From e8b9cebfdf0668f9c7cd4952f0847b0faaeeb2c2 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Mon, 23 Sep 2024 16:18:33 +0000
Subject: [PATCH 01/13] first edits

---
 .../evaluating-alerts.md | 2 +-
 .../resolving-alerts.md | 28 +++++++++++++++----
 ...cret-scanning-report-secret-github-pat.yml | 5 ++++
 .../report-secret-pat-beta-note.md | 1 +
 4 files changed, 30 insertions(+), 6 deletions(-)
 create mode 100644 data/features/secret-scanning-report-secret-github-pat.yml
 create mode 100644 data/reusables/secret-scanning/report-secret-pat-beta-note.md

diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
index ebd81acfb8..fa20c40fd3 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -22,7 +22,7 @@ allowTitleToDifferFromFilename: true
 There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:
 * Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %}
-* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}
+* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand validity check](#performing-an-on-demand-validity-check)."{% endif %}
 * Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% ifversion secret-scanning-multi-repo-public-leak %}
 * Review the labels assigned to the alert. For more information, see "[Reviewing alert labels](#reviewing-alert-labels)."{% endif %}
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 695c708331..051ea20d55 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -19,18 +19,36 @@ allowTitleToDifferFromFilename: true
 ## Fixing alerts
-Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
+Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
-* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
+* For a compromised {% data variables.product.github %} {% data variables.product.pat_generic %}:
+{% ifversion secret-scanning-report-secret-github-pat %}
+ * Report the leaked token to {% data variables.product.github %}. {% data variables.product.github %} will then automatically revoke the token. For more information, see "[Reporting a leaked secret](#reporting-a-leaked-secret)."
+ * Update any services that use the old token.{% else %}
+ * Delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."{% endif %}
 {%- ifversion token-audit-log %}
 * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
 {%- endif %}
-* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.
-{% ifversion fpt or ghec %}
+* For all other secrets:
+ * First verify that the secret committed to {% data variables.product.product_name %} is valid. {% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check).{% endif %}
+ * If the secret is valid, create a new secret, update any services that use the old secret, and then delete the old secret.
+
+ {% ifversion fpt or ghec %}
+
+ > [!NOTE]
+ > If a secret is detected in a public repository on {% data variables.product.github %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+
+ {% endif %}
+
+{% ifversion secret-scanning-report-secret-github-pat %}
+
+### Reporting a leaked secret
 > [!NOTE]
-> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+> {% data reusables.secret-scanning.report-secret-pat-beta-note %} The feature is currently only available for {% data variables.product.github %} {% data variables.product.pat_generic %}s (v1 and v2).
+
+TODO
 {% endif %}
diff --git a/data/features/secret-scanning-report-secret-github-pat.yml b/data/features/secret-scanning-report-secret-github-pat.yml
new file mode 100644
index 0000000000..9bcefd7536
--- /dev/null
+++ b/data/features/secret-scanning-report-secret-github-pat.yml
@@ -0,0 +1,5 @@
+# Reference: #15374
+# Secret scanning one-click report and revocation (for GitHub PATs only)
+versions:
+ ghec: '*'
+ ghes: '> 3.15'
diff --git a/data/reusables/secret-scanning/report-secret-pat-beta-note.md b/data/reusables/secret-scanning/report-secret-pat-beta-note.md
new file mode 100644
index 0000000000..4336617723
--- /dev/null
+++ b/data/reusables/secret-scanning/report-secret-pat-beta-note.md
@@ -0,0 +1 @@
+Reporting a leaked secret to {% data variables.product.github %} is in beta and subject to change.

From 9bb8835411238ea4450ad41f8701382a7df95a92 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 24 Sep 2024 10:36:48 +0000
Subject: [PATCH 02/13] more edits

---
 .../resolving-alerts.md | 51 +++++++++++--------
 ...cret-scanning-report-secret-github-pat.yml | 2 +-
 .../report-secret-pat-beta-note.md | 2 +-
 3 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 051ea20d55..ae08c224f9 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -21,25 +21,10 @@ allowTitleToDifferFromFilename: true
 Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
-* For a compromised {% data variables.product.github %} {% data variables.product.pat_generic %}:
-{% ifversion secret-scanning-report-secret-github-pat %}
- * Report the leaked token to {% data variables.product.github %}. {% data variables.product.github %} will then automatically revoke the token. For more information, see "[Reporting a leaked secret](#reporting-a-leaked-secret)."
- * Update any services that use the old token.{% else %}
- * Delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."{% endif %}
-{%- ifversion token-audit-log %}
- * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
-{%- endif %}
-
-* For all other secrets:
- * First verify that the secret committed to {% data variables.product.product_name %} is valid. {% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check).{% endif %}
- * If the secret is valid, create a new secret, update any services that use the old secret, and then delete the old secret.
-
- {% ifversion fpt or ghec %}
-
- > [!NOTE]
- > If a secret is detected in a public repository on {% data variables.product.github %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
-
- {% endif %}
+* First verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**. For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
+* Report the leaked token to {% data variables.product.github %}. For more information, see "[Reporting a leaked secret](#reporting-a-leaked-secret)."{% endif %}
+* Review and update any services that use the old token. If required, delete the compromised token and create a new token.
+* Check your security logs for any unauthorized activity. [TODO - LINK?]
 {% ifversion secret-scanning-report-secret-github-pat %}
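Review bot: The new line `* Review and update any services that use the old token. If required, delete the compromised token and create a new token.` loses the rotation guidance the removed `* For all other secrets` sub-bullets carried, so non-GitHub secrets are no longer told to create a new secret and delete the old one, and "If required" makes revocation sound optional for a secret the lead sentence says to treat as compromised. Suggest `* Rotate the secret: create a new secret, update any services that use the old one, and then revoke or delete the old secret.` The commit-05 (`@@ -21,9 +21,9`) and commit-09 (`@@ -21,10 +21,10`) versions of this bullet keep the gap, prescribing deletion only for GitHub PATs. The `[TODO - LINK?]` placeholder on the last added line would also render as-is until a later commit replaces it.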
@@ -48,7 +33,33 @@ Once a secret has been committed to a repository, you should consider the secret
 > [!NOTE]
 > {% data reusables.secret-scanning.report-secret-pat-beta-note %} The feature is currently only available for {% data variables.product.github %} {% data variables.product.pat_generic %}s (v1 and v2).
-TODO
+{% endif %}
+
+{% ifversion fpt or ghec %}
+
+If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a partner pattern, an alert is generated and the potential secret is **automatically reported** to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+
+{% endif %}
+
+{% ifversion secret-scanning-report-secret-github-pat %}
+
+For secrets detected in **private** repositories, anyone who can view {% data variables.secret-scanning.alerts %} for a repository can choose to report the privately exposed secret directly to {% data variables.product.github %}.
+
+By reporting the secret, the token provider will treat the privately exposed secret as if it had been publicly leaked. This means the token provider may revoke the secret, so you should first consider reviewing and updating any services that use the secret. If possible, you should also consider notifying the token owner before reporting the token, so that the token owner is aware that the secret may get revoked.
+
+You will only see the option to report the privately exposed secret to {% data variables.product.github %} if the following conditions are met:
+
+* The secret's validity has not been confirmed.
+* The secret's validity has been confirmed as "active".
+* The secret is a {% data variables.product.github %} {% data variables.product.pat_generic %}.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
+1. From the alert list, click the alert you want to view.
+1. In the alert view for the leaked secret, click **Report leak**.
+1. Review the information in the dialog box, then click **I understand the consequence, report this secret**.
+1. Once you've reported the secret, you can close the alert.
 {% endif %}
diff --git a/data/features/secret-scanning-report-secret-github-pat.yml b/data/features/secret-scanning-report-secret-github-pat.yml
index 9bcefd7536..c8719fad13 100644
--- a/data/features/secret-scanning-report-secret-github-pat.yml
+++ b/data/features/secret-scanning-report-secret-github-pat.yml
@@ -2,4 +2,4 @@
 # Secret scanning one-click report and revocation (for GitHub PATs only)
 versions:
 ghec: '*'
- ghes: '> 3.15'
+ ghes: '> 3.13'
diff --git a/data/reusables/secret-scanning/report-secret-pat-beta-note.md b/data/reusables/secret-scanning/report-secret-pat-beta-note.md
index 4336617723..e95bcdfa4f 100644
--- a/data/reusables/secret-scanning/report-secret-pat-beta-note.md
+++ b/data/reusables/secret-scanning/report-secret-pat-beta-note.md
@@ -1 +1 @@
-Reporting a leaked secret to {% data variables.product.github %} is in beta and subject to change.
+Reporting a privately exposed secret to {% data variables.product.github %} is in beta and subject to change.

From 1cc229bd9a23f5c71819de51350b385d455878eb Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 24 Sep 2024 10:48:22 +0000
Subject: [PATCH 03/13] resetting versioning after testing

---
 data/features/secret-scanning-report-secret-github-pat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/features/secret-scanning-report-secret-github-pat.yml b/data/features/secret-scanning-report-secret-github-pat.yml
index c8719fad13..9bcefd7536 100644
--- a/data/features/secret-scanning-report-secret-github-pat.yml
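Review bot: `By reporting the secret, the token provider will treat the privately exposed secret as if it had been publicly leaked.` has a dangling modifier (the reader, not the provider, does the reporting) and names the revoking party "the token provider" although the section restricts the feature to GitHub PATs, so it is unclear who revokes. Suggest `When you report the secret, {% data variables.product.github %} treats the privately exposed secret as if it had been publicly leaked and may revoke it.` The final step `1. Once you've reported the secret, you can close the alert.` also reads as closing immediately; tying it to remediation, e.g. `... you can close the alert once the token has been revoked and any services that used it have been updated.`, keeps the alert open until the exposure is actually resolved.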
+++ b/data/features/secret-scanning-report-secret-github-pat.yml
@@ -2,4 +2,4 @@
 # Secret scanning one-click report and revocation (for GitHub PATs only)
 versions:
 ghec: '*'
- ghes: '> 3.13'
+ ghes: '> 3.15'

From 16e87096e579bf4adb35a7d2002624f53d26d03b Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 24 Sep 2024 10:51:35 +0000
Subject: [PATCH 04/13] fixing link

---
 .../managing-alerts-from-secret-scanning/resolving-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index ae08c224f9..898fea1074 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -21,7 +21,7 @@ allowTitleToDifferFromFilename: true
 Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
-* First verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**. For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
+* First verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**. For more information, see "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
 * Report the leaked token to {% data variables.product.github %}. For more information, see "[Reporting a leaked secret](#reporting-a-leaked-secret)."{% endif %}
 * Review and update any services that use the old token. If required, delete the compromised token and create a new token.
 * Check your security logs for any unauthorized activity. [TODO - LINK?]

From 41d5f8029e6d3a54d5a10374259fd311c7944ae3 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 24 Sep 2024 11:53:03 +0000
Subject: [PATCH 05/13] final edits

---
 .../resolving-alerts.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 898fea1074..eaf7bde67b 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -21,9 +21,9 @@ allowTitleToDifferFromFilename: true
 Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
-* First verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**. For more information, see "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
-* Report the leaked token to {% data variables.product.github %}. For more information, see "[Reporting a leaked secret](#reporting-a-leaked-secret)."{% endif %}
-* Review and update any services that use the old token. If required, delete the compromised token and create a new token.
+* Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**. See "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
+* {% ifversion ghec %}For secrets detected in private repositories, r{% else %}R{% endif %}eport the leaked secret to {% data variables.product.github %}. **Applies to {% data variables.product.company_short %} tokens only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
+* Review and update any services that use the old token. For {% data variables.product.github %} {% data variables.product.pat_generic %}s, delete the compromised token and create a new token. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
 * Check your security logs for any unauthorized activity. [TODO - LINK?]
 {% ifversion secret-scanning-report-secret-github-pat %}
@@ -47,11 +47,10 @@ For secrets detected in **private** repositories, anyone who can view {% data va
 By reporting the secret, the token provider will treat the privately exposed secret as if it had been publicly leaked. This means the token provider may revoke the secret, so you should first consider reviewing and updating any services that use the secret. If possible, you should also consider notifying the token owner before reporting the token, so that the token owner is aware that the secret may get revoked.
-You will only see the option to report the privately exposed secret to {% data variables.product.github %} if the following conditions are met:
+You will only see the option to report a privately exposed secret to {% data variables.product.github %} if the following conditions are met:
-* The secret's validity has not been confirmed.
-* The secret's validity has been confirmed as "active".
 * The secret is a {% data variables.product.github %} {% data variables.product.pat_generic %}.
+* The secret's validity has not been confirmed, or the secret's validity has been confirmed as `active`.
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}

From c3958a3eb37780902676b48b8e24d6cccbaf6161 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 25 Sep 2024 10:46:44 +0100
Subject: [PATCH 06/13] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md

Co-authored-by: Erin Havens
---
 .../managing-alerts-from-secret-scanning/resolving-alerts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index eaf7bde67b..748c1a2964 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md 
@@ -22,7 +22,7 @@ allowTitleToDifferFromFilename: true
 Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
 * Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**. See "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
-* {% ifversion ghec %}For secrets detected in private repositories, r{% else %}R{% endif %}eport the leaked secret to {% data variables.product.github %}. **Applies to {% data variables.product.company_short %} tokens only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
+* {% ifversion ghec %}For secrets detected in private repositories, r{% else %}R{% endif %}eport the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.company_short %} personal access tokens only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
 * Review and update any services that use the old token. For {% data variables.product.github %} {% data variables.product.pat_generic %}s, delete the compromised token and create a new token. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
 * Check your security logs for any unauthorized activity. [TODO - LINK?]
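Review bot: The added bullet says GitHub `will treat it like any publicly leaked secret and revoke it`, whereas the "Reporting a leaked secret" section of the same page (outside this hunk) says the provider `may revoke the secret`; the reader relies on this bullet to decide whether to rotate before reporting, so the two statements should agree. Either soften the bullet to `and may revoke it`, or make the section state that revocation follows automatically, whichever reflects the feature's actual behavior.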
From 651765468723a12333f9f1ddd0c446d7fda6f9a5 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 25 Sep 2024 10:47:02 +0100
Subject: [PATCH 07/13] Update content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md

Co-authored-by: Erin Havens
---
 .../managing-alerts-from-secret-scanning/resolving-alerts.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 748c1a2964..93da8c5cf9 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -57,6 +57,7 @@ You will only see the option to report a privately exposed secret to {% data var
 1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
 1. From the alert list, click the alert you want to view.
 1. In the alert view for the leaked secret, click **Report leak**.
+1. In order to prevent breaking workflows, consider first rotating the secret, as disclosing it could lead to the secret being revoked. If possible, you should also reach out to the token owner to let them know about the leak and coordinate a remediation plan.
 1. Review the information in the dialog box, then click **I understand the consequence, report this secret**.
 1. Once you've reported the secret, you can close the alert.

From 800ec3e7e23c754ea3254d62a621f0aa83926f2b Mon Sep 17 00:00:00 2001
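Review bot: The added step `1. In order to prevent breaking workflows, consider first rotating the secret, ...` sits after `1. In the alert view for the leaked secret, click **Report leak**.`, so the reader meets the advice to rotate only after the report flow has started, and as a numbered step it reads as an action performed inside the dialog. It belongs before the first step of the procedure, or as a note right after the conditions list, e.g. `Before you report the secret, rotate it and update any services that use it, and if possible notify the token owner, because reporting leads to the secret being revoked.` The commit-09 hunk `@@ -57,9 +57,10` re-indents the same text as a sub-bullet but keeps it in the same position.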
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 25 Sep 2024 10:47:17 +0100
Subject: [PATCH 08/13] Update data/features/secret-scanning-report-secret-github-pat.yml

Co-authored-by: Erin Havens
---
 data/features/secret-scanning-report-secret-github-pat.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/data/features/secret-scanning-report-secret-github-pat.yml b/data/features/secret-scanning-report-secret-github-pat.yml
index 9bcefd7536..da35c7649c 100644
--- a/data/features/secret-scanning-report-secret-github-pat.yml
+++ b/data/features/secret-scanning-report-secret-github-pat.yml
@@ -2,4 +2,3 @@
 # Secret scanning one-click report and revocation (for GitHub PATs only)
 versions:
 ghec: '*'
- ghes: '> 3.15'

From 8e458d722009511512dc679c8a48da56493143e1 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Wed, 25 Sep 2024 10:34:35 +0000
Subject: [PATCH 09/13] apply review feedback 2

---
 .../resolving-alerts.md | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index 93da8c5cf9..c9785c2691 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -21,10 +21,10 @@ allowTitleToDifferFromFilename: true
 Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
-* Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**. See "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
-* {% ifversion ghec %}For secrets detected in private repositories, r{% else %}R{% endif %}eport the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.company_short %} personal access tokens only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
+* Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.github %} tokens only**. See "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
+* {% ifversion ghec %}For secrets detected in private repositories, r{% else %}R{% endif %}eport the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.github %} {% data variables.product.pat_generic %}s only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
 * Review and update any services that use the old token. For {% data variables.product.github %} {% data variables.product.pat_generic %}s, delete the compromised token and create a new token. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
-* Check your security logs for any unauthorized activity. [TODO - LINK?]
+* Depending on the secret provider, check your security logs for any unauthorized activity.
 {% ifversion secret-scanning-report-secret-github-pat %}
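Review bot: `* Depending on the secret provider, check your security logs for any unauthorized activity.` resolves `[TODO - LINK?]` by dropping the link, but the audit-log bullet removed in commit 02 (gated by `{%- ifversion token-audit-log %}` and linking to `identifying-audit-log-events-performed-by-an-access-token`) was the one concrete instruction for GitHub PATs and is not restored anywhere in the series shown. Suggest re-adding it under the same version gate: `{% ifversion token-audit-log %}For {% data variables.product.github %} {% data variables.product.pat_generic %}s, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."{% endif %}` Without it the reader has no pointer to where actions taken with the compromised token are recorded.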
@@ -37,7 +37,7 @@ Once a secret has been committed to a repository, you should consider the secret
 {% ifversion fpt or ghec %}
-If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a partner pattern, an alert is generated and the potential secret is **automatically reported** to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a partner pattern, the potential secret is **automatically reported** to the service provider. For details of all supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 {% endif %}
@@ -57,9 +57,10 @@ You will only see the option to report a privately exposed secret to {% data var
 1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
 1. From the alert list, click the alert you want to view.
 1. In the alert view for the leaked secret, click **Report leak**.
-1. In order to prevent breaking workflows, consider first rotating the secret, as disclosing it could lead to the secret being revoked. If possible, you should also reach out to the token owner to let them know about the leak and coordinate a remediation plan.
+
+ * In order to prevent breaking workflows, consider first rotating the secret before continuing, as disclosing it could lead to the secret being revoked. If possible, you should also reach out to the token owner to let them know about the leak and coordinate a remediation plan.
+
 1. Review the information in the dialog box, then click **I understand the consequence, report this secret**.
-1. Once you've reported the secret, you can close the alert.
 {% endif %}
From 277727b4a378f7355744d97138980b8a5bf7a841 Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Thu, 26 Sep 2024 09:23:08 +0000
Subject: [PATCH 10/13] apply review feedback
---
 .../resolving-alerts.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
index c9785c2691..b0dc2237c5 100644
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -22,7 +22,7 @@ allowTitleToDifferFromFilename: true
 Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
 * Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.github %} tokens only**. See "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
-* {% ifversion ghec %}For secrets detected in private repositories, r{% else %}R{% endif %}eport the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.github %} {% data variables.product.pat_generic %}s only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
+* For secrets detected in private repositories, report the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.github %} {% data variables.product.pat_generic %}s only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
 * Review and update any services that use the old token. For {% data variables.product.github %} {% data variables.product.pat_generic %}s, delete the compromised token and create a new token. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." 
* Depending on the secret provider, check your security logs for any unauthorized activity.
@@ -37,7 +37,7 @@ Once a secret has been committed to a repository, you should consider the secret
 {% ifversion fpt or ghec %}
-If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a partner pattern, the potential secret is **automatically reported** to the service provider. For details of all supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a supported partner pattern, the potential secret is **automatically reported** to the service provider. For details of all supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
 {% endif %}
@@ -58,7 +58,7 @@ You will only see the option to report a privately exposed secret to {% data var
 1. From the alert list, click the alert you want to view.
 1. In the alert view for the leaked secret, click **Report leak**.
- * In order to prevent breaking workflows, consider first rotating the secret before continuing, as disclosing it could lead to the secret being revoked. If possible, you should also reach out to the token owner to let them know about the leak and coordinate a remediation plan.
+ > [!NOTE] In order to prevent breaking workflows, consider first rotating the secret before continuing, as disclosing it could lead to the secret being revoked. If possible, you should also reach out to the token owner to let them know about the leak and coordinate a remediation plan.
 1. Review the information in the dialog box, then click **I understand the consequence, report this secret**.
From ce60013076e86068bd51527fb876fc39b81e497b Mon Sep 17 00:00:00 2001
From: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Date: Tue, 1 Oct 2024 10:44:20 +0000
Subject: [PATCH 11/13] update beta to new variable
---
 data/reusables/secret-scanning/report-secret-pat-beta-note.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/reusables/secret-scanning/report-secret-pat-beta-note.md b/data/reusables/secret-scanning/report-secret-pat-beta-note.md
index e95bcdfa4f..0560a71be1 100644
--- a/data/reusables/secret-scanning/report-secret-pat-beta-note.md
+++ b/data/reusables/secret-scanning/report-secret-pat-beta-note.md
@@ -1 +1 @@
-Reporting a privately exposed secret to {% data variables.product.github %} is in beta and subject to change.
+Reporting a privately exposed secret to {% data variables.product.github %} is in {% data variables.release-phases.public_preview %} and subject to change.
From fa3ccf053d9959c50262504689860dd63540bc85 Mon Sep 17 00:00:00 2001
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Wed, 2 Oct 2024 16:28:39 +0000
Subject: [PATCH 12/13] Add updated secret scanning data
---
 src/secret-scanning/data/public-docs.yml | 49 +++++++++++++++++-------
 src/secret-scanning/lib/config.json | 4 +-
 2 files changed, 37 insertions(+), 16 deletions(-)
diff --git a/src/secret-scanning/data/public-docs.yml b/src/secret-scanning/data/public-docs.yml
index 78146f9174..d399de3ad8 100644
--- a/src/secret-scanning/data/public-docs.yml
+++ b/src/secret-scanning/data/public-docs.yml
@@ -498,6 +498,17 @@ hasPushProtection: true hasValidityCheck: false isduplicate: false +- provider: Azure + supportedSecret: Azure OpenAI Key + secretType: azure_openai_key + versions: + fpt: '*' + ghec: '*' + isPublic: true + isPrivateWithGhas: true + hasPushProtection: true + hasValidityCheck: false + isduplicate: false - provider: Azure supportedSecret: Azure Relay Key Identifiable secretType: azure_relay_key_identifiable 
@@ -719,6 +730,17 @@ hasPushProtection: true hasValidityCheck: false isduplicate: false +- provider: Cfx.re + supportedSecret: Cfx.re Server Key + secretType: cfxre_server_key + versions: + fpt: '*' + ghec: '*' + isPublic: true + isPrivateWithGhas: false + hasPushProtection: false + hasValidityCheck: false + isduplicate: false - provider: Checkout.com supportedSecret: Checkout.com Production Secret Key secretType: checkout_production_secret_key @@ -821,7 +843,7 @@ ghes: '*' isPublic: true isPrivateWithGhas: false - hasPushProtection: true + hasPushProtection: false hasValidityCheck: false isduplicate: false - provider: Contentful @@ -833,7 +855,7 @@ ghes: '*' isPublic: false isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false isduplicate: false - provider: Contributed Systems @@ -2154,6 +2176,17 @@ hasPushProtection: false hasValidityCheck: false isduplicate: false +- provider: Netflix + supportedSecret: Netflix NetKey + secretType: netflix_netkey + versions: + fpt: '*' + ghec: '*' + isPublic: true + isPrivateWithGhas: false + hasPushProtection: false + hasValidityCheck: false + isduplicate: false - provider: New Relic supportedSecret: New Relic Insights Query Key secretType: new_relic_insights_query_key @@ -2588,18 +2621,6 @@ hasPushProtection: true hasValidityCheck: false isduplicate: false -- provider: Postman - supportedSecret: Postman API Key - secretType: postman_api_key - versions: - fpt: '*' - ghec: '*' - ghes: '>=3.5' - isPublic: true - isPrivateWithGhas: true - hasPushProtection: true - hasValidityCheck: false - isduplicate: false - provider: Postman supportedSecret: Postman Collection Key secretType: postman_collection_key diff --git a/src/secret-scanning/lib/config.json b/src/secret-scanning/lib/config.json index 07656cae2d..4771c7d5dd 100644 --- a/src/secret-scanning/lib/config.json +++ b/src/secret-scanning/lib/config.json 
@@ -1,5 +1,5 @@ { - "sha": "e7e694827d5b0076e65765c704bd594485eee15b", - "blob-sha": "612e8fb3ccba3b0278376fc88e2b9e10e486714e", + "sha": "6ac440cc8b236597da752259f1d6644f226400bf", + "blob-sha": "98f5cf2265e2fe9f7be69217f2073fe6fc2b23bc", "targetFilename": "code-security/secret-scanning/introduction/supported-secret-scanning-patterns" } \ No newline at end of file
From 4d1d26e8b5a65d46ade371033bbc4708e042bfc4 Mon Sep 17 00:00:00 2001
From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Date: Thu, 3 Oct 2024 09:36:21 +0100
Subject: [PATCH 13/13] Fix bug in Copilot Standalone docs (#52514)
---
 .../reusables/copilot-business-for-non-ghe/assign-licenses.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/reusables/copilot-business-for-non-ghe/assign-licenses.md b/data/reusables/copilot-business-for-non-ghe/assign-licenses.md
index 7515c6d411..3f73310610 100644
--- a/data/reusables/copilot-business-for-non-ghe/assign-licenses.md
+++ b/data/reusables/copilot-business-for-non-ghe/assign-licenses.md
@@ -1,7 +1,7 @@
 When you have created a team in the enterprise, you can assign licenses to all members of the team.
-{% data reusables.enterprise-accounts.settings-tab %}
-1. Under {% octicon "gear" aria-hidden="true" %} **Settings**, click **Enterprise licensing**.
+{% data reusables.billing.enterprise-billing-menu %}
+1. Under {% octicon "credit-card" aria-hidden="true" %} **Billing & Licensing**, click **Licensing**.
 1. In the "{% data variables.product.prodname_copilot_business_short %}" section, click **Manage seats**.
 ![Screenshot of the "{% data variables.product.prodname_copilot_business_short %}" section. A button, labeled "Manage seats", is highlighted with an orange outline.](/assets/images/help/copilot/copilot-business-manage-seats.png)