diff --git a/CHANGELOG.md b/CHANGELOG.md
index 746e17df9b4e..4f1fd0187a32 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@ # Docs changelog
+**20 January 2026**
+
+We published the first iteration of the [GitHub Copilot feature matrix](https://docs.github.com/en/copilot/reference/copilot-feature-matrix) to provide customers with the latest information about which Copilot features are available by which IDE/version.
+
+Historically, keeping Copilot feature and IDE availability up to date has required manual coordination with the Docs team, which does not scale well with the increasing number of features. The goal of this document and its process is to enable product owners to directly maintain the Copilot feature and IDE availability information as part of their normal release workflow. The feature matrix provides a single, easy to update source of truth.
+
+The feature matrix is in public preview so that customers have time to gather and submit feedback to us.
+
+ **16 January 2026** The following new articles support the public preview release of Copilot Memory:
diff --git a/content/billing/concepts/product-billing/github-copilot-licenses.md b/content/billing/concepts/product-billing/github-copilot-licenses.md
index 21d8bc691652..401115bd1b36 100644
--- a/content/billing/concepts/product-billing/github-copilot-licenses.md
+++ b/content/billing/concepts/product-billing/github-copilot-licenses.md
@@ -47,6 +47,7 @@ There are several ways to use {% data variables.product.prodname_copilot_short %
* You must choose a monthly or yearly billing cycle and provide a payment method.
* If you do not cancel before the end of the trial, it automatically converts to a paid plan.
* You can cancel any time during the 30 days. If you cancel, you will not be charged and will keep access until the trial ends.
+* Free trials are limited to three per payment method. Additional trials will continue as paid subscriptions.
### Educational and open source benefits
diff --git a/content/billing/how-tos/index.md b/content/billing/how-tos/index.md
index d50f3156300c..d5993f36b042 100644
--- a/content/billing/how-tos/index.md
+++ b/content/billing/how-tos/index.md
@@ -11,6 +11,7 @@ topics: children: - /set-up-payment - /manage-plan-and-licenses + - /set-up-budgets - /products - /manage-server-licenses - /pay-third-parties
diff --git a/content/billing/tutorials/set-up-budgets.md b/content/billing/how-tos/set-up-budgets.md
similarity index 96%
rename from content/billing/tutorials/set-up-budgets.md
rename to content/billing/how-tos/set-up-budgets.md
index 2522688bd8ec..0e35e75aa98b 100644
--- a/content/billing/tutorials/set-up-budgets.md
+++ b/content/billing/how-tos/set-up-budgets.md
@@ -19,6 +19,7 @@ redirect_from: - /billing/managing-billing-for-github-packages/managing-your-spending-limit-for-github-packages - /billing/managing-billing-for-your-products/managing-billing-for-github-packages/managing-your-spending-limit-for-github-packages - /billing/managing-your-billing/using-budgets-control-spending + - /billing/tutorials/set-up-budgets topics: - Billing - Enterprise
@@ -27,14 +28,14 @@ topics: - User account permissions: '{% data reusables.permissions.enhanced-billing-platform %}' shortTitle: Set up budgets
-contentType: tutorials
+contentType: how-tos
--- Budgets help you track and control spending on different products. To learn more, see [AUTOTITLE](/billing/concepts/budgets-and-alerts).
-## Deciding on the type and scope for a budget
+## Plan your budget type and scope
-When deciding on the type and scope for a budget, remember that the use of metered products is applied towards **all applicable** budgets. If any applicable budget with "Stop usage when budget limit is reached" enabled is exhausted, additional usage is blocked.
+Before you create a budget, it’s important to understand how budget types and scopes interact. Usage of metered products can count toward multiple applicable budgets at the same time, and if any budget with **Stop usage when budget limit is reached** enabled is exhausted, additional usage is blocked.
![Screenshot of budgets for "octo-org": "Actions" budget is $50 and "Actions Linux 96-core" budget is $100. All the "Actions" budget has been used.](/assets/images/help/billing/org-budget-example.png)
diff --git a/content/billing/tutorials/index.md b/content/billing/tutorials/index.md
index 41d0660f0ed7..5258361ed4c1 100644
--- a/content/billing/tutorials/index.md
+++ b/content/billing/tutorials/index.md
@@ -11,10 +11,10 @@ topics: children: - /automate-usage-reporting - /soft-budgets - - /set-up-budgets - /control-costs-at-scale - /gather-insights contentType: tutorials redirect_from: - /billing/tutorials/estimate-actions-costs --- +
diff --git a/content/code-security/concepts/code-scanning/about-code-scanning.md b/content/code-security/concepts/code-scanning/about-code-scanning.md
index 5689db53cc42..96cd5cbc74da 100644
--- a/content/code-security/concepts/code-scanning/about-code-scanning.md
+++ b/content/code-security/concepts/code-scanning/about-code-scanning.md
@@ -36,7 +36,7 @@ If {% data variables.product.prodname_code_scanning %} finds a potential vulnera
{% endif %}
To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see
-[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert). For information about API endpoints, see [AUTOTITLE](/rest/code-scanning).
+[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert). For information about API endpoints, see [AUTOTITLE](/rest/code-scanning/code-scanning).
{% ifversion fpt or ghec %}
diff --git a/content/code-security/concepts/security-at-scale/about-security-overview.md b/content/code-security/concepts/security-at-scale/about-security-overview.md
index 69d0d9af7264..b884eb39f4ff 100644
--- a/content/code-security/concepts/security-at-scale/about-security-overview.md
+++ b/content/code-security/concepts/security-at-scale/about-security-overview.md
@@ -73,7 +73,7 @@ There are dedicated views for each type of security alert. You can limit your an
The application security team at your company can use the different views for both broad and specific analyses of your organization's security status. For example, the team can use the "Overview" dashboard view to track your organization's security landscape and progression. {% ifversion pre-security-configurations %}You can also use security overview to find a set of repositories and enable or disable security features for them all at the same time. For more information, see [AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories).{% endif %}
-You can find security overview on the **Security** tab for any organization. Each view shows a summary of the data that you have access to. As you add filters, all data and metrics across the view change to reflect the repositories or alerts that you've selected. For information about permissions, see [Permission to view data in security overview](#permission-to-view-data-in-security-overview).
+You can find security overview on the **Security** tab for any organization. Each view shows a summary of the data that you have access to. As you add filters, all data and metrics across the view change to reflect the repositories or alerts that you've selected. Security overview has multiple views that provide different ways to explore enablement and alert data.
@@ -97,49 +97,19 @@ You can find security overview on the **Security** tab for your enterprise. Each
As with security overview for organizations, security overview for enterprises has multiple views that provide different ways to explore data.
-For information about permissions, see [Permission to view data in security overview](#permission-to-view-data-in-security-overview).
+## Access to data in security overview
-## Permission to view data in security overview
+What you can see in security overview depends on your role and permissions in the organization or enterprise.
-### Organization-level overview
+In general:
-If you are an **owner or security manager** for an organization, you can see data for all the repositories in the organization in all views.
+* **Organization owners and security managers** can view security data across all repositories in their organization.
+* **Organization members** can view data only for repositories where they have access to security alerts.
+* **Enterprise owners** can view aggregated security data in the enterprise-level security overview for organizations where they are an organization owner or security manager. To see repository-level details, they must have the appropriate role within the organization.
-If you are an **organization or team member**, you can view security overview for the organization and see data for repositories where you have an appropriate level of access.
+Security overview displays data only for repositories you have permission to view, and some views or actions may be limited based on your role.
-{% ifversion secret-risk-assessment %}
-
-> [!TIP] The Assessments view, which is not shown in the table below, is only available to organization owners and security managers.
-
-{% endif %}
-
-{% rowheaders %}
-
-| Organization or team member with | Overview dashboard view | Risk and alerts views | Coverage view |
-|--------------------|-------------|---------------------|---------|
-| `admin` access for one or more repositories | View data for those repositories | View data for those repositories | View data for those repositories{% ifversion pre-security-configurations %}, and enable and disable security features{% endif %} |
-| `write` access for one or more repositories | View {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} data for those repositories | View {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} data for those repositories | No access |
-| `read` or `triage` access for one or more repositories | No access | No access | No access |
-| Security alert access for one or more repositories | View all security alert data for those repositories | View all security alert data for those repositories | No access |
-| Custom organization role with permission to view one or more types of security alert | View allowed alert data for all repositories | View allowed alert data for all repositories in all views | No access |
-
-{% endrowheaders %}
-
-> [!NOTE]
-> To ensure a consistent and responsive experience, for organization members, the organization-level security overview pages will only display results from the most recently updated 3,000 repositories. If your results have been restricted, a notification will appear at the top of the page. Organization owners and security managers will see results from all repositories.
-
-For more information about access to security alerts and related views, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) and [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles#security).
-
-### Enterprise-level overview
-
-> [!NOTE]
-> If you are an **enterprise owner**, you will need to join an organization as an organization owner to view data for the organization's repositories in both the organization-level and enterprise-level overview.{% ifversion secret-scanning-user-owned-repos %} {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}{% endif %} For more information, see [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise).
-
-In the enterprise-level security overview, you can see data for all organizations where you are an **organization owner or security manager**.
-
-{% ifversion ghec %}
-If you're an owner of an {% data variables.enterprise.prodname_emu_enterprise %}, you can view data from user-owned repositories in security overview and filter by repository owner type. For more information on {% data variables.enterprise.prodname_managed_users %}, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users).
-{% endif %}
+For detailed, role-by-role permission information, including which views are available and how repository access affects visibility, see [AUTOTITLE](/code-security/reference/permissions/security-overview-permissions).
## Further reading
diff --git a/content/code-security/concepts/security-at-scale/auditing-security-alerts.md b/content/code-security/concepts/security-at-scale/auditing-security-alerts.md
index 76ed72fece18..68757be5180a 100644
--- a/content/code-security/concepts/security-at-scale/auditing-security-alerts.md
+++ b/content/code-security/concepts/security-at-scale/auditing-security-alerts.md
@@ -70,7 +70,7 @@ You can use the API to list and interact with security alerts, for example, gett
You can list all {% data variables.product.prodname_dependabot %} alerts for a repository, organization, or enterprise, or use path parameters to list only alerts that meet a specific set of criteria. For example, you might only want to list {% data variables.product.prodname_dependabot %} alerts for Maven that were dismissed. Alternatively, you can get full details for an alert or update the alert.
-For more information, see [{% data variables.product.prodname_dependabot %} alerts](/rest/dependabot/alerts#about-dependabot-alerts).
+For more information, see [AUTOTITLE](/rest/dependabot/alerts#about-dependabot-alerts).
### {% data variables.product.prodname_secret_scanning_caps %} alerts API
@@ -78,13 +78,13 @@ You can list all {% data variables.product.prodname_secret_scanning %} alerts fo
To see which {% data variables.product.prodname_secret_scanning %} alerts were the result of a push protection bypass, filter the results for `"push_protection_bypassed": true`.
-For more information, see [{% data variables.product.prodname_secret_scanning_caps %}](/rest/secret-scanning).
+For more information, see [AUTOTITLE](/rest/secret-scanning).
### {% data variables.product.prodname_code_scanning_caps %} alerts API
You can list all {% data variables.product.prodname_code_scanning %} alerts for a repository, organization, or enterprise, or use path parameters to list only alerts that meet a specific set of criteria. Alternatively, you can get full details for an alert or update the alert.
-For more information, see [{% data variables.product.prodname_code_scanning_caps %}](/rest/code-scanning).
+For more information, see [AUTOTITLE](/rest/code-scanning/code-scanning).
## Further reading
diff --git a/content/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md b/content/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md
index b2cf2064d4b6..08114bce29c4 100644
--- a/content/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md
+++ b/content/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories.md
@@ -43,7 +43,8 @@ To start securing repositories in your organization with the {% data variables.p
If you are familiar with {% data variables.product.company_short %}'s security products, and you have specific security needs that the {% data variables.product.prodname_github_security_configuration %} can't meet, you can create and apply {% data variables.product.prodname_custom_security_configurations %}. With {% data variables.product.prodname_custom_security_configurations %}, you can:
* Edit the enablement settings for different security features
-* Create several configurations for repositories with different security needs
-* Control your usage and costs by including or excluding {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %} features for a particular configuration
+* Create several configurations for repositories to reflect their different levels of visibility, risk tolerance, and impact
+
+You can also choose whether or not you want to include {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %} features in a configuration. If you do, keep in mind that these features incur usage costs (or require {% data variables.product.prodname_GHAS %} licenses) when applied to private and internal repositories.
To start securing repositories in your organization with {% data variables.product.prodname_custom_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli.md
index 89197bdf9849..7f52ab472748 100644
--- a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli.md
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/advanced-setup-of-the-codeql-cli.md
@@ -112,6 +112,6 @@ When you have confirmed that a {% data variables.product.prodname_codeql %} data
gh api /repos///code-scanning/codeql/databases/ -H 'Accept: application/zip' > path/to/local/database.zip
```
-For more information, see the documentation for the [Get {% data variables.product.prodname_codeql %} database endpoint](/rest/code-scanning?apiVersion=2022-11-28#get-a-codeql-database-for-a-repository).
+For more information, see the documentation for the [Get {% data variables.product.prodname_codeql %} database endpoint](/rest/code-scanning/code-scanning#get-a-codeql-database-for-a-repository).
Before running an analysis with the {% data variables.product.prodname_codeql_cli %}, you must unzip the databases.
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/creating-database-bundle-for-troubleshooting.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/creating-database-bundle-for-troubleshooting.md
index bf18a811578b..48cb24da1497 100644
--- a/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/creating-database-bundle-for-troubleshooting.md
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/creating-database-bundle-for-troubleshooting.md
@@ -1,6 +1,6 @@ --- title: Creating CodeQL CLI database bundles
-shortTitle: Createting CodeQL CLI database bundles
+shortTitle: Creating CodeQL CLI database bundles
intro: You can create a database bundle with {% data variables.product.prodname_codeql %} troubleshooting information.
allowTitleToDifferFromFilename: true
product: '{% data reusables.gated-features.codeql %}'
diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration.md
index 863851a1e187..272312a743db 100644
--- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration.md
+++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration.md
@@ -16,29 +16,19 @@ redirect_from: contentType: how-tos ---
-## About {% data variables.product.prodname_custom_security_configurations %}
+{% ifversion security-configurations-cloud %}
-{% ifversion fpt or ghec %}
+If you are familiar with {% data variables.product.company_short %}'s security products, and you have specific security needs that the {% data variables.product.prodname_github_security_configuration %} can't meet, you can create and apply {% data variables.product.prodname_custom_security_configurations %}. For more information, see [AUTOTITLE](/code-security/concepts/security-at-scale/choosing-a-security-configuration-for-your-repositories).
-We recommend securing your organization with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization).
-
-{% endif %}
+{% else %}
With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your organization. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each group of repositories to reflect their different levels of visibility, risk tolerance, and impact.
-{% ifversion ghas-products %}
-
-You can also choose whether or not you want to include {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %} features in a configuration.
-
-{%- ifversion fpt or ghec %} If you do, keep in mind that these features incur usage costs (or require {% data variables.product.prodname_GHAS %} licenses) when applied to private and internal repositories.{% endif %} For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security).
-
-{% endif %}
-
-{% ifversion ghes %}
-
* Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI.
* {% ifversion ghas-products %}Some features will only be visible if your organization or {% data variables.product.prodname_ghe_server %} instance has purchased the relevant {% data variables.product.prodname_GHAS %} product ({% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %}){% else %}{% data variables.product.prodname_GHAS %} features will only be visible if your organization or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GHAS %} license{% endif %}.
-* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.{% endif %}
+* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.
+
+{% endif %}
{% ifversion ghas-products %}
diff --git a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/excluding-folders-and-files-from-secret-scanning.md b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/excluding-folders-and-files-from-secret-scanning.md
index f9873a3a51a9..fd6507c6a153 100644
--- a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/excluding-folders-and-files-from-secret-scanning.md
+++ b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/excluding-folders-and-files-from-secret-scanning.md
@@ -16,12 +16,6 @@ redirect_from: - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning ---
-## About {% data variables.product.prodname_secret_scanning %}
-
-{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised.{% data reusables.secret-scanning.alert-type-links %}
-
-## About excluding directories from {% data variables.secret-scanning.user_alerts %}
-
You may have a reason to commit a secret to a repository, such as when you want to provide a fake secret in documentation, or in an example application. In these scenarios, you can quickly dismiss the alert and document the reasons. However, there may be cases where you want to ignore a directory entirely to avoid creating false positive alerts at scale. For example, you might have a monolithic application with several integrations containing a file of dummy keys that could set off numerous false alerts to triage.
You can configure a `secret_scanning.yml` file to automatically close alerts found in specific directories from {% data variables.product.prodname_secret_scanning %}, and exclude these directories included in push protection. These alerts are closed as "ignored by configuration".
diff --git a/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-errors.md b/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-errors.md
index 5d328a71e207..17cbd2f5e394 100644
--- a/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-errors.md
+++ b/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-errors.md
@@ -25,21 +25,7 @@ topics: contentType: how-tos ---
-{% data reusables.dependabot.enterprise-enable-dependabot %}
-
-## About {% data variables.product.prodname_dependabot %} errors
-
-{% data reusables.dependabot.pull-request-introduction %}
-
-If anything prevents {% data variables.product.prodname_dependabot %} from raising a pull request, this is reported as an error.
-
-> [!NOTE]
-> {% data variables.product.prodname_dependabot %} doesn't create pull requests for inactive repositories. For information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates), for security and version updates, respectively.
-
-{% ifversion dependabot-on-actions-opt-in %}
-For more information about troubleshooting when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners).
-
-{% endif %}
+This article provides troubleshooting information to help you resolve issues when {% data variables.product.prodname_dependabot %} doesn't work as expected. If you encounter errors when {% data variables.product.prodname_dependabot %} tries to update your dependencies, you can use this guidance to diagnose and fix common problems.
## Investigating errors with {% data variables.product.prodname_dependabot_security_updates %}
diff --git a/content/code-security/reference/index.md b/content/code-security/reference/index.md
index 3d9de9cbfacd..f925be0650ba 100644
--- a/content/code-security/reference/index.md
+++ b/content/code-security/reference/index.md
@@ -20,5 +20,5 @@ children: - /code-scanning - /supply-chain-security - /code-quality - - /permission-levels-for-repository-security-advisories + - /permissions ---
diff --git a/content/code-security/reference/permissions/index.md b/content/code-security/reference/permissions/index.md
new file mode 100644
index 000000000000..642485a6b1da
--- /dev/null
+++ b/content/code-security/reference/permissions/index.md
@@ -0,0 +1,12 @@
+---
+title: Permissions for security features
+intro: Find information about permissions related to {% data variables.product.github %}'s security features.
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+contentType: reference
+children:
+ - /permission-levels-for-repository-security-advisories
+ - /security-overview-permissions
+---
\ No newline at end of file
diff --git a/content/code-security/reference/permission-levels-for-repository-security-advisories.md b/content/code-security/reference/permissions/permission-levels-for-repository-security-advisories.md
similarity index 97%
rename from content/code-security/reference/permission-levels-for-repository-security-advisories.md
rename to content/code-security/reference/permissions/permission-levels-for-repository-security-advisories.md
index 6e109806df3c..5c003b97180a 100644
--- a/content/code-security/reference/permission-levels-for-repository-security-advisories.md
+++ b/content/code-security/reference/permissions/permission-levels-for-repository-security-advisories.md
@@ -1,6 +1,7 @@ ---
-title: Permission levels for repository security advisories
+title: Repository security advisories
intro: The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
+allowTitleToDifferFromFilename: true
redirect_from: - /articles/permission-levels-for-maintainer-security-advisories - /github/managing-security-vulnerabilities/permission-levels-for-maintainer-security-advisories
@@ -9,6 +10,7 @@ redirect_from: - /code-security/repository-security-advisories/permission-levels-for-repository-security-advisories - /code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories - /code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories
+ - /code-security/reference/permission-levels-for-repository-security-advisories
versions: fpt: '*' ghec: '*'
@@ -16,7 +18,6 @@ topics: - Security advisories - Vulnerabilities - Permissions
-shortTitle: Permission levels
contentType: reference ---
diff --git a/content/code-security/reference/permissions/security-overview-permissions.md b/content/code-security/reference/permissions/security-overview-permissions.md
new file mode 100644
index 000000000000..9d8100d4ea58
--- /dev/null
+++ b/content/code-security/reference/permissions/security-overview-permissions.md
@@ -0,0 +1,56 @@ +--- +title: Security overview permissions +shortTitle: Security overview +intro: The actions you can take in security overview depend on your permissions for the repositories in your organization or enterprise. +versions: + fpt: '*' + ghes: '*' + ghec: '*' +topics: + - Security advisories + - Vulnerabilities + - Permissions +contentType: reference +--- + +The actions you can take in the security overview depend on your permissions for the repositories in your organization or enterprise. + +## Organization-level overview + +If you are an **owner or security manager** for an organization, you can see data for all the repositories in the organization in all views. + +If you are an **organization or team member**, you can view security overview for the organization and see data for repositories where you have an appropriate level of access. + +{% ifversion secret-risk-assessment %} + +> [!TIP] The Assessments view, which is not shown in the table below, is only available to organization owners and security managers. 
+ +{% endif %} + +{% rowheaders %} + +| Organization or team member with | Overview dashboard view | Risk and alerts views | Coverage view | +|--------------------|-------------|---------------------|---------| +| `admin` access for one or more repositories | View data for those repositories | View data for those repositories | View data for those repositories{% ifversion pre-security-configurations %}, and enable and disable security features{% endif %} | +| `write` access for one or more repositories | View {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} data for those repositories | View {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} data for those repositories | No access | +| `read` or `triage` access for one or more repositories | No access | No access | No access | +| Security alert access for one or more repositories | View all security alert data for those repositories | View all security alert data for those repositories | No access | +| Custom organization role with permission to view one or more types of security alert | View allowed alert data for all repositories | View allowed alert data for all repositories in all views | No access | + +{% endrowheaders %} + +> [!NOTE] +> To ensure a consistent and responsive experience, for organization members, the organization-level security overview pages will only display results from the most recently updated 3,000 repositories. If your results have been restricted, a notification will appear at the top of the page. Organization owners and security managers will see results from all repositories. 
+ +For more information about access to security alerts and related views, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) and [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles#security). + +## Enterprise-level overview + +> [!NOTE] +> If you are an **enterprise owner**, you will need to join an organization as an organization owner to view data for the organization's repositories in both the organization-level and enterprise-level overview.{% ifversion secret-scanning-user-owned-repos %} {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}{% endif %} For more information, see [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). + +In the enterprise-level security overview, you can see data for all organizations where you are an **organization owner or security manager**. + +{% ifversion ghec %} +If you're an owner of an {% data variables.enterprise.prodname_emu_enterprise %}, you can view data from user-owned repositories in security overview and filter by repository owner type. For more information on {% data variables.enterprise.prodname_managed_users %}, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). +{% endif %} diff --git a/content/code-security/tutorials/customize-code-scanning/analyzing-your-code-with-codeql-queries.md b/content/code-security/tutorials/customize-code-scanning/analyzing-your-code-with-codeql-queries.md index 8df772412566..f1c4f1c8211e 100644 --- a/content/code-security/tutorials/customize-code-scanning/analyzing-your-code-with-codeql-queries.md 
+++ b/content/code-security/tutorials/customize-code-scanning/analyzing-your-code-with-codeql-queries.md @@ -252,7 +252,7 @@ codeql database analyze codeql/cpp-queries:codeql-suites/cpp-code This command downloads the `codeql/cpp-queries` {% data variables.product.prodname_codeql %} query pack, runs the analysis, and generates a file in the SARIF version 2.1.0 format that is supported by all versions of {% data variables.product.prodname_dotcom %}. This file can be uploaded to {% data variables.product.prodname_dotcom %} by executing `codeql github upload-results` or the code scanning API. For more information, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github) -or [AUTOTITLE](/rest/code-scanning). +or [AUTOTITLE](/rest/code-scanning/code-scanning). {% data variables.product.prodname_codeql %} query suites are `.qls` files that use directives to select queries to run based on certain metadata properties. The standard {% data variables.product.prodname_codeql %} packs have metadata that specify diff --git a/data/reusables/code-scanning/choose-alert-dismissal-reason.md b/data/reusables/code-scanning/choose-alert-dismissal-reason.md index b09bebf5b144..36ddfc3964eb 100644 --- a/data/reusables/code-scanning/choose-alert-dismissal-reason.md +++ b/data/reusables/code-scanning/choose-alert-dismissal-reason.md 
@@ -1 +1 @@ -It's important to choose the appropriate reason from the drop-down menu as this may affect whether a query continues to be included in future analysis. Optionally, you can comment on a dismissal to record the context of an alert dismissal. The dismissal comment is added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the code scanning REST API. The comment is contained in `dismissed_comment` for the `alerts/{alert_number}` endpoint. For more information, see [AUTOTITLE](/rest/code-scanning#update-a-code-scanning-alert). +It's important to choose the appropriate reason from the drop-down menu as this may affect whether a query continues to be included in future analysis. Optionally, you can comment on a dismissal to record the context of an alert dismissal. The dismissal comment is added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the code scanning REST API. The comment is contained in `dismissed_comment` for the `alerts/{alert_number}` endpoint. For more information, see [AUTOTITLE](/rest/code-scanning/code-scanning#update-a-code-scanning-alert). diff --git a/src/graphql/data/fpt/changelog.json b/src/graphql/data/fpt/changelog.json index e499d9623b49..cc48673762b5 100644 --- a/src/graphql/data/fpt/changelog.json +++ b/src/graphql/data/fpt/changelog.json @@ -1,4 +1,18 @@ [ + { + "schemaChanges": [ + { + "title": "The GraphQL schema includes these changes:", + "changes": [ + "

Input field actorLogins of type '[String!]was added to input object typeReplaceActorsForAssignableInput'

", + "

Input field ReplaceActorsForAssignableInput.actorIds changed type from '[ID!]!to[ID!]'

" + ] + } + ], + "previewChanges": [], + "upcomingChanges": [], + "date": "2026-01-23" + }, { "schemaChanges": [ { diff --git a/src/graphql/data/fpt/schema.docs.graphql b/src/graphql/data/fpt/schema.docs.graphql index d1c7d2509627..da6f5937b3f5 100644 --- a/src/graphql/data/fpt/schema.docs.graphql +++ b/src/graphql/data/fpt/schema.docs.graphql @@ -46635,14 +46635,22 @@ Autogenerated input type of ReplaceActorsForAssignable """ input ReplaceActorsForAssignableInput { """ - The ids of the actors to replace the existing assignees. + The ids of the actors to replace the existing assignees. May be used as an + alternative to or in conjunction with actorLogins. """ - actorIds: [ID!]! + actorIds: [ID!] @possibleTypes( concreteTypes: ["Bot", "EnterpriseUserAccount", "Mannequin", "Organization", "User"] abstractType: "Actor" ) + """ + The usernames of the actors to replace the existing assignees. May be used as + an alternative to or in conjunction with actorIds. For bots, use the login + format with [bot] suffix (e.g., 'my-app[bot]'). + """ + actorLogins: [String!] + """ The id of the assignable object to replace the assignees for. """ diff --git a/src/graphql/data/fpt/schema.json b/src/graphql/data/fpt/schema.json index 089b89cb87e0..255c280fb59a 100644 --- a/src/graphql/data/fpt/schema.json +++ b/src/graphql/data/fpt/schema.json @@ -106498,13 +106498,21 @@ "inputFields": [ { "name": "actorIds", - "description": "

The ids of the actors to replace the existing assignees.

", - "type": "[ID!]!", + "description": "

The ids of the actors to replace the existing assignees. May be used as an\nalternative to or in conjunction with actorLogins.

", + "type": "[ID!]", "id": "id", "kind": "scalars", "href": "/graphql/reference/scalars#id", "isDeprecated": false }, + { + "name": "actorLogins", + "description": "

The usernames of the actors to replace the existing assignees. May be used as\nan alternative to or in conjunction with actorIds. For bots, use the login\nformat with [bot] suffix (e.g., 'my-app[bot]').

", + "type": "[String!]", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, { "name": "assignableId", "description": "

The id of the assignable object to replace the assignees for.

", diff --git a/src/graphql/data/ghec/schema.docs.graphql b/src/graphql/data/ghec/schema.docs.graphql index d1c7d2509627..da6f5937b3f5 100644 --- a/src/graphql/data/ghec/schema.docs.graphql +++ b/src/graphql/data/ghec/schema.docs.graphql @@ -46635,14 +46635,22 @@ Autogenerated input type of ReplaceActorsForAssignable """ input ReplaceActorsForAssignableInput { """ - The ids of the actors to replace the existing assignees. + The ids of the actors to replace the existing assignees. May be used as an + alternative to or in conjunction with actorLogins. """ - actorIds: [ID!]! + actorIds: [ID!] @possibleTypes( concreteTypes: ["Bot", "EnterpriseUserAccount", "Mannequin", "Organization", "User"] abstractType: "Actor" ) + """ + The usernames of the actors to replace the existing assignees. May be used as + an alternative to or in conjunction with actorIds. For bots, use the login + format with [bot] suffix (e.g., 'my-app[bot]'). + """ + actorLogins: [String!] + """ The id of the assignable object to replace the assignees for. """ diff --git a/src/graphql/data/ghec/schema.json b/src/graphql/data/ghec/schema.json index 089b89cb87e0..255c280fb59a 100644 --- a/src/graphql/data/ghec/schema.json +++ b/src/graphql/data/ghec/schema.json @@ -106498,13 +106498,21 @@ "inputFields": [ { "name": "actorIds", - "description": "

The ids of the actors to replace the existing assignees.

", - "type": "[ID!]!", + "description": "

The ids of the actors to replace the existing assignees. May be used as an\nalternative to or in conjunction with actorLogins.

", + "type": "[ID!]", "id": "id", "kind": "scalars", "href": "/graphql/reference/scalars#id", "isDeprecated": false }, + { + "name": "actorLogins", + "description": "

The usernames of the actors to replace the existing assignees. May be used as\nan alternative to or in conjunction with actorIds. For bots, use the login\nformat with [bot] suffix (e.g., 'my-app[bot]').

", + "type": "[String!]", + "id": "string", + "kind": "scalars", + "href": "/graphql/reference/scalars#string" + }, { "name": "assignableId", "description": "

The id of the assignable object to replace the assignees for.

", diff --git a/src/languages/lib/render-with-fallback.ts b/src/languages/lib/render-with-fallback.ts index 30c3686e5439..fe9d53bc5ffe 100644 --- a/src/languages/lib/render-with-fallback.ts +++ b/src/languages/lib/render-with-fallback.ts @@ -5,14 +5,27 @@ import type { Context } from '@/types' export class EmptyTitleError extends Error {} -interface LiquidToken { +export interface LiquidToken { file?: string getPosition?: () => [number, number] } -interface LiquidError extends Error { +/** + * Custom error class for Liquid rendering errors with proper type safety. + * Use this instead of creating Error objects and mutating them with type assertions. + * + * @example + * const error = new LiquidError('Unknown tag', 'ParseError') + * error.token = { file: '/content/test.md', getPosition: () => [1, 5] } + */ +export class LiquidError extends Error { token?: LiquidToken originalError?: Error + + constructor(message: string, name: 'ParseError' | 'RenderError' | 'TokenizationError') { + super(message) + this.name = name + } } interface RenderOptions { diff --git a/src/languages/scripts/count-translation-corruptions.ts b/src/languages/scripts/count-translation-corruptions.ts index a46a1bc2ed5f..bc8e89007e18 100644 --- a/src/languages/scripts/count-translation-corruptions.ts +++ b/src/languages/scripts/count-translation-corruptions.ts 
@@ -77,11 +77,19 @@ function run(languageCode: string, site: Site, englishReusables: Reusables) {
 const illegalTags = new Map()
 function countError(error: TokenizationError, where: string) {
- const originalError = (error as { originalError?: Error }).originalError
+ // TokenizationError from liquidjs may have originalError and token.content
+ // but these aren't in the public type definitions
+ const errorWithExtras = error as TokenizationError & {
+ originalError?: Error
+ token?: { content?: string }
+ }
+ const originalError = errorWithExtras.originalError
 const errorString = originalError ? originalError.message : error.message
- if (errorString.includes('illegal tag syntax')) {
- const illegalTag = (error as unknown as { token: { content: string } }).token.content
- illegalTags.set(illegalTag, (illegalTags.get(illegalTag) || 0) + 1)
+ if (errorString.includes('illegal tag syntax') && errorWithExtras.token?.content) {
+ illegalTags.set(
+ errorWithExtras.token.content,
+ (illegalTags.get(errorWithExtras.token.content) || 0) + 1,
+ )
 }
 errors.set(errorString, (errors.get(errorString) || 0) + 1)
 wheres.set(where, (wheres.get(where) || 0) + 1)
diff --git a/src/languages/tests/translation-error-comments.ts b/src/languages/tests/translation-error-comments.ts
index 7052e8023f42..af5986944f66 100644
--- a/src/languages/tests/translation-error-comments.ts
+++ b/src/languages/tests/translation-error-comments.ts
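Review bot: In `countError`, the added `&& errorWithExtras.token?.content` guard makes an 'illegal tag syntax' error whose token has no content vanish from `illegalTags` while it is still counted in `errors`, so the two tallies can silently disagree where the old code would at least have thrown. If liquidjs ever stops exposing `token.content`, the illegal-tag report quietly goes empty with no signal in the output. Counting under a sentinel keeps the tallies consistent: `const illegalTag = errorWithExtras.token?.content ?? '<no token content>'` followed by `illegalTags.set(illegalTag, (illegalTags.get(illegalTag) || 0) + 1)` inside the original `if (errorString.includes('illegal tag syntax'))`. The enclosing `run` function starts before the hunk and `countError`'s closing brace is after it.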
@@ -4,19 +4,11 @@ import { EmptyTitleError, renderContentWithFallback, executeWithFallback, + LiquidError, } from '../lib/render-with-fallback' import { TitleFromAutotitleError } from '@/content-render/unified/rewrite-local-links' import Page from '@/frame/lib/page' -// Type aliases for error objects with token information -type ErrorWithToken = Error & { token: { file: string; getPosition: () => number[] } } -type ErrorWithTokenNoFile = Error & { token: { getPosition: () => number[] } } -type ErrorWithTokenNoPosition = Error & { token: { file: string } } -type ErrorWithTokenAndOriginal = Error & { - token: { file: string; getPosition: () => number[] } - originalError: Error -} - describe('Translation Error Comments', () => { // Mock renderContent for integration tests let mockRenderContent: MockedFunction< @@ -35,9 +27,8 @@ describe('Translation Error Comments', () => { describe('createTranslationFallbackComment', () => { describe('Liquid ParseError', () => { test('includes all fields when token information is available', () => { - const error = new Error("Unknown tag 'badtag', line:1, col:3") - error.name = 'ParseError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError("Unknown tag 'badtag', line:1, col:3", 'ParseError') + error.token = { file: '/content/test/article.md', getPosition: () => [1, 3], } 
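Review bot: Every fixture in these tests now builds a `LiquidError` directly, so the suite no longer covers the shape `createTranslationFallbackComment` receives in production, which (per the comment in the count-translation-corruptions.ts hunk) is a liquidjs error carrying a matching `name` and `token` but not an instance of this class; a later change narrowing with `instanceof LiquidError` would pass every test here and break the fallback comment at runtime. Keep one case that builds the error structurally, e.g. `const error = Object.assign(new Error("Unknown tag 'badtag'"), { name: 'ParseError', token: { file: '/content/test.md', getPosition: () => [1, 5] } })`, and assert it produces the same comment as the `LiquidError` fixture. The `describe('Translation Error Comments')` block these tests live in continues past the hunk.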
@@ -57,15 +48,15 @@ describe('Translation Error Comments', () => { describe('Liquid RenderError', () => { test('includes original error message when available', () => { - const error = new Error("Unknown variable 'variables.nonexistent.value'") - error.name = 'RenderError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError( + "Unknown variable 'variables.nonexistent.value'", + 'RenderError', + ) + error.token = { file: '/content/test/intro.md', getPosition: () => [3, 15], } - ;(error as unknown as ErrorWithTokenAndOriginal).originalError = new Error( - 'Variable not found: variables.nonexistent.value', - ) + error.originalError = new Error('Variable not found: variables.nonexistent.value') const result = createTranslationFallbackComment(error, 'rawIntro') @@ -78,9 +69,8 @@ describe('Translation Error Comments', () => { }) test('falls back to main error message when no originalError', () => { - const error = new Error('Main error message') - error.name = 'RenderError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError('Main error message', 'RenderError') + error.token = { file: '/content/test.md', getPosition: () => [1, 1], } @@ -93,9 +83,8 @@ describe('Translation Error Comments', () => { describe('Liquid TokenizationError', () => { test('includes tokenization error details', () => { - const error = new Error('Unexpected token, line:1, col:10') - error.name = 'TokenizationError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError('Unexpected token, line:1, col:10', 'TokenizationError') + error.token = { file: '/content/test/page.md', getPosition: () => [1, 10], } 
@@ -147,9 +136,8 @@ describe('Translation Error Comments', () => { describe('Error handling edge cases', () => { test('handles error with no token information gracefully', () => { - const error = new Error('Generic liquid error without token info') - error.name = 'RenderError' - // No token property + const error = new LiquidError('Generic liquid error without token info', 'RenderError') + // No token property set const result = createTranslationFallbackComment(error, 'rawIntro') @@ -163,9 +151,8 @@ describe('Translation Error Comments', () => { }) test('handles error with token but no file', () => { - const error = new Error('Error message') - error.name = 'ParseError' - ;(error as unknown as ErrorWithTokenNoFile).token = { + const error = new LiquidError('Error message', 'ParseError') + error.token = { // No file property getPosition: () => [5, 10], } @@ -178,9 +165,8 @@ describe('Translation Error Comments', () => { }) test('handles error with token but no getPosition method', () => { - const error = new Error('Error message') - error.name = 'ParseError' - ;(error as unknown as ErrorWithTokenNoPosition).token = { + const error = new LiquidError('Error message', 'ParseError') + error.token = { file: '/content/test.md', // No getPosition method } @@ -194,8 +180,7 @@ describe('Translation Error Comments', () => { test('truncates very long error messages', () => { const longMessage = 'A'.repeat(300) // Very long error message - const error = new Error(longMessage) - error.name = 'ParseError' + const error = new LiquidError(longMessage, 'ParseError') const result = createTranslationFallbackComment(error, 'rawTitle') 
@@ -211,8 +196,7 @@ describe('Translation Error Comments', () => { }) test('properly escapes quotes in error messages', () => { - const error = new Error('Error with "double quotes" and more') - error.name = 'RenderError' + const error = new LiquidError('Error with "double quotes" and more', 'RenderError') const result = createTranslationFallbackComment(error, 'rawTitle') @@ -233,9 +217,7 @@ describe('Translation Error Comments', () => { }) test('handles error with no message', () => { - const error = new Error() - error.name = 'ParseError' - // Message will be empty string by default + const error = new LiquidError('', 'ParseError') const result = createTranslationFallbackComment(error, 'title') @@ -245,8 +227,7 @@ describe('Translation Error Comments', () => { }) test('cleans up multiline messages', () => { - const error = new Error('Line 1\nLine 2\n Line 3 \n\nLine 5') - error.name = 'RenderError' + const error = new LiquidError('Line 1\nLine 2\n Line 3 \n\nLine 5', 'RenderError') const result = createTranslationFallbackComment(error, 'content') @@ -257,9 +238,8 @@ describe('Translation Error Comments', () => { describe('Comment format validation', () => { test('comment format is valid HTML', () => { - const error = new Error('Test error') - error.name = 'ParseError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError('Test error', 'ParseError') + error.token = { file: '/content/test.md', getPosition: () => [1, 1], } @@ -275,9 +255,8 @@ describe('Translation Error Comments', () => { }) test('contains all required fields when available', () => { - const error = new Error('Detailed error message') - error.name = 'RenderError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError('Detailed error message', 'RenderError') + error.token = { file: '/content/detailed-test.md', getPosition: () => [42, 15], } 
@@ -294,9 +273,8 @@ describe('Translation Error Comments', () => { }) test('maintains consistent field order', () => { - const error = new Error('Test message') - error.name = 'ParseError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError('Test message', 'ParseError') + error.token = { file: '/content/test.md', getPosition: () => [1, 1], } @@ -336,9 +314,8 @@ describe('Translation Error Comments', () => { mockRenderContent.mockImplementation( (template: string, innerContext: Record) => { if (innerContext.currentLanguage !== 'en' && template.includes('badtag')) { - const error = new Error("Unknown tag 'badtag'") - error.name = 'ParseError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError("Unknown tag 'badtag'", 'ParseError') + error.token = { file: '/content/test.md', getPosition: () => [1, 5], } @@ -375,8 +352,7 @@ describe('Translation Error Comments', () => { mockRenderContent.mockImplementation( (template: string, innerContext: Record) => { if (innerContext.currentLanguage !== 'en' && template.includes('badtag')) { - const error = new Error("Unknown tag 'badtag'") - error.name = 'ParseError' + const error = new LiquidError("Unknown tag 'badtag'", 'ParseError') throw error } return 'English Title' @@ -399,9 +375,8 @@ describe('Translation Error Comments', () => { } const failingCallable = async () => { - const error = new Error("Unknown variable 'variables.bad'") - error.name = 'RenderError' - ;(error as unknown as ErrorWithToken).token = { + const error = new LiquidError("Unknown variable 'variables.bad'", 'RenderError') + error.token = { file: '/content/article.md', getPosition: () => [10, 20], } @@ -427,8 +402,7 @@ describe('Translation Error Comments', () => { } const failingCallable = async () => { - const error = new Error('Test error') - error.name = 'RenderError' + const error = new LiquidError('Test error', 'RenderError') throw error }