Multi-repo enablement (#36351)

Co-authored-by: Kelly Arwine <kellyarwine@github.com>
Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>

content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale.md

@@ -14,9 +14,11 @@ allowTitleToDifferFromFilename: true
 
 ## About configuring {% data variables.product.prodname_code_scanning %} in multiple repositories
 
-There are two ways to configure {% data variables.product.prodname_code_scanning %} in multiple repositories at the same time. The best method to use depends on the analysis needs of the repositories.
+There are multiple ways to configure {% data variables.product.prodname_code_scanning %} in multiple repositories at the same time.
 
-1. The repositories are eligible for default setup for {% data variables.product.prodname_codeql %} and owned by an organization.
+The best method to use depends on the analysis needs of the repositories.
+
+1. The repositories are eligible for default setup for {% data variables.product.prodname_codeql %} and are owned by an organization.
 2. The group of repositories has similar configuration needs for {% data variables.product.prodname_codeql %} advanced setup.
 
 In addition, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec or ghae %}organization or enterprise{% elsif ghes %}site{% endif %}.
@@ -28,11 +30,18 @@ In addition, {% data variables.product.prodname_actions %} must be enabled for t
 
 {% data reusables.code-scanning.beta-org-enable-all %}
 
-You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for any repositories in the organization that are eligible for {% data variables.product.prodname_codeql %} default setup. 
+{% ifversion code-security-multi-repo-enablement %}
+
+You can use security overview to find a set of repositories and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
+
+You can also use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for all repositories in the organization that are eligible for {% data variables.product.prodname_codeql %} default setup.
+{% else %}
+You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for all repositories in the organization that are eligible for {% data variables.product.prodname_codeql %} default setup.
+{% endif %}
 
 ### Eligibility criteria for organization-level enablement
 
-A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced set up.
+A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup.
 
 - {% data variables.product.prodname_code_scanning_caps %} is not already enabled.
 - {% data variables.product.prodname_actions %} are enabled.
@@ -48,25 +57,30 @@ For more information about default setup, see "[AUTOTITLE](/code-security/code-s
 
 ### Finding repositories that are eligible for default setup
 
-The security coverage page, part of security overview, makes it easy to filter the repositories in your organization to show repositories that are eligible for default setup.
+You can use the "Security coverage" view in security overview to show repositories in your organization that are eligible for default setup.
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+1. In the sidebar, click **{% octicon "meter" aria-hidden="true"  %} Coverage** to display the "Security coverage" view.
+1. In the search bar, enter one of the following queries:
 
 {%- ifversion ghec %}
-- `code-scanning-default-setup:eligible is:public` shows repositories that have languages suitable for default setup and are eligible because they are visible to the public.
-- `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that have languages suitable for default setup and are eligible because they have {% data variables.product.prodname_GH_advanced_security %} enabled.
-- `code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled` shows private or internal repositories that have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
+    - `code-scanning-default-setup:eligible is:public` shows repositories that have languages suitable for default setup and are eligible because they are visible to the public.
+    - `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that have languages suitable for default setup and are eligible because they have {% data variables.product.prodname_GH_advanced_security %} enabled.
+    - `code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled` shows private or internal repositories that have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
 {%- elsif ghes or ghae %}
-- `code-scanning-default-setup:eligible advanced-security:enabled` shows which repositories can be added to default setup immediately.
-- `code-scanning-default-setup:eligible advanced-security:not-enabled` shows which repositories have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
+    - `code-scanning-default-setup:eligible advanced-security:enabled` shows which repositories can be added to default setup immediately.
+    - `code-scanning-default-setup:eligible advanced-security:not-enabled` shows which repositories have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
 {%- endif %}
-- `code-scanning-default-setup:not-eligible` shows repositories that either have advanced setup configured already, or where the languages not are suitable for default setup.
+    - `code-scanning-default-setup:not-eligible` shows repositories that either have advanced setup configured already, or where the languages not are suitable for default setup.
 
-For more information about the security coverage page, see "[AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security)."
+You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
 
 {% endif %}
 
 ## Using a script to configure advanced setup
 
-For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories. 
+For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.
 
 1. Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment.
 2. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)."

content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md

@@ -83,6 +83,14 @@ By default, we notify people with admin permissions in the affected repositories
 
 ### Enabling or disabling {% data variables.product.prodname_dependabot_alerts %} for all existing repositories
 
+{% ifversion code-security-multi-repo-enablement %}
+You can use security overview to find a set of repositories and enable or disable {% data variables.product.prodname_dependabot_alerts %} for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
+
+You can also use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_dependabot_alerts %} for all existing repositories in an organization:
+{% else %}
+You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for all existing repositories in an organization:
+{% endif %}
+
 {% data reusables.profile.access_org %}
 {% data reusables.profile.org_settings %}
 {% data reusables.organizations.security-and-analysis %}

content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md

@@ -42,6 +42,15 @@ You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifver
 {% endnote %}
 {% endif %}
 
+{% ifversion code-security-multi-repo-enablement %}
+You can use security overview to find a set of repositories and enable or disable {% data variables.secret-scanning.user_alerts %} for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
+
+You can also use the organization settings page for "Code security and analysis" to enable or disable {% data variables.secret-scanning.user_alerts %} for all public repositories in an organization:
+{% else %}
+You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for all public repositories in an organization:
+{% endif %}
+
+
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
 {% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes or ghae %}

content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md

@@ -53,6 +53,14 @@ Enterprise administrators can also enable or disable {% data variables.product.p
 
 ### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization
 
+{% ifversion code-security-multi-repo-enablement %}
+You can use security overview to find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
+
+You can also use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization:
+{% else %}
+You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization:
+{% endif %}
+
 {% data reusables.organizations.navigate-to-org %}
 {% data reusables.organizations.org_settings %}
 {% data reusables.organizations.security-and-analysis %}

content/code-security/security-overview/about-security-overview.md

@@ -54,7 +54,7 @@ There are also dedicated views for each type of security alert that you can use
 
 ## About security overview for organizations
 
-The application security team at your company can use the different views for both broad and specific analyses of your organization's security status. {% ifversion security-overview-org-risk-coverage %}For example, the team can use the "Security coverage" page to monitor the adoption of features across your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %}, or use the "Security risk" page to identify repositories with more than five open {% data variables.secret-scanning.alerts %}.{% else %}For example, they can use the overview page to monitor adoption of features by your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %} to your enterprise, or to review all alerts of a specific type and severity level across all repositories in your organization.{% endif %}
+The application security team at your company can use the different views for both broad and specific analyses of your organization's security status. {% ifversion security-overview-org-risk-coverage %} For example, the team can use the "Security coverage" view to monitor the adoption of features across your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %}, or use the "Security risk" view to identify repositories with more than five open {% data variables.secret-scanning.alerts %}. {% else %}For example, they can use the overview page to monitor adoption of features by your organization or by a specific team as you roll out {% data variables.product.prodname_GH_advanced_security %} to your enterprise, or to review all alerts of a specific type and severity level across all repositories in your organization.{% endif %} {% ifversion code-security-multi-repo-enablement %}You can also use security overview to find a set of repositories and enable or disable security features for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."{% endif %}
 
 You can find security overview on the **Security** tab for any organization that's owned by an enterprise. Each view shows a summary of the data that you have access to. As you add filters, all data and metrics across the view change to reflect the repositories or alerts that you've selected. For information about permissions, see "[Permission to view data in security overview](#permission-to-view-data-in-security-overview)."
 

content/code-security/security-overview/assessing-adoption-code-security.md

@@ -20,7 +20,7 @@ versions:
 
 ## About adoption of code security features
 
-You can use security overview to see which repositories and teams have already enabled each code security feature, and where people need more encouragement to adopt these features. The "Security coverage" page shows a summary and detailed information on feature enablement for an organization. You can filter the view to show a subset of repositories using the "enabled" and "not enabled" links, the "Teams" dropdown menu, and a search field in the page header.
+You can use security overview to see which repositories and teams have already enabled each code security feature, and where people need more encouragement to adopt these features. The "Security coverage" view shows a summary and detailed information on feature enablement for an organization. You can filter the view to show a subset of repositories using the "enabled" and "not enabled" links, the "Teams" dropdown menu, and a search field in the page header.
 
 ![Screenshot of the header section of the "Security coverage" view on the "Security" tab for an organization. The options for filtering are outlined in dark orange, including "enabled" and "not enabled" links, "Teams" selector, and search field.](/assets/images/help/security-overview/security-coverage-view-summary.png)
 
@@ -40,7 +40,9 @@ You can use security overview to see which repositories and teams have already e
     ![Screenshot of the header section of the "Security coverage" view on the "Security" tab for an organization. The options for filtering are outlined in dark orange, including "enabled" and "not enabled" links, "Teams" selector, archived repositories, and search field.](/assets/images/help/security-overview/security-coverage-view-highlights.png)
 
 1. Optionally, click **{% octicon "gear" aria-hidden="true" %} Security settings** to enable code security features for a repository and click **Save security settings** to confirm the changes. If a feature is not shown, it has more complex configuration requirements and you need to use the repository settings dialog. For more information, see "[AUTOTITLE](/code-security/getting-started/securing-your-repository)."
-
+{% ifversion code-security-multi-repo-enablement %}
+1. Optionally, select some or all of the repositories that match your current search and click **Security settings** in the table header to display a side panel where you can enable security features for the selected repositories. When you've finished, click **Apply changes** to confirm the changes. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
+{% endif %}
 ## Interpreting and acting on the enablement data
 
 Some code security features can and should be enabled on all repositories. For example, secret scanning alerts and push protection. These features reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. For information on enabling features for a whole organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."

content/code-security/security-overview/enabling-security-features-for-multiple-repositories.md

@@ -0,0 +1,54 @@
+---
+title: Enabling security features for multiple repositories
+shortTitle: Enable security features
+intro: 'You can use security overview to select a subset of repositories and enable security features for them all.'
+permissions: '{% data reusables.security-overview.permissions %}'
+product: '{% data reusables.gated-features.security-overview %}'
+allowTitleToDifferFromFilename: true
+versions:
+  feature: code-security-multi-repo-enablement
+type: how_to
+topics:
+  - Security overview
+  - Advanced Security
+  - Alerts
+  - Organizations
+  - Teams
+---
+
+{% ifversion ghes < 3.5 or ghae %}
+{% data reusables.security-overview.beta %}
+{% endif %}
+
+## About enabling security features
+
+If you're a security manager, repository administrator, or organization owner, you can use security overview to enable or disable security features for multiple repositories at the same time. You can enable or disable security features for all repositories visible on the "Security coverage" view in security overview. You can also use the search bar to narrow down to a specific subset of repositories, and enable or disable security features for that group.
+
+## Enabling security features for multiple repositories
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+
+1. In the sidebar, click **{% octicon "meter" aria-hidden="true"  %} Coverage** to display the "Security coverage" view.
+    ![Screenshot of the "Security coverage" view.](/assets/images/help/security-overview/security-coverage-view-multi-repo.png)
+1. You can use the search bar to narrow down visible repositories in the "Security coverage" view based on name, or on the enablement status of security features.
+1. In the list of repositories, select each repository you want to modify the enablement of security features for. To select all repositories on the page, click the checkbox next to **NUMBER Active**. To select all repositories that match the current search, click the checkbox next to **NUMBER Active** and then click **Select all NUMBER repos**.
+1. Click **Security settings** next to **NUMBER selected**.
+1. In the side panel, next to all the security features you want to enable or disable, select **Enable** or **Disable**.
+1. As you make changes, the **Apply changes** button reports the number of security features you have edited. To confirm the changes, click **Apply changes NUMBER**. Alternatively, click {% octicon "x" aria-label="Close" %} to close the panel without making changes.
+
+![Screenshot of the "Security coverage" view with the side panel open. The "Apply changes" button is highlighted in a dark orange outline.](/assets/images/help/security-overview/security-coverage-view-multi-repo-side-panel.png)
+
+The security features that you can enable and disable in this view are:
+
+* Dependency graph
+* {% data variables.product.prodname_dependabot_alerts %}
+* {% data variables.product.prodname_dependabot_security_updates %} 
+* {% data variables.product.prodname_GH_advanced_security %} 
+* {% data variables.product.prodname_code_scanning_caps %} default setup
+* {% data variables.secret-scanning.alerts_caps %}
+* {% data variables.product.prodname_secret_scanning_caps %} as a push protection
+
+If you're blocked from enabling a security feature due to an enterprise policy, you will still be able to see the affected repository in the "Security Coverage" view and access the side panel from the **{% octicon "gear" aria-hidden="true" %} Security settings** button. However, you will see a message in the side panel indicating that the functionality is not available. For more information about enterprise policies, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)."
+
+Organization owners and security managers can use security overview to enable or disable security features for all repositories belonging to their organization. There are no enterprise policies that restrict organization owners or security managers from enabling or disabling any security features. For more information about enterprise policies, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/about-enterprise-policies)."

content/code-security/security-overview/index.md

@@ -16,4 +16,5 @@ children:
   - /assessing-adoption-code-security
   - /assessing-code-security-risk
   - /filtering-alerts-in-security-overview
+  - /enabling-security-features-for-multiple-repositories
 ---

content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md

@@ -32,6 +32,10 @@ To generate a dependency graph, {% data variables.product.product_name %} needs
 {% data reusables.code-scanning.enterprise-enable-dependency-graph %}
 {% data reusables.dependabot.ghes-ghae-enabling-dependency-graph %}{% endif %}{% ifversion fpt or ghec %}
 
+{% ifversion code-security-multi-repo-enablement %}
+You can use security overview to find a set of repositories and enable or disable the dependency graph for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
+{% endif %}
+
 ### Enabling and disabling the dependency graph for a private repository
 
 {% data reusables.dependabot.enabling-disabling-dependency-graph-private-repo %}

content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md

@@ -57,6 +57,10 @@ You can enable or disable features for all repositories.
 
 {% endif %}
 
+{% ifversion code-security-multi-repo-enablement %}
+You can use security overview to find a set of repositories and enable or disable security features for them all at the same time. For more information, see "[AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories)."
+{% endif %}
+
 {% data reusables.advanced-security.note-org-enable-uses-seats %}
 
 {% ifversion ghes or ghec or ghae %}

data/features/code-security-multi-repo-enablement.yml

@@ -0,0 +1,5 @@
+# Reference: #9212
+
+versions:
+  ghec: '*'
+  ghes: '>= 3.10'

data/variables/secret-scanning.yml

@@ -7,3 +7,4 @@ user_alerts: >-
 user_alerts_caps: >-
   {% ifversion fpt or ghec %}Secret scanning alerts for users{% else %}Secret scanning{% endif %}
 alerts: 'secret scanning alerts'
+alerts_caps: 'Secret scanning alerts'