From c822f53d93aca14b5a9ddc23d8e852c605f28be3 Mon Sep 17 00:00:00 2001 From: Sophie <29382425+sophietheking@users.noreply.github.com> Date: Fri, 23 Jan 2026 13:40:09 +0100 Subject: [PATCH 1/5] [EDI] Privately reporting a security vulnerability (#59256) --- ...-disclosure-of-security-vulnerabilities.md | 12 ++++++++- ...tely-reporting-a-security-vulnerability.md | 25 ++++--------------- 2 files changed, 16 insertions(+), 21 deletions(-) diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities.md index bf207bd74fc4..0643dc709ff4 100644 --- a/content/code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities.md +++ b/content/code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities.md 
@@ -80,7 +80,17 @@ The process for reporting and disclosing vulnerabilities for projects on {% data {% data reusables.security-advisory.private-vulnerability-reporting-enable %} - Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within {% data variables.product.prodname_dotcom %}, and in a way that immediately notifies the repository maintainers of the issue. For more information for security researchers and repository maintainers, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) and [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities), respectively. +Private vulnerability reporting provides a secure, structured way for security researchers to privately disclose security risks to repository maintainers directly within {% data variables.product.prodname_dotcom %}. When a vulnerability is reported, repository maintainers are immediately notified, allowing them to review and respond without the risk of premature public disclosure. + +Without clear guidance on how to contact maintainers, security researchers may feel forced to disclose vulnerabilities publicly, such as by posting on social media, opening public issues, or contacting maintainers through informal channels, which can expose users to unnecessary risk. Private vulnerability reporting helps avoid these situations by offering a dedicated, private reporting workflow. + +For security researchers, private vulnerability reporting offers: + +* Less frustration, and less time spent trying to figure out how to contact the maintainer. +* A smoother process for disclosing and discussing vulnerability details. 
+* The opportunity to discuss vulnerability details privately with the repository maintainer. + +For more information for security researchers and repository maintainers, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) and [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities), respectively. > [!NOTE] > If the repository containing the vulnerability doesn't have private vulnerability reporting enabled, both security researchers and repository maintainers need to follow the instructions described in the [Standard process](#standard-process) section above. diff --git a/content/code-security/how-tos/report-and-fix-vulnerabilities/report-a-vulnerability/privately-reporting-a-security-vulnerability.md b/content/code-security/how-tos/report-and-fix-vulnerabilities/report-a-vulnerability/privately-reporting-a-security-vulnerability.md index a6c27e6e046d..6f7a17d77546 100644 --- a/content/code-security/how-tos/report-and-fix-vulnerabilities/report-a-vulnerability/privately-reporting-a-security-vulnerability.md +++ b/content/code-security/how-tos/report-and-fix-vulnerabilities/report-a-vulnerability/privately-reporting-a-security-vulnerability.md 
@@ -18,28 +18,13 @@ redirect_from: {% data reusables.security-advisory.private-vulnerability-reporting-enable %} > [!NOTE] -> * If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). -> * The ability to privately report a vulnerability in a repository is not related to the presence of a `SECURITY.md` file in that repository's root or `docs` directory. -> * The `SECURITY.md` file contains the security policy for the repository. Repository administrators can add and use this file to provide _public_ instructions for how to report a security vulnerability in their repository. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository). -> * You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the `SECURITY.md` file. This reporting process is fully private, and {% data variables.product.prodname_dotcom %} notifies the repository administrators directly about your submission. +> * If you have admin or security permissions for a public repository, you don’t need to submit a vulnerability report. Instead, create a draft security advisory directly. See [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). +> * Private vulnerability reporting is separate from a repository’s `SECURITY.md` file. You can only report vulnerabilities privately for repositories where this feature is enabled, and you don’t need to follow the instructions in `SECURITY.md`. 
-## About privately reporting a security vulnerability +If a public repository has private vulnerability reporting enabled, anyone can submit a private vulnerability report to the repository maintainers. Users can also evaluate the general security of a public repository and suggest a security policy. See [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository). -Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details. - -Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to the repository maintainer using a simple form. - -For security researchers, the benefits of using private vulnerability reporting are: -* Less frustration, and less time spent trying to figure out how to contact the maintainer. -* A smoother process for disclosing and discussing vulnerability details. -* The opportunity to discuss vulnerability details privately with the repository maintainer. - -{% data reusables.security-advisory.private-vulnerability-reporting-disabled %} - -## Privately reporting a security vulnerability - -If a public repository has private vulnerability reporting enabled, anyone can privately report a security vulnerability to repository maintainers. Users can also evaluate the general security of a public repository and suggest a security policy. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository). 
+If the repository doesn't have private vulnerability reporting enabled, you need to initiate the reporting process by following the instructions in the security policy for the repository, or by creating an issue asking the maintainers for a preferred security contact. See [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github). {% data reusables.security-advisory.reporting-a-vulnerability-non-admin %} -The next steps depend on the action taken by the repository maintainer. For more information, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities). +The next steps depend on the action taken by the repository maintainer. See [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities). From f1eda4a83469484815305691d828427aed4ba914 Mon Sep 17 00:00:00 2001 From: Sophie <29382425+sophietheking@users.noreply.github.com> Date: Fri, 23 Jan 2026 15:38:58 +0100 Subject: [PATCH 2/5] [EDI] Viewing and updating Dependabot alerts (#59257) Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> --- .../viewing-and-updating-dependabot-alerts.md | 75 ++++++++----------- .../dependabot-alerts-filters.md | 19 +++++ .../reference/supply-chain-security/index.md | 2 + ...tems-and-manifests-for-dependency-scope.md | 19 +++++ 4 files changed, 71 insertions(+), 44 deletions(-) create mode 100644 content/code-security/reference/supply-chain-security/dependabot-alerts-filters.md create mode 100644 content/code-security/reference/supply-chain-security/supported-ecosystems-and-manifests-for-dependency-scope.md 
diff --git a/content/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts.md b/content/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts.md index 312bea82236f..8e2ff09b316d 100644 --- a/content/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts.md +++ b/content/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts.md 
@@ -27,81 +27,68 @@ topics: Your repository's {% data variables.product.prodname_dependabot_alerts %} tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). -You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). - ## About updates for vulnerable dependencies in your repository -{% data variables.product.github %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect that the default branch of your codebase is using dependencies with known security risks. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.github %} detects a vulnerable dependency in the default branch, {% data variables.product.prodname_dependabot %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability. - -{% data reusables.dependabot.no-dependabot-alerts-for-malware %} - Each {% data variables.product.prodname_dependabot %} alert has a unique numeric identifier and the {% data variables.product.prodname_dependabot_alerts %} tab lists an alert for every detected vulnerability. 
Legacy {% data variables.product.prodname_dependabot_alerts %} grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy {% data variables.product.prodname_dependabot %} alert, you will be redirected to a {% data variables.product.prodname_dependabot_alerts %} tab filtered for that package. -You can filter and sort {% data variables.product.prodname_dependabot_alerts %} using a variety of filters and sort options available on the user interface. For more information, see [Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts) below. +You can filter and sort {% data variables.product.prodname_dependabot_alerts %} using a variety of filters and sort options available on the user interface. For more information, see [Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %}](#viewing-and-prioritizing-dependabot-alerts) below. You can also audit actions taken in response to {% data variables.product.prodname_dependabot %} alerts. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). -## Prioritizing {% data variables.product.prodname_dependabot_alerts %} +## Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %} -{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert. 
-You can also use {% data variables.dependabot.auto_triage_rules %} to prioritize {% data variables.product.prodname_dependabot_alerts %}. For more information, see “[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).” +You can view, sort, and filter {% data variables.product.prodname_dependabot_alerts %} to focus on the alerts that matter most. -{% data reusables.dependabot.dependabot-alerts-filters %} +By default, alerts are sorted by **Most important**, which helps you prioritize fixes based on factors such as potential impact, actionability, and relevance. This prioritization is continuously improved and considers signals like CVSS score, dependency scope, and whether vulnerable function calls are detected. -In addition to the filters available via the search bar, you can sort and filter {% data variables.product.prodname_dependabot_alerts %} using the dropdown menus at the top of the alert list. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. +{% data reusables.dependabot.where-to-view-dependabot-alerts %} -The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for `yaml.load() API could execute arbitrary code` will return {% data variables.product.prodname_dependabot_alerts %} linked to [PyYAML insecurely deserializes YAML strings leading to arbitrary code execution](https://github.com/advisories/GHSA-rprw-h62v-c2w7) as the search string appears in the advisory description. 
+{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.sidebar-dependabot-alerts %} -![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png) +1. Optionally, refine the list of alerts: + * Use the dropdown menus at the top of the list to sort or filter alerts. -You can also use the REST API to get a list of {% data variables.product.prodname_dependabot_alerts %} sorted using your filter of choice, for your repository, organization, or enterprise. For more information about API endpoints, see [AUTOTITLE](/rest/dependabot/alerts). + ![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png) -## Supported ecosystems and manifests for dependency scope + * Type directly in the search bar to filter alerts, including full-text search across alert details and related security advisories. + * Click a label on an alert to automatically filter the list by that label. + * To identify alerts that affect development dependencies, filter by the `scope:development` filter or look for alerts labeled "Development". This can help you prioritize alerts that affect production dependencies first. -{% data reusables.dependabot.dependabot-alerts-dependency-scope %} + ![Screenshot showing the "Development" label assigned to an alert in the list of alerts.](/assets/images/help/repository/dependabot-alerts-development-label.png) -Alerts for packages listed as development dependencies are marked with the `Development` label on the {% data variables.product.prodname_dependabot_alerts %} page and are also available for filtering via the `scope` filter. +1. Click an alert to view its details. 
Alerts for development-scoped dependencies include a "Development" label in the "Tags" section on the alert details page. -![Screenshot showing the "Development" label assigned to an alert in the list of alerts. The label is highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-development-label.png) + ![Screenshot showing the "Tags" section in the alert details page.](/assets/images/help/repository/dependabot-alerts-tags-section.png) -The alert details page of alerts on development-scoped packages shows a "Tags" section containing a `Development` label. +1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). -![Screenshot showing the "Tags" section in the alert details page. The label is highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-tags-section.png) +### Tips for prioritizing alerts -## Viewing {% data variables.product.prodname_dependabot_alerts %} +* Use the **Most important** sort order to focus on alerts with the highest potential impact. +* Prioritize alerts that affect production dependencies over development dependencies. +* Use {% data variables.dependabot.auto_triage_rules %} to automatically prioritize or manage alerts. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules). -{% data reusables.dependabot.where-to-view-dependabot-alerts %} You can sort and filter {% data variables.product.prodname_dependabot_alerts %} by selecting a filter from the dropdown menu. 
+For more information about supported ecosystems and manifest files for dependency scope, see [AUTOTITLE](/code-security/reference/supply-chain-security/supported-ecosystems-and-manifests-for-dependency-scope). -To view summaries of alerts for all or a subset of repositories owned by your organization, use security overview. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview#about-security-overview-for-organizations). +For a complete list of available filters, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-alerts-filters). -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -{% data reusables.repositories.sidebar-dependabot-alerts %} -1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. For more information about filtering and sorting alerts, see [Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts). - - ![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab.](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png) -1. Click the alert that you would like to view. -1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). 
- - ![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory...", is outlined in orange.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png) +To retrieve alerts programmatically, see the [AUTOTITLE](/rest/dependabot/alerts). ## Reviewing and fixing alerts -It’s important to ensure that all of your dependencies are clean of any security weaknesses. When {% data variables.product.prodname_dependabot %} discovers vulnerabilities in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application. - -If a patched version of the dependency is available, you can generate a {% data variables.product.prodname_dependabot %} pull request to update this dependency directly from a {% data variables.product.prodname_dependabot %} alert. If you have {% data variables.product.prodname_dependabot_security_updates %} enabled, the pull request may be linked in the {% data variables.product.prodname_dependabot %} alert. - -In cases where a patched version is not available, or you can’t update to the secure version, {% data variables.product.prodname_dependabot %} shares additional information to help you determine next steps. When you click through to view a {% data variables.product.prodname_dependabot %} alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory. 
- {% ifversion copilot-chat-ghas-alerts %} With a {% data variables.copilot.copilot_enterprise %} license, you can also ask {% data variables.copilot.copilot_chat %} for help to better understand {% data variables.product.prodname_dependabot_alerts %} in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features). {% endif %} +You can review the details of a {% data variables.product.prodname_dependabot %} alert to understand the vulnerability and how to fix it. + ### Fixing vulnerable dependencies -1. View the details for an alert. For more information, see [Viewing {% data variables.product.prodname_dependabot_alerts %}](#viewing-dependabot-alerts) (above). +1. View the details for an alert. For more information, see [Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %}](#viewing-and-prioritizing-dependabot-alerts) (above). 1. If you have {% data variables.product.prodname_dependabot_security_updates %} enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click **Create {% data variables.product.prodname_dependabot %} security update** at the top of the alert details page to create a pull request. ![Screenshot of a {% data variables.product.prodname_dependabot %} alert with the "Create {% data variables.product.prodname_dependabot %} security update" button highlighted with a dark orange outline.](/assets/images/help/repository/create-dependabot-security-update-button-ungrouped.png) 
@@ -118,7 +105,7 @@ With a {% data variables.copilot.copilot_enterprise %} license, you can also ask If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear. -1. View the details for an alert. For more information, see [Viewing vulnerable dependencies](#viewing-dependabot-alerts) (above). +1. [Viewing and prioritizing {% data variables.product.prodname_dependabot_alerts %}](#viewing-and-prioritizing-dependabot-alerts) (above). 1. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later. 1. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the `dismissComment` field. For more information, see [AUTOTITLE](/graphql/reference/objects#repositoryvulnerabilityalert) in the GraphQL API documentation. 
@@ -128,7 +115,7 @@ If you schedule extensive work to upgrade a dependency, or decide that an alert ### Dismissing multiple alerts at once -1. View the open {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-dependabot-alerts). +1. View the open {% data variables.product.prodname_dependabot_alerts %}. 1. Optionally, filter the list of alerts by selecting a dropdown menu, then clicking the filter that you would like to apply. You can also type filters into the search bar. 1. To the left of each alert title, select the alerts that you want to dismiss. ![Screenshot of the {% data variables.product.prodname_dependabot_alerts %} view. Two alerts are selected and these check boxes are highlighted with an orange outline.](/assets/images/help/graphs/select-multiple-alerts.png) @@ -155,7 +142,7 @@ You can view all open alerts, and you can reopen alerts that have been previousl ### Reopening multiple alerts at once -1. View the closed {% data variables.product.prodname_dependabot_alerts %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-updating-closed-alerts) (above). +1. View the closed {% data variables.product.prodname_dependabot_alerts %}. 1. To the left of each alert title, select the alerts that you want to reopen by clicking the checkbox adjacent to each alert. 1. Optionally, at the top of the list of alerts, select all closed alerts on the page. ![Screenshot of alerts in the "Closed" tab. The "Select all" checkbox is highlighted with a dark orange outline.](/assets/images/help/graphs/select-all-closed-alerts.png) diff --git a/content/code-security/reference/supply-chain-security/dependabot-alerts-filters.md b/content/code-security/reference/supply-chain-security/dependabot-alerts-filters.md new file mode 100644 index 000000000000..243054efc3d0 
--- /dev/null +++ b/content/code-security/reference/supply-chain-security/dependabot-alerts-filters.md @@ -0,0 +1,19 @@ +--- +title: Dependabot alert filters +intro: '{% data variables.product.prodname_dependabot_alerts %} filters help you prioritize and manage alerts for vulnerable dependencies in your repositories.' +allowTitleToDifferFromFilename: true +versions: + fpt: '*' + ghec: '*' + ghes: '*' +topics: + - Dependabot + - Version updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Dependabot alerts filters +contentType: reference +--- + +{% data reusables.dependabot.dependabot-alerts-filters %} \ No newline at end of file diff --git a/content/code-security/reference/supply-chain-security/index.md b/content/code-security/reference/supply-chain-security/index.md index ae76a0c1db82..e22da354e832 100644 --- a/content/code-security/reference/supply-chain-security/index.md +++ b/content/code-security/reference/supply-chain-security/index.md @@ -18,6 +18,8 @@ topics: contentType: reference children: - /dependabot-options-reference + - /dependabot-alerts-filters + - /supported-ecosystems-and-manifests-for-dependency-scope - /dependabot-pull-request-comment-commands - /supported-ecosystems-and-repositories - /dependency-graph-supported-package-ecosystems diff --git a/content/code-security/reference/supply-chain-security/supported-ecosystems-and-manifests-for-dependency-scope.md b/content/code-security/reference/supply-chain-security/supported-ecosystems-and-manifests-for-dependency-scope.md new file mode 100644 index 000000000000..a58b4fa177b2 --- /dev/null +++ b/content/code-security/reference/supply-chain-security/supported-ecosystems-and-manifests-for-dependency-scope.md 
@@ -0,0 +1,19 @@ +--- +title: Supported ecosystems and manifests for dependency scope +intro: '{% data variables.product.prodname_dependabot_alerts %} supports a variety of ecosystems and manifests for dependency scope.' +allowTitleToDifferFromFilename: true +versions: + fpt: '*' + ghec: '*' + ghes: '*' +topics: + - Dependabot + - Version updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Dependency scope +contentType: reference +--- + +{% data reusables.dependabot.dependabot-alerts-dependency-scope %} From 714525a3c13d6177c3ea9be0667671935e760548 Mon Sep 17 00:00:00 2001 From: Sophie <29382425+sophietheking@users.noreply.github.com> Date: Fri, 23 Jan 2026 15:52:42 +0100 Subject: [PATCH 3/5] [EDI] Setting up the CodeQL CLI (#59263) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> --- .../setting-up-the-codeql-cli.md | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli.md index 8b93cd1271e1..e467dd16343a 100644 --- a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli.md +++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli.md 
@@ -25,17 +25,16 @@ contentType: how-tos {% data reusables.code-scanning.codeql-cli-version-ghes %} -To run {% data variables.product.prodname_codeql %} commands, you need to set up the CLI so that it can access -the tools, queries, and libraries required to create and analyze databases. +To run {% data variables.product.prodname_codeql %} commands, you need to set up the {% data variables.product.prodname_codeql_cli %} so that it can access the tools, queries, and libraries required to create and analyze databases. -The {% data variables.product.prodname_codeql_cli %} can be set up to support many different use cases and directory structures. To get started quickly, we recommend adopting a relatively simple setup, as outlined in the steps below. +The {% data variables.product.prodname_codeql_cli %} supports a range of use cases and directory structures. This article walks through a simple setup that works for most users and environments. -If you plan to use the {% data variables.product.prodname_codeql_cli %} for security research or to test or contribute queries, you may want a more advanced setup of {% data variables.product.prodname_codeql_cli %}. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli). +If you plan to use the {% data variables.product.prodname_codeql_cli %} for security research or to test or contribute queries, you may need a more advanced setup. For more information, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/advanced-setup-of-the-codeql-cli). -If you are setting up the {% data variables.product.prodname_codeql_cli %} in your CI system, you need to make the full contents of the {% data variables.product.prodname_codeql_cli %} bundle available to every CI server that you want to run {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} analysis on. 
For example, you might configure each server to copy the bundle from a central, internal location and extract it. Alternatively, you could use the REST API to get the bundle directly from {% data variables.product.prodname_dotcom %}, ensuring that you benefit from the latest improvements to queries. For more information, see [AUTOTITLE](/rest/releases) in the REST API documentation. +### Before you begin If you are using macOS on Apple Silicon (for example, Apple M1), ensure that the [Xcode command-line developer -tools](https://developer.apple.com/downloads/index.action) and [Rosetta 2](https://support.apple.com/en-us/HT211861) are installed. +tools](https://developer.apple.com/library/archive/technotes/tn2339/_index.html) and [Rosetta 2](https://support.apple.com/en-us/HT211861) are installed. > [!NOTE] > The {% data variables.product.prodname_codeql_cli %} is currently not compatible with non-glibc Linux distributions such as (muslc-based) Alpine Linux. @@ -48,6 +47,15 @@ tools](https://developer.apple.com/downloads/index.action) and [Rosetta 2](https Extract the {% data variables.product.prodname_codeql_cli %} tar archive to a directory of your choosing. +### Optional: Make the {% data variables.product.prodname_codeql_cli %} available in your CI system + +If you plan to run {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} analysis in a CI system, ensure that the full contents of the {% data variables.product.prodname_codeql_cli %} bundle are available to every CI server that will run analysis. + +For example, you can: + +* Copy the bundle from a central internal location and extract it on each server, or +* Use the REST API to download the bundle directly from {% data variables.product.prodname_dotcom %}, ensuring that you receive the latest improvements to queries. For more information, see [AUTOTITLE](/rest/releases). + ### 3. Launch `codeql` {% data reusables.codeql-cli.launch-codeql %} 
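Review bot: the new "### Optional: Make the CodeQL CLI available in your CI system" section in the second hunk is inserted between step 2 (extracting the tar archive) and "### 3. Launch `codeql`", so a reader following the numbered steps hits an optional CI aside mid-procedure; move it after the last numbered step, or keep the CI paragraph in the intro where the first hunk removes it. In the same section, the REST API bullet promises "the latest improvements to queries", but the `codeql-cli-version-ghes` reusable at the top of the first hunk appears to tie the CLI version to the GHES release, so the bullet should say to fetch the release that matches your server and to extract that same pinned bundle on every CI server, not whatever is latest.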
From 828f8088571b0e0530df04894454ef4dd08e9f3c Mon Sep 17 00:00:00 2001 From: Sam Browning <106113886+sabrowning1@users.noreply.github.com> Date: Fri, 23 Jan 2026 09:59:58 -0500 Subject: [PATCH 4/5] EDI-fy "Working with push protection from the command line" (#59216) --- ...ut-delegated-bypass-for-push-protection.md | 6 +-- .../concepts/secret-security/index.md | 1 + .../push-protection-from-the-command-line.md | 31 +++++++++++++ ...h-push-protection-from-the-command-line.md | 46 ++----------------- 4 files changed, 39 insertions(+), 45 deletions(-) create mode 100644 content/code-security/concepts/secret-security/push-protection-from-the-command-line.md diff --git a/content/code-security/concepts/secret-security/about-delegated-bypass-for-push-protection.md b/content/code-security/concepts/secret-security/about-delegated-bypass-for-push-protection.md index 6f138c5f0ccf..ca6af2750419 100644 --- a/content/code-security/concepts/secret-security/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/concepts/secret-security/about-delegated-bypass-for-push-protection.md @@ -18,10 +18,10 @@ redirect_from: contentType: concepts --- -## About delegated bypass for push protection - {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} +## About delegated bypass for push protection + When push protection is enabled for a repository, users with write access can bypass push protection and push a secret if they provide a reason and the bypass is approved. With delegated bypass for push protection, you can: 
@@ -33,7 +33,7 @@ With delegated bypass for push protection, you can: To set up delegated bypass, organization owners or repository administrators create a list of users with bypass privileges. This designated list of users can then: * Bypass push protection, by specifying a reason for bypassing the block. -* Manage (approve or deny) bypass requests coming from all other contributors. These requests are located in the "Push protection bypass" page in the **Security** tab of the repository. +* Manage (approve or deny) bypass requests coming from all other contributors. These requests are located in the "Push protection bypass" page in the **Security** tab of the repository, and will expire after 7 days. The following types of users can always bypass push protection without having to request bypass privileges: * Organization owners diff --git a/content/code-security/concepts/secret-security/index.md b/content/code-security/concepts/secret-security/index.md index 902f61dc8e0b..b10b39ae64eb 100644 --- a/content/code-security/concepts/secret-security/index.md +++ b/content/code-security/concepts/secret-security/index.md @@ -18,6 +18,7 @@ children: - /about-delegated-bypass-for-push-protection - /about-secret-scanning-for-partners - /github-secret-types + - /push-protection-from-the-command-line - /working-with-push-protection-and-the-github-mcp-server - /working-with-push-protection-from-the-rest-api redirect_from: diff --git a/content/code-security/concepts/secret-security/push-protection-from-the-command-line.md b/content/code-security/concepts/secret-security/push-protection-from-the-command-line.md new file mode 100644 index 000000000000..b236334068c3 --- /dev/null +++ b/content/code-security/concepts/secret-security/push-protection-from-the-command-line.md 
@@ -0,0 +1,31 @@ +--- +title: Push protection from the command line +shortTitle: Command line protection +intro: Understand how {% data variables.product.github %} uses push protection to prevent secret leaks from the command line. +permissions: '{% data reusables.permissions.push-protection-resolve-block %}' +versions: + fpt: '*' + ghes: '*' + ghec: '*' +topics: + - Secret scanning + - Secret Protection + - Alerts + - Repositories +contentType: concepts +--- + +Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets. + +When you attempt to push a supported secret from the command line to a repository secured by push protection, {% data variables.product.prodname_dotcom %} will block the push. + +You should either: + +* **Remove** the secret from your branch. For more information, see [Resolving a blocked push](/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/working-with-push-protection-from-the-command-line#resolving-a-blocked-push). +* **Follow a provided URL** to see what options are available to you to allow the push. For more information, see [Bypassing push protection](/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/working-with-push-protection-from-the-command-line#bypassing-push-protection) and [Requesting bypass privileges](/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/working-with-push-protection-from-the-command-line#requesting-bypass-privileges). + +Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. + +If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. 
For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository). + +{% data reusables.secret-scanning.push-protection-multiple-branch-note %} diff --git a/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/working-with-push-protection-from-the-command-line.md b/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/working-with-push-protection-from-the-command-line.md index 672174ddf74c..0d0fabb82967 100644 --- a/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/working-with-push-protection-from-the-command-line.md +++ b/content/code-security/how-tos/secure-your-secrets/work-with-leak-prevention/working-with-push-protection-from-the-command-line.md 
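Review bot: the new concept page's second bullet says to "Follow a provided URL to see what options are available to you to allow the push", but it never says that a direct bypass may not be offered at all, which is the case this same patch describes in about-delegated-bypass-for-push-protection.md (write-access users bypass only "if they provide a reason and the bypass is approved") and which the how-to loses later in the patch when its sentence about administrators configuring tighter controls is dropped. Add one sentence here stating that whether you can bypass directly, request bypass privileges, or only remove the secret depends on how the repository or organization has configured push protection.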
@@ -17,43 +17,20 @@ redirect_from: - /code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line --- -## About push protection from the command line - -Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets. - -When you attempt to push a supported secret from the command line to a repository secured by push protection, {% data variables.product.prodname_dotcom %} will block the push. - -You should either: - -* **Remove** the secret from your branch. For more information, see [Resolving a blocked push](#resolving-a-blocked-push). -* **Follow a provided URL** to see what options are available to you to allow the push. For more information, see [Bypassing push protection](#bypassing-push-protection) and [Requesting bypass privileges](#requesting-bypass-privileges). - -Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. - -If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository). - -{% data reusables.secret-scanning.push-protection-multiple-branch-note %} - ## Resolving a blocked push To resolve a blocked push, you must remove the secret from all of the commits it appears in. 
* If the secret was introduced by your latest commit, see [Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch). * If the secret appears in earlier commits, see [Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch). ->[!NOTE] To learn how to resolved a blocked commit in the {% data variables.product.prodname_dotcom %} UI, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit). - ### Removing a secret introduced by the latest commit on your branch -If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below. - 1. Remove the secret from your code. 1. To commit the changes, run `git commit --amend --all`. This updates the original commit that introduced the secret instead of creating a new commit. 1. Push your changes with `git push`. ### Removing a secret introduced by an earlier commit on your branch -You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase. - 1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret. ```text 
@@ -121,13 +98,7 @@ You can also remove the secret if the secret appears in an earlier commit in the ## Bypassing push protection -If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you may be able to bypass the block by specifying a reason for allowing the secret to be pushed. - -{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} - -{% data reusables.secret-scanning.push-protection-allow-email %} - -If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see [Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges). +> [!NOTE] If you don't see the option to bypass a block, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. See [Requesting bypass privileges](#requesting-bypass-privileges). {% data reusables.secret-scanning.push-protection-visit-URL %} {% data reusables.secret-scanning.push-protection-choose-allow-secret-options %} 
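Review bot: the reusables `push-protection-allow-secrets-alerts` and `push-protection-allow-email` removed from the "Bypassing push protection" hunk are not re-added in the new push-protection-from-the-command-line.md concept page earlier in this patch, so neither page now tells the user what allowing a secret does beyond letting the push through. If those reusables describe the alert and the notification that result from a bypass, they belong in the concept page next to the "Follow a provided URL" bullet, or should stay here beside the `push-protection-choose-allow-secret-options` step rather than be dropped.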
@@ -137,22 +108,13 @@ If you don't see the option to bypass the block, the repository administrator or ## Requesting bypass privileges -{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} - -If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request. - -Requests expire after 7 days. - {% data reusables.secret-scanning.push-protection-visit-URL %} {% data reusables.secret-scanning.push-protection-bypass-request-add-comment %} {% data reusables.secret-scanning.push-protection-submit-bypass-request %} -{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} - -{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} - -If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. +{% data reusables.secret-scanning.push-protection-bypass-request-check-email %} {% data reusables.secret-scanning.push-protection-bypass-request-decision-email %} -If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see [Resolving a blocked push](#resolving-a-blocked-push). + * If your request is **approved**, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret. + * If your request is **denied**, you need to remove the secret from all commits before pushing again. For information on how to remove a blocked secret, see [Resolving a blocked push](#resolving-a-blocked-push). ## Further reading From 7809435a83dd3c1d31bfaf164b7c27150abd95b0 Mon Sep 17 00:00:00 2001 
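Review bot: in the "Requesting bypass privileges" hunk, `push-protection-bypass-request-check-email` and `push-protection-bypass-request-decision-email` are joined on one line with a single space; if either reusable is a numbered step or a full paragraph, the second will render inside the first, and the two `* If your request is ...` bullets that follow (indented by one space before `*`) will attach to whichever item precedes them. Keep each reusable on its own line as before and indent the bullets the way the rest of the list does, or fold the two outcomes into the decision reusable itself.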
From: Sophie <29382425+sophietheking@users.noreply.github.com> Date: Fri, 23 Jan 2026 16:06:40 +0100 Subject: [PATCH 5/5] [EDI] Adding a security policy to your repository (#59264) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- ...ng-a-security-policy-to-your-repository.md | 24 +------------------ ...reating-a-default-community-health-file.md | 15 +++++++++++- 2 files changed, 15 insertions(+), 24 deletions(-) diff --git a/content/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/adding-a-security-policy-to-your-repository.md b/content/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/adding-a-security-policy-to-your-repository.md index 4ca994c9b7c4..e6ba034338e3 100644 --- a/content/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/adding-a-security-policy-to-your-repository.md +++ b/content/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/adding-a-security-policy-to-your-repository.md 
@@ -20,29 +20,6 @@ topics: shortTitle: Add a security policy --- -## About security policies - -To give people instructions for reporting security vulnerabilities in your project, you can add a `SECURITY.md` file to your repository's root, `docs`, or `.github` folder. Adding this file to this part(s) of your repository automatically creates a row with a description where people can review it. When someone creates an issue in your repository, they will see a link to your project's security policy. - -You can create a default security policy for your organization or personal account. For more information, see [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file). - -> [!TIP] -> To help people find your security policy, you can link to your `SECURITY.md` file from other places in your repository, such as your `README` file. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes). - -{% ifversion fpt or ghec %} -After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github). For more information about repository security advisories, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). 
- -{% data reusables.repositories.github-security-lab %} -{% endif %} -{% ifversion ghes %} - -By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel. -{% endif %} - -For an example of a real `SECURITY.md` file, see [https://github.com/electron/electron/blob/main/SECURITY.md](https://github.com/electron/electron/blob/main/SECURITY.md). - -## Adding a security policy to your repository - {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} 1. In the left sidebar, under "Reporting", click **{% octicon "law" aria-hidden="true" aria-label="law" %} Policy**. @@ -55,6 +32,7 @@ For an example of a real `SECURITY.md` file, see [https://github.com/electron/el ## Further reading +* [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file) * [AUTOTITLE](/code-security/getting-started/securing-your-repository) * [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions){% ifversion fpt or ghec %} * [{% data variables.product.prodname_security %}]({% data variables.product.prodname_security_link %}){% endif %} diff --git a/content/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file.md b/content/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file.md index fec470812352..73364497072b 100644 --- a/content/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file.md +++ b/content/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file.md 
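Review bot: the first hunk removes the only sentence that says what the "Policy" button creates, a `SECURITY.md` file in the repository root, `docs` or `.github` folder that GitHub then links from every new issue, together with the tip about linking it from the README. Nothing else in this patch carries those two facts to the community-health page, so a reader of the how-to now sees only the click path. Keep at least that first sentence above the steps, and move the tip with it.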
@@ -26,7 +26,7 @@ You can add default community health files to a **public**{% ifversion ghec or g If no corresponding file is found in the current repository, {% data variables.product.github %} will use the default file from the `.github` repository, following the same order of precedence. -**Note:** The `.github` repository must be **public**{% ifversion ghec or ghes %} or **internal**{% endif %} for templates to be applied organization-wide. Private `.github` repositories are not supported. +>[!NOTE] The `.github` repository must be **public**{% ifversion ghec or ghes %} or **internal**{% endif %} for templates to be applied organization-wide. Private `.github` repositories are not supported. For example, anyone who creates an issue or pull request in a repository that does not have its own `CONTRIBUTING.md` file will see a link to the default `CONTRIBUTING.md` from the `.github` repository. However, if a repository has any files in its own `.github/ISSUE_TEMPLATE` folder, such as issue templates or a `_config.yml` file, none of the contents of the default `.github/ISSUE_TEMPLATE` folder will be used. This allows repository maintainers to override the default files with specific templates or content on per-repository basis. 
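Review bot: `>[!NOTE] The ...` in this hunk puts the alert text on the marker line with no space after `>`; the unchanged context in setting-up-the-codeql-cli.md earlier in this series uses `> [!NOTE]` followed by the text on its own `> ` line, and the push-protection how-to in the previous patch adds `> [!NOTE] ...` with a space. Pick one form for the series; the two-line form is the one the existing page already uses.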
@@ -38,6 +38,19 @@ As a repository maintainer, you can use the community standards checklist to see {% endif %} +## About security policies + +{% ifversion fpt or ghec %} +After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github). For more information about repository security advisories, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories). +{% endif %} + +{% ifversion ghes %} + +By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel. +{% endif %} + +For an example of a real `SECURITY.md` file, see [https://github.com/electron/electron/blob/main/SECURITY.md](https://github.com/electron/electron/blob/main/SECURITY.md). + ## Supported file types You can create defaults in your organization or personal account for the following community health files:
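Review bot: the new "## About security policies" section opens with "After someone reports a security vulnerability in your project..." and never says that a security policy is the `SECURITY.md` file or how it relates to the default community health files this page is about, so the heading promises a definition the section does not give; start it with one sentence stating that `SECURITY.md` can be supplied as a default file for an organization or personal account (the paragraph removed from the how-to in this same patch said exactly that) and that it is what the repository-level Policy button creates. The `github-security-lab` reusable that sat in the removed section was also not carried over; drop it deliberately or add it back inside the `fpt or ghec` branch. Minor: the `{% ifversion ghes %}` block has a blank line after the opening tag while the `fpt or ghec` block does not.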