diff --git a/assets/images/enterprise/3.16/help/security/secret-scanning-default-alert-view.png b/assets/images/enterprise/3.16/help/security/secret-scanning-default-alert-view.png
new file mode 100644
index 000000000000..1dc7f7f309ff
Binary files /dev/null and b/assets/images/enterprise/3.16/help/security/secret-scanning-default-alert-view.png differ
diff --git a/assets/images/help/security/secret-scanning-default-alert-view.png b/assets/images/help/security/secret-scanning-default-alert-view.png
index 1dc7f7f309ff..2a271a550bea 100644
Binary files a/assets/images/help/security/secret-scanning-default-alert-view.png and b/assets/images/help/security/secret-scanning-default-alert-view.png differ
diff --git a/config/moda/configuration/production/env.yaml b/config/moda/configuration/production/env.yaml
index 5674bd9f5c2a..d34633f438f3 100644
--- a/config/moda/configuration/production/env.yaml
+++ b/config/moda/configuration/production/env.yaml
@@ -1,7 +1,12 @@
 data:
 MODA_APP_NAME: docs-internal
+ # Identifies the service deployment environment as production
+ # Equivalent to HEAVEN_DEPLOYED_ENV === 'production'
+ MODA_PROD_SERVICE_ENV: 'true'
 NODE_ENV: production
 NODE_OPTIONS: '--max-old-space-size=4096'
 PORT: '4000'
 ENABLED_LANGUAGES: 'en,zh,es,pt,ru,ja,fr,de,ko'
 RATE_LIMIT_MAX: '21'
+ # Moda uses a non-default port for sending datadog metrics
+ DD_DOGSTATSD_PORT: '28125'
diff --git a/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md b/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md
index 0d16e2c5f9d2..30a16fc27d90 100644
--- a/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md
+++ b/content/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.md
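Review bot: `MODA_PROD_SERVICE_ENV: 'true'` is a quoted string, so the comment `# Equivalent to HEAVEN_DEPLOYED_ENV === 'production'` only holds if the consumer compares the value as a string; a plain truthiness check on `process.env.MODA_PROD_SERVICE_ENV` would also pass for `'false'` or any other non-empty value. The hunk does not say where the variable is read, so I would extend the comment to name the consumer and the expected check, e.g. `# Read by <consumer module>; compare with process.env.MODA_PROD_SERVICE_ENV === 'true', not truthiness`, so a later edit cannot silently enable production-only behaviour elsewhere. The same applies to `DD_DOGSTATSD_PORT: '28125'`: the comment says the port is non-default but not which component reads it, and a pointer there would help whoever is tracing missing metrics after a deploy.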
@@ -28,14 +28,14 @@ It is important to note that if the sensitive data you need to remove is a secre
 There are numerous side effects to rewriting history; these include:
- * High risk of recontamination: It is unfortunately easy to re-push the sensitive data to the repository and make a bigger mess. If a fellow developer has a clone from before your rewrite, and after your rewrite simply runs `git pull` followed by `git push`, the sensitive data will return. They need to either discard their clone and re-clone, or carefully walk through multiple steps to clean up their clone first.
- * Risk of losing other developers' work: If other developers continue updating branches which contain the sensitive data while you are trying to clean up, you will be forced to either redo the cleanup, or to discard their work.
- * Changed commit hashes: Rewriting history will change the hashes of the commits that introduced the sensitive data _and_ all commits that came after. Any tooling or automation that depends on commit hashes not changing will be broken or have problems.
- * Branch protection challenges: If you have any branch protections that prevent force pushes, those protections will have to be turned off (at least temporarily) for the sensitive data to be removed.
- * Broken diff view for closed pull requests: Removing the sensitive data will require removing the internal references used for displaying the diff view in pull requests, so you will no longer be able to see these diffs. This is true not only for the PR that introduced the sensitive data, but any PR that builds on a version of history after the sensitive data PR was merged (even if those later PRs didn't add or modify any file with sensitive data).
- * Poor interaction with open pull requests: Changed commit SHAs will result in a different PR diff, and comments on the old PR diff may become invalidated and lost, which may cause confusion for authors and reviewers. We recommend merging or closing all open pull requests before removing files from your repository.
- * Lost signatures on commits and tags: Signatures for commits or tags depend on commit hashes; since commit hashes are modified by history rewrites, signatures would no longer be valid and many history rewriting tools (including `git filter-repo`) will simply remove the signatures. In fact, `git filter-repo` will remove commit signatures and tag signatures for commits that pre-date the sensitive data removal as well. (Technically one can workaround this with the `--refs` option to `git filter-repo` if needed, but then you will need to be careful to ensure you specify all refs that have sensitive data in their history and that include the commits that introduced the sensitive data in your range).
- * Leading others directly to the sensitive data: Git was designed with cryptographic checks built into commit identifiers so that nefarious individuals could not break into a server and modify history without being noticed. That's helpful from a security perspective, but from a sensitive data perspective it means that expunging sensitive data is a very involved process of coordination; it further means that when you do modify history, clueful users with an existing clone will notice the history divergence and can use it to quickly and easily find the sensitive data still in their clone that you removed from the central repository.
+ * **High risk of recontamination**: It is unfortunately easy to re-push the sensitive data to the repository and make a bigger mess. If a fellow developer has a clone from before your rewrite, and after your rewrite simply runs `git pull` followed by `git push`, the sensitive data will return. They need to either discard their clone and re-clone, or carefully walk through multiple steps to clean up their clone first.
+ * **Risk of losing other developers' work**: If other developers continue updating branches which contain the sensitive data while you are trying to clean up, you will be forced to either redo the cleanup, or to discard their work.
+ * **Changed commit hashes**: Rewriting history will change the hashes of the commits that introduced the sensitive data _and_ all commits that came after. Any tooling or automation that depends on commit hashes not changing will be broken or have problems.
+ * **Branch protection challenges**: If you have any branch protections that prevent force pushes, those protections will have to be turned off (at least temporarily) for the sensitive data to be removed.
+ * **Broken diff view for closed pull requests**: Removing the sensitive data will require removing the internal references used for displaying the diff view in pull requests, so you will no longer be able to see these diffs. This is true not only for the PR that introduced the sensitive data, but any PR that builds on a version of history after the sensitive data PR was merged (even if those later PRs didn't add or modify any file with sensitive data).
+ * **Poor interaction with open pull requests**: Changed commit SHAs will result in a different PR diff, and comments on the old PR diff may become invalidated and lost, which may cause confusion for authors and reviewers. We recommend merging or closing all open pull requests before removing files from your repository.
+ * **Lost signatures on commits and tags**: Signatures for commits or tags depend on commit hashes; since commit hashes are modified by history rewrites, signatures would no longer be valid and many history rewriting tools (including `git filter-repo`) will simply remove the signatures. In fact, `git filter-repo` will remove commit signatures and tag signatures for commits that pre-date the sensitive data removal as well. (Technically one can workaround this with the `--refs` option to `git filter-repo` if needed, but then you will need to be careful to ensure you specify all refs that have sensitive data in their history and that include the commits that introduced the sensitive data in your range).
+ * **Leading others directly to the sensitive data**: Git was designed with cryptographic checks built into commit identifiers so that nefarious individuals could not break into a server and modify history without being noticed. That's helpful from a security perspective, but from a sensitive data perspective it means that expunging sensitive data is a very involved process of coordination; it further means that when you do modify history, clueful users with an existing clone will notice the history divergence and can use it to quickly and easily find the sensitive data still in their clone that you removed from the central repository.
 ## About sensitive data exposure
@@ -52,7 +52,7 @@ If you only rewrite your history and force push it, the commits with sensitive d
 * Directly via their SHA-1 hashes in cached views on {% data variables.product.product_name %}
 * Through any pull requests that reference them
-You cannot remove sensitive data from other users' clones of your repository, but you can permanently remove cached views and references to the sensitive data in pull requests on {% data variables.product.product_name %} by contacting {% data variables.contact.contact_support %}.
+You cannot remove sensitive data from other users' clones of your repository; you will have to send them the instructions from [Make sure other copies are cleaned up: clones of colleagues](https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html#_make_sure_other_copies_are_cleaned_up_clones_of_colleagues) in the `git filter-repo` manual to have them do so themselves. However, you can permanently remove cached views and references to the sensitive data in pull requests on {% data variables.product.product_name %} by contacting {% data variables.contact.contact_support %}.
 {% ifversion fpt or ghec %}
@@ -64,13 +64,9 @@ If the commit that introduced the sensitive data exists in any forks, it will co
 Consider these limitations and challenges in your decision to rewrite your repository's history.
-## Purging a file from your repository's history using git-filter-repo
+## Purging a file from your local repository's history using git-filter-repo
-> [!WARNING] If you run `git filter-repo` after stashing changes, you won't be able to retrieve your changes with other stash commands. Before running `git filter-repo`, we recommend unstashing any changes you've made. To unstash the last set of changes you've stashed, run `git stash show -p | git apply -R`. For more information, see [Git Tools - Stashing and Cleaning](https://git-scm.com/book/en/v2/Git-Tools-Stashing-and-Cleaning).
-
-To illustrate how `git filter-repo` works, we'll show you how to remove your file with sensitive data from the history of your repository and add it to `.gitignore` to ensure that it is not accidentally re-committed.
-
-1. Install the latest release of the [git filter-repo](https://github.com/newren/git-filter-repo) tool. You can install `git-filter-repo` manually or by using a package manager. For example, to install the tool with HomeBrew, use the `brew install` command.
+1. Install the latest release of [the `git filter-repo` tool](https://github.com/newren/git-filter-repo). You need a version with the `--sensitive-data-removal` flag, meaning at least version 2.47. You can install `git filter-repo` manually or by using a package manager. For example, to install the tool with HomeBrew, use the `brew install` command.
 ```shell
 brew install git-filter-repo
@@ -78,16 +74,10 @@ To illustrate how `git filter-repo` works, we'll show you how to remove your fil
 For more information, see [_INSTALL.md_](https://github.com/newren/git-filter-repo/blob/main/INSTALL.md) in the `newren/git-filter-repo` repository.
-1. If you don't already have a local copy of your repository with sensitive data in its history, [clone the repository](/repositories/creating-and-managing-repositories/cloning-a-repository) to your local computer.
+1. Clone the repository to your local computer. See [AUTOTITLE](/repositories/creating-and-managing-repositories/cloning-a-repository).
 ```shell
- $ git clone https://{% data variables.product.product_url %}/YOUR-USERNAME/YOUR-REPOSITORY
- > Initialized empty Git repository in /Users/YOUR-FILE-PATH/YOUR-REPOSITORY/.git/
- > remote: Counting objects: 1301, done.
- > remote: Compressing objects: 100% (769/769), done.
- > remote: Total 1301 (delta 724), reused 910 (delta 522)
- > Receiving objects: 100% (1301/1301), 164.39 KiB, done.
- > Resolving deltas: 100% (724/724), done.
+ git clone https://{% data variables.product.product_url %}/YOUR-USERNAME/YOUR-REPOSITORY
 ```
 1. Navigate into the repository's working directory.
@@ -96,90 +86,73 @@ To illustrate how `git filter-repo` works, we'll show you how to remove your fil
 cd YOUR-REPOSITORY
 ```
-1. Run the following command, replacing `PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA` with the **path to the file you want to remove, not just its filename**. These arguments will:
- * Force Git to process, but not check out, the entire history of every branch and tag
- * Remove the specified file, as well as any empty commits generated as a result
- * Remove some configurations, such as the remote URL, stored in the _.git/config_ file. You may want to back up this file in advance for restoration later.
- * **Overwrite your existing tags**
+1. Run a `git filter-repo` command to clean up the sensitive data.
+
+ If you want to delete a specific file from all branches/tags/refs, run the following command replacing `PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA` with the **git path to the file you want to remove, not just its filename** (e.g. `src/module/phone-numbers.txt`):
+
+ ```shell
+ git filter-repo --sensitive-data-removal --invert-paths --path PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA
+ ```
+
+ > [!IMPORTANT] If the file with sensitive data used to exist at any other paths (because it was moved or renamed), you must either add an extra `--path` argument for that file, or run this command a second time naming the alternative path.
+
+ If you want to replace all text listed in `../passwords.txt` from any non-binary files found anywhere in your repository's history, run the following command:
 ```shell
- $ git filter-repo --invert-paths --path PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA
- Parsed 197 commits
- New history written in 0.11 seconds; now repacking/cleaning...
- Repacking your repo and cleaning out old unneeded objects
- Enumerating objects: 210, done.
- Counting objects: 100% (210/210), done.
- Delta compression using up to 12 threads
- Compressing objects: 100% (127/127), done.
- Writing objects: 100% (210/210), done.
- Building bitmaps: 100% (48/48), done.
- Total 210 (delta 98), reused 144 (delta 75), pack-reused 0
- Completely finished after 0.64 seconds.
- ```
-
- > [!IMPORTANT] If the file with sensitive data used to exist at any other paths (because it was moved or renamed), you must run this command on those paths, as well.
+ git filter-repo --sensitive-data-removal --replace-text ../passwords.txt
+ ```
 1. Double-check that you've removed everything you wanted to from your repository's history.
-1. The `git filter-repo` tool will automatically remove your configured remotes. Use the `git remote set-url` command to restore your remotes, replacing `OWNER` and `REPO` with your repository details. For more information, see [AUTOTITLE](/get-started/getting-started-with-git/managing-remote-repositories#adding-a-remote-repository).
+
+1. Find out how many pull requests will be adversely affected by this history rewrite. You will need this information below.
 ```shell
- git remote add origin https://github.com/OWNER/REPOSITORY.git
+ $ grep -c '^refs/pull/.*/head$' .git/filter-repo/changed-refs
+ 4
 ```
-1. Once you're happy with the state of your repository, and you have set the appropriate remote, force-push your local changes to overwrite your repository on {% data variables.location.product_location %}. A force push is required to remove sensitive data from your commit history.
+ You can drop the `-c` to see which pull requests are affected:
 ```shell
- $ git push origin --force --all
- > Counting objects: 1074, done.
- > Delta compression using 2 threads.
- > Compressing objects: 100% (677/677), done.
- > Writing objects: 100% (1058/1058), 148.85 KiB, done.
- > Total 1058 (delta 590), reused 602 (delta 378)
- > To https://{% data variables.product.product_url %}/YOUR-USERNAME/YOUR-REPOSITORY.git
- > + 48dc599...051452f main -> main (forced update)
+ $ grep '^refs/pull/.*/head$' .git/filter-repo/changed-refs
+ refs/pull/589/head
+ refs/pull/602/head
+ refs/pull/604/head
+ refs/pull/605/head
 ```
-1. In order to remove the sensitive file from [your tagged releases](/repositories/releasing-projects-on-github/about-releases), you'll also need to force-push against your Git tags:
+ This output includes the pull request number between the second and third slashes. If the [number of pull requests affected is larger than you expected](https://github.com/newren/git-filter-repo/blob/main/Documentation/FAQ.md#why-did-git-filter-repo-rewrite-more-commit-hashes-than-i-expected), you can discard this clone with no ill-effects and either redo the rewrite or abandon the sensitive data removal. Once you move on to the next step, the rewrite becomes irreversible.
+
+1. Once you're happy with the state of your repository, force-push your local changes to overwrite your repository on {% data variables.location.product_location %}. Even though `--force` is implied by `--mirror`, we include it below as a reminder that you are forcibly updating all branches, tags, and refs and you are discarding any changes others may have made to those refs while you were cleaning up the repository.
 ```shell
- $ git push origin --force --tags
- > Counting objects: 321, done.
- > Delta compression using up to 8 threads.
- > Compressing objects: 100% (166/166), done.
- > Writing objects: 100% (321/321), 331.74 KiB | 0 bytes/s, done.
- > Total 321 (delta 124), reused 269 (delta 108)
- > To https://{% data variables.product.product_url %}/YOUR-USERNAME/YOUR-REPOSITORY.git
- > + 48dc599...051452f main -> main (forced update)
+ git push --force --mirror origin
 ```
+ This command will fail to push any refs starting with `refs/pull/`, since {% data variables.product.product_name %} marks those as read-only. Those push failures will be handled in the next section. If any other refs fail to push, you likely have branch protection turned on for that branch and will need to turn it off temporarily and redo the push. Repeat until the only failures to update are refs starting with `refs/pull/`.
+
 ## Fully removing the data from {% data variables.product.prodname_dotcom %}
 After using `git filter-repo` to remove the sensitive data and pushing your changes to {% data variables.product.product_name %}, you must take a few more steps to fully remove the data from {% data variables.product.product_name %}.
-{% ifversion ghec %}
-1. If the repository was migrated using the {% data variables.product.prodname_importer_proper_name %}, there may be some non-standard Git references that follow the pattern `refs/github-services`, that neither the BFG tool or `git filter-repo` can remove. In this case, remove those references running the following commands in your local copy of the repository:
+1. Contact {% data variables.contact.contact_support %}, and provide the following information:
- ```shell
- # fetch all refs
- git ls-remote | grep refs/github-services | cut -f2 | sort -t'/' -k3,4n > github-services-refs.txt
-
- # inspect and validate refs to be deleted
- cat github-services-refs.txt
-
- # delete refs in batches
- export BATCH_SIZE=512
- cat github-services-refs.txt | xargs -n $BATCH_SIZE git push origin --delete
- ```
-
-{% endif %}
+ * The owner and repository name in question (e.g. YOUR-USERNAME/YOUR-REPOSITORY).
+ * The number of affected pull requests, found in the previous step. This is used by Support to verify you understand how much will be affected.
+ * The First Changed Commit(s) reported by `git filter-repo` (Look for `NOTE: First Changed Commit(s)` in its output.)
+ * If `NOTE: There were LFS Objects Orphaned by this rewrite` appears in the git-filter-repo output (right after the First Changed Commit), then mention you had LFS Objects Orphaned and upload the named file to the ticket as well.
-1. Contact {% data variables.contact.contact_support %}, and ask to remove cached views and references to the sensitive data in pull requests on {% data variables.product.product_name %}. Please provide the name of the repository and/or a link to the commit you need removed.{% ifversion ghes %} For more information about how site administrators can remove unreachable Git objects, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-repo-gc). For more information about how site administrators can identify reachable commits, see [Identifying reachable commits](#identifying-reachable-commits).{% endif %}{% ifversion fpt or ghec %}
+ If you have successfully cleaned up all references other than PRs, and no forks have references to the sensitive data, Support will then:
- > [!IMPORTANT] {% data variables.contact.github_support %} won't remove non-sensitive data, and will only assist in the removal of sensitive data in cases where we determine that the risk can't be mitigated by rotating affected credentials.
+ * Dereference or delete any affected PRs on {% data variables.product.product_name %}.
+ * Run a garbage collection on the server to expunge the sensitive data from storage.
+ * Remove cached views.
+ * If LFS Objects are involved, delete and/or purge the orphaned LFS objects.
- {% endif %}
+ {% ifversion ghes %}For more information about how site administrators can remove unreachable Git objects, see "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-repo-gc)." For more information about how site administrators can identify reachable commits, see "[Identifying reachable commits](#identifying-reachable-commits)."{% endif %}{% ifversion fpt or ghec %}
+ >[!IMPORTANT] {% data variables.contact.github_support %} won't remove non-sensitive data, and will only assist in the removal of sensitive data in cases where we determine that the risk can't be mitigated by rotating affected credentials.{% endif %}
-1. Tell your collaborators to [rebase](https://git-scm.com/book/en/v2/Git-Branching-Rebasing), _not_ merge, any branches they created off of your old (tainted) repository history. One merge commit could reintroduce some or all of the tainted history that you just went to the trouble of purging.
+1. Collaborators must [rebase](https://git-scm.com/book/en/v2/Git-Branching-Rebasing), _not_ merge, any branches they created off of your old (tainted) repository history. One merge commit could reintroduce some or all of the tainted history that you just went to the trouble of purging. They may need to take additional steps as well; see [Make sure other copies are cleaned up: clones of colleagues](https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html#_make_sure_other_copies_are_cleaned_up_clones_of_colleagues) in the `git filter-repo` manual.
 {% ifversion ghes %}
@@ -236,6 +209,6 @@ There are a few things you can do to avoid committing or pushing things that sho
 ## Further reading
-* [`git filter-repo` man page](https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html)
+* [`git filter-repo` man page](https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html), especially the "Sensitive Data Removal" subsection of the "DISCUSSION" section.
 * [Pro Git: Git Tools - Rewriting History](https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History)
 * [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)
diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md
index 719f364dbaf6..8c9a9e0d59e3 100644
--- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md
+++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md
@@ -360,14 +360,14 @@ When you enable default setup for a repository that contains C# code, the build
 {% data variables.product.prodname_codeql %} restores dependencies and generates a few additional source files, to give more accurate results, before creating a database from all the source files and dependencies.
-Dependencies are restored using multiple heuristics and strategies. The following files are the primary source of information: `*.csproj`, `*.sln`, `nuget.config`, `packages.config`, `global.json`, and `project.assets.json`.
+Dependencies are restored using multiple heuristics and strategies. The following files are the primary source of information: `*.csproj`, `*.sln`, `nuget.config`, `packages.config`, `global.json`, and `project.assets.json`. {% ifversion org-private-registry %}If a private NuGet feed is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Determining whether code scanning default setup used any private registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#determining-whether-code-scanning-default-setup-used-any-private-registries).{% endif %}
 The following generated source files are optional, but significantly increase the correctness of the {% data variables.product.prodname_codeql %} database:
 * `global` generated `using` directives to handle the implicit `using` feature of MSbuild.
 * ASP.NET core view files, `.cshtml` files are converted to `.cs` files.
-The information from the dependency assembly names, generated source files, and the source files in the repository is compiled and used to create a {% data variables.product.prodname_codeql %} database.
+The information from the dependency assembly names, generated source files, {% ifversion org-private-registry %}dependencies stored in private feeds, {% endif %}and the source files in the repository is compiled and used to create a {% data variables.product.prodname_codeql %} database.
 #### Accuracy of no build analysis for C#
@@ -375,7 +375,7 @@ Creating a {% data variables.product.prodname_codeql %} database without buildin
 You can ensure a more accurate analysis by taking the following steps:
-* Provide access to the public internet or ensure that access to a private NuGet feed is available.
+* Provide access to the public internet or ensure that access to a private NuGet feed is available{% ifversion org-private-registry %}, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries){% endif %}.
 * Check whether the repository requires multiple versions of the same NuGet dependency. {% data variables.product.prodname_codeql %} can use only one version and usually chooses the newer version where there are multiple versions. This approach may not work for all repositories.
 * Check whether multiple versions of .NET are referenced, for example, `net48`, `net5.0`, and `netstandard1.6`. {% data variables.product.prodname_codeql %} can use only one version and this may affect accuracy.
 * Avoid colliding class names, otherwise this may cause missing method call targets, which has an impact on dataflow analysis.
@@ -387,27 +387,7 @@ You can ensure a more accurate analysis by taking the following steps:
 | Operating system | Windows, macOS, and Linux |
 | Build system | .NET and MSbuild, as well as build scripts |
-### C# compiler flags injected by {% data variables.product.prodname_codeql %}
-
->[!NOTE] The following compiler flags only apply if you're using build mode `manual`.
-
-The {% data variables.product.prodname_codeql %} tracer enables the extraction of all compiled languages by intercepting build processes and forwarding information to the relevant {% data variables.product.prodname_codeql %} language extractors. The tracer injects certain flags into the C# compiler invocation to ensure every component is built and included in the {% data variables.product.prodname_codeql %} database, which may cause your C# code to build in a different way to what you expect during {% data variables.product.prodname_codeql %} analysis.
-
-#### `/p:MvcBuildViews=true`
-
-When this option is set to `true`, the views in ASP.NET model-view-controller (MVC) projects are precompiled as part of the build process, which can help to catch errors and improve performance. The tracer injects this flag to make sure {% data variables.product.prodname_codeql %} finds and highlights security issues that may involve dataflow through the code generated from these views. For more information, see [Adding a View to an MVC Application](https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-a-view) in Microsoft Learn.
-
-#### `/p:UseSharedCompilation=false`
-
-Setting this option to `false` disables the use of the shared compilation feature, which may result in slower build times. When `/p:UseSharedCompilation=false` is **not** specified, `msbuild` starts a compiler server process, and all the compilation will be done by that single process. However, the {% data variables.product.prodname_codeql %} tracer depends on inspecting the arguments of newly created processes.
-
-#### `/p:EmitCompilerGeneratedFiles=true`
-
-Setting this option to `true` will emit compiler-generated files during the build process. This option causes the compiler to generate additional source files that are used to support features such as improved regular expression support, serialization, and web application view generation. These generated artifacts are typically not written to disk by the compiler, but setting the option to `true` forces writing the files to disk, and so the extractor can process the files.
-
-For some legacy projects, and projects that use `.sqlproj` files, you may see that the injected `/p:EmitCompilerGeneratedFiles=true` property causes unexpected issues with `msbuild`. For information about troubleshooting this, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing).
-
-### Windows autodetection
+#### Windows autodetection
 The `autobuild` process attempts to autodetect a suitable build method for C# using the following approach:
@@ -430,7 +410,7 @@ If you plan to create {% data variables.product.prodname_codeql %} databases usi
 {% endif %}
-### Linux and macOS autodetection
+#### Linux and macOS autodetection
 1. Invoke `dotnet build` on the solution (`.sln`) or project (`.csproj`) file closest to the root.
 1. Invoke `MSbuild` on the solution or project file closest to the root.
@@ -449,6 +429,24 @@ If you plan to create {% data variables.product.prodname_codeql %} databases usi {% endif %} +### C# compiler flags injected by {% data variables.product.prodname_codeql %} for manual builds + +The {% data variables.product.prodname_codeql %} tracer enables the extraction of all compiled languages by intercepting build processes and forwarding information to the relevant {% data variables.product.prodname_codeql %} language extractors. The tracer injects certain flags into the C# compiler invocation to ensure every component is built and included in the {% data variables.product.prodname_codeql %} database, which may cause your C# code to build in a different way to what you expect during {% data variables.product.prodname_codeql %} analysis. + +#### `/p:MvcBuildViews=true` + +When this option is set to `true`, the views in ASP.NET model-view-controller (MVC) projects are precompiled as part of the build process, which can help to catch errors and improve performance. The tracer injects this flag to make sure {% data variables.product.prodname_codeql %} finds and highlights security issues that may involve dataflow through the code generated from these views. For more information, see [Adding a View to an MVC Application](https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-a-view) in Microsoft Learn. + +#### `/p:UseSharedCompilation=false` + +Setting this option to `false` disables the use of the shared compilation feature, which may result in slower build times. When `/p:UseSharedCompilation=false` is **not** specified, `msbuild` starts a compiler server process, and all the compilation will be done by that single process. However, the {% data variables.product.prodname_codeql %} tracer depends on inspecting the arguments of newly created processes. + +#### `/p:EmitCompilerGeneratedFiles=true` + +Setting this option to `true` will emit compiler-generated files during the build process. 
This option causes the compiler to generate additional source files that are used to support features such as improved regular expression support, serialization, and web application view generation. These generated artifacts are typically not written to disk by the compiler, but setting the option to `true` forces writing the files to disk, and so the extractor can process the files. + +For some legacy projects, and projects that use `.sqlproj` files, you may see that the injected `/p:EmitCompilerGeneratedFiles=true` property causes unexpected issues with `msbuild`. For information about troubleshooting this, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing). + ## Building Go {% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Go code. 
@@ -493,6 +491,8 @@ If you later add Kotlin code to a repository that uses the `none` build mode, {% {% data variables.product.prodname_codeql %} will attempt to run Gradle or Maven to extract accurate dependency information (but not to invoke a build), before creating a database from all Java files present. Every root Maven or Gradle project file (a build script without any build script present in an ancestor directory) is queried for dependency information, and more recent dependency versions are preferred if there is a clash. For information about the runner requirements to run Maven or Gradle, see [Runner requirements for Java](#runner-requirements-for-java). + {% ifversion org-private-registry %}If a private Maven registry is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Determining whether code scanning default setup used any private registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#determining-whether-code-scanning-default-setup-used-any-private-registries).{% endif %} + #### Accuracy of no build analysis for Java Creating a {% data variables.product.prodname_codeql %} Java database without a build may produce less accurate results than using `autobuild` or manual build steps if: 
@@ -502,7 +502,7 @@ Creating a {% data variables.product.prodname_codeql %} Java database without a You can ensure a more accurate analysis by taking the following steps: -* Provide access to the public internet or ensure that access to a private artifact repository is available. +* Provide access to the public internet or ensure that access to a private artifact repository is available{% ifversion org-private-registry %}, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries){% endif %}. * Check whether the repository requires multiple versions of the same dependency. {% data variables.product.prodname_codeql %} can use only one version and usually chooses the newer version where there are multiple versions. This approach may not work for all repositories. * Check whether more than one version of the JDK API is required by different source Java files. When multiple versions are seen, {% data variables.product.prodname_codeql %} will use the highest version required by any build script. This may mean that some files that require a lower version of the JDK will be partially analyzed. For example, if some files require JDK 8 but a JDK 17 requirement is found in one or more build scripts, {% data variables.product.prodname_codeql %} will use JDK 17. Any files that require JDK 8 and could not be built using JDK 17 will be partially analyzed. * Avoid colliding class names (for example, multiple files defining `org.myproject.Test`), otherwise this may cause missing method call targets, which has an impact on dataflow analysis. 
diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md index ea2eac01248e..1c692745aeaf 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md +++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md @@ -29,14 +29,12 @@ You can enable {% data variables.product.prodname_code_scanning %} for all repos For more information, see [Configuring default setup for all eligible repositories in an organization](#configuring-default-setup-for-all-eligible-repositories-in-an-organization). -{% ifversion code-security-multi-repo-enablement %} +{% ifversion pre-security-configurations %} You can also use security overview to find a set of repositories in your organization and enable or disable default setup for all of them at the same time. For more information, see [Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization). {% endif %} -You can also create different default setup configurations for individual repositories. For more information on configuring default setup at the repository level, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). - For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale). 
@@ -58,12 +56,13 @@ A repository must meet all the following criteria to be eligible for default set {% ifversion default-setup-pre-enablement %} {% data reusables.code-scanning.default-setup-pre-enablement-explanation %} {% endif %} -{% ifversion code-security-multi-repo-enablement %} +{% ifversion pre-security-configurations %} > [!NOTE] > Configuring default setup for all repositories in an organization through your organization's settings page _will not_ override existing configurations of default setup. However, configuring default setup on a subset of repositories in an organization through security overview _will_ override existing configurations of default setup on those repositories. {% endif %} + {% ifversion code-scanning-default-setup-automatic-311 %} ### About adding languages to an existing default setup configuration @@ -72,6 +71,14 @@ If the code in a repository changes to include {% ifversion code-scanning-defaul {% endif %} +{% ifversion org-private-registry %} + +### Providing default setup access to private registries + +When a repository uses code stored in a private registry, default setup needs access to the registry to work effectively. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). + +{% endif %} + ## Configuring default setup for all eligible repositories in an organization {% ifversion security-configurations %} You can enable default setup for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). 
@@ -91,7 +98,7 @@ Through the "Code security and analysis" page of your organization's settings, y > [!NOTE] > * {% data reusables.code-scanning.limitation-org-enable-all %} -> * Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %} and [Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}.{% ifversion default-setup-pre-enablement %} +> * Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).{% ifversion default-setup-pre-enablement %} > * Enabling default setup for all eligible repositories in an organization includes eligible repositories without {% data variables.product.prodname_codeql %}-supported languages. If a {% data variables.product.prodname_codeql %}-supported language is later added to one of these repositories, default setup will begin scanning that repository and consuming {% data variables.product.prodname_actions %} minutes.{% endif %} {% endif %} 
@@ -103,8 +110,6 @@ Through the "Code security and analysis" page of your organization's settings, y Through your organization's security settings page, you can extend coverage in default setup using model packs for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization). {% endif %} -{% ifversion code-security-multi-repo-enablement %} - ## Configuring default setup for a subset of repositories in an organization {% ifversion security-configurations %} @@ -113,6 +118,8 @@ You can filter for specific repositories you would like to configure default set {% endif %} +{% ifversion pre-security-configurations %} + Through security overview for your organization, you can find eligible repositories for default setup, then enable default setup across each of those repositories simultaneously. For more information on repository eligibility, see [Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale](#eligible-repositories-default-setup). ### Finding repositories that are eligible for default setup 
@@ -122,14 +129,7 @@ Through security overview for your organization, you can find eligible repositor {% data reusables.security-overview.security-overview-coverage-view %} 1. In the search bar, enter one of the following queries: -{%- ifversion ghec %} - - `code-scanning-default-setup:eligible is:public` shows repositories that are eligible for default setup because they are visible to the public and have {% data variables.product.prodname_actions %} enabled. - - `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that are eligible for default setup because they have both {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_actions %} enabled. - - `code-scanning-default-setup:not-eligible` shows repositories that are ineligible for default setup enablement at scale for any of the following reasons: - - The repositories already have existing configurations of advanced setup. - - The repositories do not have {% data variables.product.prodname_actions %} enabled. - - The repositories are private or internal and do not have {% data variables.product.prodname_GH_advanced_security %} enabled. -{%- elsif default-setup-pre-enablement-ghes %} +{%- ifversion ghes > 3.12 %} - `code-scanning-default-setup:eligible is:public` shows repositories that have languages suitable for default setup and are eligible because they are visible to the public. - `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that have languages suitable for default setup and are eligible because they have {% data variables.product.prodname_GH_advanced_security %} enabled. - `code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled` shows private or internal repositories that have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. 
Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup. @@ -142,8 +142,6 @@ Through security overview for your organization, you can find eligible repositor - The repositories do not have {% data variables.product.prodname_GH_advanced_security %} enabled. {%- endif %} -{% ifversion pre-security-configurations %} - You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for them all at the same time. For more information, see step 5 of [Configuring default setup at scale for multiple repositories in an organization](#configuring-default-setup-at-scale-for-multiple-repositories-in-an-organization). ### Configuring default setup at scale for multiple repositories in an organization 
@@ -161,12 +159,12 @@ You can select all of the displayed repositories, or a subset of them, and enabl 1. To confirm the enablement of {% data variables.product.prodname_code_scanning %} for the selected repositories, click **Apply changes NUMBER**. Alternatively, to select or deselect more repositories for {% data variables.product.prodname_code_scanning %} enablement, click {% octicon "x" aria-label="Close" %} to close the panel without applying your changes. > [!NOTE] -{% ifversion default-setup-pre-enablement %} +{%- ifversion ghes > 3.12 %} > * Enabling {% data variables.product.prodname_code_scanning %} for multiple repositories in an organization using security overview will override any existing {% data variables.product.prodname_code_scanning %} configurations for the selected repositories, including any previous query suite selections and workflows for advanced setups. > * You can enable default setup for eligible repositories that do not contain {% data variables.product.prodname_codeql %}-supported languages. If a {% data variables.product.prodname_codeql %}-supported language is later added to one of these repositories, default setup will begin scanning that repository and consuming {% data variables.product.prodname_actions %} minutes. -{% else %} +{%- else %} > Enabling {% data variables.product.prodname_code_scanning %} for multiple repositories in an organization using security overview will override any existing {% data variables.product.prodname_code_scanning %} configurations for the selected repositories, including any previous query suite selections and workflows for advanced setups. -{% endif %} +{%- endif %} ![Screenshot of the "Security coverage" view with the side panel open. The "Apply changes" button is highlighted in a dark orange outline.](/assets/images/help/security-overview/security-coverage-view-multi-repo-side-panel.png) 
@@ -174,8 +172,6 @@ You can select all of the displayed repositories, or a subset of them, and enabl {% endif %} -{% endif %} - {% ifversion code-scanning-merge-protection-rulesets %} {% ifversion ghes or ghec %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md index 9362ffa147a9..8b480bb91ae8 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md 
@@ -70,3 +70,20 @@ After configuring {% data variables.product.prodname_code_scanning %} for your r 1. Optionally, to see more detail about the commit that triggered the workflow run, click the short commit hash. The short commit hash is 7 lowercase characters immediately following the commit author's username. 1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository). + +{% ifversion org-private-registry %} + +### Determining whether {% data variables.product.prodname_code_scanning %} default setup used any private registries + +{% data variables.product.prodname_code_scanning_caps %} default setup includes a `Setup proxy or registries` step. When you are looking at a log file for default setup, you can expand this step. If the step includes: + +* `Using registries_credentials input.` At least one private registry is configured for the organization. + +* `Credentials loaded for the following registries:` + * No further output in the step. Access was unsuccessful. + * `Type: nuget_feed;` Default set up accessed a private Nuget feed. + * `Type: maven_repository;` Default set up accessed a private Maven repository. + +For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). + +{% endif %} diff --git a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md index 7c58d1741a70..21ddf41cc653 100644 --- a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md 
+++ b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md @@ -94,7 +94,7 @@ When creating a secret in an organization, you can use a policy to limit which r {% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.org_settings %} -{% data reusables.dependabot.sidebar-secret %} +{% data reusables.dependabot.sidebar-secret %} {% ifversion org-private-registry %}Ignore the "Private Registries" option, this is used only by {% data variables.product.prodname_code_scanning %} default setup.{% endif %} 1. Click **New organization secret**. 1. Type a name for your secret in the **Name** input box. 1. Enter the **Value** for your secret. diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md index 5e7534829c6d..3df609ef06c4 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md 
@@ -28,7 +28,11 @@ To help you triage alerts more effectively, {% data variables.product.company_sh * **Default** alerts * **Experimental** alerts -![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "Default" and "Experimental" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-default-alert-view.png) +{% ifversion secret-scanning-alert-experimental-list-toggle %} +![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "Default" and "Experimental" alerts is highlighted with an orange outline.](/assets/images/enterprise/3.16/help/security/secret-scanning-default-alert-view.png) +{% else %} +![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The sidebar menu items for "Default" and "Experimental" alerts are highlighted with an orange outline.](/assets/images/help/security/secret-scanning-default-alert-view.png) +{% endif %} {% else %} * **High confidence** alerts. @@ -99,6 +103,10 @@ You can apply various filters to the alerts list to help you find the alerts you |---------|-----------| |`is:open`|Displays open alerts.| |`is:closed`|Displays closed alerts.| +| {% ifversion secret-scanning-alert-plaid-filters %} | +|`is:publicly-leaked`|Displays alerts for secrets that have been found in a public repository.| +|`is:multi-repository`|Displays alerts for secrets that have been found in more than one repository within the same organization or enterprise.| +| {% endif %} | | {% ifversion secret-scanning-bypass-filter %} | |`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).| | {% endif %} | 
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries.md new file mode 100644 index 000000000000..06b84837ada6 --- /dev/null +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries.md 
@@ -0,0 +1,68 @@ +--- +title: Giving security features access to private registries +shortTitle: Give access to private registries +intro: 'If your organization uses private registries, you can improve the results of {% data variables.product.prodname_code_scanning %} analysis and enable {% data variables.product.prodname_dependabot %} to maintain more dependencies by setting up access to these registries.' +allowTitleToDifferFromFilename: true +versions: + feature: org-private-registry +topics: + - Advanced Security + - Organizations + - Security +--- + +## About the importance of providing access to private registries + +When a repository uses code stored in a private registry, some security features need access to the registry to enable them to work effectively. Without access to all the dependencies of a repository, {% data variables.product.prodname_code_scanning %} default setup and {% data variables.product.prodname_dependabot %} are limited. + +## {% data variables.product.prodname_code_scanning_caps %} default setup access to private registries + +{% data reusables.code-scanning.preview-org-private-registry %} + +{% data variables.product.prodname_code_scanning_caps %} default setup analyzes {% data variables.code-scanning.no_build_support %} code without building it. If you do not define access to the private registries your organization uses, then {% data variables.product.prodname_code_scanning %} will only gather necessary data from dependencies available in public registries. Most times, this is enough for surfacing most of the vulnerabilities. However, in some cases the lack of access can lead to false negative results, that is, {% data variables.product.prodname_code_scanning %} is unable to detect a vulnerability in the code because it does not have all the information it needs to analyze the code. 
For example, some of the data flow paths may not be detected because steps are defined in dependencies that are not accessible and {% data variables.product.prodname_code_scanning %} does not know how to interpret them. + +When you configure access to the private registries used in your organization, {% data variables.product.prodname_code_scanning %} has access to all the information it needs and is much less likely to miss a vulnerability. + +> [!TIP] +> You can define one private Maven registry and one private NuGet feed for each organization. If the codebases in your organization use more than one registry or feed, you should define access to the most important registry for the codebases in that organization. + +### Defining registry access for {% data variables.product.prodname_code_scanning %} default setup + +You need to be an **organization owner** to set up access to private registries in the user interface. You can also use the REST API with organization owner or `{read,write}_org_private_registries` permission. + +1. On the **Settings** tab for the organization, scroll down to the "Security" section and select **Secrets and variables**. +1. In the expanded list of secrets and variables, select **Private registries** to display the "Private Registries" page. +1. Select **New private registry** to add access details for a private registry. +1. Use the **URL** and **Type** fields to define the location and type of the registry: + * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/`. + * **Type** is the type of registry. +1. Select either **Token** or **Username and password**, depending on the authentication method, then enter data into the appropriate fields. +1. Define which repositories in the organization can access the private registry using these details: all, private and internal, or selected repositories only. +1. 
When you have finished defining the private registry, select **Add Registry** to save the registry information. + +> [!TIP] +> When you add a private registry to an organization the token or password is stored as an encrypted secret. Once the registry is created, the token or password cannot be viewed again. + +### Enabling {% data variables.product.prodname_code_scanning %} default setup to use a registry definition + +When you enable {% data variables.product.prodname_code_scanning %} default setup for a repository or group of repositories, {% data variables.product.github %} checks whether the repositories have access to any existing private registries. If any private registries are available to a repository, {% data variables.product.prodname_code_scanning %} will use the relevant definitions during analysis. + +When configuring private registries for the first time, you need to disable and re-enable {% data variables.product.prodname_code_scanning %} default setup for any repositories that you want to use the new definition. New or modified configurations will be automatically picked up on subsequent runs. + +You can confirm whether private registries were used successfully by {% data variables.product.prodname_code_scanning %} analysis by looking in the Actions log files, see "[Determining whether code scanning default setup used any private registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#determining-whether-code-scanning-default-setup-used-any-private-registries)." + +## {% data variables.product.prodname_code_scanning_caps %} advanced setup access to private registries + +{% data variables.product.prodname_code_scanning_caps %} advanced setup uses any private registries available to the workflow that runs the analysis using the `codeql-action`. It does not have access to the organization-level private registries used by default setup. 
+ +For compiled languages, the `codeql-action` must observe a build of the code. You can either revise your existing build workflow to also run the `codeql-action` or create a new workflow that builds the production version of the code and also runs the `codeql-action`. + +Any private registries used by the build must also be accessible to the workflow that runs the `codeql-action`. For more information on advanced setup, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql). + +## {% data variables.product.prodname_dependabot %} updates access to private registries + +{% data variables.product.prodname_dependabot %} uses any private registries defined in the `dependabot.yml` file. It does not have access to the organization-level private registries used by {% data variables.product.prodname_code_scanning %} default setup. + +{% data variables.product.prodname_dependabot %} cannot check for security or version updates for code stored in a private registry unless it can access the registry. If you do not configure access to the private registry, then {% data variables.product.prodname_dependabot %} cannot raise pull requests to update any of the dependencies stored in the registry. + +When you configure access to one or more private registries, {% data variables.product.prodname_dependabot %} can propose pull requests to upgrade a vulnerable dependency or to maintain a dependency, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). 
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/index.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/index.md index f8a4c8eeb244..ea4d2b3cb81a 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/index.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/index.md @@ -13,7 +13,7 @@ children: - /creating-a-custom-security-configuration - /applying-a-custom-security-configuration - /configuring-global-security-settings-for-your-organization + - /giving-org-access-private-registries redirect_from: - /code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations --- - diff --git a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md index f978eafc551c..0e85705d58a7 100644 --- a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md +++ b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md 
@@ -49,6 +49,14 @@ You can also create and manage security configurations using the REST API. For m
 
 While {% data variables.product.prodname_security_configurations %} determine repository-level security settings, {% data variables.product.prodname_global_settings %} determine your organization-level security settings, which are then inherited by all repositories. With {% data variables.product.prodname_global_settings %}, you can customize how security features analyze your organization{% ifversion ghes < 3.16 %}, as well as grant a team permission to manage security alerts and settings across your organization{% endif %}.
 
+{% ifversion org-private-registry %}
+
+## About enabling secure access to private registries
+
+If your organization uses private registries, providing {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} secure access to these registries will improve code analysis and allow {% data variables.product.prodname_dependabot %} to update a wider range of dependencies. For information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries).
+
+{% endif %}
+
 ## Next steps
 
 {% ifversion security-configurations-cloud %}
diff --git a/data/features/org-private-registry.yml b/data/features/org-private-registry.yml
new file mode 100644
index 000000000000..0f16ea58e900
--- /dev/null
+++ b/data/features/org-private-registry.yml
@@ -0,0 +1,6 @@
+# Reference: #16102
+# Organization-level definition of private registries. This feature is not yet available for GitHub Enterprise Server.
+# Limited to use with CodeQL code scanning default setup.
+versions:
+  fpt: '*'
+  ghec: '*'
diff --git a/data/features/secret-scanning-alert-experimental-list-toggle.yml b/data/features/secret-scanning-alert-experimental-list-toggle.yml
new file mode 100644
index 000000000000..c9729245eca6
--- /dev/null
+++ b/data/features/secret-scanning-alert-experimental-list-toggle.yml
@@ -0,0 +1,3 @@
+# Documentation for secret scanning experimental alert list, the top-right toggle was removed in 3.17 in favor of the left sidebar item
+versions:
+  ghes: '>=3.16 <3.17'
diff --git a/data/features/secret-scanning-alert-plaid-filters.yml b/data/features/secret-scanning-alert-plaid-filters.yml
new file mode 100644
index 000000000000..9ebcbf5d63ce
--- /dev/null
+++ b/data/features/secret-scanning-alert-plaid-filters.yml
@@ -0,0 +1,5 @@
+# Documentation for secret scanning public leak and additional detection filters (PLAID)
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.17'
diff --git a/data/reusables/code-scanning/preview-org-private-registry.md b/data/reusables/code-scanning/preview-org-private-registry.md
new file mode 100644
index 000000000000..07680142e7cd
--- /dev/null
+++ b/data/reusables/code-scanning/preview-org-private-registry.md
@@ -0,0 +1,6 @@
+{% ifversion org-private-registry %}
+
+> [!NOTE]
+> Configuring private registries for {% data variables.product.prodname_code_scanning %} default setup to use in an organization is currently in {% data variables.release-phases.public_preview %} and subject to change. Supported registries are: Maven repositories and NuGet feeds.
+
+{% endif %}
diff --git a/src/frame/middleware/index.ts b/src/frame/middleware/index.ts
index d93377e09ed4..42c34fc6dca9 100644
--- a/src/frame/middleware/index.ts
+++ b/src/frame/middleware/index.ts
@@ -113,7 +113,11 @@ export default function (app: Express) {
   }
 
   // *** Observability ***
-  if (process.env.DD_API_KEY) {
+  // This DD_API_KEY is only being used to determine if the target
+  // deployment environment is production. The key is not actually
+  // used for sending data. Afer migrating to Moda, we can remove
+  // the DD_API_KEY.
+  if (process.env.DD_API_KEY || process.env.MODA_PROD_SERVICE_ENV) {
     app.use(datadog)
   }
 
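Review bot: The new condition `process.env.DD_API_KEY || process.env.MODA_PROD_SERVICE_ENV` tests whether the variable is present, not what it holds, so any non-empty value such as `'false'` or `'0'` also switches the datadog middleware on; a flag that is meant to carry `'true'` should be compared to that literal, `if (process.env.DD_API_KEY || process.env.MODA_PROD_SERVICE_ENV === 'true') {`, so a mis-set variable cannot silently select the production path. The same presence check is repeated as `isServiceEnvProduction` in the first hunk of src/observability/lib/statsd.js, where it also drives `mock` and therefore whether metrics are emitted at all, so the comparison belongs there too. The explanatory comment misspells "After" as `Afer` in both files. The enclosing function continues outside the hunk.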
diff --git a/src/observability/lib/statsd.js b/src/observability/lib/statsd.js
index c557b0163cb6..64f0557c4f59 100644
--- a/src/observability/lib/statsd.js
+++ b/src/observability/lib/statsd.js
@@ -1,7 +1,22 @@
 import StatsD from 'hot-shots'
 
-const { HEROKU_APP_NAME, NODE_ENV, DD_API_KEY, MODA_APP_NAME } = process.env
-const mock = Boolean(NODE_ENV === 'test' || !DD_API_KEY)
+const {
+  HEROKU_APP_NAME,
+  NODE_ENV,
+  DD_API_KEY,
+  MODA_APP_NAME,
+  MODA_PROD_SERVICE_ENV,
+  KUBE_NODE_HOSTNAME,
+  DD_DOGSTATSD_PORT,
+  DD_AGENT_HOST,
+} = process.env
+
+// This DD_API_KEY is only being used to determine if the target
+// deployment environment is production. The key is not actually
+// used for sending data. Afer migrating to Moda, we can remove
+// the DD_API_KEY.
+const isServiceEnvProduction = DD_API_KEY || MODA_PROD_SERVICE_ENV
+const mock = NODE_ENV === 'test' || !isServiceEnvProduction
 
 // MODA_APP_NAME gets set when the deploy target is Moda
 const modaApp = MODA_APP_NAME ? `moda_app_name:${MODA_APP_NAME}` : false
@@ -14,6 +29,16 @@ export const tags = ['app:docs', modaApp, herokuApp].filter(Boolean)
  * @type {import('hot-shots').StatsD}
  */
 export default new StatsD({
+  // When host and port are not set, hot-shots will default to the
+  // DD_AGENT_HOST and DD_DOGSTATSD_PORT environment variables.
+  // If undefined, the host will default to 'localhost' and the port
+  // will default to 8125.
+  // Azure docker templates configure DD_AGENT_HOST but not DD_DOGSTATSD_PORT.
+  // Moda configuration defines DD_DOGSTATSD_PORT but not DD_AGENT_HOST.
+  // For Moda, the host must be set to the Kubernetes node name, which is
+  // set in KUBE_NODE_HOSTNAME.
+  host: DD_AGENT_HOST || KUBE_NODE_HOSTNAME,
+  port: DD_DOGSTATSD_PORT,
   prefix: 'docs.',
   mock,
   globalTags: tags,
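Review bot: `port: DD_DOGSTATSD_PORT` in the second hunk hands the raw environment string to hot-shots, whose option is documented as a number, and the comment directly above says the library already falls back to that same variable when the option is unset, so the line changes the value's type while adding nothing over the default. `port: DD_DOGSTATSD_PORT ? Number(DD_DOGSTATSD_PORT) : undefined,` keeps the fallback and makes a malformed value visible as `NaN` instead of an unexpected string. For `host`, when `mock` is false and neither `DD_AGENT_HOST` nor `KUBE_NODE_HOSTNAME` is set, the comment says traffic goes to `localhost`; a one-line startup log in that case would keep a misconfigured production deployment from dropping metrics silently. The options object passed to `new StatsD(` continues past the end of the hunk.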