Merge branch 'main' into ghe-ss-invoiced-renewal

Rachael Rose Renk 2024-11-12 10:44:42 -07:00 committed by GitHub
Parents 293f2e4c0d b32235aae6
Commit 52577cb9f4
No key found matching this signature
GPG key ID: B5690EEEBB952194
543 changed files: 2174 additions and 4604 deletions

Binary file not shown. Before: 125 KiB


@ -28,11 +28,7 @@ Since an email address can only be associated with a single {% data variables.pr
1. Navigate to [https://github.com/login](https://github.com/login).
1. To prompt two-factor authentication, type your username and password, then click **Sign in**.
1. Under "Unable to verify with your security key?", click **Use a recovery code or request a reset**.
{% ifversion 2fa-reconfiguration-inline-update %}
1. Under "Locked out?", click **Recover your account or unlink an email address**.
{% else %}
1. On the "Two-factor recovery" screen, click **Try recovering your account**.
{% endif %}
1. In the modal that appears, click **I understand, get started**.
1. To send an email containing a one-time password to each email address associated with your account, click **Send one-time password**.
1. To verify your identity, type the one-time password from your email in the "One-time password" text field, then click **Verify email address**.
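Review bot: the replacement step "Under "Unable to verify with your security key?", click **Use a recovery code or request a reset**" assumes the sign-in challenge is a security-key or passkey prompt, whereas the removed "Locked out?" / "Two-factor recovery" branches applied to whichever 2FA method the account uses; if users whose primary method is an authenticator app or SMS see different link text, name that path too, or state in the preceding step that the flow starts from the security-key prompt.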


@ -838,7 +838,7 @@ jobs:
> The webhook payload available to GitHub Actions does not include the `added`, `removed`, and `modified` attributes in the `commit` object. You can retrieve the full commit object using the API. For information, see "[AUTOTITLE](/graphql/reference/objects#commit)" in the GraphQL API documentation or "[AUTOTITLE](/rest/commits#get-a-commit)."
> [!NOTE]
> {% ifversion fpt or ghec or ghes > 3.13 %}Events will not be created if more than 5,000 branches are pushed at once. {% endif %}Events will not be created for tags when more than three tags are pushed at once.
> {% ifversion fpt or ghec or ghes > 3.14 %}Events will not be created if more than 5,000 branches are pushed at once. {% endif %}Events will not be created for tags when more than three tags are pushed at once.
Runs your workflow when you push a commit or tag, or when you create a repository from a template.
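Review bot: the version gate on the 5,000-branch sentence moves from `ghes > 3.13` to `ghes > 3.14`, which silently drops the limit from the GHES 3.14 docs; confirm the limit really does not apply to 3.14 (rather than the gate being bumped for another reason), because a reader on 3.14 whose large push creates no events would then have no documented explanation.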


@ -36,21 +36,21 @@ You can enforce policies to control the security settings for organizations owne
{% ifversion ghes %}If {% data variables.location.product_location %} uses LDAP or built-in authentication, enterprise{% else %}Enterprise{% endif %} owners can require that organization members, billing managers, and outside collaborators in all organizations owned by an enterprise use two-factor authentication to secure their user accounts.{% ifversion ghec %} This policy is not available for enterprises with managed users.{% endif %}
Before you can require 2FA for all organizations owned by your enterprise, you must enable two-factor authentication for your own account. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)."
Before you can require two-factor authentication for all organizations owned by your enterprise, you must enable 2FA for your own account. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)."
Before you require use of two-factor authentication, we recommend notifying organization members, outside collaborators, and billing managers and asking them to set up 2FA for their accounts. Organization owners can see if members and outside collaborators already use 2FA on each organization's People page. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)."
{% data reusables.two_fa.ghes_ntp %}
> [!WARNING]
> * When you require two-factor authentication for your enterprise, members, outside collaborators, and billing managers (including bot accounts) in all organizations owned by your enterprise who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable two-factor authentication for their account within three months of their removal from your organization. For more information, see "[AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization)."
> * Any organization owner, member, billing manager, or outside collaborator in any of the organizations owned by your enterprise who disables 2FA for their account after you've enabled required two-factor authentication will automatically be removed from the organization.
> * If you're the sole owner of an enterprise that requires two-factor authentication, you won't be able to disable 2FA for your user account without disabling required two-factor authentication for the enterprise.
> * When you require two-factor authentication for your enterprise, outside collaborators (including bot accounts) in all organizations owned by your enterprise who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable 2FA for their account within three months of their removal from your organization. For more information, see "[AUTOTITLE](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization)."
> * Any outside collaborator in any of the organizations owned by your enterprise who disables 2FA for their account after you've enabled required two-factor authentication will automatically be removed from the organization. Members and billing managers who disable 2FA will not be able to access organization resources until they re-enable it.
> * If you're the sole owner of an enterprise that requires two-factor authentication, you won't be able to disable 2FA for your user account without disabling required 2FA for the enterprise.
{% ifversion mandatory-2fa-dotcom-contributors %}
> [!NOTE]
> Some of the users in your organizations may have been selected for mandatory two-factor authentication enrollment by {% data variables.product.prodname_dotcom_the_website %}, but it has no impact on how you enable the 2FA requirement for the organizations in your enterprise. If you enable the 2FA requirement for organizations in your enterprise, all users without 2FA currently enabled will be removed from the organizations, including those that are required to enable it by {% data variables.product.prodname_dotcom_the_website %}.
> Some of the users in your organizations may have been selected for mandatory two-factor authentication enrollment by {% data variables.product.prodname_dotcom_the_website %}, but it has no impact on how you enable the 2FA requirement for the organizations in your enterprise. If you enable the 2FA requirement for organizations in your enterprise, outside collaborators without 2FA currently enabled will be removed from the organizations, including those that are required to enable it by {% data variables.product.prodname_dotcom_the_website %}.
{% endif %}
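Review bot: the rewritten `[!WARNING]` bullets now say only outside collaborators are removed while members and billing managers lose access until they re-enable 2FA, but the `mandatory-2fa-dotcom-contributors` note below it mentions only removal of outside collaborators and no longer says what happens to members who were selected for mandatory enrollment and still lack 2FA; add the access-loss consequence to that note so both boxes describe the same outcome.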
@ -59,8 +59,8 @@ Before you require use of two-factor authentication, we recommend notifying orga
{% data reusables.enterprise-accounts.security-tab %}
1. Under "Two-factor authentication", review the information about changing the setting. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %}
1. Under "Two-factor authentication", select **Require two-factor authentication for all organizations in your business**, then click **Save**.
1. If prompted, read the information about members and outside collaborators who will be removed from the organizations owned by your enterprise. To confirm the change, type your enterprise's name, then click **Remove members & require two-factor authentication**.
1. Optionally, if any members or outside collaborators are removed from the organizations owned by your enterprise, we recommend sending them an invitation to reinstate their former privileges and access to your organization. Each person must enable two-factor authentication before they can accept your invitation.
1. If prompted, read the information about how user access to organization resources will be affected by a 2FA requirement. To confirm the change, click **Confirm**.
1. Optionally, if any outside collaborators are removed from the organizations owned by your enterprise, we recommend sending them an invitation to reinstate their former privileges and access to your organization. Each person must enable two-factor authentication before they can accept your invitation.
{% endif %}
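Review bot: the new confirmation step ("click **Confirm**") drops the instruction to type the enterprise's name, which the old step required before **Remove members & require two-factor authentication**; since enabling the policy still removes outside collaborators and cuts off non-compliant members, confirm the dialog truly no longer asks for the typed name, and keep the sentence about reading the impact information so the reader is not surprised by the lockout.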


@ -31,9 +31,10 @@ Before you require use of two-factor authentication, we recommend notifying orga
{% data reusables.two_fa.ghes_ntp %}
> [!WARNING]
> * When your require two-factor authentication, members and outside collaborators (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories, including their forks of private repositories. If they enable 2FA for their personal account within three months of being removed from the organization, you can [reinstate their access privileges and settings](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization).
> * When 2FA is required, organization members or outside collaborators who disable 2FA will automatically be removed from the organization.
> * If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required two-factor authentication for the organization.
> * When you require two-factor authentication, members who do not use 2FA will not be able to access your enterprise resources until they enable 2FA on their account. They will retain membership even without 2FA, including occupying seats in your enterprise and organizations.
> * When your require two-factor authentication, outside collaborators (including bot accounts) who do not use 2FA will be removed from the enterprise and its organization and lose access to repositories, including their forks of private repositories. If they enable 2FA for their personal account within three months of being removed from the organization, you can [reinstate their access privileges and settings](/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization).
> * When two-factor authentication is required, outside collaborators who disable 2FA will automatically be removed from the enterprise and its organizations. {% ifversion fpt or ghec %}Members and billing managers{% else %}Members{% endif %} who disable 2FA will not be able to access your enterprise and organization resources until they re-enable it.
> * If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required 2FA for the organization.
## Requiring two-factor authentication for an organization
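Review bot: the typo "When your require two-factor authentication" in the old bullet is carried over verbatim into the new outside-collaborator bullet; change it to "When you require". The new bullets also say "removed from the enterprise and its organization" and "your enterprise resources", yet the heading right below and the sole-owner bullet are about an organization; if this is the organization-level page, keep the wording at organization scope, or gate the enterprise phrasing with an `{% ifversion %}` the way the "Members and billing managers" clause already is.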
@ -50,17 +51,17 @@ To view people who were automatically removed from your organization for non-com
{% data reusables.audit_log.octicon_icon %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.audit_log.audit_log_sidebar_for_site_admins %}
1. Enter your search query using `reason:two_factor_requirement_non_compliance`. To narrow your search for:
* Organizations members removed, enter `action:org.remove_member AND reason:two_factor_requirement_non_compliance`
* Outside collaborators removed, enter `action:org.remove_outside_collaborator AND reason:two_factor_requirement_non_compliance`
You can also view people removed from a particular organization by using the organization name in your search:
* `org:octo-org AND reason:two_factor_requirement_non_compliance`
1. Click **Search**.
## Helping removed members and outside collaborators rejoin your organization
## Helping removed outside collaborators rejoin your organization
If any members or outside collaborators are removed from the organization when you enable required use of two-factor authentication, they'll receive an email notifying them that they've been removed. They should then enable 2FA for their personal account, and contact an organization owner to request access to your organization.
If any outside collaborators are removed from the organization when you enable required use of two-factor authentication, they'll receive an email notifying them that they've been removed. They should then enable 2FA for their personal account, and contact an organization owner to request access to your organization.
## Further reading
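Review bot: the heading and paragraph are narrowed to outside collaborators, but the unchanged search steps above still offer "Organizations members removed" with `action:org.remove_member AND reason:two_factor_requirement_non_compliance`; either note that this query only finds removals that occurred before the policy changed, or drop that bullet, and fix "Organizations members" to "Organization members" while touching it.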


@ -90,6 +90,12 @@ Root storage refers to the total size of your instance's root disk. The availabl
ghe-upgrade PACKAGE-NAME.pkg -s -t /dev/xvdg1
```
1. Run the command on the secondary partition of the newly added disk:
```shell
sudo mkfs.ext4 -L fallback /dev/xvdg2
```
1. Shut down the appliance:
```shell
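Review bot: the added step runs `sudo mkfs.ext4 -L fallback /dev/xvdg2` without telling the reader to verify the device; `mkfs.ext4` destroys whatever is on the partition, and `/dev/xvdg2` (like `/dev/xvdg1` in the `ghe-upgrade -t` line above) is only an example name that depends on how the hypervisor attached the new disk. Add a sentence to check the device with `lsblk` (or the equivalent) and to confirm it is the empty second partition of the newly added disk before running the command.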


@ -31,7 +31,7 @@ When you activate webhooks for your {% data variables.product.prodname_github_ap
### Choosing a webhook URL for development and testing
While you develop and test your app, you can use a webhook payload delivery service like [Smee](https://smee.io/) to capture and forward webhook payloads to your local development environment. Never use Smee for an application in production, because Smee channels are not authenticated or secure. Alternatively, you can use a tool like [ngrok](https://ngrok.com/docs/guides/getting-started/), [localtunnel](https://localtunnel.github.io/www/), or the [Hookdeck Console](https://console.hookdeck.com?provider=github) that exposes your local machine to the internet to receive the payloads.
While you develop and test your app, you can use a webhook payload delivery service like [Smee](https://smee.io/) to capture and forward webhook payloads to your local development environment. Never use Smee for an application in production, because Smee channels are not authenticated or secure. Alternatively, you can use a tool like [ngrok](https://ngrok.com/docs/guides/developer-preview/getting-started/), [localtunnel](https://localtunnel.github.io/www/), or the [Hookdeck Console](https://console.hookdeck.com?provider=github) that exposes your local machine to the internet to receive the payloads.
#### Creating a webhook URL with Smee


@ -9,7 +9,9 @@ redirect_from:
- /authentication/securing-your-account-with-two-factor-authentication-2fa/changing-two-factor-authentication-delivery-methods-for-your-mobile-device
- /authentication/securing-your-account-with-two-factor-authentication-2fa/changing-your-preferred-two-factor-authentication-method
versions:
feature: 2fa-reconfiguration-inline-update
fpt: '*'
ghes: '*'
ghec: '*'
topics:
- 2FA
shortTitle: Change 2FA method
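Review bot: replacing `feature: 2fa-reconfiguration-inline-update` with `ghes: '*'` publishes this page for every supported GHES release; confirm the inline 2FA reconfiguration flow exists in all of them (other hunks in this merge still gate GHES behaviour by version), otherwise use a minimum-version bound for `ghes` instead of `'*'`.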


@ -26,7 +26,7 @@ In addition to securely storing your two-factor authentication (2FA) recovery co
To keep your account secure, don't share or distribute your recovery codes. We recommend saving them with a secure password manager.
If you generate new recovery codes or disable and re-enable 2FA, the recovery codes in your security settings automatically update.{% ifversion 2fa-reconfiguration-inline-update %} Reconfiguring your 2FA settings without disabling 2FA will not change your recovery codes.{% endif %}
If you generate new recovery codes or disable and re-enable 2FA, the recovery codes in your security settings automatically update. Reconfiguring your 2FA settings without disabling 2FA will not change your recovery codes.
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.security %}


@ -37,8 +37,9 @@ If you're a member of an {% data variables.enterprise.prodname_emu_enterprise %}
{% endif %}
> [!WARNING]
> * If you're a member{% ifversion fpt or ghec %}, billing manager,{% endif %} or outside collaborator to a private repository of an organization that requires two-factor authentication, you must leave the organization before you can disable 2FA.
> * If you disable 2FA, you will automatically lose access to the organization and any private forks you have of the organization's private repositories. To regain access to the organization and your forks, re-enable two-factor authentication and contact an organization owner.
> * If you're an outside collaborator to a private repository of an organization that requires 2FA, you must leave the organization before you can disable 2FA.
> * If you're a member{% ifversion fpt or ghec %} or billing manager{% endif %} of an organization that requires 2FA, you will be unable to access that organization's resources while you have 2FA disabled.
> * If you disable 2FA, you will automatically lose access to the organization. To regain access to the organization, if you're a member{% ifversion fpt or ghec %} or billing manager{% endif %}, you must re-enable 2FA. If you're an outside collaborator, you will also lose access to any private forks you have of the organization's private repositories after disabling 2FA, and must re-enable 2FA and contact an organization owner to have access restored.
{% ifversion 2fa-reconfiguration-inline-update %}
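Review bot: the third new bullet repeats the first bullet's outside-collaborator consequence (loss of private forks, must re-enable 2FA and contact an owner) inside one long sentence that also covers members and billing managers; split it so the member/billing-manager case and the outside-collaborator case each get their own bullet, or fold the fork-loss sentence into the first bullet, so the same rule is not stated twice.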


@ -37,15 +37,12 @@ To remove yourself from your organization:
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.security %}
{% ifversion 2fa-reconfiguration-inline-update %}
1. Hover over **Enabled**, then click **Disable**.
![Screenshot of an account's 2FA settings. A green button labeled "Enabled" is outlined in orange.](/assets/images/help/2fa/disable-two-factor-authentication.png)
1. If necessary, enter your password or perform 2FA once more to disable 2FA for your {% data variables.product.prodname_dotcom %} account.
{% else %}
1. Click **Disable**.
{% endif %}
## Further reading


@ -49,11 +49,8 @@ shortTitle: Upgrade Git LFS storage
{% data reusables.enterprise-accounts.billing-perms %}
{% note %}
**Note:** If your enterprise account is invoiced, you may not be able to purchase Git LFS data packs on {% data variables.product.prodname_dotcom %}. Instead, contact {% data variables.contact.contact_enterprise_sales %}.
{% endnote %}
> [!NOTE]
> If your enterprise account is invoiced, you may not be able to purchase Git LFS data packs on {% data variables.product.prodname_dotcom %}. Instead, contact {% data variables.contact.contact_enterprise_sales %}.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}


@ -36,11 +36,10 @@ shortTitle: View Git LFS usage
## Viewing storage and bandwidth usage for an organization
{% ifversion billing-beta-enterprise %}
{% note %}
**Note:** If your organization belongs to an enterprise enrolled in the Billing {% data variables.release-phases.private_preview %} for {% data variables.large_files.product_name_short %}, you will not see {% data variables.large_files.product_name_short %} usage on the existing billing pages.
> [!NOTE]
> If your organization belongs to an enterprise enrolled in the Billing {% data variables.release-phases.private_preview %} for {% data variables.large_files.product_name_short %}, you will not see {% data variables.large_files.product_name_short %} usage on the existing billing pages.
{% endnote %}
{% endif %}
{% data reusables.dotcom_billing.org-billing-perms %}
@ -53,11 +52,10 @@ shortTitle: View Git LFS usage
## Viewing storage and bandwidth for an enterprise account
{% ifversion billing-beta-enterprise %}
{% note %}
**Note:** If your enterprise is enrolled in the Billing {% data variables.release-phases.private_preview %} for {% data variables.large_files.product_name_short %}, you will not see {% data variables.large_files.product_name_short %} usage on the existing billing pages.
> [!NOTE]
> If your enterprise is enrolled in the Billing {% data variables.release-phases.private_preview %} for {% data variables.large_files.product_name_short %}, you will not see {% data variables.large_files.product_name_short %} usage on the existing billing pages.
{% endnote %}
{% endif %}
{% data reusables.enterprise-accounts.access-enterprise %}


@ -56,11 +56,9 @@ Organizations owners and billing managers can manage the spending limit for {% d
{% data reusables.dotcom_billing.manage-spending-limit %}
1. Under "Monthly spending limit", choose to limit spending or allow unlimited spending.
{% note %}
> [!NOTE]
> If {% data variables.product.prodname_github_codespaces %} is enabled for your organization, scroll to "Actions & Packages", then choose to limit spending or allow unlimited spending.
**Note:** If {% data variables.product.prodname_github_codespaces %} is enabled for your organization, scroll to "Actions & Packages", then choose to limit spending or allow unlimited spending.
{% endnote %}
{% data reusables.dotcom_billing.update-spending-limit %}
{% ifversion ghec %}


@ -38,11 +38,10 @@ Anyone can view {% data variables.product.prodname_actions %} usage for their ow
## Viewing {% data variables.product.prodname_actions %} usage for your organization
{% ifversion billing-beta-enterprise %}
{% note %}
**Note:** If your organization belongs to an enterprise enrolled in the Billing {% data variables.release-phases.private_preview %} for {% data variables.product.prodname_actions %}, you will not see {% data variables.product.prodname_actions %} usage on the existing billing pages.
> [!NOTE]
> If your organization belongs to an enterprise enrolled in the Billing {% data variables.release-phases.private_preview %} for {% data variables.product.prodname_actions %}, you will not see {% data variables.product.prodname_actions %} usage on the existing billing pages.
{% endnote %}
{% endif %}
Organization owners and billing managers can view {% data variables.product.prodname_actions %} usage for an organization. For organizations managed by an enterprise account, only the organization owners can view {% data variables.product.prodname_actions %} usage in the organization billing page.
@ -57,20 +56,16 @@ Organization owners and billing managers can view {% data variables.product.prod
## Viewing {% data variables.product.prodname_actions %} usage for your enterprise account
{% ifversion billing-beta-enterprise %}
{% note %}
**Note:** If your enterprise is enrolled in the Billing {% data variables.release-phases.private_preview %} for {% data variables.product.prodname_actions %}, you will not see {% data variables.product.prodname_actions %} usage on the existing billing pages.
> [!NOTE]
> If your enterprise is enrolled in the Billing {% data variables.release-phases.private_preview %} for {% data variables.product.prodname_actions %}, you will not see {% data variables.product.prodname_actions %} usage on the existing billing pages.
{% endnote %}
{% endif %}
Enterprise owners and billing managers can view {% data variables.product.prodname_actions %} usage for an enterprise account.
{% note %}
**Note:** Billing details for enterprise accounts don't summarize the usage minutes for each operating system. {% data reusables.actions.enterprise-billing-details %}
{% endnote %}
> [!NOTE]
> Billing details for enterprise accounts don't summarize the usage minutes for each operating system. {% data reusables.actions.enterprise-billing-details %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}


@ -63,11 +63,8 @@ If you have further questions about using {% data variables.product.prodname_GH_
{% data reusables.advanced-security.ghas-license-info-for-fpt %}
{% note %}
**Note:** If you change the visibility of a public repository to private then {% data variables.product.prodname_GH_advanced_security %} will be disabled for that repository.
{% endnote %}
> [!NOTE]
> If you change the visibility of a public repository to private then {% data variables.product.prodname_GH_advanced_security %} will be disabled for that repository.
For pricing details for {% data variables.product.prodname_GH_advanced_security %}, see our [pricing information](https://github.com/enterprise/advanced-security#pricing).


@ -51,11 +51,8 @@ You can set a spending limit for {% data variables.product.prodname_github_codes
Organizations owners and billing managers can manage the spending limit for {% data variables.product.prodname_github_codespaces %} for an organization.
{% note %}
**Note**: Organizations that are owned by an enterprise account cannot specify their own spending limit as this is specified in the enterprise settings.
{% endnote %}
> [!NOTE]
> Organizations that are owned by an enterprise account cannot specify their own spending limit as this is specified in the enterprise settings.
{% data reusables.organizations.billing-settings %}
{% data reusables.dotcom_billing.manage-spending-limit %}


@ -51,13 +51,9 @@ Organization owners and billing managers can view {% data variables.product.prod
{% data reusables.organizations.billing-settings %}
1. Under "Usage this month", under "{% data variables.product.prodname_codespaces %}", view the details of the compute hours and storage used so far this month.
{% note %}
**Notes**:
* The costs shown here are the cumulative costs within the current billing month. The usage-based costs for {% data variables.product.prodname_github_codespaces %} shown on this page are reset to zero at the start of each billing month. Outstanding costs from previous months are not shown.
* The figures on this page are updated every hour.
{% endnote %}
> [!NOTE]
> * The costs shown here are the cumulative costs within the current billing month. The usage-based costs for {% data variables.product.prodname_github_codespaces %} shown on this page are reset to zero at the start of each billing month. Outstanding costs from previous months are not shown.
> * The figures on this page are updated every hour.
You can also see and update your current spending limit. See "[AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-codespaces/managing-the-spending-limit-for-github-codespaces)."


@ -43,11 +43,8 @@ When you choose a paid plan with a free trial:
{% data reusables.user-settings.context_switcher %}
{% note %}
**Note:** When you transfer an organization with paid {% data variables.product.prodname_marketplace %} apps into an enterprise account, you may receive a second receipt but you will not be charged twice.
{% endnote %}
> [!NOTE]
> When you transfer an organization with paid {% data variables.product.prodname_marketplace %} apps into an enterprise account, you may receive a second receipt but you will not be charged twice.
## Unit plan limits


@ -57,11 +57,8 @@ Organizations owners and billing managers can manage the spending limit for {% d
{% data reusables.dotcom_billing.manage-spending-limit %}
1. Under "Monthly spending limit", choose to limit spending or allow unlimited spending.
{% note %}
**Note:** If {% data variables.product.prodname_github_codespaces %} is enabled for your organization, scroll to "Actions & Packages", then choose to limit spending or allow unlimited spending.
{% endnote %}
> [!NOTE]
> If {% data variables.product.prodname_github_codespaces %} is enabled for your organization, scroll to "Actions & Packages", then choose to limit spending or allow unlimited spending.
{% data reusables.dotcom_billing.update-spending-limit %}


@ -49,11 +49,8 @@ Organization owners and billing managers can view {% data variables.product.prod
Enterprise owners and billing managers can view {% data variables.product.prodname_registry %} usage for an enterprise account.
{% note %}
**Note:** Billing details for enterprise accounts only summarize the storage data usage per organization. {% data reusables.actions.enterprise-billing-details %}
{% endnote %}
> [!NOTE]
> Billing details for enterprise accounts only summarize the storage data usage per organization. {% data reusables.actions.enterprise-billing-details %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}


@ -52,15 +52,10 @@ One person may be able to complete the tasks because the person has all of the r
1. An organization owner must invite the subscriber to the organization on {% data variables.location.product_location %} from step 1. The subscriber can accept the invitation with an existing personal account or create a new account. After the subscriber joins the organization, the subscriber becomes an enterprise member. For more information, see "[AUTOTITLE](/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization)."
{% tip %}
**Tips**:
* While not required, we recommend that the organization owner sends an invitation to the same email address used for the subscriber's User Primary Name (UPN). When the email address on {% data variables.location.product_location %} matches the subscriber's UPN, you can ensure that another enterprise does not claim the subscriber's license.
* If the subscriber accepts the invitation to the organization with an existing personal account on {% data variables.location.product_location %}, we recommend that the subscriber add the email address they use for {% data variables.product.prodname_vs %} to their personal account on {% data variables.location.product_location %}. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account)."
* If the organization owner must invite a large number of subscribers, a script may make the process faster. For more information, see [the sample PowerShell script](https://github.com/github/platform-samples/blob/master/api/powershell/invite_members_to_org.ps1) in the `github/platform-samples` repository.
{% endtip %}
> [!TIP]
> * While not required, we recommend that the organization owner sends an invitation to the same email address used for the subscriber's User Primary Name (UPN). When the email address on {% data variables.location.product_location %} matches the subscriber's UPN, you can ensure that another enterprise does not claim the subscriber's license.
> * If the subscriber accepts the invitation to the organization with an existing personal account on {% data variables.location.product_location %}, we recommend that the subscriber add the email address they use for {% data variables.product.prodname_vs %} to their personal account on {% data variables.location.product_location %}. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account)."
> * If the organization owner must invite a large number of subscribers, a script may make the process faster. For more information, see [the sample PowerShell script](https://github.com/github/platform-samples/blob/master/api/powershell/invite_members_to_org.ps1) in the `github/platform-samples` repository.
After {% data variables.visual_studio.prodname_vss_ghe %} is set up for subscribers on your team, enterprise owners can review licensing information on {% data variables.location.product_location %}. For more information, see "[AUTOTITLE](/billing/managing-the-plan-for-your-github-account/viewing-the-subscription-and-usage-for-your-enterprise-account)."

View file

@ -39,8 +39,5 @@ You can purchase other subscriptions and usage-based billing with your existing
{% data reusables.user-settings.context_switcher %}
{% tip %}
**Tip:** {% data variables.product.prodname_dotcom %} has programs for verified students and academic faculty, which include academic discounts. For more information, visit [{% data variables.product.prodname_education %}](https://education.github.com/).
{% endtip %}
> [!TIP]
> {% data variables.product.prodname_dotcom %} has programs for verified students and academic faculty, which include academic discounts. For more information, visit [{% data variables.product.prodname_education %}](https://education.github.com/).

View file

@ -62,14 +62,10 @@ If you currently pay for your {% data variables.product.prodname_enterprise %} l
* Anyone with a pending invitation to become an outside collaborator on private or internal repositories owned by your organization, excluding forks
* Dormant users
{% note %}
**Notes:**
* {% data variables.product.company_short %} counts each outside collaborator once for billing purposes, even if the user account has access to multiple repositories owned by your organization.
* {% data reusables.organizations.org-invite-scim %}
* Inviting an outside collaborator to a repository using their email address temporarily uses an available seat, even if they already have access to other repositories. After they accept the invite, the seat will be freed up again. However, inviting them using their username does not temporarily use a seat.
{% endnote %}
> [!NOTE]
> * {% data variables.product.company_short %} counts each outside collaborator once for billing purposes, even if the user account has access to multiple repositories owned by your organization.
> * {% data reusables.organizations.org-invite-scim %}
> * Inviting an outside collaborator to a repository using their email address temporarily uses an available seat, even if they already have access to other repositories. After they accept the invite, the seat will be freed up again. However, inviting them using their username does not temporarily use a seat.
{% data variables.product.company_short %} does not bill for the following people:
@ -95,14 +91,10 @@ If your enterprise does not use {% data variables.product.prodname_emus %}, you
* Anyone with a pending invitation to become an organization owner or member
* Anyone with a pending invitation to become an outside collaborator on private or internal repositories owned by your organization, excluding forks
{% note %}
**Notes:**
* {% data variables.product.company_short %} counts each member or outside collaborator once for billing purposes, even if the user account has membership in multiple organizations in an enterprise or access to multiple repositories owned by your organization.
* {% data reusables.organizations.org-invite-scim %}
* Inviting an outside collaborator to a repository using their email address temporarily uses an available seat, even if they already have access to other repositories. After they accept the invite, the seat will be freed up again. However, inviting them using their username does not temporarily use a seat.
{% endnote %}
> [!NOTE]
> * {% data variables.product.company_short %} counts each member or outside collaborator once for billing purposes, even if the user account has membership in multiple organizations in an enterprise or access to multiple repositories owned by your organization.
> * {% data reusables.organizations.org-invite-scim %}
> * Inviting an outside collaborator to a repository using their email address temporarily uses an available seat, even if they already have access to other repositories. After they accept the invite, the seat will be freed up again. However, inviting them using their username does not temporarily use a seat.
{% data variables.product.company_short %} does not bill for any of the following accounts:

View file

@ -92,11 +92,8 @@ To see a demo of the process from beginning to end, see [Billing GitHub consumpt
To connect your Azure subscription, you must have owner permissions to the Azure subscription and be an organization owner on {% data variables.product.prodname_dotcom %}.
{% note %}
**Note**: If your organization account on {% data variables.location.product_location %} belongs an enterprise account, you must connect your Azure subscription to the enterprise account instead of the organization account. See "[Connecting your Azure subscription to your enterprise account](/enterprise-cloud@latest/billing/managing-the-plan-for-your-github-account/connecting-an-azure-subscription#connecting-your-azure-subscription-to-your-enterprise-account)" in the {% data variables.product.prodname_ghe_cloud %} version of this article.
{% endnote %}
> [!NOTE]
> If your organization account on {% data variables.location.product_location %} belongs an enterprise account, you must connect your Azure subscription to the enterprise account instead of the organization account. See "[Connecting your Azure subscription to your enterprise account](/enterprise-cloud@latest/billing/managing-the-plan-for-your-github-account/connecting-an-azure-subscription#connecting-your-azure-subscription-to-your-enterprise-account)" in the {% data variables.product.prodname_ghe_cloud %} version of this article.
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
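Review bot: the alert text carried into `> [!NOTE]` keeps the grammatical slip from the `{% note %}` it replaces: "belongs an enterprise account" is missing "to" and should read `> If your organization account on {% data variables.location.product_location %} belongs to an enterprise account, you must connect your Azure subscription to the enterprise account instead of the organization account.` Since the line is rewritten in this hunk anyway, fix it here rather than in a follow-up.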

View file

@ -21,11 +21,9 @@ topics:
- User account
shortTitle: Discounted plans
---
{% tip %}
**Tip**: Discounts for an account's plan do not apply to other subscriptions or usage-based billing.
{% endtip %}
> [!TIP]
> Discounts for an account's plan do not apply to other subscriptions or usage-based billing.
## Discounts for personal accounts

View file

@ -54,11 +54,8 @@ After an organization's plan is downgraded, the organization will lose access to
Downgrading from {% data variables.product.prodname_ghe_cloud %} disables any SAML settings. If you later purchase {% data variables.product.prodname_enterprise %}, you will need to reconfigure SAML.
{% note %}
**Note:** If your organization is owned by an enterprise account, billing cannot be managed at the organization level. To downgrade, you must remove the organization from the enterprise account first. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/user-management/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise)."
{% endnote %}
> [!NOTE]
> If your organization is owned by an enterprise account, billing cannot be managed at the organization level. To downgrade, you must remove the organization from the enterprise account first. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/user-management/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise)."
{% data reusables.organizations.billing-settings %}
1. Under "Current plan", use the **Edit** drop-down and click the downgrade option you want.
@ -102,11 +99,8 @@ To downgrade the plan of an individual organization within the enterprise accoun
{% data reusables.enterprise-accounts.billing-perms %}
{% note %}
**Note:** If your enterprise account is invoiced, you cannot remove seats on {% data variables.product.prodname_dotcom %}. Instead, contact {% data variables.contact.contact_enterprise_sales %}.
{% endnote %}
> [!NOTE]
> If your enterprise account is invoiced, you cannot remove seats on {% data variables.product.prodname_dotcom %}. Instead, contact {% data variables.contact.contact_enterprise_sales %}.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}

View file

@ -52,11 +52,8 @@ Existing sponsorships will remain in place during this period and maintainers wi
## Making a one-time payment for a GitHub subscription
{% note %}
**Note**: Affected customers will receive an email notification with a link to their billing settings when payment is due. Two further reminder emails will be sent 7 and 14 days later if payment has not been made. After 14 days, paid features and services will be locked until payment is made.
{% endnote %}
> [!NOTE]
> Affected customers will receive an email notification with a link to their billing settings when payment is due. Two further reminder emails will be sent 7 and 14 days later if payment has not been made. After 14 days, paid features and services will be locked until payment is made.
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.billing_plans_payment %}

View file

@ -22,11 +22,8 @@ For privacy reasons, enterprise owners cannot directly access the details of use
## About the calculation of consumed licenses
{% note %}
**Note:** For {% data variables.visual_studio.prodname_vs_subscriber %}s, see "[AUTOTITLE](/enterprise-cloud@latest/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/about-visual-studio-subscriptions-with-github-enterprise)."
{% endnote %}
> [!NOTE]
> For {% data variables.visual_studio.prodname_vs_subscriber %}s, see "[AUTOTITLE](/enterprise-cloud@latest/billing/managing-billing-for-your-products/managing-licenses-for-visual-studio-subscriptions-with-github-enterprise/about-visual-studio-subscriptions-with-github-enterprise)."
A person consumes a license for {% data variables.product.prodname_enterprise %} depending on specific criteria. If a user has not yet accepted an invitation to join your enterprise, the user still consumes a license. For more information about the people in your enterprise who consume a license, see "[AUTOTITLE](/billing/managing-the-plan-for-your-github-account/about-per-user-pricing)."
@ -98,11 +95,8 @@ To ensure that the each user is only consuming a single seat for different deplo
1. To help identify users that are consuming multiple seats, if your enterprise uses verified domains for {% data variables.product.prodname_ghe_cloud %}, review the list of enterprise members who do not have an email address from a verified domain associated with their account on {% data variables.product.prodname_ghe_cloud %}. Often, these are the users who erroneously consume more than one licensed seat. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-members-without-an-email-address-from-a-verified-domain)."
{% note %}
**Note:** To make troubleshooting easier, we recommend using verified domains with your enterprise account on {% data variables.product.prodname_ghe_cloud %}. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)."
{% endnote %}
> [!NOTE]
> To make troubleshooting easier, we recommend using verified domains with your enterprise account on {% data variables.product.prodname_ghe_cloud %}. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)."
1. After you identify users who are consuming multiple seats, make sure that the same email address is associated with all of the user's accounts. For more information about which email addresses must match, see "[About the calculation of consumed licenses](#about-the-calculation-of-consumed-licenses)."
1. If an email address was recently updated or verified to correct a mismatch, view the timestamp of the last license sync job. If a job hasn't run since the correction was made, manually trigger a new job. For more information, see "[AUTOTITLE](/billing/managing-your-license-for-github-enterprise/syncing-license-usage-between-github-enterprise-server-and-github-enterprise-cloud)."
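Review bot: the hunk header's context line, "To ensure that the each user is only consuming a single seat for different deployments", has a stray "the" before "each"; that sentence sits just above this hunk, and since the file is already being touched for the alert conversion it is worth dropping the extra word in the same change. The converted note and the surrounding troubleshooting steps (verified domains, matching email addresses, re-running the license sync job) read correctly.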

View file

@ -19,11 +19,10 @@ After you purchase or upgrade a license for {% data variables.product.prodname_e
## Uploading your license from the {% data variables.enterprise.management_console %}
{% ifversion ghes < 3.13 %}
{% warning %}
**Warning:** Updating your license causes a small amount of downtime for {% data variables.location.product_location %}.
> [!WARNING]
> Updating your license causes a small amount of downtime for {% data variables.location.product_location %}.
{% endwarning %}
{% endif %}
1. Sign into {% data variables.location.product_location_enterprise %} as a site administrator.
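Review bot: the context step after the converted warning, `1. Sign into {% data variables.location.product_location_enterprise %} as a site administrator.`, should read "Sign in to": the verb is "sign in" and the preposition attaches to the instance, which is also how the rest of the docs phrase it. The `> [!WARNING]` alert itself remains correctly wrapped by `{% ifversion ghes < 3.13 %}` ... `{% endif %}`, so the version gating is preserved by the conversion.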

View file

@ -18,6 +18,7 @@ As a Microsoft Cloud Solution Provider (CSP) partner, you can create an enterpri
Before you start, make sure you know:
* The {% data variables.product.prodname_dotcom %} username of the client who will become the owner of the enterprise account you create
* The {% data variables.product.prodname_dotcom %} username for the CSP partner that must be assigned to the customers enterprise account to manage metered billing and access support
* The name your client would like to use for the enterprise account
* The email address where you would like receipts to be sent
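Review bot: the added bullet `* The {% data variables.product.prodname_dotcom %} username for the CSP partner that must be assigned to the customers enterprise account to manage metered billing and access support` needs a possessive: "the customer's enterprise account". The new line is the only one in this hunk, so the fix belongs in this change.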

View file

@ -17,11 +17,8 @@ shortTitle: Renewing paid organization
---
{% data reusables.organizations.reseller-ask-to-become-billing-manager %}
{% tip %}
**Tip**: Billing managers can also [change the organization's number of paid seats](/billing/setting-up-paid-organizations-for-procurement-companies/upgrading-or-downgrading-your-clients-paid-organization) anytime.
{% endtip %}
> [!TIP]
> Billing managers can also [change the organization's number of paid seats](/billing/setting-up-paid-organizations-for-procurement-companies/upgrading-or-downgrading-your-clients-paid-organization) anytime.
## Updating your organization's credit card

View file

@ -18,13 +18,9 @@ shortTitle: Upgrade or downgrade
---
{% data reusables.organizations.reseller-ask-to-become-billing-manager %}
{% tip %}
**Tips**:
* Before you upgrade your client's organization, you can [view or update the payment method on file for the organization](/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method).
* These instructions are for upgrading and downgrading organizations on the _per-seat subscription_. If your client pays for {% data variables.product.product_name %} using a _legacy per-repository_ plan, you can upgrade or [downgrade](/billing/managing-the-plan-for-your-github-account/downgrading-your-accounts-plan) their legacy plan, or [switch their organization to per-seat pricing](/billing/managing-the-plan-for-your-github-account/upgrading-your-accounts-plan).
{% endtip %}
> [!TIP]
> * Before you upgrade your client's organization, you can [view or update the payment method on file for the organization](/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method).
> * These instructions are for upgrading and downgrading organizations on the _per-seat subscription_. If your client pays for {% data variables.product.product_name %} using a _legacy per-repository_ plan, you can upgrade or [downgrade](/billing/managing-the-plan-for-your-github-account/downgrading-your-accounts-plan) their legacy plan, or [switch their organization to per-seat pricing](/billing/managing-the-plan-for-your-github-account/upgrading-your-accounts-plan).
## Upgrading an organization's number of paid seats

View file

@ -27,11 +27,8 @@ shortTitle: Add to your receipts
Your receipts include your {% data variables.product.prodname_dotcom %} subscription as well as any subscriptions for other paid features and products. For more information, see "[AUTOTITLE](/billing/managing-your-github-billing-settings/about-billing-on-github)."
{% warning %}
**Warning**: For security reasons, we strongly recommend against including any confidential or financial information (such as credit card numbers) on your receipts.
{% endwarning %}
> [!WARNING]
> For security reasons, we strongly recommend against including any confidential or financial information (such as credit card numbers) on your receipts.
## Adding information to your personal account's receipts
@ -46,11 +43,8 @@ You can add information to your personal account's receipts, such as a VAT or GS
You can add information to your organization's receipts, such as a VAT or GST identification number, or your full business name or address of record.
{% note %}
**Note**: {% data reusables.dotcom_billing.org-billing-perms %}
{% endnote %}
> [!NOTE]
> {% data reusables.dotcom_billing.org-billing-perms %}
{% data reusables.organizations.billing-settings %}
1. At the top of the page, click **Payment information**.

View file

@ -72,11 +72,8 @@ You can update your enterprise account's credit card or PayPal details, or you c
### Updating your enterprise account's credit card or PayPal details
{% note %}
**Note:** If your enterprise account is invoiced, you cannot change your payment method on {% data variables.product.prodname_dotcom %}. Instead, contact {% data variables.contact.contact_enterprise_sales %}.
{% endnote %}
> [!NOTE]
> If your enterprise account is invoiced, you cannot change your payment method on {% data variables.product.prodname_dotcom %}. Instead, contact {% data variables.contact.contact_enterprise_sales %}.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}

View file

@ -21,11 +21,8 @@ shortTitle: Billing cycle
---
When you change your billing cycle's duration, your {% data variables.product.prodname_dotcom %} subscription, along with any other paid features and products, will be moved to your new billing cycle on your next billing date.
{% note %}
**Note:** Certain products, such as {% data variables.product.prodname_copilot_for_business %} and {% data variables.product.prodname_copilot_enterprise %}, {% data variables.product.prodname_actions %}, and {% data variables.product.prodname_registry %}, only offer monthly billing.
{% endnote %}
> [!NOTE]
> Certain products, such as {% data variables.product.prodname_copilot_for_business %} and {% data variables.product.prodname_copilot_enterprise %}, {% data variables.product.prodname_actions %}, and {% data variables.product.prodname_registry %}, only offer monthly billing.
## Changing the duration of your personal account's billing cycle
@ -58,11 +55,8 @@ When you change your billing cycle's duration, your {% data variables.product.pr
{% data reusables.enterprise-accounts.billing-perms %}
{% note %}
**Note:** You cannot change the duration of your billing cycle if your enterprise account is invoiced.
{% endnote %}
> [!NOTE]
> You cannot change the duration of your billing cycle if your enterprise account is invoiced.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}

View file

@ -42,11 +42,8 @@ shortTitle: View history & receipts
{% data reusables.enterprise-accounts.billing-perms %}
{% note %}
**Note:** You cannot view receipts if your enterprise account is invoiced.
{% endnote %}
> [!NOTE]
> You cannot view receipts if your enterprise account is invoiced.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}

View file

@ -39,11 +39,8 @@ shortTitle: Subscriptions & billing date
{% data reusables.enterprise-accounts.billing-perms %}
{% note %}
**Note:** You cannot view your next billing date if your enterprise account is invoiced.
{% endnote %}
> [!NOTE]
> You cannot view your next billing date if your enterprise account is invoiced.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}

View file

@ -42,11 +42,8 @@ Your core focus should be preparing as many teams to use {% data variables.produ
You can programmatically gather information about the different programming languages used in your repositories and use that data to enable {% data variables.product.prodname_code_scanning %} on all repositories that use the same language, using {% data variables.product.product_name %}'s GraphQL API.
{% note %}
**Note:** To gather this data without manually running the GraphQL queries described in this article, you can use our publicly available tool. For more information, see the "[ghas-enablement tool](https://github.com/NickLiffen/ghas-enablement)" repository.
{% endnote %}
> [!NOTE]
> To gather this data without manually running the GraphQL queries described in this article, you can use our publicly available tool. For more information, see the "[ghas-enablement tool](https://github.com/NickLiffen/ghas-enablement)" repository.
If you want to gather information from repositories belonging to multiple organizations in your enterprise, you can use the query below to obtain the names of your organizations and then feed those into repository query. Replace OCTO-ENTERPRISE with your enterprise name.
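Review bot: the context paragraph under the converted note is missing an article: "feed those into repository query" should be "feed those into the repository query". The note's pointer to the ghas-enablement repository is consistent with the later hunks that reference the same tool, so no change is needed there.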
@ -128,13 +125,10 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro
## Preparing to enable {% data variables.product.prodname_secret_scanning %}
{% note %}
**Note:** When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %}
Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."{% endif %}
{% endnote %}
> [!NOTE]
> When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %}
>
> Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."{% endif %}
If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."

View file

@ -36,11 +36,8 @@ Using the data you collated in [Phase 2](/code-security/adopting-github-advanced
There is a publicly available tool that completes the first two steps called the [ghas-enablement tool](https://github.com/NickLiffen/ghas-enablement). You can re-run the ghas-enablement tool in batches of languages where it makes sense. For example, JavaScript, TypeScript, Python, and Go likely have a similar build process and could therefore use a similar {% data variables.product.prodname_codeql %} analysis file. The ghas-enablement tool can also be used for languages such as Java, C, and C++, but due to the varied nature of how these languages build and compile you may need to create more targeted {% data variables.product.prodname_codeql %} analysis files.
{% note %}
**Note:** If you are intending to use {% data variables.product.prodname_actions %} to control {% data variables.product.prodname_code_scanning %} and you do not use the [ghas-enablement tool](https://github.com/NickLiffen/ghas-enablement), keep in mind that there is no API access to the `.github/workflow` directory. This means that you cannot create a script without a git client underlying the automation. The workaround is to leverage bash scripting on a machine or container which has a git client. The git client can push and pull files into the `.github/workflows` directory where the `codeql-analysis.yml` file is located.
{% endnote %}
> [!NOTE]
> If you are intending to use {% data variables.product.prodname_actions %} to control {% data variables.product.prodname_code_scanning %} and you do not use the [ghas-enablement tool](https://github.com/NickLiffen/ghas-enablement), keep in mind that there is no API access to the `.github/workflow` directory. This means that you cannot create a script without a git client underlying the automation. The workaround is to leverage bash scripting on a machine or container which has a git client. The git client can push and pull files into the `.github/workflows` directory where the `codeql-analysis.yml` file is located.
It is important to not just push the `codeql-analysis.yml` file the repository's default branch. Using a pull request puts ownership on the development team to review and merge, allowing the development team to learn about {% data variables.product.prodname_code_scanning %} and involving the team in the process.
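Review bot: the converted note names the directory `.github/workflow` on its first mention and `.github/workflows` two sentences later; the GitHub Actions directory is `.github/workflows`, so the first reference should be corrected to match while the line is being rewritten: `> ... keep in mind that there is no API access to the `.github/workflows` directory.` The context paragraph below also drops a word: "push the `codeql-analysis.yml` file the repository's default branch" should be "file to the repository's default branch".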

View file

@ -40,20 +40,15 @@ There are a few approaches for tackling newly committed credentials, but one exa
1. **Notify**: Use webhooks to ensure that any new secret alerts are seen by the right teams as quickly as possible. A webhook fires when a secret alert is either created, resolved, or reopened. You can then parse the webhook payload, and integrate it into any tools you and your team use such Slack, Teams, Splunk, or email. For more information, see "[AUTOTITLE](/webhooks-and-events/webhooks/about-webhooks)" and "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#secret_scanning_alert)."
1. **Follow Up**: Create a high-level remediation process that works for all secret types. For example, you could contact the developer who committed the secret and their technical lead on that project, highlighting the dangers of committing secrets to {% data variables.product.prodname_dotcom %}, and asking the them to revoke, and update the detected secret.
{% note %}
> [!NOTE]
> You can automate this step. For large enterprises and organizations with hundreds of repositories, manually following up is unsustainable. You could incorporate automation into the webhook process defined in the first step. The webhook payload contains repository and organization information about the leaked secret. Using this information, you can contact the current maintainers on the repository and create an email/message to the responsible people or open an issue.
**Note:** You can automate this step. For large enterprises and organizations with hundreds of repositories, manually following up is unsustainable. You could incorporate automation into the webhook process defined in the first step. The webhook payload contains repository and organization information about the leaked secret. Using this information, you can contact the current maintainers on the repository and create an email/message to the responsible people or open an issue.
{% endnote %}
1. **Educate**: Create an internal training document assigned to the developer who committed the secret. Within this training document, you can explain the risks created by committing secrets and direct them to your best practice information about using secrets securely in development. If a developer doesn't learn from the experience and continues to commit secrets, you could create an escalation process, but education usually works well.
Repeat the last two steps for any new secrets leaked. This process encourages developers to take responsibility for managing the secrets used in their code securely, and allows you to measure the reduction in newly committed secrets.
{% note %}
**Note:** More advanced organizations may want to perform auto-remediation of certain types of secrets. There is an open-source initiative called [GitHub Secret Scanner Auto Remediator](https://github.com/NickLiffen/GSSAR) which you can deploy into your AWS, Azure, or GCP environment and tailor to automatically revoke certain types of secrets based on what you define as the most critical. This is also an excellent way to react to new secrets being committed with a more automated approach.
{% endnote %}
> [!NOTE]
> More advanced organizations may want to perform auto-remediation of certain types of secrets. There is an open-source initiative called [GitHub Secret Scanner Auto Remediator](https://github.com/NickLiffen/GSSAR) which you can deploy into your AWS, Azure, or GCP environment and tailor to automatically revoke certain types of secrets based on what you define as the most critical. This is also an excellent way to react to new secrets being committed with a more automated approach.
## 2. Enable push protection
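Review bot: two typos in the unchanged step text around the converted notes: the "Notify" step has "tools you and your team use such Slack, Teams, Splunk, or email" (missing "as" after "such"), and the "Follow Up" step has "asking the them to revoke, and update the detected secret" (stray "the", and the comma before "and" splits the verb pair; "asking them to revoke and update the detected secret"). The notes under these steps are being converted in this hunk, so the steps they sit under are the natural place to fix both in the same change.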
@ -81,11 +76,8 @@ Once you have decided on the secret types, you can do the following:
1. Define a process for remediating each type of secret. The actual procedure for each secret type is often drastically different. Write down the process for each type of secret in a document or internal knowledge base.
{% note %}
**Note:** When you create the process for revoking secrets, try and give the responsibility for revoking secrets to the team maintaining the repository instead of a central team. One of the principles of GHAS is developers taking ownership of security and having the responsibility of fixing security issues, especially if they have created them.
{% endnote %}
> [!NOTE]
> When you create the process for revoking secrets, try and give the responsibility for revoking secrets to the team maintaining the repository instead of a central team. One of the principles of GHAS is developers taking ownership of security and having the responsibility of fixing security issues, especially if they have created them.
1. When you have created the process that teams will follow for revoking credentials, you can collate information about the types of secrets and other metadata associated with the leaked secrets so you can discern who to communicate the new process to.
@ -99,11 +91,8 @@ Once you have decided on the secret types, you can do the following:
* Secret value
* Maintainers on repository to contact
{% note %}
**Note:** Use the UI if you have few secrets leaked of that type. If you have hundreds of leaked secrets, use the API to collect information. For more information, see "[AUTOTITLE](/rest/secret-scanning)."
{% endnote %}
> [!NOTE]
> Use the UI if you have few secrets leaked of that type. If you have hundreds of leaked secrets, use the API to collect information. For more information, see "[AUTOTITLE](/rest/secret-scanning)."
1. After you collect information about leaked secrets, create a targeted communication plan for the users who maintain the repositories affected by each secret type. You could use email, messaging, or even create GitHub issues in the affected repositories. If you can use APIs provided by these tools to send out the communications in an automated manner, this will make it easier for you to scale across multiple secret types.

View file

@ -262,11 +262,8 @@ If you added manual build steps for compiled languages and {% data variables.pro
* [Building Java and Kotlin](#building-java-and-kotlin)
* [Building Swift](#building-swift)
{% note %}
**Note**: If your workflow uses a `language` matrix, `autobuild` attempts to build each of the compiled languages listed in the matrix. Without a matrix `autobuild` attempts to build the supported compiled language that has the most source files in the repository. With the exception of Go, analysis of other compiled languages in your repository will fail unless you supply explicit build commands.
{% endnote %}
> [!NOTE]
> If your workflow uses a `language` matrix, `autobuild` attempts to build each of the compiled languages listed in the matrix. Without a matrix `autobuild` attempts to build the supported compiled language that has the most source files in the repository. With the exception of Go, analysis of other compiled languages in your repository will fail unless you supply explicit build commands.
## Building C/C++
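Review bot: in the converted note, "Without a matrix `autobuild` attempts to build the supported compiled language ..." needs a comma after "matrix" ("Without a matrix, `autobuild` attempts ..."), otherwise the sentence first parses as "matrix autobuild". The wording is carried over unchanged from the old `{% note %}` text, but since the line is being rewritten anyway this is the moment to fix it.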
@ -431,11 +428,8 @@ The `autobuild` process attempts to autodetect a suitable way to install the dep
1. Finally, if configurations files for these dependency managers are not found, rearrange the repository directory structure suitable for addition to `GOPATH`, and use `go get` to install dependencies. The directory structure reverts to normal after extraction completes.
1. Extract all Go code in the repository, similar to running `go build ./...`.
{% note %}
**Note:** If you use default setup, it will look for a `go.mod` file to automatically install a compatible version of the Go language.{% ifversion code-scanning-default-setup-self-hosted-310 %} If you're using a self-hosted runner with default setup that doesn't have internet access, you can manually install a compatible version of Go.{% endif %}
{% endnote %}
> [!NOTE]
> If you use default setup, it will look for a `go.mod` file to automatically install a compatible version of the Go language.{% ifversion code-scanning-default-setup-self-hosted-310 %} If you're using a self-hosted runner with default setup that doesn't have internet access, you can manually install a compatible version of Go.{% endif %}
### Extractor options for Go
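Review bot: the unchanged step just above the converted note still reads "if configurations files for these dependency managers are not found"; "configurations" should be singular ("configuration files"). It is not part of the note conversion, but the paragraph is already being touched in this hunk, so it is worth fixing in the same change.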

View file

@ -57,11 +57,10 @@ You can customize your {% data variables.product.prodname_codeql %} analysis by
{% data reusables.code-scanning.billing %}
{% ifversion fpt %}
{% note %}
**Note:** You can configure {% data variables.product.prodname_code_scanning %} for any public repository where you have write access.
> [!NOTE]
> You can configure {% data variables.product.prodname_code_scanning %} for any public repository where you have write access.
{% endnote %}
{% endif %}
{% data reusables.repositories.navigate-to-repo %}
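Review bot: the `{% endnote %}` in this hunk is left in place while its opening `{% note %}` and the `**Note:**` line are removed, so the `{% ifversion fpt %}` block now contains `> [!NOTE]`, the `> You can configure ...` body, and then an unmatched `{% endnote %}` before `{% endif %}`. The stray closing tag should be deleted, as the other hunks in this commit do, so the block ends with the alert body followed directly by `{% endif %}`.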
@ -69,11 +68,8 @@ You can customize your {% data variables.product.prodname_codeql %} analysis by
{% data reusables.user-settings.security-analysis %}
1. Scroll down to the "{% data variables.product.prodname_code_scanning_caps %}" section, select **Set up** {% octicon "triangle-down" aria-hidden="true" %}, then click **Advanced**.
{% note %}
**Note:** If you are switching from default setup to advanced setup, in the "{% data variables.product.prodname_code_scanning_caps %}" section, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "workflow" aria-hidden="true" %} **Switch to advanced**. In the pop-up window that appears, click **Disable {% data variables.product.prodname_codeql %}**.
{% endnote %}
> [!NOTE]
> If you are switching from default setup to advanced setup, in the "{% data variables.product.prodname_code_scanning_caps %}" section, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "workflow" aria-hidden="true" %} **Switch to advanced**. In the pop-up window that appears, click **Disable {% data variables.product.prodname_codeql %}**.
![Screenshot of the "{% data variables.product.prodname_code_scanning_caps %}" section of "Code security and analysis" settings. The "Advanced setup" button is highlighted with an orange outline.](/assets/images/help/security/advanced-code-scanning-setup.png)

View file

@ -76,11 +76,8 @@ Using the `pull_request` trigger, configured to scan the pull request's merge co
{% ifversion fpt or ghec %}
{% note %}
**Note:** If your repository is configured with a merge queue, you need to include the `merge_group` event as an additional trigger for {% data variables.product.prodname_code_scanning %}. This will ensure that pull requests are also scanned when they are added to a merge queue. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue)."
{% endnote %}
> [!NOTE]
> If your repository is configured with a merge queue, you need to include the `merge_group` event as an additional trigger for {% data variables.product.prodname_code_scanning %}. This will ensure that pull requests are also scanned when they are added to a merge queue. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue)."
{% endif %}
@ -99,11 +96,8 @@ on:
- '**/*.txt'
```
{% note %}
**Note:** `on:pull_request:paths-ignore` and `on:pull_request:paths` set conditions that determine whether the actions in the workflow will run on a pull request. They don't determine what files will be analyzed when the actions _are_ run. When a pull request contains any files that are not matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, the workflow runs the actions and scans all of the files changed in the pull request, including those matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, unless the files have been excluded. For information on how to exclude files from analysis, see "[Specifying directories to scan](#specifying-directories-to-scan)."
{% endnote %}
> [!NOTE]
> `on:pull_request:paths-ignore` and `on:pull_request:paths` set conditions that determine whether the actions in the workflow will run on a pull request. They don't determine what files will be analyzed when the actions _are_ run. When a pull request contains any files that are not matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, the workflow runs the actions and scans all of the files changed in the pull request, including those matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, unless the files have been excluded. For information on how to exclude files from analysis, see "[Specifying directories to scan](#specifying-directories-to-scan)."
For more information about using `on:pull_request:paths-ignore` and `on:pull_request:paths` to determine when a workflow will run for a pull request, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)."
@ -111,11 +105,8 @@ For more information about using `on:pull_request:paths-ignore` and `on:pull_req
If you use the default {% data variables.code-scanning.codeql_workflow %}, the workflow will scan the code in your repository once a week, in addition to the scans triggered by events. To adjust this schedule, edit the `cron` value in the workflow. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onschedule)."
{% note %}
**Note**: {% data variables.product.prodname_dotcom %} only runs scheduled jobs that are in workflows on the default branch. Changing the schedule in a workflow on any other branch has no effect until you merge the branch into the default branch.
{% endnote %}
> [!NOTE]
> {% data variables.product.prodname_dotcom %} only runs scheduled jobs that are in workflows on the default branch. Changing the schedule in a workflow on any other branch has no effect until you merge the branch into the default branch.
### Example
@ -138,15 +129,10 @@ This workflow scans:
## Specifying an operating system
{% note %}
**Notes**:
* Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}{% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, so you should consider only scanning the build step. For more information about configuring code scanning for Swift, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#considerations-for-building-swift)." For more information about pricing for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."{% endif %}
* {% data reusables.code-scanning.default-setup-swift-self-hosted-runners %}
{% endnote %}
> [!NOTE]
> * Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}{% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, so you should consider only scanning the build step. For more information about configuring code scanning for Swift, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#considerations-for-building-swift)." For more information about pricing for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."{% endif %}
>
> * {% data reusables.code-scanning.default-setup-swift-self-hosted-runners %}
If your code requires a specific operating system to compile, you can configure the operating system in your {% data variables.code-scanning.codeql_workflow %}. Edit the value of `jobs.analyze.runs-on` to specify the operating system for the machine that runs your {% data variables.product.prodname_code_scanning %} actions. {% ifversion ghes %}You specify the operating system by using an appropriate label as the second element in a two-element array, after `self-hosted`.{% else %}
@ -299,11 +285,8 @@ In this example, the default queries will be run for Java, as well as the querie
To add one or more {% data variables.product.prodname_codeql %} query packs, add a `with: packs:` entry within the `uses: {% data reusables.actions.action-codeql-action-init %}` section of the workflow. Within `packs` you specify one or more packages to use and, optionally, which version to download. Where you don't specify a version, the latest version is downloaded. If you want to use packages that are not publicly available, you need to set the `GITHUB_TOKEN` environment variable to a secret that has access to the packages. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)" and "[AUTOTITLE](/actions/security-guides/encrypted-secrets)."
{% note %}
**Note:** For workflows that generate {% data variables.product.prodname_codeql %} databases for multiple languages, you must instead specify the {% data variables.product.prodname_codeql %} query packs in a configuration file. For more information, see "[Specifying {% data variables.product.prodname_codeql %} query packs](#specifying-codeql-query-packs)" below.
{% endnote %}
> [!NOTE]
> For workflows that generate {% data variables.product.prodname_codeql %} databases for multiple languages, you must instead specify the {% data variables.product.prodname_codeql %} query packs in a configuration file. For more information, see "[Specifying {% data variables.product.prodname_codeql %} query packs](#specifying-codeql-query-packs)" below.
In the example below, `scope` is the organization or personal account that published the package. When the workflow runs, the four {% data variables.product.prodname_codeql %} query packs are downloaded from {% data variables.product.product_name %} and the default queries or query suite for each pack run:
* The latest version of `pack1` is downloaded and all default queries are run.
@ -318,18 +301,10 @@ In the example below, `scope` is the organization or personal account that publi
packs: scope/pack1,scope/pack2@1.2.3,scope/pack3@~3.2.1,scope/pack4@4.5.6:path/to/queries
```
{% note %}
**Note:** If you specify a particular version of a query pack to use,
beware that the version you specify may eventually become too old to
be used efficiently by the default
{% data variables.product.prodname_codeql %} engine used by the
{% data variables.product.prodname_codeql %} action.
To ensure optimal performance, if you need to specify exact query pack versions, you should consider reviewing periodically whether the pinned version of the query pack needs to be moved forward.
For more information about pack compatibility, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility)."
{% endnote %}
> [!NOTE]
> If you specify a particular version of a query pack to use, beware that the version you specify may eventually become too old to be used efficiently by the default {% data variables.product.prodname_codeql %} engine used by the {% data variables.product.prodname_codeql %} action. To ensure optimal performance, if you need to specify exact query pack versions, you should consider reviewing periodically whether the pinned version of the query pack needs to be moved forward.
>
> For more information about pack compatibility, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility)."
### Downloading {% data variables.product.prodname_codeql %} packs from {% data variables.product.prodname_ghe_server %}
@ -517,13 +492,9 @@ query-filters:
To find the id of a query, you can click the alert in the list of alerts in the **Security** tab. This opens the alert details page. The `Rule ID` field contains the query id. For more information about the alert details page, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-details)."
{% tip %}
**Tips:**
* The order of the filters is important. The first filter instruction that appears after the instructions about the queries and query packs determines whether the queries are included or excluded by default.
* Subsequent instructions are executed in order and the instructions that appear later in the file take precedence over the earlier instructions.
{% endtip %}
> [!TIP]
> * The order of the filters is important. The first filter instruction that appears after the instructions about the queries and query packs determines whether the queries are included or excluded by default.
> * Subsequent instructions are executed in order and the instructions that appear later in the file take precedence over the earlier instructions.
You can find another example illustrating the use of these filters in the "[Example configuration files](#example-configuration-files)" section.
@ -541,15 +512,10 @@ paths-ignore:
- '**/*.test.js'
```
{% note %}
**Note**:
* The `paths` and `paths-ignore` keywords, used in the context of the {% data variables.product.prodname_code_scanning %} configuration file, should not be confused with the same keywords when used for `on.<push|pull_request>.paths` in a workflow. When they are used to modify `on.<push|pull_request>` in a workflow, they determine whether the actions will be run when someone modifies code in the specified directories. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)."
* The filter pattern characters `?`, `+`, `[`, `]`, and `!` are not supported and will be matched literally.
* `**` characters can only be at the start or end of a line, or surrounded by slashes, and you can't mix `**` and other characters. For example, `foo/**`, `**/foo`, and `foo/**/bar` are all allowed syntax, but `**foo` isn't. However you can use single stars along with other characters, as shown in the example. You'll need to quote anything that contains a `*` character.
{% endnote %}
> [!NOTE]
> * The `paths` and `paths-ignore` keywords, used in the context of the {% data variables.product.prodname_code_scanning %} configuration file, should not be confused with the same keywords when used for `on.<push|pull_request>.paths` in a workflow. When they are used to modify `on.<push|pull_request>` in a workflow, they determine whether the actions will be run when someone modifies code in the specified directories. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)."
> * The filter pattern characters `?`, `+`, `[`, `]`, and `!` are not supported and will be matched literally.
> * `**` characters can only be at the start or end of a line, or surrounded by slashes, and you can't mix `**` and other characters. For example, `foo/**`, `**/foo`, and `foo/**/bar` are all allowed syntax, but `**foo` isn't. However you can use single stars along with other characters, as shown in the example. You'll need to quote anything that contains a `*` character.
For analysis where code is built, if you want to limit {% data variables.product.prodname_code_scanning %} to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
@ -582,22 +548,17 @@ This step in a {% data variables.product.prodname_actions %} workflow file uses
You can use the same approach to specify any valid configuration options in the workflow file.
{% tip %}
**Tip:**
You can share one configuration across multiple repositories using {% data variables.product.prodname_actions %} variables. One benefit of this approach is that you can update the configuration in a single place without editing the workflow file.
In the following example, `vars.CODEQL_CONF` is a {% data variables.product.prodname_actions %} variable. Its value can be the contents of any valid configuration file. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows)."
```yaml
- uses: {% data reusables.actions.action-codeql-action-init %}
with:
languages: {% raw %}${{ matrix.language }}{% endraw %}
config: {% raw %}${{ vars.CODEQL_CONF }}{% endraw %}
```
{% endtip %}
> [!TIP]
> You can share one configuration across multiple repositories using {% data variables.product.prodname_actions %} variables. One benefit of this approach is that you can update the configuration in a single place without editing the workflow file.
>
> In the following example, `vars.CODEQL_CONF` is a {% data variables.product.prodname_actions %} variable. Its value can be the contents of any valid configuration file. For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows)."
>
> ```yaml
> - uses: {% data reusables.actions.action-codeql-action-init %}
> with:
> languages: {% raw %}${{ matrix.language }}{% endraw %}
> config: {% raw %}${{ vars.CODEQL_CONF }}{% endraw %}
> ```
## Configuring {% data variables.product.prodname_code_scanning %} for compiled languages

View file

@ -30,11 +30,8 @@ If you're configuring {% data variables.product.prodname_code_scanning %} for a
You must run {% data variables.product.prodname_codeql %} inside the container in which you build your code. This applies whether you are using the {% data variables.product.prodname_codeql_cli %} or {% data variables.product.prodname_actions %}. For the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)" for more information. If you're using {% data variables.product.prodname_actions %}, configure your workflow to run all the actions in the same container. For more information, see "[Example workflow](#example-workflow)."
{% note %}
**Note:** {% data reusables.code-scanning.non-glibc-linux-support %}
{% endnote %}
> [!NOTE]
> {% data reusables.code-scanning.non-glibc-linux-support %}
## Dependencies for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}

View file

@ -59,11 +59,10 @@ A repository must meet all the following criteria to be eligible for default set
{% data reusables.code-scanning.default-setup-pre-enablement-explanation %}
{% endif %}
{% ifversion code-security-multi-repo-enablement %}
{% note %}
**Note:** Configuring default setup for all repositories in an organization through your organization's settings page _will not_ override existing configurations of default setup. However, configuring default setup on a subset of repositories in an organization through security overview _will_ override existing configurations of default setup on those repositories.
> [!NOTE]
> Configuring default setup for all repositories in an organization through your organization's settings page _will not_ override existing configurations of default setup. However, configuring default setup on a subset of repositories in an organization through security overview _will_ override existing configurations of default setup on those repositories.
{% endnote %}
{% endif %}
{% ifversion code-scanning-default-setup-automatic-311 %}
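Review bot: same leftover as in the advanced-setup file: inside `{% ifversion code-security-multi-repo-enablement %}` the `{% note %}` and `**Note:**` lines are removed and the `> [!NOTE]` alert added, but the `{% endnote %}` line after the alert body is kept, leaving an unmatched closing tag before `{% endif %}`. Remove the `{% endnote %}` line so the branch contains only the two `>` lines.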
@ -90,14 +89,10 @@ Through the "Code security and analysis" page of your organization's settings, y
1. Optionally, to recommend the "Extended" query suite throughout your organization when enabling default setup, select "Recommend the extended query suite for repositories enabling default setup."{% else %}
1. In the "Enable {% data variables.product.prodname_code_scanning %} for eligible repositories" dialog box displayed, click **Enable for eligible repositories** to enable your configuration of default setup.{% endif %}
{% note %}
**Notes:**
* {% data reusables.code-scanning.limitation-org-enable-all %}
* Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %}" and "[Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}."{% ifversion default-setup-pre-enablement %}
* Enabling default setup for all eligible repositories in an organization includes eligible repositories without {% data variables.product.prodname_codeql %}-supported languages. If a {% data variables.product.prodname_codeql %}-supported language is later added to one of these repositories, default setup will begin scanning that repository and consuming {% data variables.product.prodname_actions %} minutes.{% endif %}
{% endnote %}
> [!NOTE]
> * {% data reusables.code-scanning.limitation-org-enable-all %}
> * Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %}" and "[Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}."{% ifversion default-setup-pre-enablement %}
> * Enabling default setup for all eligible repositories in an organization includes eligible repositories without {% data variables.product.prodname_codeql %}-supported languages. If a {% data variables.product.prodname_codeql %}-supported language is later added to one of these repositories, default setup will begin scanning that repository and consuming {% data variables.product.prodname_actions %} minutes.{% endif %}
{% endif %}
@ -165,20 +160,12 @@ You can select all of the displayed repositories, or a subset of them, and enabl
1. Optionally, to choose a different query suite than your organization's default query suite, select **Query suite: SUITE NAME**, then click the query suite your configuration of default setup should use. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."{% endif %}
1. To confirm the enablement of {% data variables.product.prodname_code_scanning %} for the selected repositories, click **Apply changes NUMBER**. Alternatively, to select or deselect more repositories for {% data variables.product.prodname_code_scanning %} enablement, click {% octicon "x" aria-label="Close" %} to close the panel without applying your changes.
> [!NOTE]
{% ifversion default-setup-pre-enablement %}
{% note %}
**Notes:**
* Enabling {% data variables.product.prodname_code_scanning %} for multiple repositories in an organization using security overview will override any existing {% data variables.product.prodname_code_scanning %} configurations for the selected repositories, including any previous query suite selections and workflows for advanced setups.
* You can enable default setup for eligible repositories that do not contain {% data variables.product.prodname_codeql %}-supported languages. If a {% data variables.product.prodname_codeql %}-supported language is later added to one of these repositories, default setup will begin scanning that repository and consuming {% data variables.product.prodname_actions %} minutes.
{% endnote %}
> * Enabling {% data variables.product.prodname_code_scanning %} for multiple repositories in an organization using security overview will override any existing {% data variables.product.prodname_code_scanning %} configurations for the selected repositories, including any previous query suite selections and workflows for advanced setups.
> * You can enable default setup for eligible repositories that do not contain {% data variables.product.prodname_codeql %}-supported languages. If a {% data variables.product.prodname_codeql %}-supported language is later added to one of these repositories, default setup will begin scanning that repository and consuming {% data variables.product.prodname_actions %} minutes.
{% else %}
{% note %}
**Note:** Enabling {% data variables.product.prodname_code_scanning %} for multiple repositories in an organization using security overview will override any existing {% data variables.product.prodname_code_scanning %} configurations for the selected repositories, including any previous query suite selections and workflows for advanced setups.
{% endnote %}
> Enabling {% data variables.product.prodname_code_scanning %} for multiple repositories in an organization using security overview will override any existing {% data variables.product.prodname_code_scanning %} configurations for the selected repositories, including any previous query suite selections and workflows for advanced setups.
{% endif %}
![Screenshot of the "Security coverage" view with the side panel open. The "Apply changes" button is highlighted in a dark orange outline.](/assets/images/help/security-overview/security-coverage-view-multi-repo-side-panel.png)
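Review bot: the new `> [!NOTE]` marker is placed above the `{% ifversion default-setup-pre-enablement %}` tag, so in both branches a Liquid tag line sits between the marker line and the first `> * Enabling ...` or `> Enabling ...` body line. If that tag line renders as an empty line, Markdown ends the blockquote there and the alert marker is left without a body. Putting a complete `> [!NOTE]` plus body inside each branch (the pattern used for the Extended query suite note elsewhere in this commit, where the whole alert is inside the `{% ifversion %}`), or using whitespace-trimming `{%- ... -%}` tags, avoids the split. The old `{% note %}` / `{% endnote %}` pairs in both branches are otherwise removed correctly.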

View file

@ -34,11 +34,10 @@ Default setup for {% data variables.product.prodname_code_scanning %} is the qui
* On a weekly schedule.
{% ifversion code-scanning-default-setup-exclude-dormant-repos %}
{% note %}
**Note:** If no pushes and pull requests have occurred in a repository with default setup enabled for 6 months, the weekly schedule will be disabled to save your {% data variables.product.prodname_actions %} minutes.
> [!NOTE]
> If no pushes and pull requests have occurred in a repository with default setup enabled for 6 months, the weekly schedule will be disabled to save your {% data variables.product.prodname_actions %} minutes.
{% endnote %}
{% endif %}
{% endif %}
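Review bot: the `{% endnote %}` after the "If no pushes and pull requests have occurred ..." alert is retained while its matching `{% note %}` is removed, so the `{% ifversion code-scanning-default-setup-exclude-dormant-repos %}` block ends with an unmatched `{% endnote %}`. Delete that line; the block should read `> [!NOTE]`, the `> If no pushes ...` body, then `{% endif %}`.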
@ -89,22 +88,17 @@ Compiled languages are not automatically included in default setup configuration
When you initially configure default setup for {% data variables.product.prodname_code_scanning %} for a repository, all {% data variables.product.prodname_codeql %}-supported languages in the repository will be analyzed automatically. The languages that are analyzed successfully will be retained in the new default setup configuration. Languages that are not analyzed successfully will be automatically deselected from the default setup configuration.
{% endif %}
{% note %}
**Note:** {% ifversion default-setup-pre-enablement %}If the analyses fail for all {% data variables.product.prodname_codeql %}-supported languages in a repository, default setup will still be enabled, but it will not run any scans or use any {% data variables.product.prodname_actions %} minutes until another {% data variables.product.prodname_codeql %}-supported language is added to the repository or default setup is manually reconfigured, and the analysis of a {% data variables.product.prodname_codeql %}-supported language succeeds.
> [!NOTE]
{% ifversion default-setup-pre-enablement %}
> If the analyses fail for all {% data variables.product.prodname_codeql %}-supported languages in a repository, default setup will still be enabled, but it will not run any scans or use any {% data variables.product.prodname_actions %} minutes until another {% data variables.product.prodname_codeql %}-supported language is added to the repository or default setup is manually reconfigured, and the analysis of a {% data variables.product.prodname_codeql %}-supported language succeeds.
{% else %}
At least one {% data variables.product.prodname_codeql %}-supported language's analysis in a repository must succeed, or else default setup will not be successfully enabled in that repository.
> At least one {% data variables.product.prodname_codeql %}-supported language's analysis in a repository must succeed, or else default setup will not be successfully enabled in that repository.
{% endif %}
{% endnote %}
{% data reusables.repositories.navigate-to-repo %}
{% note %}
**Note:** If you are configuring default setup on a fork, you must first enable {% data variables.product.prodname_actions %}. To enable {% data variables.product.prodname_actions %}, under your repository name, click {% octicon "play" aria-hidden="true" %} **Actions**, then click **I understand my workflows, go ahead and enable them**. Be aware that this will enable all existing workflows on your fork.
{% endnote %}
> [!NOTE]
> If you are configuring default setup on a fork, you must first enable {% data variables.product.prodname_actions %}. To enable {% data variables.product.prodname_actions %}, under your repository name, click {% octicon "play" aria-hidden="true" %} **Actions**, then click **I understand my workflows, go ahead and enable them**. Be aware that this will enable all existing workflows on your fork.
{% data reusables.repositories.sidebar-settings %}
{% data reusables.user-settings.security-analysis %}
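Review bot: the first `> [!NOTE]` in this hunk is separated from its body by the `{% ifversion default-setup-pre-enablement %}` / `{% else %}` / `{% endif %}` tags, so whichever branch renders, a Liquid tag line stands between the marker and the `> If the analyses fail ...` or `> At least one ...` line; if that line renders blank, the blockquote closes and the marker has no body. Moving a full `> [!NOTE]` plus body into each branch, or trimming whitespace with `{%- ... -%}`, keeps the alert intact. The second note in this hunk (enabling Actions on a fork) is converted cleanly, and the old `{% endnote %}` that followed `{% endif %}` is removed as it should be.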
@ -116,11 +110,8 @@ At least one {% data variables.product.prodname_codeql %}-supported language's a
{% ifversion code-scanning-default-setup-recommended-languages %}
{% note %}
**Note:** If your repository contains _only_ compiled {% data variables.product.prodname_codeql %}-supported languages (for example, Java), you will be taken to the settings page to select the languages you want to add to your default setup configuration.
{% endnote %}
> [!NOTE]
> If your repository contains _only_ compiled {% data variables.product.prodname_codeql %}-supported languages (for example, Java), you will be taken to the settings page to select the languages you want to add to your default setup configuration.
1. Optionally, to customize your {% data variables.product.prodname_code_scanning %} setup, click {% octicon "pencil" aria-hidden="true" %} **Edit**.
* To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section. {% ifversion code-scanning-default-setup-recommended-languages %}If you would like to analyze a {% data variables.product.prodname_codeql %}-supported compiled language with default setup, select that language here.{% endif %}
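Review bot: the `{% ifversion code-scanning-default-setup-recommended-languages %}` that opens this hunk has no matching `{% endif %}` among the visible lines. Confirm that the `{% endif %}` which used to follow `{% endnote %}` still sits after the new `> [!NOTE]` lines, separated from them by a blank line; otherwise the conditional runs on into `1. Optionally, to customize your ... setup, click ... **Edit**.` and that step disappears on versions without the feature flag.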
@ -134,20 +125,15 @@ At least one {% data variables.product.prodname_codeql %}-supported language's a
If you choose the **Extended** query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the **Default** query suite. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."
{% note %}
> [!NOTE]
> If you configure {% data variables.product.prodname_code_scanning %} to use the **Extended** query suite, you may experience a higher rate of false positive alerts.
**Note:** If you configure {% data variables.product.prodname_code_scanning %} to use the **Extended** query suite, you may experience a higher rate of false positive alerts.
{% endnote %}
{%- endif %}
1. Review the settings for default setup on your repository, then click **Enable {% data variables.product.prodname_codeql %}**. This will trigger a workflow that tests the new, automatically generated configuration.
{% note %}
**Note:** If you are switching to default setup from advanced setup, you will see a warning informing you that default setup will override existing {% data variables.product.prodname_code_scanning %} configurations. This warning means default setup will disable the existing workflow file and block any {% data variables.product.prodname_codeql %} analysis API uploads.
{% endnote %}
> [!NOTE]
> If you are switching to default setup from advanced setup, you will see a warning informing you that default setup will override existing {% data variables.product.prodname_code_scanning %} configurations. This warning means default setup will disable the existing workflow file and block any {% data variables.product.prodname_codeql %} analysis API uploads.
1. Optionally, to view your default setup configuration after enablement, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "gear" aria-hidden="true" %} **View {% data variables.product.prodname_codeql %} configuration**.
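Review bot: the `{%- endif %}` right after the first new alert uses left-side whitespace trimming, so the newline(s) between `> If you configure ... false positive alerts.` and the tag are removed when the page renders. Check that the rendered output still has a blank line before `1. Review the settings for default setup ...`, or change the tag to a plain `{% endif %}`, so the step is not lazily absorbed into the blockquote. Also note the hunk's old and new lines are interleaved in this view (`{% note %}`, then the two `>` lines, then `**Note:**`), which is fine as a diff but worth re-reading in the rendered file to be sure nothing from the old block was left behind.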

View file

@ -129,11 +129,8 @@ If you upload a second SARIF file for a commit with the same category and from t
If you use a code analysis engine other than {% data variables.product.prodname_codeql %}, you can review the supported SARIF properties to optimize how your analysis results will appear on {% data variables.product.prodname_dotcom %}.
{% note %}
**Note:** You must supply an explicit value for any property marked as "required". The empty string is not supported for required properties.
{% endnote %}
> [!NOTE]
> You must supply an explicit value for any property marked as "required". The empty string is not supported for required properties.
Any valid SARIF 2.1.0 output file can be uploaded, however, {% data variables.product.prodname_code_scanning %} will only use the following supported properties.

View file

@ -41,11 +41,10 @@ You can upload the results using {% data variables.product.prodname_actions %},
* A tool that generates results as an artifact outside of your repository, you can use the {% data variables.product.prodname_code_scanning %} API to upload the file (for more information, see "[AUTOTITLE](/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data)").
{% ifversion fpt or ghec %}
{% note %}
**Note:** For private and internal repositories, {% data variables.product.prodname_code_scanning %} is available when {% data variables.product.prodname_GH_advanced_security %} features are enabled for the repository. If you see the error `Advanced Security must be enabled for this repository to use code scanning`, check that {% data variables.product.prodname_GH_advanced_security %} is enabled. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)."
> [!NOTE]
> For private and internal repositories, {% data variables.product.prodname_code_scanning %} is available when {% data variables.product.prodname_GH_advanced_security %} features are enabled for the repository. If you see the error `Advanced Security must be enabled for this repository to use code scanning`, check that {% data variables.product.prodname_GH_advanced_security %} is enabled. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)."
{% endnote %}
{% endif %}
## Uploading a {% data variables.product.prodname_code_scanning %} analysis with {% data variables.product.prodname_actions %}

View file

@ -85,11 +85,8 @@ When you click through to see details for the alert, you can see that the file p
{% ifversion codeql-ml-queries %}
{% note %}
**Note:** Experimental alerts for {% data variables.product.prodname_code_scanning %} were available a {% data variables.release-phases.public_preview %} release for JavaScript using experimental technology in the {% data variables.product.prodname_codeql %} action. This feature was {% data variables.release-phases.retired %}. For more information, see [{% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} deprecates ML-powered alerts](https://github.blog/changelog/2023-09-29-codeql-code-scanning-deprecates-ml-powered-alerts/).
{% endnote %}
> [!NOTE]
> Experimental alerts for {% data variables.product.prodname_code_scanning %} were available a {% data variables.release-phases.public_preview %} release for JavaScript using experimental technology in the {% data variables.product.prodname_codeql %} action. This feature was {% data variables.release-phases.retired %}. For more information, see [{% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} deprecates ML-powered alerts](https://github.blog/changelog/2023-09-29-codeql-code-scanning-deprecates-ml-powered-alerts/).
{% endif %}
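Review bot: the converted sentence `> Experimental alerts for ... were available a {% data variables.release-phases.public_preview %} release for JavaScript ...` is missing a preposition; since this line is being rewritten anyway, make it `were available in a ... release` (or `as a ... release`).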

View file

@ -40,11 +40,8 @@ By default, the {% data variables.product.prodname_code_scanning %} alerts page
For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)."
{% note %}
**Note:** You can see information about when {% data variables.product.prodname_code_scanning %} analysis last ran on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)."
{% endnote %}
> [!NOTE]
> You can see information about when {% data variables.product.prodname_code_scanning %} analysis last ran on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)."
{% ifversion copilot-chat-ghas-alerts %}
@ -94,13 +91,9 @@ You can search the list of alerts. This is useful if there is a large number of
| OR search | `sql OR injection` | Returns all the alerts containing `sql` or `injection` |
| AND search | `sql AND injection` | Returns all the alerts containing both words `sql` and `injection` |
{% tip %}
**Tips:**
* The multiple word search is equivalent to an OR search.
* The AND search will return results where the search terms are found _anywhere_, in any order in the alert name or details.
{% endtip %}
> [!TIP]
> * The multiple word search is equivalent to an OR search.
> * The AND search will return results where the search terms are found _anywhere_, in any order in the alert name or details.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}

View file

@ -64,13 +64,8 @@ Alerts may be fixed in one branch but not in another. You can use the "Branch" f
{% data reusables.code-scanning.filter-non-default-branches %}
{% note %}
**Note:**
If you run {% data variables.product.prodname_code_scanning %} using multiple configurations, the same alert will sometimes be generated by more than one configuration. Unless you run all configurations regularly, you may see alerts that are fixed in one configuration but not in another. These stale configurations and alerts can be removed from a branch. For more information, see "[Removing stale configurations and alerts from a branch](#removing-stale-configurations-and-alerts-from-a-branch)."
{% endnote %}
> [!NOTE]
> If you run {% data variables.product.prodname_code_scanning %} using multiple configurations, the same alert will sometimes be generated by more than one configuration. Unless you run all configurations regularly, you may see alerts that are fixed in one configuration but not in another. These stale configurations and alerts can be removed from a branch. For more information, see "[Removing stale configurations and alerts from a branch](#removing-stale-configurations-and-alerts-from-a-branch)."
## Dismissing alerts
@ -126,13 +121,9 @@ You may have multiple code scanning configurations on a single repository. When
If you save your changes after accidentally deleting a configuration, re-run the configuration to update the alert. For more information on re-running configurations that use {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow)."
{% note %}
**Notes:**
* If you remove all {% data variables.product.prodname_code_scanning %} configurations for the default branch of your repository, the default branch will remain in the "Affected branches" sidebar, but it will not be analyzed by any configurations.
* If you remove all {% data variables.product.prodname_code_scanning %} configurations for any branch other than the default branch of your repository, that branch will be removed from the "Affected branches" sidebar.
{% endnote %}
> [!NOTE]
> * If you remove all {% data variables.product.prodname_code_scanning %} configurations for the default branch of your repository, the default branch will remain in the "Affected branches" sidebar, but it will not be analyzed by any configurations.
> * If you remove all {% data variables.product.prodname_code_scanning %} configurations for any branch other than the default branch of your repository, that branch will be removed from the "Affected branches" sidebar.
## Further reading

View file

@ -72,10 +72,9 @@ Instead of tracking a {% data variables.product.prodname_code_scanning %} alert
* The title contains the name of the {% data variables.product.prodname_code_scanning %} alert.
* The body contains the task list item with the full URL to the {% data variables.product.prodname_code_scanning %} alert.
1. Optionally, edit the title and the body of the issue.
{% warning %}
**Warning:** You may want to edit the title of the issue as it may expose security information. You can also edit the body of the issue. Make sure that you keep the task list item with a link to the alert otherwise the issue will no longer track the alert.
{% endwarning %}
> [!WARNING]
> You may want to edit the title of the issue as it may expose security information. You can also edit the body of the issue. Make sure that you keep the task list item with a link to the alert otherwise the issue will no longer track the alert.
1. Click **Submit new issue**.
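Review bot: the warning stays vague about what is exposed ("it may expose security information"). The bullets just above state that the generated title contains the name of the code scanning alert, so say that directly, for example `The generated title contains the alert name and can reveal the vulnerability to anyone who can see the issue; edit it before submitting.` Also add a comma before `otherwise` in `keep the task list item with a link to the alert otherwise the issue will no longer track the alert`.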

View file

@ -33,11 +33,8 @@ If the lines of code changed in the pull request generate {% data variables.prod
* The **Conversation** tab of the pull request, as part of a pull request review
* The **Files changed** tab of the pull request
{% note %}
**Note:** {% data variables.product.prodname_code_scanning_caps %} displays alerts in pull requests only when all the lines of code identified by the alert exist in the pull request diff. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#specifying-the-location-for-source-files)."
{% endnote %}
> [!NOTE]
> {% data variables.product.prodname_code_scanning_caps %} displays alerts in pull requests only when all the lines of code identified by the alert exist in the pull request diff. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#specifying-the-location-for-source-files)."
{% ifversion code-scanning-autofix %}
@ -129,14 +126,10 @@ Anyone with push access to a pull request can fix a {% data variables.product.pr
When {% data variables.product.prodname_copilot_autofix_short %} is enabled for a repository, alerts are displayed in pull requests as normal and information from any alerts found by {% data variables.product.prodname_code_scanning %} is automatically sent to the LLM for processing. When LLM analysis is complete, any results are published as comments on relevant alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)."
{% note %}
**Notes:**
* {% data variables.product.prodname_copilot_autofix_short %} supports a subset of {% data variables.product.prodname_codeql %} queries. For information about the availability of {% data variables.product.prodname_copilot_autofix_short %}, see the query tables linked from "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites)."
* When analysis is complete, all relevant results are published to the pull request at once. If at least one alert in your pull request has an {% data variables.product.prodname_copilot_autofix_short %} suggestion, you should assume that the LLM has finished identifying potential fixes for your code.
* On alerts generated from queries that are not supported by {% data variables.product.prodname_copilot_autofix_short %}, you will see a note telling you that the query is not supported. If a suggestion for a supported query fails to generate, you will see a note on the alert prompting you to try pushing another commit or to contact support.
{% endnote %}
> [!NOTE]
> * {% data variables.product.prodname_copilot_autofix_short %} supports a subset of {% data variables.product.prodname_codeql %} queries. For information about the availability of {% data variables.product.prodname_copilot_autofix_short %}, see the query tables linked from "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites)."
> * When analysis is complete, all relevant results are published to the pull request at once. If at least one alert in your pull request has an {% data variables.product.prodname_copilot_autofix_short %} suggestion, you should assume that the LLM has finished identifying potential fixes for your code.
> * On alerts generated from queries that are not supported by {% data variables.product.prodname_copilot_autofix_short %}, you will see a note telling you that the query is not supported. If a suggestion for a supported query fails to generate, you will see a note on the alert prompting you to try pushing another commit or to contact support.
Usually, when you suggest changes to a pull request, your comment contains changes for a single file that is changed in the pull request. The following screenshot shows an {% data variables.product.prodname_copilot_autofix_short %} comment that suggests changes to the `index.js` file where the alert is displayed. Since the potential fix requires a new dependency on `escape-html`, the comment also suggests adding this dependency to the `package.json` file, even though the original pull request makes no changes to this file.

View file

@ -28,11 +28,8 @@ Using the {% data variables.code-scanning.tool_status_page %}, you can see how w
You can also see the rules your code was checked against by each configuration of a {% data variables.product.prodname_code_scanning %} tool and download a summary of the results.
{% note %}
**Note:** The {% data variables.code-scanning.tool_status_page %} shows how tools are working at the repository level, not the organization level. The tool status is only shown for the default branch of the repository for which that tool is configured.
{% endnote %}
> [!NOTE]
> The {% data variables.code-scanning.tool_status_page %} shows how tools are working at the repository level, not the organization level. The tool status is only shown for the default branch of the repository for which that tool is configured.
## Viewing the {% data variables.code-scanning.tool_status_page %} for a repository
@ -100,11 +97,8 @@ You can remove stale, duplicate, or unwanted configurations for the default bran
To remove a configuration, select the configuration you want to delete. Then click **{% octicon "kebab-horizontal" aria-label="Configuration menu" %}** on the top right of the page, and select **{% octicon "trash" aria-hidden="true" %} Delete configuration**. Once you have read the warning about alerts, to confirm the deletion, click the **Delete** button.
{% note %}
**Note:** You can only use the {% data variables.code-scanning.tool_status_page %} to remove configurations for the default branch of a repository. For information about removing configurations from non-default branches, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#removing-stale-configurations-and-alerts-from-a-branch)."
{% endnote %}
> [!NOTE]
> You can only use the {% data variables.code-scanning.tool_status_page %} to remove configurations for the default branch of a repository. For information about removing configurations from non-default branches, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#removing-stale-configurations-and-alerts-from-a-branch)."
## Debugging using the {% data variables.code-scanning.tool_status_page %}
@ -116,10 +110,7 @@ For integrated tools such as {% data variables.product.prodname_codeql %}, you c
* If the language has a low scanned percentage, you may wish to investigate diagnostic output produced by {% data variables.product.prodname_codeql %} for that language: for more information see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected)."
* If the language has a scanned percentage of zero, you may have source code in your repository written in languages supported by {% data variables.product.prodname_codeql %} but not currently being analyzed with {% data variables.product.prodname_codeql %}. In this case, you may wish to update your setup to start analyzing these additional languages. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed)."
{% note %}
**Note:** If you have set up {% data variables.product.prodname_codeql %} using advanced setup and then set up default setup on the same repository, the {% data variables.code-scanning.tool_status_page %} will only show default setup.
{% endnote %}
> [!NOTE]
> If you have set up {% data variables.product.prodname_codeql %} using advanced setup and then set up default setup on the same repository, the {% data variables.code-scanning.tool_status_page %} will only show default setup.
For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif-uploads)."

View file

@ -22,13 +22,10 @@ Consider configuring {% data variables.actions.hosted_runners %} for default set
* Your scans with standard {% data variables.product.prodname_dotcom %}-hosted runners are returning memory or disk errors.
* You want to customize aspects of your {% data variables.product.prodname_code_scanning %} runner like the runner size, runner image, and job concurrency without using self-hosted runners.
{% warning %}
**Warning:** Currently, Swift analysis is not available on {% data variables.actions.hosted_runners %} for default setup. Additionally, if your repository has access to a runner with the `code-scanning` label, such as a {% data variables.actions.hosted_runner %} provisioned for default setup, default setup workflows will _only_ use runners labeled `code-scanning`. If you would like to configure default setup on {% data variables.actions.hosted_runners %} _and_ analyze Swift, you have two options:
* Provision a self-hosted macOS runner with the `code-scanning` label in addition to your {% data variables.actions.hosted_runner %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance)."{% else %}"[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)."{% endif %}
* Ensure any repositories containing Swift _do not_ have access to runners with the label `code-scanning`. Default setup workflows for that repository will only use standard runners.
{% endwarning %}
> [!WARNING]
> Currently, Swift analysis is not available on {% data variables.actions.hosted_runners %} for default setup. Additionally, if your repository has access to a runner with the `code-scanning` label, such as a {% data variables.actions.hosted_runner %} provisioned for default setup, default setup workflows will _only_ use runners labeled `code-scanning`. If you would like to configure default setup on {% data variables.actions.hosted_runners %} _and_ analyze Swift, you have two options:
> * Provision a self-hosted macOS runner with the `code-scanning` label in addition to your {% data variables.actions.hosted_runner %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance)."{% else %}"[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)."{% endif %}
> * Ensure any repositories containing Swift _do not_ have access to runners with the label `code-scanning`. Default setup workflows for that repository will only use standard runners.
{% ifversion ghec %}

View file

@ -14,15 +14,10 @@ topics:
## About using rulesets for {% data variables.product.prodname_code_scanning %} merge protection
{% note %}
**Notes:**
* This feature is currently in {% data variables.release-phases.public_preview %} and subject to change.
* Merge protection with rulesets is not related to status checks. For more information about status checks, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks)."
* Merge protection with rulesets will not apply to merge queue groups or {% data variables.product.prodname_dependabot %} pull requests analyzed by default setup.
{% endnote %}
> [!NOTE]
> * This feature is currently in {% data variables.release-phases.public_preview %} and subject to change.
> * Merge protection with rulesets is not related to status checks. For more information about status checks, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks)."
> * Merge protection with rulesets will not apply to merge queue groups or {% data variables.product.prodname_dependabot %} pull requests analyzed by default setup.
You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:

View file

@ -58,11 +58,8 @@ After configuring {% data variables.product.prodname_code_scanning %} for your r
1. Click the entry for the {% data variables.product.prodname_code_scanning %} workflow.
{% note %}
**Note:** If you are looking for the {% data variables.product.prodname_codeql %} workflow run triggered by enabling default setup, the text of the entry is "{% data variables.product.prodname_codeql %}."
{% endnote %}
> [!NOTE]
> If you are looking for the {% data variables.product.prodname_codeql %} workflow run triggered by enabling default setup, the text of the entry is "{% data variables.product.prodname_codeql %}."
1. Click the job name on the left. For example, **Analyze (LANGUAGE)**.
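Review bot: the new alert sits between two numbered steps (`1. Click the entry for the ... workflow.` and `1. Click the job name on the left.`). The `> [!NOTE]` lines must be indented under the first step, as the old `{% note %}`/`{% endnote %}` block was, otherwise the blockquote terminates the list and `1. Click the job name` starts a new list numbered from 1. The same check applies to the other hunks in this commit where an alert is placed inside a numbered list.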

View file

@ -47,17 +47,14 @@ You can analyze a database by running the following command:
codeql database analyze <database> --format=<format> --output=<output> <query-specifiers>...
```
{% note %}
**Note:** If you analyze more than one {% data variables.product.prodname_codeql %} database for a single commit, you must specify a SARIF category for each set of results generated by this command. When you upload the results to {% data variables.product.product_name %}, {% data variables.product.prodname_code_scanning %} uses this category to store the results for each language separately. If you forget to do this, each upload overwrites the previous results.
```shell
codeql database analyze <database> --format=<format> \
--sarif-category=<language-specifier> --output=<output> \
<packs,queries>
```
{% endnote %}
> [!NOTE]
> If you analyze more than one {% data variables.product.prodname_codeql %} database for a single commit, you must specify a SARIF category for each set of results generated by this command. When you upload the results to {% data variables.product.product_name %}, {% data variables.product.prodname_code_scanning %} uses this category to store the results for each language separately. If you forget to do this, each upload overwrites the previous results.
>
> ```shell
> codeql database analyze <database> --format=<format> \
> --sarif-category=<language-specifier> --output=<output> \
> <packs,queries>
> ```
You must specify `<database>`, `--format`, and `--output`. You can specify additional options depending on what analysis you want to do.
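Review bot: the two command lines in this hunk use different placeholders for the same argument: `<query-specifiers>...` in the first block and `<packs,queries>` in the `--sarif-category` example inside the alert. Use one placeholder in both so readers do not take them for different options. The `> ` prefix on every line of the fenced block, including the fence lines themselves, is the correct way to keep a code block inside an alert.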
@ -168,17 +165,8 @@ You can run all the queries located in a directory by providing the directory
path, rather than listing all the individual query files. Paths are searched
recursively, so any queries contained in subfolders will also be executed.
{% note %}
**Important**
You should avoid specifying the root of a core {% data variables.product.prodname_codeql %} query pack when executing `database analyze`
as it might contain some special queries that arent designed to be used with
the command. Rather, run the query pack to include the
packs default queries in the analysis, or run one of the
code scanning query suites.
{% endnote %}
> [!IMPORTANT]
> You should avoid specifying the root of a core {% data variables.product.prodname_codeql %} query pack when executing `database analyze` as it might contain some special queries that arent designed to be used with the command. Rather, run the query pack to include the packs default queries in the analysis, or run one of the code scanning query suites.
For example, to execute all Python queries contained in the `Functions` directory in the
`codeql/python-queries` query pack you would run:

View file

@ -58,13 +58,10 @@ Before you can use a {% data variables.product.prodname_codeql %} query pack to
| <code><span style="white-space: nowrap;"><scope/name@version:path></span></code> | {% octicon "check" aria-label="Required" %} | Specify the scope and name of one or more {% data variables.product.prodname_codeql %} query packs to download using a comma-separated list. Optionally, include the version to download and unzip. By default the latest version of this pack is downloaded. Optionally, include a path to a query, directory, or query suite to run. If no path is included, then run the default queries of this pack. |
| <code><span style="white-space: nowrap;">--github-auth-stdin</span></code> | {% octicon "x" aria-label="Optional" %} | Pass the CLI the {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} created for authentication with {% data variables.product.company_short %}'s REST API from your secret store via standard input. This is not needed if the command has access to a `GITHUB_TOKEN` environment variable set with this token.
{% note %}
**Note:** If you specify a particular version of a query pack to use, be aware that the version you specify may eventually become too old for the latest version of {% data variables.product.prodname_codeql %} to make efficient use of. To ensure optimal performance, if you need to specify exact query pack versions, you should reevaluate which versions you pin to whenever you upgrade the {% data variables.product.prodname_codeql_cli %} you're using.
For more information about pack compatibility, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility)."
{% endnote %}
> [!NOTE]
> If you specify a particular version of a query pack to use, be aware that the version you specify may eventually become too old for the latest version of {% data variables.product.prodname_codeql %} to make efficient use of. To ensure optimal performance, if you need to specify exact query pack versions, you should reevaluate which versions you pin to whenever you upgrade the {% data variables.product.prodname_codeql_cli %} you're using.
>
> For more information about pack compatibility, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#about-codeql-pack-compatibility)."
### Basic example of downloading and using query packs
@ -148,21 +145,14 @@ pack.
* `suites/my-suite.qls` - All queries in the `suites/my-suite.qls` file relative to the current working directory.
{% note %}
**Tip**
The default query suite of the standard {% data variables.product.prodname_codeql %} query packs are `codeql-suites/<lang>-code-scanning.qls`. Several other useful query suites can also be found in the `codeql-suites` directory of each pack. For example, the `codeql/cpp-queries` pack contains the following query suites:
* `cpp-code-scanning.qls` - Standard Code Scanning queries for C++. The default query suite for this pack.
* `cpp-security-extended.qls` - Queries from the default `cpp-code-scanning.qls` suite for C++, plus lower severity and precision queries.
* `cpp-security-and-quality.qls` - Queries from `cpp-security-extended.qls`, plus maintainability and reliability queries.
You can see the sources for these query suites in the [{% data variables.product.prodname_codeql %} repository](https://github.com/github/codeql/tree/main/cpp/ql/src/codeql-suites). Query suites for other languages are similar.
{% endnote %}
> [!TIP]
> The default query suite of the standard {% data variables.product.prodname_codeql %} query packs are `codeql-suites/<lang>-code-scanning.qls`. Several other useful query suites can also be found in the `codeql-suites` directory of each pack. For example, the `codeql/cpp-queries` pack contains the following query suites:
>
> * `cpp-code-scanning.qls` - Standard Code Scanning queries for C++. The default query suite for this pack.
> * `cpp-security-extended.qls` - Queries from the default `cpp-code-scanning.qls` suite for C++, plus lower severity and precision queries.
> * `cpp-security-and-quality.qls` - Queries from `cpp-security-extended.qls`, plus maintainability and reliability queries.
>
> You can see the sources for these query suites in the [{% data variables.product.prodname_codeql %} repository](https://github.com/github/codeql/tree/main/cpp/ql/src/codeql-suites). Query suites for other languages are similar.
{% ifversion codeql-model-packs %}
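Review bot: Subject-verb agreement error carried over into the new `> [!TIP]` block: "The default query suite of the standard ... query packs are `codeql-suites/<lang>-code-scanning.qls`" has a singular subject ("query suite"), so "are" should be "is". Since the line is being rewritten anyway, fix it here.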

@ -149,11 +149,8 @@ When the database is successfully created, youll find a new directory at the
The {% data variables.product.prodname_codeql_cli %} includes extractors to create databases for non-compiled languages—specifically, JavaScript (and TypeScript), Python, and Ruby. These extractors are automatically invoked when you specify JavaScript, Python, or Ruby as the `--language` option when executing `database create`. When creating databases for these languages you must ensure that all additional dependencies are available.
{% note %}
**Note:** When you run `database create` for JavaScript, TypeScript, Python, and Ruby, you should not specify a `--command` option. Otherwise this overrides the normal extractor invocation, which will create an empty database. If you create databases for multiple languages and one of them is a compiled language, use the `--no-run-unnecessary-builds` option to skip the command for the languages that dont need to be compiled.
{% endnote %}
> [!NOTE]
> When you run `database create` for JavaScript, TypeScript, Python, and Ruby, you should not specify a `--command` option. Otherwise this overrides the normal extractor invocation, which will create an empty database. If you create databases for multiple languages and one of them is a compiled language, use the `--no-run-unnecessary-builds` option to skip the command for the languages that dont need to be compiled.
### JavaScript and TypeScript
@ -216,24 +213,16 @@ codeql database create --language=cpp <output-folder>/cpp-database
If a codebase uses a standard build system, relying on an autobuilder is often the simplest way to create a database. For sources that require non-standard build steps, you may need to explicitly define each step in the command line.
{% note %}
**Notes:**
* If you are building a Go database, install the Go toolchain (version 1.11 or later) and, if there are dependencies, the appropriate dependency manager (such as [dep](https://golang.github.io/dep/)).
* The Go autobuilder attempts to automatically detect code written in Go in a repository, and only runs build scripts in an attempt to fetch dependencies. To force {% data variables.product.prodname_codeql %} to limit extraction to the files compiled by your build script, set the environment variable `CODEQL_EXTRACTOR_GO_BUILD_TRACING=on` or use the `--command` option to specify a build command.
{% endnote %}
> [!NOTE]
> * If you are building a Go database, install the Go toolchain (version 1.11 or later) and, if there are dependencies, the appropriate dependency manager (such as [dep](https://golang.github.io/dep/)).
> * The Go autobuilder attempts to automatically detect code written in Go in a repository, and only runs build scripts in an attempt to fetch dependencies. To force {% data variables.product.prodname_codeql %} to limit extraction to the files compiled by your build script, set the environment variable `CODEQL_EXTRACTOR_GO_BUILD_TRACING=on` or use the `--command` option to specify a build command.
### Specifying build commands
The following examples are designed to give you an idea of some of the build commands that you can specify for compiled languages.
{% note %}
**Note:** The `--command` option accepts a single argument—if you need to use more than one command, specify `--command` multiple times. If you need to pass subcommands and options, the whole argument needs to be quoted to be interpreted correctly.
{% endnote %}
> [!NOTE]
> The `--command` option accepts a single argument—if you need to use more than one command, specify `--command` multiple times. If you need to pass subcommands and options, the whole argument needs to be quoted to be interpreted correctly.
* C/C++ project built using `make`:
@ -362,11 +351,8 @@ You must specify:
You may specify other options for the `codeql database init` command as normal.
{% note %}
**Note:** If the build runs on Windows, you must set either `--trace-process-level <number>` or `--trace-process-name <parent process name>` so that the option points to a parent CI process that will observe all build steps for the code being analyzed.
{% endnote %}
> [!NOTE]
> If the build runs on Windows, you must set either `--trace-process-level <number>` or `--trace-process-name <parent process name>` so that the option points to a parent CI process that will observe all build steps for the code being analyzed.
The `codeql database init` command will output a message:
@ -387,11 +373,8 @@ Once you have created a {% data variables.product.prodname_codeql %} database us
### Example of creating a {% data variables.product.prodname_codeql %} database using indirect build tracing
{% note %}
**Note:** If you use Azure DevOps pipelines, the simplest way to create a {% data variables.product.prodname_codeql %} database is to use {% data variables.product.prodname_ghas_azdo %}. For documentation, see [Configure {% data variables.product.prodname_ghas_azdo %}](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features) in Microsoft Learn.
{% endnote %}
> [!NOTE]
> If you use Azure DevOps pipelines, the simplest way to create a {% data variables.product.prodname_codeql %} database is to use {% data variables.product.prodname_ghas_azdo %}. For documentation, see [Configure {% data variables.product.prodname_ghas_azdo %}](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features) in Microsoft Learn.
The following example shows how you could use indirect build tracing in an Azure DevOps pipeline to create a {% data variables.product.prodname_codeql %} database:

@ -35,11 +35,8 @@ If you are setting up the {% data variables.product.prodname_codeql_cli %} in yo
If you are using macOS on Apple Silicon (for example, Apple M1), ensure that the [Xcode command-line developer
tools](https://developer.apple.com/downloads/index.action) and [Rosetta 2](https://support.apple.com/en-us/HT211861) are installed.
{% note %}
**Note:** The {% data variables.product.prodname_codeql_cli %} is currently not compatible with non-glibc Linux distributions such as (muslc-based) Alpine Linux.
{% endnote %}
> [!NOTE]
> The {% data variables.product.prodname_codeql_cli %} is currently not compatible with non-glibc Linux distributions such as (muslc-based) Alpine Linux.
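Review bot: "muslc-based" in the new `> [!NOTE]` line looks like a typo for "musl-based": the C library Alpine Linux ships is called musl, and the sentence already contrasts it with glibc. Suggest `such as (musl-based) Alpine Linux` while this line is being rewritten.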
### 1. Download the {% data variables.product.prodname_codeql_cli %} tar archive
@ -53,12 +50,8 @@ Extract the {% data variables.product.prodname_codeql_cli %} tar archive to a di
{% data reusables.codeql-cli.launch-codeql %}
{% note %}
**Note:** If you add `codeql` to your `PATH`, it can be accessed by {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} to compile and run queries.
For more information about configuring {% data variables.product.prodname_vscode_shortname %} to access the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli)."
{% endnote %}
> [!NOTE]
> If you add `codeql` to your `PATH`, it can be accessed by {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %} to compile and run queries. For more information about configuring {% data variables.product.prodname_vscode_shortname %} to access the {% data variables.product.prodname_codeql_cli %}, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/configuring-access-to-the-codeql-cli)."
## Testing the {% data variables.product.prodname_codeql_cli %} configuration

@ -76,11 +76,8 @@ codeql github upload-results \
For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/github-upload-results)."
{% note %}
**Note:** If you analyzed more than one {% data variables.product.prodname_codeql %} database for a single commit, you must have specified a SARIF category for each set of results generated by this command. When you upload the results to {% data variables.product.product_name %}, {% data variables.product.prodname_code_scanning %} uses this category to store the results for each language separately. If you forget to do this, each upload overwrites the previous results. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-codeql-database-analyze)."
{% endnote %}
> [!NOTE]
> If you analyzed more than one {% data variables.product.prodname_codeql %} database for a single commit, you must have specified a SARIF category for each set of results generated by this command. When you upload the results to {% data variables.product.product_name %}, {% data variables.product.prodname_code_scanning %} uses this category to store the results for each language separately. If you forget to do this, each upload overwrites the previous results. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-codeql-database-analyze)."
### Basic example of uploading results to {% data variables.product.product_name %}

@ -57,14 +57,11 @@ packs. Along with the queries themselves, {% data variables.product.prodname_cod
that tells the {% data variables.product.prodname_codeql_cli %} how to process the query files. For more information,
see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs)."
{% note %}
**Note:** There are different versions of the {% data variables.product.prodname_codeql %} queries available for different users. Check out the correct version for your use case:
* For the queries that are intended to be used with the latest {% data variables.product.prodname_codeql_cli %} release, check out the branch tagged `codeql-cli/latest`. You should use this branch for databases youve built using the {% data variables.product.prodname_codeql_cli %} or recently downloaded from {% data variables.product.github %}.
* For the most up to date {% data variables.product.prodname_codeql %} queries, check out the `main` branch. This branch represents the very latest version of {% data variables.product.prodname_codeql %}s analysis.
{% endnote %}
> [!NOTE]
> There are different versions of the {% data variables.product.prodname_codeql %} queries available for different users. Check out the correct version for your use case:
>
> * For the queries that are intended to be used with the latest {% data variables.product.prodname_codeql_cli %} release, check out the branch tagged `codeql-cli/latest`. You should use this branch for databases youve built using the {% data variables.product.prodname_codeql_cli %} or recently downloaded from {% data variables.product.github %}.
> * For the most up to date {% data variables.product.prodname_codeql %} queries, check out the `main` branch. This branch represents the very latest version of {% data variables.product.prodname_codeql %}s analysis.
### 4. Extract the {% data variables.product.prodname_codeql_cli %} tar archive

@ -105,11 +105,8 @@ Once you've created a model pack, you can publish it in the same way as other {%
## Adding and installing dependencies on a {% data variables.product.prodname_codeql %} pack
{% note %}
**Note:** This is only supported for {% data variables.product.prodname_codeql %} query and library packs.
{% endnote %}
> [!NOTE]
> This is only supported for {% data variables.product.prodname_codeql %} query and library packs.
You can add dependencies on {% data variables.product.prodname_codeql %} packs using the command `codeql pack add`. You must specify the scope, name, and (optionally) a compatible version range.
@ -129,15 +126,9 @@ codeql pack install
This command downloads all dependencies to the shared cache on the local disk.
{% note %}
**Notes:**
* Running the `codeql pack add` and `codeql pack install` commands will generate or update the `codeql-pack.lock.yml` file. This file should be checked-in to version control. The `codeql-pack.lock.yml` file contains the precise version numbers used by the pack. For more information, see "[About codeql-pack.lock.yml files](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs##about-codeql-packlockyml-files)."
* By default `codeql pack install` will install dependencies from the {% data variables.product.prodname_container_registry %} on {% data variables.product.prodname_dotcom_the_website %}. You can install dependencies from a {% data variables.product.prodname_ghe_server %} {% data variables.product.prodname_container_registry %} by creating a `qlconfig.yml` file. For more information, see "[AUTOTITLE](/enterprise-server@latest/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs)" in the {% data variables.product.prodname_ghe_server %} documentation.
{% endnote %}
> [!NOTE]
> * Running the `codeql pack add` and `codeql pack install` commands will generate or update the `codeql-pack.lock.yml` file. This file should be checked-in to version control. The `codeql-pack.lock.yml` file contains the precise version numbers used by the pack. For more information, see "[About codeql-pack.lock.yml files](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs##about-codeql-packlockyml-files)."
> * By default `codeql pack install` will install dependencies from the {% data variables.product.prodname_container_registry %} on {% data variables.product.prodname_dotcom_the_website %}. You can install dependencies from a {% data variables.product.prodname_ghe_server %} {% data variables.product.prodname_container_registry %} by creating a `qlconfig.yml` file. For more information, see "[AUTOTITLE](/enterprise-server@latest/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs)" in the {% data variables.product.prodname_ghe_server %} documentation.
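Review bot: The link target in the first bullet keeps a malformed anchor from the old text: `.../customizing-analysis-with-codeql-packs##about-codeql-packlockyml-files` has a doubled `#`, so the fragment will not resolve to the "About codeql-pack.lock.yml files" heading. Change it to a single `#` since the line is being rewritten anyway. Minor: "checked-in to version control" reads better as "checked in to version control".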
## Customizing a downloaded {% data variables.product.prodname_codeql %} pack

@ -29,11 +29,8 @@ mapping with (usually) a single key. The instructions are executed in the order
they appear in the query suite definition. After all the instructions in the
suite definition have been executed, the result is a set of selected queries.
{% note %}
**Note:** Any custom queries that you want to add to a query suite must be in a "[{% data variables.product.prodname_codeql %} pack](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)" and contain the correct query metadata. For more information, see "[Using custom queries with the {% data variables.product.prodname_codeql_cli %}](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli)."
{% endnote %}
> [!NOTE]
> Any custom queries that you want to add to a query suite must be in a "[{% data variables.product.prodname_codeql %} pack](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)" and contain the correct query metadata. For more information, see "[Using custom queries with the {% data variables.product.prodname_codeql_cli %}](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/using-custom-queries-with-the-codeql-cli)."
## Locating queries to add to a query suite
@ -85,11 +82,8 @@ named {% data variables.product.prodname_codeql %} pack:
The `version` field is optional and specifies a range of compatible versions of this {% data variables.product.prodname_codeql %} pack.
If you dont specify a version, then the most recent version of the pack is used.
{% note %}
**Note:** When pathnames appear in query suite definitions, they must always be given with a forward slash, `/`, as a directory separator. This ensures that query suite definitions work on all operating systems.
{% endnote %}
> [!NOTE]
> When pathnames appear in query suite definitions, they must always be given with a forward slash, `/`, as a directory separator. This ensures that query suite definitions work on all operating systems.
You must add at least one `query`, `queries`, or `qlpack` instruction to
your suite definition, otherwise no queries will be selected. If the suite
@ -244,12 +238,8 @@ use:
- very-high
```
<!--Changed this to a note to fit with style guide -->
{% note %}
**Note:** You can use the `codeql resolve queries /path/to/suite.qls` command to see which queries are selected by a query suite definition. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/resolve-queries)."
{% endnote %}
> [!NOTE]
> You can use the `codeql resolve queries /path/to/suite.qls` command to see which queries are selected by a query suite definition. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/resolve-queries)."
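Review bot: The HTML comment `<!--Changed this to a note to fit with style guide -->` on the unchanged context line above the block is now stale: it described the earlier switch to `{% note %}`, which this hunk replaces with a `> [!NOTE]` alert. Drop the comment rather than carry it forward, since it no longer describes what follows.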
## Reusing existing query suite definitions

@ -115,11 +115,8 @@ codeql pack publish
The published package will be displayed in the packages section of {% data variables.product.prodname_dotcom %} organization specified by the scope in the `qlpack.yml` file.
{% note %}
**Note:** If you're publishing model packs to the {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_container_registry %} in order to extend coverage to all repositories in an organization as part of a default setup configuration, then you need to ensure that repositories running code scanning can access those model packs. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup)" and "[AUTOTITLE](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility)."
{% endnote %}
> [!NOTE]
> If you're publishing model packs to the {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_container_registry %} in order to extend coverage to all repositories in an organization as part of a default setup configuration, then you need to ensure that repositories running code scanning can access those model packs. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup)" and "[AUTOTITLE](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility)."
## Running `codeql pack download <scope>/<pack>`
@ -164,11 +161,8 @@ The `analyze` command will run the default suite of any specified {% data variab
codeql <database> analyze <scope>/<pack> <scope>/<other-pack>
```
{% note %}
**Note:** The `codeql pack download` command stores the pack it downloads in an internal location that is not intended for local modification. Unexpected (and hard to troubleshoot) behavior may result if the pack is modified after downloading. For more information about customizing packs, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs)."
{% endnote %}
> [!NOTE]
> The `codeql pack download` command stores the pack it downloads in an internal location that is not intended for local modification. Unexpected (and hard to troubleshoot) behavior may result if the pack is modified after downloading. For more information about customizing packs, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs)."
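Review bot: The unchanged context line `codeql <database> analyze <scope>/<pack> <scope>/<other-pack>` above this note has the subcommand and database argument in the wrong order; the CLI form is `codeql database analyze <database> <scope>/<pack> <scope>/<other-pack>`, matching the `database analyze` command referenced elsewhere in this PR. Worth fixing in the same change since the surrounding note is already being edited.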
## About {% data variables.product.prodname_codeql %} pack compatibility

@ -41,14 +41,10 @@ To apply the same options to more than one command you can:
* Omit the `<subcommand>`, which will specify the option for every `<subcommand>` to which its relevant.
* Omit both `<command>` and `<subcommand>`, which will globally specify the option for every `<command>` and `<subcommand>` to which its relevant.
{% note %}
**Notes:**
* `config` files only accept spaces between option flags and values—{% data variables.product.prodname_codeql %} will throw an error if you use `=` to specify an option value.
* If you specify an option in the command line, this overrides the `config` value defined for that option.
* If you want to specify more than one option for a `<command>`, `<subcommand>` or globally, use one line per option.
{% endnote %}
> [!NOTE]
> * `config` files only accept spaces between option flags and values—{% data variables.product.prodname_codeql %} will throw an error if you use `=` to specify an option value.
> * If you specify an option in the command line, this overrides the `config` value defined for that option.
> * If you want to specify more than one option for a `<command>`, `<subcommand>` or globally, use one line per option.
### Examples

@ -75,17 +75,12 @@ the example code, by creating a file with the extension `.expected`. Alternative
For an example showing how to create and test a query, see the [example](#example) below.
{% note %}
**Note:** Your `.ql`, `.qlref`, and `.expected` files must have consistent names:
* If you want to directly specify the `.ql` file itself in the test command, it must have the same base name as the corresponding `.expected` file. For example, if the query is `MyJavaQuery.ql`, the expected results file must be `MyJavaQuery.expected`.
* If you want to specify a `.qlref` file in the command, it must have the same base name as the corresponding `.expected` file, but the query itself may have a different name.
* The names of the example code files dont have to be consistent with the other test files. All example code files found next to the `.qlref` (or `.ql`) file and in any subdirectories will be used to create a test database. Therefore, for simplicity, we recommend you dont save test files in directories that are ancestors of each other.
{% endnote %}
> [!NOTE]
> Your `.ql`, `.qlref`, and `.expected` files must have consistent names:
>
> * If you want to directly specify the `.ql` file itself in the test command, it must have the same base name as the corresponding `.expected` file. For example, if the query is `MyJavaQuery.ql`, the expected results file must be `MyJavaQuery.expected`.
> * If you want to specify a `.qlref` file in the command, it must have the same base name as the corresponding `.expected` file, but the query itself may have a different name.
> * The names of the example code files dont have to be consistent with the other test files. All example code files found next to the `.qlref` (or `.ql`) file and in any subdirectories will be used to create a test database. Therefore, for simplicity, we recommend you dont save test files in directories that are ancestors of each other.
## Running `codeql test run`

@ -43,11 +43,8 @@ When running queries with the `database analyze` command, you must include the f
For more information about these metadata properties, see "[Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries)" and the [Query metadata style guide](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md).
{% note %}
**Note:** Metadata requirements may differ if you want to use your query with other applications. For more information, see "[Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries)."
{% endnote %}
> [!NOTE]
> Metadata requirements may differ if you want to use your query with other applications. For more information, see "[Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries)."
## Packaging custom QL queries

@ -31,11 +31,8 @@ You can check if a repository has any {% data variables.product.prodname_codeql
1. Once you've chosen a database, it will be displayed in the "Databases" view. To see the menu options for interacting with a database, right-click an entry in the list. You can select multiple databases at once.
{% note %}
**Note:** You can also analyze test databases. Test databases (folders with a `.testproj` extension) are generated when you run regression tests on custom queries using the {% data variables.product.prodname_codeql_cli %}. If a query fails a regression test, you may want to import the test database into {% data variables.product.prodname_vscode %} to debug the failure. For more information about running query tests, see "[AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/testing-custom-queries)."
{% endnote %}
> [!NOTE]
> You can also analyze test databases. Test databases (folders with a `.testproj` extension) are generated when you run regression tests on custom queries using the {% data variables.product.prodname_codeql_cli %}. If a query fails a regression test, you may want to import the test database into {% data variables.product.prodname_vscode %} to debug the failure. For more information about running query tests, see "[AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/testing-custom-queries)."
## Filtering databases and queries by language

@ -124,11 +124,8 @@ You can export your results for further analysis or to discuss them with collabo
## Creating a custom list of repositories
{% note %}
**Note:** {% data variables.product.prodname_codeql %} analysis always requires a {% data variables.product.prodname_codeql %} database to run queries against. When you run variant analysis against a list of repositories, your query will only be executed against the repositories that currently have a {% data variables.product.prodname_codeql %} database available to download. The best way to make a repository available for variant analysis is to enable {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For information about enabling {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically)."
{% endnote %}
> [!NOTE]
> {% data variables.product.prodname_codeql %} analysis always requires a {% data variables.product.prodname_codeql %} database to run queries against. When you run variant analysis against a list of repositories, your query will only be executed against the repositories that currently have a {% data variables.product.prodname_codeql %} database available to download. The best way to make a repository available for variant analysis is to enable {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For information about enabling {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically)."
1. In the "Variant Analysis Repositories" view, click the "Add list" icon.
@ -161,11 +158,8 @@ You can then insert the `new-repo-list` of repositories into `databases.json`for
### Using {% data variables.product.github %} code search to add repositories to a custom list
{% note %}
**Note:** This feature uses the legacy code search via the {% data variables.product.github %} code search API. For more information on the syntax to use, see "[AUTOTITLE](/search-github/searching-on-github/searching-code)."
{% endnote %}
> [!NOTE]
> This feature uses the legacy code search via the {% data variables.product.github %} code search API. For more information on the syntax to use, see "[AUTOTITLE](/search-github/searching-on-github/searching-code)."
You can use code search directly in the {% data variables.product.prodname_codeql %} extension to add a subset of repositories from {% data variables.product.github %} to a custom list.

@ -112,11 +112,8 @@ The "Query History" view contains information including the date and time when t
1. Click a query in the "Query History" view to display its results in the "Results" view.
{% note %}
**Note:** Depending on the query, you can also choose different views such as CSV, [AUTOTITLE](/code-security/codeql-cli/codeql-cli-reference/sarif-output), or [DIL format](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#dil). For example, to view the DIL format, right-click a result and select **View DIL**. The available output views are determined by the format and the metadata of the query. For more information, see "[{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries)."
{% endnote %}
> [!NOTE]
> Depending on the query, you can also choose different views such as CSV, [AUTOTITLE](/code-security/codeql-cli/codeql-cli-reference/sarif-output), or [DIL format](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#dil). For example, to view the DIL format, right-click a result and select **View DIL**. The available output views are determined by the format and the metadata of the query. For more information, see "[{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries)."
1. Use the dropdown menu in the "Results" view to choose which results to display, and in what form to display them, such as a formatted alert message or a table of raw results.
@ -126,12 +123,8 @@ If a result links to a source code element, you can click it to display it in th
To use standard code navigation features in the source code, you can right-click an element and use the commands **Go to Definition** or **Go to References**. This runs a {% data variables.product.prodname_codeql %} query over the active file, which may take a few seconds. This query needs to run once for every file, so any additional references from the same file will be fast.
{% note %}
**Note:** If you're using an older database, code navigation commands such as **Go to Definition** and **Go to References** may not work.
To use code navigation, try unzipping the database and running `codeql database cleanup <database>` on the unzipped database using the {% data variables.product.prodname_codeql_cli %}. Then, re-add the database to {% data variables.product.prodname_vscode %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-cleanup)."
{% endnote %}
> [!NOTE]
> If you're using an older database, code navigation commands such as **Go to Definition** and **Go to References** may not work. To use code navigation, try unzipping the database and running `codeql database cleanup <database>` on the unzipped database using the {% data variables.product.prodname_codeql_cli %}. Then, re-add the database to {% data variables.product.prodname_vscode %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-cleanup)."
### Comparing query results

@ -28,11 +28,8 @@ You can access the following logs:
* {% data variables.product.prodname_codeql %} Tests
{% note %}
**Note:** The {% data variables.product.prodname_codeql %} Language Server log contains more advanced debug logs for {% data variables.product.prodname_codeql %} language maintainers. You should only need these to provide details in a bug report.
{% endnote %}
> [!NOTE]
> The {% data variables.product.prodname_codeql %} Language Server log contains more advanced debug logs for {% data variables.product.prodname_codeql %} language maintainers. You should only need these to provide details in a bug report.
## Accessing logs

@ -20,15 +20,9 @@ If you already have the {% data variables.product.prodname_codeql_cli %} install
Otherwise, the extension automatically manages access to the executable of the {% data variables.product.prodname_codeql_cli %} for you. This ensures that the {% data variables.product.prodname_codeql_cli %} is compatible with the {% data variables.product.prodname_codeql %} extension. You can also check for updates with the **{% data variables.product.prodname_codeql %}: Check for CLI Updates** command from the {% data variables.product.prodname_vscode_command_palette_shortname %}.
{% note %}
**Notes:**
* The extension-managed {% data variables.product.prodname_codeql_cli %} is not accessible from the terminal. If you intend to use the CLI outside of the extension (for example to create databases), we recommend that you install your own copy of the {% data variables.product.prodname_codeql_cli %}."
* To override the default behavior and use a specific version of the {% data variables.product.prodname_codeql_cli %}, you can specify the {% data variables.product.prodname_codeql_cli %} **Executable Path** in the extension settings. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings)."
{% endnote %}
> [!NOTE]
> * The extension-managed {% data variables.product.prodname_codeql_cli %} is not accessible from the terminal. If you intend to use the CLI outside of the extension (for example to create databases), we recommend that you install your own copy of the {% data variables.product.prodname_codeql_cli %}."
> * To override the default behavior and use a specific version of the {% data variables.product.prodname_codeql_cli %}, you can specify the {% data variables.product.prodname_codeql_cli %} **Executable Path** in the extension settings. For more information, see "[AUTOTITLE](/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/customizing-settings)."
## Troubleshooting
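Review bot: the stray closing quotation mark at the end of the first bullet (`... install your own copy of the {% data variables.product.prodname_codeql_cli %}."`) is carried over from the old note into the new alert; drop the trailing `"` so the bullet ends with the period.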

@ -15,11 +15,8 @@ intro: 'You can work from a template to write your own code to create a custom q
## About custom queries
{% note %}
**Note:** Creating a custom query is optional, and the [`github/codeql`](https://github.com/github/codeql) repository contains a large number of example queries you can use instead.
{% endnote %}
> [!NOTE]
> Creating a custom query is optional, and the [`github/codeql`](https://github.com/github/codeql) repository contains a large number of example queries you can use instead.
You create a new query file from a template for a given language, which imports the standard libraries for analyzing that language. For more information, see "[About {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/)" in the {% data variables.product.prodname_codeql %} documentation.

@ -23,11 +23,8 @@ The abstract syntax tree (AST) of a program represents the program's syntactic s
## Viewing the abstract syntax tree of a source file
{% note %}
**Note:** If you don't have an appropriate query (usually `printAST.ql`) in your workspace, the **{% data variables.product.prodname_codeql %}: View AST** command in the following steps won't work. To fix this, you can update your copy of the [`github/codeql`](https://github.com/github/codeql) repository from the `main` branch. If you do this, query caches may be discarded, so your next query runs may be slower.
{% endnote %}
> [!NOTE]
> If you don't have an appropriate query (usually `printAST.ql`) in your workspace, the **{% data variables.product.prodname_codeql %}: View AST** command in the following steps won't work. To fix this, you can update your copy of the [`github/codeql`](https://github.com/github/codeql) repository from the `main` branch. If you do this, query caches may be discarded, so your next query runs may be slower.
1. Open the "Databases" view in the extension, and right-click the database that you want to explore. Click **Add Database Source to Workspace**.

@ -26,11 +26,8 @@ There are several different ways to give the extension access to the standard li
### Option 1: Using the starter workspace (recommended)
{% note %}
**Note:** The {% data variables.product.prodname_codeql %} repository is included as a submodule in the starter workspace. You should use `git submodule update --remote` regularly to keep the submodules up to date, and ensure that they remain compatible with newer versions of the {% data variables.product.prodname_vscode_shortname %} extension and the {% data variables.product.prodname_codeql_cli %}.
{% endnote %}
> [!NOTE]
> The {% data variables.product.prodname_codeql %} repository is included as a submodule in the starter workspace. You should use `git submodule update --remote` regularly to keep the submodules up to date, and ensure that they remain compatible with newer versions of the {% data variables.product.prodname_vscode_shortname %} extension and the {% data variables.product.prodname_codeql_cli %}.
1. Clone the [vscode-codeql-starter repository](https://github.com/github/vscode-codeql-starter/) to your computer. Make sure you include the submodules, either by using `git clone --recursive`, or by using `git submodule update --init --remote` after cloning.
@ -56,10 +53,7 @@ There are several different ways to give the extension access to the standard li
### Option 3: Open the directory containing the extracted {% data variables.product.prodname_codeql_cli %} archive
{% note %}
**Note:** For this option, you need to set up the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli)."
{% endnote %}
> [!NOTE]
> For this option, you need to set up the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli)."
In {% data variables.product.prodname_vscode_shortname %}, open the directory where you extracted the {% data variables.product.prodname_codeql_cli %} .zip archive to create a {% data variables.product.prodname_codeql %} directory (for example `codeql-home`).

@ -18,11 +18,8 @@ redirect_from:
This data will not be shared with any parties outside of {% data variables.product.company_short %}. IP addresses and installation IDs will be retained for a maximum of 30 days. Anonymous data will be retained for a maximum of 180 days.
{% note %}
**Note:** Telemetry collection is disabled by default in {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %}. When telemetry collection is disabled, no data will be sent to {% data variables.product.company_short %} servers.
{% endnote %}
> [!NOTE]
> Telemetry collection is disabled by default in {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_vscode %}. When telemetry collection is disabled, no data will be sent to {% data variables.product.company_short %} servers.
## Why we collect data

@ -33,11 +33,8 @@ The rest of this article covers the practical aspects of modelling dependencies
## Displaying the {% data variables.product.prodname_codeql %} model editor
{% note %}
**Note:** To use this {% data variables.release-phases.public_preview %} functionality, install the latest version of the {% data variables.product.prodname_codeql %} extension for {% data variables.product.prodname_vscode %}.
{% endnote %}
> [!NOTE]
> To use this {% data variables.release-phases.public_preview %} functionality, install the latest version of the {% data variables.product.prodname_codeql %} extension for {% data variables.product.prodname_vscode %}.
1. Open your {% data variables.product.prodname_codeql %} workspace in {% data variables.product.prodname_vscode_shortname %}. For example, the [`vscode-codeql-starter` workspace](https://github.com/github/vscode-codeql-starter). If you are using the starter workspace, update the `ql` submodule from `main` to ensure that you have the queries used to gather data for the model editor.
@ -51,11 +48,8 @@ The rest of this article covers the practical aspects of modelling dependencies
1. When the telemetry queries are complete, the APIs that have been identified are shown in the editor.
{% tip %}
**Tip:** You can move the {% data variables.product.prodname_codeql %} "Method Modeling" view from the primary sidebar to the secondary sidebar, if you want more space while you are modeling calls or methods. If you close the view, you can reopen it from the "View" menu in {% data variables.product.prodname_vscode_shortname %} and clicking **Open View...**.
{% endtip %}
> [!TIP]
> You can move the {% data variables.product.prodname_codeql %} "Method Modeling" view from the primary sidebar to the secondary sidebar, if you want more space while you are modeling calls or methods. If you close the view, you can reopen it from the "View" menu in {% data variables.product.prodname_vscode_shortname %} and clicking **Open View...**.
## Modeling the calls your codebase makes to external APIs
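Review bot: the last sentence of the converted tip, "you can reopen it from the "View" menu in {% data variables.product.prodname_vscode_shortname %} and clicking **Open View...**", is ungrammatical and was carried over unchanged; change "and clicking" to "by clicking" while touching this line.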

@ -40,28 +40,20 @@ If your code depends on a package with a security vulnerability, this can cause
* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
{% note %}
> [!NOTE]
> Only advisories that have been reviewed by {% data variables.product.company_short %} will trigger {% data variables.product.prodname_dependabot_alerts %}.
**Note:** Only advisories that have been reviewed by {% data variables.product.company_short %} will trigger {% data variables.product.prodname_dependabot_alerts %}.
{% endnote %}
* The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on{% ifversion fpt or ghec %}, or when the code of one of the dependencies changes{% endif %}. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
{% note %}
**Note:** {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.
{% endnote %}
> [!NOTE]
> {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.
{% data reusables.repositories.dependency-review %}
As {% data variables.product.prodname_dependabot_alerts %} rely on the dependency graph, the ecosystems that are supported by {% data variables.product.prodname_dependabot_alerts %} are the same as those supported by the dependency graph. For a list of these ecosystems, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems)."
{% note %}
**Note:** It is important to keep your manifest and lock files up to date. If the dependency graph doesn't accurately reflect your current dependencies and versions, then you could miss alerts for insecure dependencies that you use. You may also get alerts for dependencies that you no longer use.
{% endnote %}
> [!NOTE]
> It is important to keep your manifest and lock files up to date. If the dependency graph doesn't accurately reflect your current dependencies and versions, then you could miss alerts for insecure dependencies that you use. You may also get alerts for dependencies that you no longer use.
{% data reusables.dependabot.dependabot-alert-actions-semver %}
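Review bot: the first `> [!NOTE]` ("Only advisories that have been reviewed...") sits between two items of the bullet list, after the "New advisory data is synchronized..." item and before the "The dependency graph for a repository changes..." item. Make sure the blockquote is indented under the first item; an unindented blockquote between two `*` items splits the list into two lists when rendered.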
@ -90,11 +82,8 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc
{% endif %}
{% warning %}
**Note**: {% data variables.product.product_name %}'s security features do not claim to catch all vulnerabilities. We actively maintain {% data variables.product.prodname_advisory_database %} and generate alerts with the most up-to-date information. However, we cannot catch everything or tell you about known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough dependency review when necessary.
{% endwarning %}
> [!WARNING]
> {% data variables.product.product_name %}'s security features do not claim to catch all vulnerabilities. We actively maintain {% data variables.product.prodname_advisory_database %} and generate alerts with the most up-to-date information. However, we cannot catch everything or tell you about known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough dependency review when necessary.
## Access to {% data variables.product.prodname_dependabot_alerts %}
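Review bot: the old block was a `{% warning %}` container but its visible label was **Note**, and converting it to `> [!WARNING]` changes the rendered heading from "Note" to "Warning". Confirm that this severity is intended for the "security features do not claim to catch all vulnerabilities" caveat; if the "Note" label was deliberate, `> [!NOTE]` keeps the reader-facing label unchanged.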

@ -121,11 +121,10 @@ You can enable or disable {% data variables.product.prodname_dependabot_alerts %
{% endif %}
{% ifversion dependabot-alerts-enterprise-enablement %}
{% note %}
**Note:** When {% data variables.product.prodname_dependabot_alerts %} are enabled or disabled at the enterprise level, it overrides the organization and repository level settings for {% data variables.product.prodname_dependabot_alerts %}.
> [!NOTE]
> When {% data variables.product.prodname_dependabot_alerts %} are enabled or disabled at the enterprise level, it overrides the organization and repository level settings for {% data variables.product.prodname_dependabot_alerts %}.
{% endnote %}
{% endif %}
{% ifversion dependabot-alerts-enterprise-enablement or ghes %}
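Review bot: unlike the other hunks in this change, `{% note %}` (first line of the block) and `{% endnote %}` (after the new `>` lines) do not appear to be removed here, and the hunk's line count going from 11 to 10 matches replacing only the **Note:** line and its surrounding blank lines. That leaves the new `> [!NOTE]` alert nested inside the Liquid note wrapper; remove both `{% note %}` and `{% endnote %}` as in the other files.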

@ -51,11 +51,8 @@ You can configure notification settings for yourself or your organization from t
![Screenshot of the notification options for {% data variables.product.prodname_dependabot_alerts %}. A dropdown menu, showing notification frequency options, is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-notification-frequency.png){% endif %}{% ifversion ghes %}
![Screenshot of the notification options for {% data variables.product.prodname_dependabot_alerts %}.](/assets/images/help/enterprises/dependabot-alerts-options-no-ui.png){% endif %}
{% note %}
**Note:** You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters)."
{% endnote %}
> [!NOTE]
> You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters)."
{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#filtering-email-notifications)."

@ -77,11 +77,8 @@ When {% data variables.product.prodname_dependabot %} tells you that your reposi
For supported languages, {% data variables.product.prodname_dependabot %} automatically detects whether you use a vulnerable function and adds the label "Vulnerable call" to affected alerts. You can use this information in the {% data variables.product.prodname_dependabot_alerts %} view to triage and prioritize remediation work more effectively.
{% note %}
**Note:** During the {% data variables.release-phases.public_preview %} release, this feature is available only for new Python advisories created _after_ April 14, 2022, and for a subset of historical Python advisories. {% data variables.product.prodname_dotcom %} is working to backfill data across additional historical Python advisories, which are added on a rolling basis. Vulnerable calls are highlighted only on the {% data variables.product.prodname_dependabot_alerts %} pages.
{% endnote %}
> [!NOTE]
> During the {% data variables.release-phases.public_preview %} release, this feature is available only for new Python advisories created _after_ April 14, 2022, and for a subset of historical Python advisories. {% data variables.product.prodname_dotcom %} is working to backfill data across additional historical Python advisories, which are added on a rolling basis. Vulnerable calls are highlighted only on the {% data variables.product.prodname_dependabot_alerts %} pages.
![Screenshot showing an alert with the "Vulnerable call" label. The label is outlined in orange.](/assets/images/help/repository/dependabot-alerts-vulnerable-call-label.png)
@ -149,10 +146,8 @@ With a {% data variables.product.prodname_copilot_enterprise %} license, you can
## Dismissing {% data variables.product.prodname_dependabot_alerts %}
{% tip %}
**Tip:** You can only dismiss open alerts.
{% endtip %}
> [!TIP]
> You can only dismiss open alerts.
If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.

@ -29,11 +29,8 @@ Organization owners and security managers can set {% data variables.dependabot.c
* **Enforced**: If an organization-level rule is "enforced", repository administrators cannot edit, disable, or delete the rule.
* **Enabled**: If an organization-level rule is "enabled", repository administrators can still disable the rule for their repository.
{% note %}
**Note:** In the event that an organization-level rule and a repository-level rule specify conflicting behaviors, the action set out by the organization-level rule takes precedence. Dismissal rules always act before rules which trigger {% data variables.product.prodname_dependabot %} pull requests.
{% endnote %}
> [!NOTE]
> In the event that an organization-level rule and a repository-level rule specify conflicting behaviors, the action set out by the organization-level rule takes precedence. Dismissal rules always act before rules which trigger {% data variables.product.prodname_dependabot %} pull requests.
You can create rules to target alerts using the following metadata:
@ -57,11 +54,8 @@ For more information about enabling or disabling {% data variables.product.prodn
## Adding {% data variables.dependabot.custom_rules %} to your repository
{% note %}
**Note:** During the {% data variables.release-phases.public_preview %}, you can create up to 10 {% data variables.dependabot.custom_rules %} for a repository.
{% endnote %}
> [!NOTE]
> During the {% data variables.release-phases.public_preview %}, you can create up to 10 {% data variables.dependabot.custom_rules %} for a repository.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
@ -82,11 +76,8 @@ For more information about enabling or disabling {% data variables.product.prodn
{% else %}
{% note %}
**Note:** During the {% data variables.release-phases.public_preview %}, you can create up to 25 {% data variables.dependabot.custom_rules %} for your organization.
{% endnote %}
> [!NOTE]
> During the {% data variables.release-phases.public_preview %}, you can create up to 25 {% data variables.dependabot.custom_rules %} for your organization.
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}

@ -19,11 +19,8 @@ redirect_from:
## Managing automatically dismissed alerts
{% note %}
**Note:** The {% data variables.product.prodname_dependabot_alerts %} page defaults to showing open alerts. To filter and view auto-dismissed alerts, you must first clear the `is:open` default filter from the view.
{% endnote %}
> [!NOTE]
> The {% data variables.product.prodname_dependabot_alerts %} page defaults to showing open alerts. To filter and view auto-dismissed alerts, you must first clear the `is:open` default filter from the view.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}

@ -26,11 +26,8 @@ The `Dismiss low impact issues for development-scoped dependencies` rule is a {%
* At worst, have limited effects like slow builds or long-running tests.
* Are not indicative of issues in production.
{% note %}
**Note:** Automatic dismissal of low impact development alerts is currently only supported for npm.
{% endnote %}
> [!NOTE]
> Automatic dismissal of low impact development alerts is currently only supported for npm.
The `Dismiss low impact issues for development-scoped dependencies` rule includes vulnerabilities relating to resource management, programming and logic, and information disclosure issues. For more information, see "[Publicly disclosed CWEs used by the `Dismiss low impact issues for development-scoped dependencies` rule](#publicly-disclosed-cwes-used-by-the-dismiss-low-impact-issues-for-development-scoped-dependencies-rule)."

@ -47,11 +47,8 @@ If you enable {% data variables.product.prodname_dependabot_security_updates %},
The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependencies-included)."
{% note %}
**Note**: For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert)."
{% endnote %}
> [!NOTE]
> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert)."
You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)."

@ -69,11 +69,8 @@ To reduce the number of pull requests you may be seeing, you can enable grouped
* **{% data variables.product.prodname_dependabot_alerts %}**. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)."
* **{% data variables.product.prodname_dependabot_security_updates %}**. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)."
{% note %}
**Note:** When grouped security updates are first enabled, {% data variables.product.prodname_dependabot %} will immediately try to create grouped pull requests. You may notice {% data variables.product.prodname_dependabot %} closing old pull requests and opening new ones.
{% endnote %}
> [!NOTE]
> When grouped security updates are first enabled, {% data variables.product.prodname_dependabot %} will immediately try to create grouped pull requests. You may notice {% data variables.product.prodname_dependabot %} closing old pull requests and opening new ones.
{% data reusables.dependabot.dependabot-grouped-security-updates-how-enable %}
{% data reusables.dependabot.dependabot-grouped-security-updates-order %}
@ -151,11 +148,8 @@ updates:
- "golang.org*"{% endif %}
```
{% note %}
**Note:** In order for {% data variables.product.prodname_dependabot %} to use this configuration for security updates, the `directory` must be the path to the manifest files, and you should not specify a `target-branch`.
{% endnote %}
> [!NOTE]
> In order for {% data variables.product.prodname_dependabot %} to use this configuration for security updates, the `directory` must be the path to the manifest files, and you should not specify a `target-branch`.
## Further reading

@ -31,11 +31,8 @@ You must store this file in the `.github` directory of your repository in the de
Any options that also affect security updates are used the next time a security alert triggers a pull request for a security update. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)."
{% note %}
**Note:** You cannot configure {% data variables.product.prodname_dependabot_alerts %} using the `dependabot.yml` file.
{% endnote %}
> [!NOTE]
> You cannot configure {% data variables.product.prodname_dependabot_alerts %} using the `dependabot.yml` file.
The `dependabot.yml` file has two mandatory top-level keys: `version`, and `updates`. You can, optionally, include a top-level `registries` key. The file must start with `version: 2`.
@ -61,15 +58,12 @@ These options fit broadly into the following categories.
In addition, the [`open-pull-requests-limit`](#open-pull-requests-limit) option changes the maximum number of pull requests for version updates that {% data variables.product.prodname_dependabot %} can open.
{% note %}
**Note:** Some of these configuration options may also affect pull requests raised for security updates of vulnerable package manifests.
Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use `target-branch`), and specify a `package-ecosystem` and `directory` for the vulnerable manifest, then pull requests for security updates use relevant options.
In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)."
{% endnote %}
> [!NOTE]
> Some of these configuration options may also affect pull requests raised for security updates of vulnerable package manifests.
>
> Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use `target-branch`), and specify a `package-ecosystem` and `directory` for the vulnerable manifest, then pull requests for security updates use relevant options.
>
> In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)."
### `package-ecosystem`
@ -79,11 +73,8 @@ If you want to enable vendoring for a package manager that supports it, the vend
If you want to allow {% data variables.product.prodname_dependabot %} to access a private package registry when performing a version update, you can include a `registries` setting in the configuration file. For more information, see [`registries`](#registries) below.{% ifversion ghes %}
{% note %}
**Note:** Enterprise owners can download the most recent version of the [{% data variables.product.prodname_dependabot %} action](https://github.com/github/dependabot-action) to get the best ecosystem coverage. {% data reusables.actions.action-bundled-actions %}
{% endnote %}
> [!NOTE]
> Enterprise owners can download the most recent version of the [{% data variables.product.prodname_dependabot %} action](https://github.com/github/dependabot-action) to get the best ecosystem coverage. {% data reusables.actions.action-bundled-actions %}
{% endif %}
@ -247,11 +238,8 @@ updates:
**Required**. You must define how often to check for new versions for each package manager. By default, {% data variables.product.prodname_dependabot %} randomly assigns a time to apply all the updates in the configuration file. To set a specific time, you can use [`schedule.time`](#scheduletime) and [`schedule.timezone`](#scheduletimezone).
{% note %}
**Note:** The `schedule.time` option is a best effort, and it may take some time before {% data variables.product.prodname_dependabot %} opens pull requests to update to newer dependency versions.
{% endnote %}
> [!NOTE]
> The `schedule.time` option is a best effort, and it may take some time before {% data variables.product.prodname_dependabot %} opens pull requests to update to newer dependency versions.
| Interval types | Frequency |
|----------------|-----------|
@ -279,13 +267,10 @@ updates:
interval: "weekly"
```
{% note %}
**Note**: `schedule` defines when {% data variables.product.prodname_dependabot %} attempts a new update. However, it's not the only time you may receive pull requests. Updates can be triggered based on changes to your `dependabot.yml` file, {% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %}changes to your manifest file(s) after a failed update, {% endif %}or {% data variables.product.prodname_dependabot_security_updates %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#frequency-of-dependabot-pull-requests)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
{% data reusables.dependabot.version-updates-skip-scheduled-runs %}
{% endnote %}
> [!NOTE]
> `schedule` defines when {% data variables.product.prodname_dependabot %} attempts a new update. However, it's not the only time you may receive pull requests. Updates can be triggered based on changes to your `dependabot.yml` file, {% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %}changes to your manifest file(s) after a failed update, {% endif %}or {% data variables.product.prodname_dependabot_security_updates %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#frequency-of-dependabot-pull-requests)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
>
> {% data reusables.dependabot.version-updates-skip-scheduled-runs %}
### `allow`
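Review bot: the reusable `{% data reusables.dependabot.version-updates-skip-scheduled-runs %}` is now placed on a `> ` line inside the alert. Liquid expands it before Markdown parsing, so if that reusable contains more than one paragraph or a list, everything after its first blank line will fall outside the quote. Verify the reusable is a single paragraph, or wrap each of its paragraphs in the alert explicitly.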
@ -372,11 +357,8 @@ We populate the titles of pull requests based on the commit messages, whether ex
Supported options
{% note %}
**Note:** The `prefix` and the `prefix-development` options have a 50-character limit.
{% endnote %}
> [!NOTE]
> The `prefix` and the `prefix-development` options have a 50-character limit.
* `prefix` specifies a prefix for all commit messages and it will also be added to the start of the PR title.
When you specify a prefix for commit messages, {% data variables.product.prodname_dotcom %} will automatically add a colon between the defined prefix and the commit message provided the defined prefix ends with a letter, number, closing parenthesis, or closing bracket. This means that, for example, if you end the prefix with a whitespace, there will be no colon added between the prefix and the commit message.
@ -476,14 +458,9 @@ You can also manage pull requests for grouped version updates and security updat
Dependencies can be ignored either by adding them to `ignore` or by using the `@dependabot ignore` command on a pull request opened by {% data variables.product.prodname_dependabot %}.
{% warning %}
**Warning**:
* We recommend you do _not_ use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. This may work for some ecosystems but we have no means of knowing whether package managers require access to all dependencies to be able to successfully perform updates, which makes this method unreliable. The supported way to handle private dependencies is to give {% data variables.product.prodname_dependabot %} access to private registries or private repositories. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot)."
* For {% data variables.product.prodname_actions %} and Docker, you may use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries.
{% endwarning %}
> [!WARNING]
> * We recommend you do _not_ use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. This may work for some ecosystems but we have no means of knowing whether package managers require access to all dependencies to be able to successfully perform updates, which makes this method unreliable. The supported way to handle private dependencies is to give {% data variables.product.prodname_dependabot %} access to private registries or private repositories. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot)."
> * For {% data variables.product.prodname_actions %} and Docker, you may use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries.
#### Creating `ignore` conditions from `@dependabot ignore`
@ -535,17 +512,11 @@ updates:
versions: '>= 3'
```
{% note %}
> [!NOTE]
> {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files)."
**Note**: {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files)."
{% endnote %}
{% note %}
**Note**: For the `pub` ecosystem, {% data variables.product.prodname_dependabot %} won't perform an update when the version that it tries to update to is ignored, even if an earlier version is available.
{% endnote %}
> [!NOTE]
> For the `pub` ecosystem, {% data variables.product.prodname_dependabot %} won't perform an update when the version that it tries to update to is ignored, even if an earlier version is available.
The following examples show how `ignore` can be used to customize which dependencies are updated.
@ -738,11 +709,8 @@ updates:
By default, {% data variables.product.prodname_dependabot %} automatically rebases open pull requests when it detects any changes to the pull request. Use `rebase-strategy` to disable this behavior.
{% note %}
**Note:** {% data reusables.dependabot.pull-requests-30-days-cutoff %}
{% endnote %}
> [!NOTE]
> {% data reusables.dependabot.pull-requests-30-days-cutoff %}
Available rebase strategies
@ -757,11 +725,8 @@ When `rebase-strategy` is set to `auto`, {% data variables.product.prodname_depe
When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests.
{% note %}
**Note:** This behavior only applies to pull requests that go into conflict with the target branch. {% data variables.product.prodname_dependabot %} will keep rebasing (until 30 days after opening) pull requests opened prior to the `rebase-strategy` setting being changed, and pull requests that are part of a scheduled run.
{% endnote %}
> [!NOTE]
> This behavior only applies to pull requests that go into conflict with the target branch. {% data variables.product.prodname_dependabot %} will keep rebasing (until 30 days after opening) pull requests opened prior to the `rebase-strategy` setting being changed, and pull requests that are part of a scheduled run.
{% data reusables.dependabot.option-affects-security-updates %}
@ -1003,11 +968,8 @@ Available update strategies:
| `pub` | `auto`, `increase`, `increase-if-necessary`, `widen` | `auto` |
| `terraform` | N/A | N/A |
{% note %}
**Note:** `N/A` indicates that the package manager does not yet support configuring the `versioning-strategy` parameter. The strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in https://github.com/dependabot/dependabot-core/.
{% endnote %}
> [!NOTE]
> `N/A` indicates that the package manager does not yet support configuring the `versioning-strategy` parameter. The strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in https://github.com/dependabot/dependabot-core/.
```yaml
# Example configuration for customizing the manifest version strategy
@ -1055,22 +1017,21 @@ The top-level `registries` key is optional. It allows you to specify authenticat
You can give {% data variables.product.prodname_dependabot %} access to private package registries hosted by GitLab or Bitbucket by specifying a `type` of `git`. For more information, see [`git`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#git).
{% ifversion ghes %}
{% note %}
**Note:** Private registries behind firewalls on private networks are supported for the following ecosystems:
> [!NOTE]
> Private registries behind firewalls on private networks are supported for the following ecosystems:
>
> * Bundler{% ifversion dependabot-updates-cargo-private-registry-support %}
> * Cargo{% endif %}
> * Docker
> * Gradle
> * Maven
> * Npm
> * Nuget{% ifversion dependabot-updates-pub-private-registry %}
> * Pub{% endif %}
> * Python
> * Yarn
* Bundler{% ifversion dependabot-updates-cargo-private-registry-support %}
* Cargo{% endif %}
* Docker
* Gradle
* Maven
* Npm
* Nuget{% ifversion dependabot-updates-pub-private-registry %}
* Pub{% endif %}
* Python
* Yarn
{% endnote %}
{% endif %}
The value of the `registries` key is an associative array, each element of which consists of a key that identifies a particular registry and a value which is an associative array that specifies the settings required to access that registry. The following `dependabot.yml` file configures a registry identified as `dockerhub` in the `registries` section of the file and then references this in the `updates` section of the file.
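Review bot: the conditional list items are handled correctly here: `{% ifversion dependabot-updates-cargo-private-registry-support %}` sits at the end of the `> * Bundler` line and `{% endif %}` at the end of `> * Cargo`, so the `> ` prefix of the Cargo item is inside the conditional and no empty quote line is left behind when the flag is off. Keep this pattern for the Pub item as well, which already follows it.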
@ -1255,11 +1216,8 @@ The `npm-registry` type supports username and password, or token. {% data reusab
When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password.
{% note %}
**Note**: When using `npm.pkg.github.com`, don't include a path. Instead use the `https://npm.pkg.github.com` URL without a path.
{% endnote %}
> [!NOTE]
> When using `npm.pkg.github.com`, don't include a path. Instead use the `https://npm.pkg.github.com` URL without a path.
{% raw %}

View file
@ -45,11 +45,12 @@ If you customize the `dependabot.yml` file, you may notice some changes to the p
For an example, see "[Setting custom labels](#setting-custom-labels)" below.
{% ifversion dependabot-grouped-security-updates-config %}{% note %}
{% ifversion dependabot-grouped-security-updates-config %}
**Note:** If you use grouped security updates, the grouped pull requests will also inherit non-group configuration settings from the `dependabot.yml` file, and any group rules specified with `applies-to: security-updates` will apply. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates)."
> [!NOTE]
> If you use grouped security updates, the grouped pull requests will also inherit non-group configuration settings from the `dependabot.yml` file, and any group rules specified with `applies-to: security-updates` will apply. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates)."
{% endnote %}{% endif %}
{% endif %}
## Modifying scheduling
@ -108,11 +109,8 @@ You can use `labels` to override the default labels and specify alternative labe
The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm will have custom labels. It also changes the Docker configuration to check for version updates against a custom branch and to raise pull requests with custom labels against that custom branch. The changes to Docker will not affect security update pull requests because security updates are always made against the default branch.
{% note %}
**Note:** The new `target-branch` must contain a Dockerfile to update, otherwise this change will have the effect of disabling version updates for Docker.
{% endnote %}
> [!NOTE]
> The new `target-branch` must contain a Dockerfile to update, otherwise this change will have the effect of disabling version updates for Docker.
```yaml
# `dependabot.yml` file with
@ -183,11 +181,10 @@ If you would like to un-ignore a dependency or ignore condition, you can delete
* Un-ignore all ignore conditions for all dependencies in a {% data variables.product.prodname_dependabot %} pull request
{% ifversion dependabot-grouped-security-updates-config %}{% else %}
{% note %}
**Note:** The `@dependabot unignore` comment commands only work on pull requests for grouped version updates.
> [!NOTE]
> The `@dependabot unignore` comment commands only work on pull requests for grouped version updates.
{% endnote %}
{% endif %}
For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands)."{% endif %}

View file
@ -223,11 +223,8 @@ If you want to allow maintainers to mark certain pull requests for auto-merge, y
{% ifversion repo-rules %}As an alternative to branch protection rules, you can create rulesets. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)."{% endif %}
{% note %}
**Note:** If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule)."
{% endnote %}
> [!NOTE]
> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule)."
You can instead use {% data variables.product.prodname_actions %} and the {% data variables.product.prodname_cli %}. Here is an example that auto merges all patch updates to `my-dependency`:

View file
@ -33,11 +33,10 @@ If a more recent version of the action is available, {% data variables.product.p
{% data variables.product.prodname_dependabot %} also checks workflow files for uses of reusable workflows, and updates the git reference for these called reusable workflows. For more information about reusable workflows, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)."
{% ifversion fpt or ghec %}
{% note %}
**Note:** {% data reusables.actions.workflow-runs-dependabot-note %}
> [!NOTE]
> {% data reusables.actions.workflow-runs-dependabot-note %}
{% endnote %}
{% endif %}
## Enabling {% data variables.product.prodname_dependabot_version_updates %} for actions

View file
@ -32,11 +32,8 @@ When {% data variables.product.prodname_dependabot %} raises a pull request, you
If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. {% ifversion dependabot-version-updates-groups %} You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request.{% endif %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates){% ifversion dependabot-grouped-security-updates-config %}" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request)."{% else %}" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request)."{% endif %}
{% note %}
**Note**: If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)."
{% endnote %}
> [!NOTE]
> If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)."
## Viewing {% data variables.product.prodname_dependabot %} pull requests
@ -93,11 +90,8 @@ In {% data variables.product.prodname_dependabot %} pull requests for grouped ve
* `@dependabot unignore DEPENDENCY_NAME` closes the current pull request, clears all `ignore` conditions stored for the dependency, then opens a new pull request that includes available updates for the specified dependency. For example, `@dependabot unignore lodash` would open a new pull request that includes updates for the Lodash dependency.
* `@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION` closes the current pull request, clears the stored `ignore` condition, then opens a new pull request that includes available updates for the specified ignore condition. For example, `@dependabot unignore express [< 1.9, > 1.8.0]` would open a new pull request that includes updates for Express between versions 1.8.0 and 1.9.0.
{% note %}
**Tip:** When you want to un-ignore a specific ignore condition, use the `@dependabot show DEPENDENCY_NAME ignore conditions` command to quickly check what ignore conditions a dependency currently has.
{% endnote %}
> [!TIP]
> When you want to un-ignore a specific ignore condition, use the `@dependabot show DEPENDENCY_NAME ignore conditions` command to quickly check what ignore conditions a dependency currently has.
{% elsif dependabot-version-updates-groups %}
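Review bot: the old markup wrapped a "**Tip:**" inside a `{% note %}` container, and the replacement uses `> [!TIP]`, so the rendered callout style changes from note to tip. That looks like the intended fix, but it should be called out in the PR description since it is a visible change rather than a pure markup swap; the same applies to the second tip block later in this file.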
@ -105,11 +99,8 @@ In {% data variables.product.prodname_dependabot %} pull requests for grouped ve
In {% data variables.product.prodname_dependabot %} pull requests for grouped version updates, you can use comment commands to ignore and un-ignore updates for specific dependencies and versions. You can use any of the following commands to manage ignore conditions for grouped version updates.
{% note %}
**Note:** The following comment commands do not work for grouped {% data variables.product.prodname_dependabot_security_updates %}.
{% endnote %}
> [!NOTE]
> The following comment commands do not work for grouped {% data variables.product.prodname_dependabot_security_updates %}.
* `@dependabot ignore DEPENDENCY_NAME` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency.
* `@dependabot ignore DEPENDENCY_NAME major version` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's major version.
@ -119,9 +110,7 @@ In {% data variables.product.prodname_dependabot %} pull requests for grouped ve
* `@dependabot unignore DEPENDENCY_NAME` closes the current pull request, clears all `ignore` conditions stored for the dependency, then opens a new pull request that includes available version updates for the specified dependency. For example, `@dependabot unignore lodash` would open a new pull request that includes version updates for the Lodash dependency.
* `@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION` closes the current pull request, clears the stored `ignore` condition, then opens a new pull request that includes available version updates for the specified ignore condition. For example, `@dependabot unignore express [< 1.9, > 1.8.0]` would open a new pull request that includes version updates for Express between versions 1.8.0 and 1.9.0.
{% note %}
> [!TIP]
> When you want to un-ignore a specific ignore condition, use the `@dependabot show DEPENDENCY_NAME ignore conditions` command to quickly check what ignore conditions a dependency currently has.
**Tip:** When you want to un-ignore a specific ignore condition, use the `@dependabot show DEPENDENCY_NAME ignore conditions` command to quickly check what ignore conditions a dependency currently has.
{% endnote %}
{% endif %}

View file
@ -25,11 +25,8 @@ You can configure {% data variables.product.prodname_dependabot %} to access _on
{% ifversion dependabot-ghes-no-public-internet %}
{% note %}
**Note:** Before you remove access to public registries from your configuration for {% data variables.product.prodname_dependabot_updates %}, check that your site administrator has set up the {% data variables.product.prodname_dependabot %} runners with access to the private registries you need. For more information, see "[AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access)."
{% endnote %}
> [!NOTE]
> Before you remove access to public registries from your configuration for {% data variables.product.prodname_dependabot_updates %}, check that your site administrator has set up the {% data variables.product.prodname_dependabot %} runners with access to the private registries you need. For more information, see "[AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access)."
{% endif %}
@ -53,11 +50,8 @@ To configure the Docker ecosystem to only access private registries, you can use
Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry)."
{% note %}
**Note:** Remove `replaces-base: true` from the configuration file.
{% endnote %}
> [!NOTE]
> Remove `replaces-base: true` from the configuration file.
```yaml
version: 2
@ -85,11 +79,8 @@ To configure the Gradle ecosystem to only access private registries, you can use
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository)."
{% note %}
**Note**: Remove replaces-base: true from the configuration file.
{% endnote %}
> [!NOTE]
> Remove replaces-base: true from the configuration file.
Additionally, you also need to specify the private registry URL in the `repositories` section of the `build.gradle` file.
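Review bot: the new line `> Remove replaces-base: true from the configuration file.` is missing code formatting around `replaces-base: true`; the equivalent Docker and npm notes in this file render it as `` `replaces-base: true` ``. Suggest matching that for consistency.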
@ -138,11 +129,8 @@ To configure the npm ecosystem to only access private registries, you can use th
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Remove `replaces-base: true` from the configuration file.
{% endnote %}
> [!NOTE]
> Remove `replaces-base: true` from the configuration file.
The npm ecosystem additionally requires a `.npmrc` file with the private registry URL to be checked into the repository.
@ -154,11 +142,8 @@ The npm ecosystem additionally requires a `.npmrc` file with the private registr
If there is no global registry defined in an `.npmrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`.
{% endnote %}
> [!NOTE]
> For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`.
### Yarn
@ -172,11 +157,8 @@ To configure the Yarn Classic ecosystem to only access private registries, you c
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
> [!NOTE]
> Delete `replaces-base: true` from the configuration file.
To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the `resolved` field to include the private registry URL.
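Review bot: wording drifts between sections: the Docker, Gradle and npm notes say "Remove `replaces-base: true`" while this one and the later ones say "Delete `replaces-base: true`". Since every note is being touched in this change, it is a good moment to standardize on one verb.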
@ -203,11 +185,8 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour
If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`.
{% endnote %}
> [!NOTE]
> For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`.
#### Yarn Berry
@ -217,11 +196,8 @@ To configure the Yarn Berry ecosystem to only access private registries, you can
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
> [!NOTE]
> Delete `replaces-base: true` from the configuration file.
To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the `resolved` field to include the private registry URL.
@ -247,11 +223,8 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour
npmRegistryServer: "https://private_registry_url"
```
{% note %}
**Note:** For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.yarnrc` file. To define private registries for individual scopes, use `"@myscope:registry" "https://private_registry_url"`.
{% endnote %}
> [!NOTE]
> For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.yarnrc` file. To define private registries for individual scopes, use `"@myscope:registry" "https://private_registry_url"`.
## Nuget
@ -318,11 +291,8 @@ To configure the Pip ecosystem to only access private registries, you can use th
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
> [!NOTE]
> Delete `replaces-base: true` from the configuration file.
Add the private registry URL to the `[global]` section of the `pip.conf` file and check the file into the repository.
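Review bot: the context line above this note (and the one in the next hunk) links to `configuration-options-for-the-dependabot.yml-file#npm-registry` for the Pip ecosystem, whereas the Pipenv section below links to `#python-index`. The Pip anchors look like copy-paste leftovers and should probably point at `#python-index` too.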
@ -348,11 +318,8 @@ Set `replaces-base` as `true` in the `dependabot.yml` file. For more information
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
> [!NOTE]
> Delete `replaces-base: true` from the configuration file.
Add the private registry URL to the `requirements.txt` file and check the file into the repository.
@ -364,11 +331,8 @@ Add the private registry URL to the `requirements.txt` file and check the file i
To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
> [!NOTE]
> Delete `replaces-base: true` from the configuration file.
Add the private registry URL to the `[[source]]` section of the `Pipfile` file and check the file into the repository.

View file
@ -31,11 +31,8 @@ topics:
If anything prevents {% data variables.product.prodname_dependabot %} from raising a pull request, this is reported as an error.
{% note %}
**Note:** {% data variables.product.prodname_dependabot %} doesn't create pull requests for inactive repositories. For information about inactivity criteria, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates)," for security and version updates, respectively.
{% endnote %}
> [!NOTE]
> {% data variables.product.prodname_dependabot %} doesn't create pull requests for inactive repositories. For information about inactivity criteria, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)" and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates)," for security and version updates, respectively.
{% ifversion dependabot-on-actions-opt-in %}
For more information about troubleshooting when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)."

View file
@ -24,11 +24,8 @@ To give people instructions for reporting security vulnerabilities in your proje
You can create a default security policy for your organization or personal account. For more information, see "[AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file)."
{% tip %}
**Tip:** To help people find your security policy, you can link to your `SECURITY.md` file from other places in your repository, such as your `README` file. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes)."
{% endtip %}
> [!TIP]
> To help people find your security policy, you can link to your `SECURITY.md` file from other places in your repository, such as your `README` file. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes)."
{% ifversion fpt or ghec %}
After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)." For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
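Review bot: the `> [!TIP]` callout is followed directly by `{% ifversion fpt or ghec %}` in the visible lines; if no blank line separates them, that Liquid tag line becomes a lazy continuation of the blockquote and the paragraph it guards renders inside the tip. Keep a blank line after the last `> ...` line of the callout.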

View file

@ -111,13 +111,10 @@ At the organization level, if you're unable to coordinate with the user who push
If you're unable to coordinate directly with the repository owner to remove data that you're confident you own, you can fill out a DMCA takedown notice form and tell GitHub Support. For more information, see [DMCA takedown notice](https://support.github.com/contact/dmca-takedown).
{% note %}
**Note:** If one of your repositories has been taken down due to a false claim, you should fill out a DMCA
> [!NOTE]
> If one of your repositories has been taken down due to a false claim, you should fill out a DMCA
counter notice form and alert GitHub Support. For more information, see [DMCA counter notice](https://support.github.com/contact/dmca-counter-notice).
{% endnote %}
## Next steps
* "[AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code)"
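Review bot: the continuation line `counter notice form and alert GitHub Support. For more information, see [DMCA counter notice](...)` is left as unchanged context without a `>` prefix, so the converted callout covers only the first line of the note. Lazy continuation usually keeps it inside the blockquote when rendered, but the source reads as a broken callout and line-based tooling treats it as body text; prefix it with `> ` (or join it onto the `> If one of your repositories ...` line) in this same change.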

View file

@ -47,11 +47,8 @@ You need to follow the steps below on the repository you forked in "[Prerequisit
1. Under "Code security and analysis", to the right of {% data variables.product.prodname_dependabot_alerts %}, click **Enable** for {% data variables.product.prodname_dependabot_alerts %}, {% data variables.product.prodname_dependabot_security_updates %}, and {% data variables.product.prodname_dependabot_version_updates %}.
1. Optionally, if you are interested in experimenting with {% data variables.product.prodname_dependabot_version_updates %}, click **.github/dependabot.yml**. This will create a default `dependabot.yml` configuration file in the `/.github` directory of your repository. To enable {% data variables.product.prodname_dependabot_version_updates %} for your repository, you typically configure this file to suit your needs by editing the default file, and committing your changes. You can refer to the snippet provided in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file)" for an example.
{% note %}
**Note:** If the dependency graph is not already enabled for the repository, {% data variables.product.prodname_dotcom %} will enable it automatically when you enable {% data variables.product.prodname_dependabot %}.
{% endnote %}
> [!NOTE]
> If the dependency graph is not already enabled for the repository, {% data variables.product.prodname_dotcom %} will enable it automatically when you enable {% data variables.product.prodname_dependabot %}.
For more information about configuring each of these {% data variables.product.prodname_dependabot %} features, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)," "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)," and "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)."
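Review bot: the `> [!NOTE]` callout sits right after the list item `1. Optionally, if you are interested in ...` with no indentation, so it terminates the numbered list; that is correct if the note is meant to stand alone, but if it belongs to that step the `>` lines need to be indented under the item. Also confirm a blank line separates the callout from the following `For more information about configuring ...` paragraph, otherwise that paragraph is pulled into the note by lazy continuation.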

View file

@ -120,17 +120,11 @@ You can retrieve the {% data variables.product.prodname_dotcom %} secret scannin
will provide several `key_identifier` and public keys. You can determine which public
key to use based on the value of `Github-Public-Key-Identifier`.
{% note %}
> [!NOTE]
> When you send a request to the public key endpoint above, you may hit rate limits. To avoid hitting rate limits, you can use a {% data variables.product.pat_v1 %} (no scopes required) or a {% data variables.product.pat_v2 %} (only the automatic public repositories read access required) as suggested in the samples below, or use a conditional request. For more information, see "[AUTOTITLE](/rest/guides/getting-started-with-the-rest-api#conditional-requests)."
**Note**: When you send a request to the public key endpoint above, you may hit rate limits. To avoid hitting rate limits, you can use a {% data variables.product.pat_v1 %} (no scopes required) or a {% data variables.product.pat_v2 %} (only the automatic public repositories read access required) as suggested in the samples below, or use a conditional request. For more information, see "[AUTOTITLE](/rest/guides/getting-started-with-the-rest-api#conditional-requests)."
{% endnote %}
{% note %}
**Note**: The signature was generated using the raw message body. So it's important you also use the raw message body for signature validation, instead of parsing and stringifying the JSON, to avoid rearranging the message or changing spacing.
{% endnote %}
> [!NOTE]
> The signature was generated using the raw message body. So it's important you also use the raw message body for signature validation, instead of parsing and stringifying the JSON, to avoid rearranging the message or changing spacing.
**Sample HTTP POST sent to verify endpoint**
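Review bot: the two added callouts (the `> [!NOTE]` about rate limits and the `> [!NOTE]` about the raw message body) are separated only by removed lines in this hunk, so they end up adjacent in the resulting file; without a blank line between them Markdown merges them into a single blockquote and the second `[!NOTE]` marker renders as literal text. Keep a blank line between the two callouts. As a side benefit, the removed lines used `**Note**:` (colon outside the bold) where the other files in this patch used `**Note:**`, so the conversion also removes that inconsistency.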
@ -403,8 +397,5 @@ A few important points:
* For the hashed form of the raw token, you can only use SHA-256 to hash the token, not any other hashing algorithm.
* The label indicates whether the token is a true ("true_positive") or a false positive ("false_positive"). Only these two lowercased literal strings are allowed.
{% note %}
**Note:** Our request timeout is set to be higher (that is, 30 seconds) for partners who provide data about false positives. If you require a timeout higher than 30 seconds, email us at <a href="mailto:secret-scanning@github.com">secret-scanning@github.com</a>.
{% endnote %}
> [!NOTE]
> Our request timeout is set to be higher (that is, 30 seconds) for partners who provide data about false positives. If you require a timeout higher than 30 seconds, email us at <a href="mailto:secret-scanning@github.com">secret-scanning@github.com</a>.
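Review bot: the callout body keeps a raw HTML anchor `<a href="mailto:secret-scanning@github.com">secret-scanning@github.com</a>` inside a Markdown blockquote; the Markdown autolink form `<secret-scanning@github.com>` produces the same mailto link and matches the Markdown style of the surrounding docs. Otherwise the converted note text is identical to the removed one.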

Some files were not shown because too many files have changed in this diff.