Merge branch 'main' into patch-2

anhy999 · Oct 3, 2024 · 2a00fd9 · 2a00fd9
2 parents b71d10a + 3d238db
commit 2a00fd9
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 27 deletions.
diff --git a/...urity/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md b/...urity/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts.md
@@ -22,7 +22,7 @@ allowTitleToDifferFromFilename: true
 There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:
 
 * Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %}
-* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}
+* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand validity check](#performing-an-on-demand-validity-check)."{% endif %}
 * Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% ifversion secret-scanning-multi-repo-public-leak %}
 * Review the labels assigned to the alert. For more information, see "[Reviewing alert labels](#reviewing-alert-labels)."{% endif %}
 

diff --git a/...curity/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md b/...curity/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts.md
@@ -19,18 +19,48 @@ allowTitleToDifferFromFilename: true
 
 ## Fixing alerts
 
-Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
+Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
 
-* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
-{%- ifversion token-audit-log %}
-  * {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
-{%- endif %}
-* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.
+* Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.github %} tokens only**. See "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
+* For secrets detected in private repositories, report the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.github %} {% data variables.product.pat_generic %}s only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
+* Review and update any services that use the old token. For {% data variables.product.github %} {% data variables.product.pat_generic %}s, delete the compromised token and create a new token. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
+* Depending on the secret provider, check your security logs for any unauthorized activity.
 
-{% ifversion fpt or ghec %}
+{% ifversion secret-scanning-report-secret-github-pat %}
+
+### Reporting a leaked secret
 
 > [!NOTE]
-> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+> {% data reusables.secret-scanning.report-secret-pat-beta-note %} The feature is currently only available for {% data variables.product.github %} {% data variables.product.pat_generic %}s (v1 and v2).
+
+{% endif %}
+
+{% ifversion fpt or ghec %}
+
+If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a supported partner pattern, the potential secret is **automatically reported** to the service provider. For details of all supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
+
+{% endif %}
+
+{% ifversion secret-scanning-report-secret-github-pat %}
+
+For secrets detected in **private** repositories, anyone who can view {% data variables.secret-scanning.alerts %} for a repository can choose to report the privately exposed secret directly to {% data variables.product.github %}.
+
+By reporting the secret, the token provider will treat the privately exposed secret as if it had been publicly leaked. This means the token provider may revoke the secret, so you should first consider reviewing and updating any services that use the secret. If possible, you should also consider notifying the token owner before reporting the token, so that the token owner is aware that the secret may get revoked.
+
+You will only see the option to report a privately exposed secret to {% data variables.product.github %} if the following conditions are met:
+
+* The secret is a {% data variables.product.github %} {% data variables.product.pat_generic %}.
+* The secret's validity has not been confirmed, or the secret's validity has been confirmed as `active`.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
+1. From the alert list, click the alert you want to view.
+1. In the alert view for the leaked secret, click **Report leak**.
+
+   > [!NOTE] In order to prevent breaking workflows, consider first rotating the secret before continuing, as disclosing it could lead to the secret being revoked. If possible, you should also reach out to the token owner to let them know about the leak and coordinate a remediation plan.
+
+1. Review the information in the dialog box, then click **I understand the consequence, report this secret**.
 
 {% endif %}
 

diff --git a/data/features/secret-scanning-report-secret-github-pat.yml b/data/features/secret-scanning-report-secret-github-pat.yml
@@ -0,0 +1,4 @@
+# Reference: #15374
+# Secret scanning one-click report and revocation (for GitHub PATs only)
+versions:
+  ghec: '*'
diff --git a/data/reusables/copilot-business-for-non-ghe/assign-licenses.md b/data/reusables/copilot-business-for-non-ghe/assign-licenses.md
@@ -1,7 +1,7 @@
 When you have created a team in the enterprise, you can assign licenses to all members of the team.
 
-{% data reusables.enterprise-accounts.settings-tab %}
-1. Under {% octicon "gear" aria-hidden="true" %} **Settings**, click **Enterprise licensing**.
+{% data reusables.billing.enterprise-billing-menu %}
+1. Under {% octicon "credit-card" aria-hidden="true" %} **Billing & Licensing**, click **Licensing**.
 1. In the "{% data variables.product.prodname_copilot_business_short %}" section, click **Manage seats**.
 
    ![Screenshot of the "{% data variables.product.prodname_copilot_business_short %}" section. A button, labeled "Manage seats", is highlighted with an orange outline.](/assets/images/help/copilot/copilot-business-manage-seats.png)

diff --git a/data/reusables/secret-scanning/report-secret-pat-beta-note.md b/data/reusables/secret-scanning/report-secret-pat-beta-note.md
@@ -0,0 +1 @@
+Reporting a privately exposed secret to {% data variables.product.github %} is in {% data variables.release-phases.public_preview %} and subject to change.
diff --git a/src/secret-scanning/data/public-docs.yml b/src/secret-scanning/data/public-docs.yml
@@ -498,6 +498,17 @@
   hasPushProtection: true
   hasValidityCheck: false
   isduplicate: false
+- provider: Azure
+  supportedSecret: Azure OpenAI Key
+  secretType: azure_openai_key
+  versions:
+    fpt: '*'
+    ghec: '*'
+  isPublic: true
+  isPrivateWithGhas: true
+  hasPushProtection: true
+  hasValidityCheck: false
+  isduplicate: false
 - provider: Azure
   supportedSecret: Azure Relay Key Identifiable
   secretType: azure_relay_key_identifiable
@@ -719,6 +730,17 @@
   hasPushProtection: true
   hasValidityCheck: false
   isduplicate: false
+- provider: Cfx.re
+  supportedSecret: Cfx.re Server Key
+  secretType: cfxre_server_key
+  versions:
+    fpt: '*'
+    ghec: '*'
+  isPublic: true
+  isPrivateWithGhas: false
+  hasPushProtection: false
+  hasValidityCheck: false
+  isduplicate: false
 - provider: Checkout.com
   supportedSecret: Checkout.com Production Secret Key
   secretType: checkout_production_secret_key
@@ -821,7 +843,7 @@
     ghes: '*'
   isPublic: true
   isPrivateWithGhas: false
-  hasPushProtection: true
+  hasPushProtection: false
   hasValidityCheck: false
   isduplicate: false
 - provider: Contentful
@@ -833,7 +855,7 @@
     ghes: '*'
   isPublic: false
   isPrivateWithGhas: true
-  hasPushProtection: false
+  hasPushProtection: true
   hasValidityCheck: false
   isduplicate: false
 - provider: Contributed Systems
@@ -2154,6 +2176,17 @@
   hasPushProtection: false
   hasValidityCheck: false
   isduplicate: false
+- provider: Netflix
+  supportedSecret: Netflix NetKey
+  secretType: netflix_netkey
+  versions:
+    fpt: '*'
+    ghec: '*'
+  isPublic: true
+  isPrivateWithGhas: false
+  hasPushProtection: false
+  hasValidityCheck: false
+  isduplicate: false
 - provider: New Relic
   supportedSecret: New Relic Insights Query Key
   secretType: new_relic_insights_query_key
@@ -2588,18 +2621,6 @@
   hasPushProtection: true
   hasValidityCheck: false
   isduplicate: false
-- provider: Postman
-  supportedSecret: Postman API Key
-  secretType: postman_api_key
-  versions:
-    fpt: '*'
-    ghec: '*'
-    ghes: '>=3.5'
-  isPublic: true
-  isPrivateWithGhas: true
-  hasPushProtection: true
-  hasValidityCheck: false
-  isduplicate: false
 - provider: Postman
   supportedSecret: Postman Collection Key
   secretType: postman_collection_key

diff --git a/src/secret-scanning/lib/config.json b/src/secret-scanning/lib/config.json
@@ -1,5 +1,5 @@
 {
-  "sha": "e7e694827d5b0076e65765c704bd594485eee15b",
-  "blob-sha": "612e8fb3ccba3b0278376fc88e2b9e10e486714e",
+  "sha": "6ac440cc8b236597da752259f1d6644f226400bf",
+  "blob-sha": "98f5cf2265e2fe9f7be69217f2073fe6fc2b23bc",
   "targetFilename": "code-security/secret-scanning/introduction/supported-secret-scanning-patterns"
 }