodname_secret_scanning %} detects a secret in a private repository, {% data variables.product.prodname_dotcom %} sends alerts. @@ -73,6 +77,8 @@ When {% data variables.product.prodname_secret_scanning %} detects a secret in a - {% data variables.product.prodname_dotcom %} displays an alert in the repository. For more information, see "[Managing alerts from {% data variables.product.prodname_secret_scanning %}](/github/administering-a-repository/managing-alerts-from-secret-scanning)." +Repository administrators and organization owners can grant users and team access to {% data variables.product.prodname_secret_scanning %} alerts. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." + {% data variables.product.product_name %} currently scans private repositories for secrets issued by the following service providers. - Adafruit diff --git a/content/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository.md b/content/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository.md index 8ad1e17cf40e..c43877ac01a7 100644 --- a/content/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository.md +++ b/content/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository.md @@ -23,31 +23,31 @@ versions: 4. Under "Configure security and analysis features", to the right of the feature, click **Disable** or **Enable**. !["Enable" or "Disable" button for "Configure security and analysis" features](/assets/images/help/repository/security-and-analysis-disable-or-enable.png) -### Granting access to {% data variables.product.prodname_dependabot_alerts %} +### Granting access to security alerts -After you enable {% data variables.product.prodname_dependabot_alerts %} for a repository in an organization, organization owners and repository administrators can view the alerts by default. You can give additional teams and people access to the alerts for a repository. +After you enable {% data variables.product.prodname_dependabot %} or {% data variables.product.prodname_secret_scanning %} alerts for a repository in an organization, organization owners and repository administrators can view the alerts by default. You can give additional teams and people access to the alerts for a repository. {% note %} -Organization owners and repository administrators can only grant access to view {% data variables.product.prodname_dependabot_alerts %} to people or teams who have write access to the repo. +Organization owners and repository administrators can only grant access to view security alerts, such as {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_secret_scanning %} alerts, to people or teams who have write access to the repo. {% endnote %} {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-security-and-analysis %} -4. Under "Dependabot alerts", in the search field, start typing the name of the person or team you'd like to find, then click a name in the list of matches. - ![Search field for granting people or teams access to Dependabot alerts](/assets/images/help/repository/security-and-analysis-security-alerts-person-or-team-search.png) +4. Under "Access to alerts", in the search field, start typing the name of the person or team you'd like to find, then click a name in the list of matches. + ![Search field for granting people or teams access to security alerts](/assets/images/help/repository/security-and-analysis-security-alerts-person-or-team-search.png) 5. Click **Save changes**. - !["Save changes" button for changes to Dependabot alert settings](/assets/images/help/repository/security-and-analysis-security-alerts-save-changes.png) + !["Save changes" button for changes to security alert settings](/assets/images/help/repository/security-and-analysis-security-alerts-save-changes.png) -### Removing access to {% data variables.product.prodname_dependabot_alerts %} +### Removing access to security alerts {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-security-and-analysis %} -4. Under "Dependabot alerts", to the right of the person or team whose access you'd like to remove, click {% octicon "x" aria-label="X symbol" %}. - !["x" button to remove someone's access to Dependabot alerts for your repository](/assets/images/help/repository/security-and-analysis-security-alerts-username-x.png) +4. Under "Access to alerts", to the right of the person or team whose access you'd like to remove, click {% octicon "x" aria-label="X symbol" %}. + !["x" button to remove someone's access to security alerts for your repository](/assets/images/help/repository/security-and-analysis-security-alerts-username-x.png) ### Further reading diff --git a/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md b/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md index c0f46c36576b..a628b146fd7f 100644 --- a/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md +++ b/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md @@ -71,7 +71,7 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc You can see all of the alerts that affect a particular project{% if currentVersion == "free-pro-team@latest" %} on the repository's Security tab or{% endif %} in the repository's dependency graph.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %} {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} -By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-dependabot-alerts)." +By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." {% endif %} {% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %} diff --git a/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md b/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md index 12d028716278..178a583f564b 100644 --- a/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md +++ b/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md @@ -474,7 +474,7 @@ For more information, see "[Restricting publication of {% data variables.product | Action | Description |------------------|------------------- -| `authorized_users_teams` | Triggered when an organization owner or a person with admin permissions to the repository updates the list of people or teams authorized to receive {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies in the repository. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-dependabot-alerts)." +| `authorized_users_teams` | Triggered when an organization owner or a person with admin permissions to the repository updates the list of people or teams authorized to receive {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies in the repository. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." | `disable` | Triggered when a repository owner or person with admin access to the repository disables {% data variables.product.prodname_dependabot_alerts %}. | `enable` | Triggered when a repository owner or person with admin access to the repository enables {% data variables.product.prodname_dependabot_alerts %}.