Update landing page, guides page, etc. for code security following addition of GHEC version (#26009)

2022-03-09 11:40:07 +00:00 · 2022-03-09 11:40:07 +00:00 · c51fa948a1
--- a/content/code-security/guides.md
+++ b/content/code-security/guides.md
@ -31,6 +31,7 @@ includeGuides:
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts
+  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository
@ -38,6 +39,7 @@ includeGuides:
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow
+  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs
  - /code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning
  - /code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
  - /code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
@ -45,6 +47,7 @@ includeGuides:
  - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system
  - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-runner-in-your-ci-system
  - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system
+  - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli
  - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-runner-in-your-ci-system
  - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/troubleshooting-codeql-runner-in-your-ci-system
  - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
@ -58,6 +61,8 @@ includeGuides:
  - /code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
  - /code-security/repository-security-advisories/withdrawing-a-repository-security-advisory
  - /code-security/security-overview/about-the-security-overview
+  - /code-security/security-overview/filtering-alerts-in-the-security-overview
+  - /code-security/security-overview/viewing-the-security-overview
  - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates
  - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions
  - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
--- a/content/code-security/index.md
+++ b/content/code-security/index.md
@ -8,17 +8,17 @@ featuredLinks:
  guides:
    - /code-security/getting-started/securing-your-repository
    - /code-security/getting-started/securing-your-organization
-    - '{% ifversion fpt %}/code-security/repository-security-advisories/creating-a-repository-security-advisory{% endif %}'
-    - '{% ifversion ghes or ghae %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif%}'
+    - '{% ifversion fpt or ghec %}/code-security/repository-security-advisories/creating-a-repository-security-advisory{% endif %}'
+    - '{% ifversion ghes or ghae %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif%}'
  guideCards:
-    - '{% ifversion fpt %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates{% endif %}'
-    - '{% ifversion fpt %}/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates{% endif %}'
-    - '{% ifversion fpt %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif %}'
-    - '{% ifversion ghes %}/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository{% endif %}'
-    - '{% ifversion ghes %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-notifications-for-vulnerable-dependencies{% endif %}'
-    - '{% ifversion ghes or ghae %}/code-security/secret-security/configuring-secret-scanning-for-your-repositories{% endif %}'
-    - '{% ifversion ghae %}/code-security/secure-coding/integrating-with-code-scanning/uploading-a-sarif-file-to-github{% endif %}'
-    - '{% ifversion ghae %}/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system{% endif %}'
+    - '{% ifversion fpt or ghec or ghes > 3.2 %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates{% endif %}'
+    - '{% ifversion fpt or ghec or ghes > 3.2 %}/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates{% endif %}'
+    - '{% ifversion fpt or ghec or ghes > 3.2 %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif %}'
+    - '{% ifversion ghes < 3.3 %}/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository{% endif %}'
+    - '{% ifversion ghes < 3.3 %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-notifications-for-vulnerable-dependencies{% endif %}'
+    - '{% ifversion ghes < 3.3 or ghae %}/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories{% endif %}'
+    - '{% ifversion ghae %}/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github{% endif %}'
+    - '{% ifversion ghae %}/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system{% endif %}'
  popular:
    - '{% ifversion ghes %}/admin/release-notes{% endif %}'
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
@ -26,11 +26,11 @@ featuredLinks:
    - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
    - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
    - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot
-    - '{% ifversion ghae %}/code-security/secret-security/about-secret-scanning{% endif %}'
+    - '{% ifversion ghae %}/code-security/secret-scanning/about-secret-scanning{% endif %}'
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-the-detection-of-vulnerable-dependencies
-    - '{% ifversion ghes or ghae %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages{% endif %}'
-    - '{% ifversion ghes or ghae %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow{% endif %}'
-    - '{% ifversion ghes or ghae %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container{% endif %}'
+    - '{% ifversion ghes < 3.3 or ghae %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages{% endif %}'
+    - '{% ifversion ghes < 3.3 or ghae %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow{% endif %}'
+    - '{% ifversion ghes < 3.3 or ghae %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container{% endif %}'
 changelog:
  label: security-and-compliance
  versions:
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@ -2,7 +2,7 @@
 security_advisories:
  title: 'Fix and disclose a security vulnerability'
  description: 'Using repository security advisories to privately fix a reported vulnerability and get a CVE.'
-  featured_track: '{% ifversion fpt %}true{% else %}false{% endif %}'
+  featured_track: '{% ifversion fpt or ghec %}true{% else %}false{% endif %}'
  guides:
    - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
    - /code-security/repository-security-advisories/creating-a-repository-security-advisory
@ -13,32 +13,32 @@ security_advisories:
    - /code-security/repository-security-advisories/withdrawing-a-repository-security-advisory
    - /code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory

-# Feature available on dotcom and GHES
+# Feature available on dotcom and GHES 3.3+, so articles available on GHAE and earlier GHES hidden to hide the learning track
 dependabot_alerts:
  title: 'Get notifications for vulnerable dependencies'
  description: 'Set up Dependabot to alert you to new vulnerabilities in your dependencies.'
  guides:
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
-    - '{% ifversion not ghae %}/github/administering-a-repository/managing-repository-settings/managing-security-and-analysis-settings-for-your-repository{% endif %}'
+    - '{% ifversion fpt or ghec or ghes > 3.2 %}/github/administering-a-repository/managing-repository-settings/managing-security-and-analysis-settings-for-your-repository{% endif %}'
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/viewing-and-updating-vulnerable-dependencies-in-your-repository
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-notifications-for-vulnerable-dependencies
    - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-pull-requests-for-dependency-updates
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-the-detection-of-vulnerable-dependencies
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-dependabot-errors

-# Feature available only on dotcom, so articles available hidden to hide the learning track in other versions
+# Feature available on dotcom and GHES 3.3+, so articles available on GHAE and earlier GHES hidden to hide the learning track
 dependabot_security_updates:
  title: 'Get pull requests to update your vulnerable dependencies'
  description: 'Set up Dependabot to create pull requests when new vulnerabilities are reported.'
  guides:
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates
-    - '{% ifversion fpt %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-notifications-for-vulnerable-dependencies{% endif %}'
-    - '{% ifversion fpt %}/github/administering-a-repository/managing-repository-settings/managing-security-and-analysis-settings-for-your-repository{% endif %}'
+    - '{% ifversion fpt or ghec or ghes > 3.2 %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-notifications-for-vulnerable-dependencies{% endif %}'
+    - '{% ifversion fpt or ghec or ghes > 3.2 %}/github/administering-a-repository/managing-repository-settings/managing-security-and-analysis-settings-for-your-repository{% endif %}'
    - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-pull-requests-for-dependency-updates
-    - '{% ifversion fpt %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-the-detection-of-vulnerable-dependencies{% endif %}'
+    - '{% ifversion fpt or ghec or ghes > 3.2 %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-the-detection-of-vulnerable-dependencies{% endif %}'

-# Feature available only on dotcom
+# Feature available only on dotcom and GHES 3.3+
 dependency_version_updates:
  title: 'Keep your dependencies up-to-date'
  description: 'Use Dependabot to check for new releases and create pull requests to update your dependencies.'
@ -54,32 +54,34 @@ dependency_version_updates:
    - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-pull-requests-for-dependency-updates
    - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-dependabot-errors

-# Feature available in all versions from GHES 3.0 up
+# Feature available in GHEC, GHES 3.0 up, and GHAE. Feature limited on FPT so hidden there.
 secret_scanning:
  title: 'Scan for secrets'
  description: 'Set up secret scanning to guard against accidental check-ins of tokens, passwords, and other secrets to your repository.'
  guides:
-    - /code-security/secret-scanning/about-secret-scanning
-    - /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
-    - /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
-    - /code-security/secret-scanning/managing-alerts-from-secret-scanning
+    - '{% ifversion not fpt %}/code-security/secret-scanning/about-secret-scanning{% endif %}'
+    - '{% ifversion not fpt %}/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories{% endif %}'
+    - '{% ifversion not fpt %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning{% endif %}'
+    - '{% ifversion not fpt %}/code-security/secret-scanning/managing-alerts-from-secret-scanning{% endif %}'
+    - '{% ifversion not fpt %}/code-security/secret-scanning/secret-scanning-patterns{% endif %}'

-# Security overview feature available only on dotcom currently, so other articles hidden to hide the learning path in other versions
+# Security overview feature available in GHEC and GHES 3.2+, so other articles hidden to hide the learning path in other versions
 security_alerts:
  title: 'Explore and manage security alerts'
  description: 'Learn where to find and resolve security alerts.'
  guides:
-    - /code-security/security-overview/about-the-security-overview
-    - '{% ifversion fpt %}/code-security/secret-scanning/managing-alerts-from-secret-scanning {% endif %}'
-    - '{% ifversion fpt %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository{% endif %}'
-    - '{% ifversion fpt %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests{% endif %}'
-    - '{% ifversion fpt %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/viewing-and-updating-vulnerable-dependencies-in-your-repository{% endif %}'
+    - '{% ifversion ghec or ghes > 3.1 %}/code-security/security-overview/about-the-security-overview {% endif %}'
+    - '{% ifversion ghec or ghes > 3.1 %}/code-security/security-overview/viewing-the-security-overview {% endif %}'
+    - '{% ifversion ghec or ghes > 3.1 %}/code-security/secret-scanning/managing-alerts-from-secret-scanning {% endif %}'
+    - '{% ifversion ghec or ghes > 3.1 %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository{% endif %}'
+    - '{% ifversion ghec or ghes > 3.1 %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests{% endif %}'
+    - '{% ifversion ghec or ghes > 3.1 %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/viewing-and-updating-vulnerable-dependencies-in-your-repository{% endif %}'

 # Feature available in all versions from GHES 2.22 up
 code_security_actions:
  title: 'Run code scanning with GitHub Actions'
  description: 'Check your default branch and every pull request to keep vulnerabilities and errors out of your repository.'
-  featured_track: '{% ifversion ghae or ghes > 2.22 %}true{% else %}false{% endif %}'
+  featured_track: '{% ifversion ghae or ghes %}true{% else %}false{% endif %}'
  guides:
    - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
    - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
@ -106,6 +108,5 @@ code_security_ci:
    - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system
    - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system
    - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system
-    - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-runner-in-your-ci-system
-    - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-runner-in-your-ci-system
+    - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli
    - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/troubleshooting-codeql-runner-in-your-ci-system
--- a/data/product-examples/code-security/code-examples.yml
+++ b/data/product-examples/code-security/code-examples.yml
@ -19,9 +19,9 @@
    - GitHub Actions

 # Security policies
- title: Microsoft security policy
+- title: Microsoft security policy template
  description: Example security policy
-  href: /microsoft/microsoft.github.io/blob/master/SECURITY.MD
+  href: https://github.com/microsoft/repo-templates/blob/main/shared/SECURITY.md
  tags:
    - Security policy
 - title: Electron security policy
@ -50,8 +50,9 @@
  versions:
    fpt: '*'
    ghec: '*'
+    ghes: '>=3.3'

-# Dependabot configuration only relevant to GitHub.com
+# Dependabot configuration only relevant to GitHub.com and GHES 3.3+
 # Convert "languages" to "package-ecosystems" for Dependabot configurations
 - title: Super linter configuration
  description: Example Dependabot version updates configuration from the Super linter repository.
@ -69,6 +70,7 @@
  versions:
    fpt: '*'
    ghec: '*'
+    ghes: '>=3.3'

 - title: Dependabot version update PR
  description: Example pull request generated by the Dependabot version updates configuration in the Super linter repository.
@ -81,3 +83,4 @@
  versions:
    fpt: '*'
    ghec: '*'
+    ghes: '>=3.3'