Merge pull request #36353 from github/repo-sync

docs-bot · web-flow · commit e1318f1c297d · 2025-02-18T07:36:44.000-05:00
Repo sync
diff --git a/content/repositories/creating-and-managing-repositories/about-repositories.md b/content/repositories/creating-and-managing-repositories/about-repositories.md
@@ -80,6 +80,18 @@ When you create a repository, you can choose to make the repository public or pr
 * Internal repositories are accessible to all enterprise members. For more information, see [About internal repositories](#about-internal-repositories).
 {%- endif %}
 
+{% ifversion fpt or ghec %}
+
+### Security considerations for repository visibility
+
+Public repositories expose your codebase to everyone, increasing the risk that attackers might exploit vulnerabilities or access sensitive information. You can mitigate these risks by enabling {% data variables.product.github %} security features such as {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_secret_scanning %}, push protection, and {% data variables.product.prodname_code_scanning %} for the repository. Additionally, you should add a security policy (a `SECURITY.md` file) to your repository, that outlines how vulnerabilities should be reported, to ensure that potential threats are addressed efficiently.
+
+Although private repositories restrict access to authorized users, it's still essential to implement strong access controls, multi-factor authentication, and regular audits to mitigate risks.
+
+For more information, see [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-repository).
+
+{% endif %}
+
 Organization owners always have access to every repository created in an organization. For more information, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization).
 
 People with admin permissions for a repository can change an existing repository's visibility. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility).
diff --git a/content/repositories/creating-and-managing-repositories/best-practices-for-repositories.md b/content/repositories/creating-and-managing-repositories/best-practices-for-repositories.md
@@ -1,7 +1,7 @@
 ---
 title: Best practices for repositories
 shortTitle: Best practices
-intro: Learn how to use repositories most effectively.
+intro: Learn how to use repositories effectively and securely.
 versions:
   fpt: '*'
   ghes: '*'
@@ -16,6 +16,22 @@ To make it easier for people to understand and navigate your work, we recommend
 
 {% data reusables.repositories.about-READMEs %} For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes).
 
+## Secure your repository
+
+You should secure your repository using {% data variables.product.github %}'s available security features to protect your code from vulnerabilities, unauthorized access, and other potential security threats. At a minimum, you should enable the following features{% ifversion fpt or ghec %}, which are available for **free for public repositories**{% endif %}:
+
+* **{% data variables.product.prodname_dependabot_alerts %}** notify you of security vulnerabilities in your project's dependency network, so that you can update the affected dependency to a more secure version.
+* **{% data variables.product.prodname_secret_scanning_caps %}** scans your repository for secrets (such as API keys and tokens) and alerts you if a secret is found, so that you can remove the secret from your repository.
+* **Push protection** prevents you (and your collaborators) from introducing secrets to the repository in the first place, by blocking pushes containing supported secrets.
+* **{% data variables.product.prodname_code_scanning_caps %}** identifies vulnerabilities and errors in your repository's code, so that you can fix these issues early and prevent a vulnerability or error being exploited by malicious actors.
+
+Additionally, you might also consider:
+
+* Adding a `SECURITY.md` file to your repository. The `SECURITY.md` file provides instructions to collaborators on how to report security vulnerabilities found in your project and encourages responsible disclosure.{% ifversion fpt or ghec %}
+* Enabling "Private vulnerability reporting" for the repository, which lets collaborators and security researchers privately disclose vulnerabilities found in your repository to you.{% endif %}
+
+For more information, see [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-repository).
+
 ## Favor branching over forking
 
 To streamline collaboration, we recommend that regular collaborators work from a single repository, creating pull requests between branches instead of between repositories. Forking is best suited for accepting contributions from people that are unaffiliated with a project, such as open-source contributors.
diff --git a/content/repositories/creating-and-managing-repositories/creating-a-new-repository.md b/content/repositories/creating-and-managing-repositories/creating-a-new-repository.md
@@ -73,6 +73,7 @@ If you create an invalid URL using query parameters, or if you don’t have the
 
 ## Further reading
 
+* [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-repository)
 * [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories)
 * [Open Source Guides](https://opensource.guide/){% ifversion fpt or ghec %}
 * [{% data variables.product.prodname_learning %}]({% data variables.product.prodname_learning_link %}){% endif %}
diff --git a/content/repositories/creating-and-managing-repositories/quickstart-for-repositories.md b/content/repositories/creating-and-managing-repositories/quickstart-for-repositories.md
@@ -122,6 +122,8 @@ You have now created a repository, including a _README_ file, and created your f
 
 {% endwebui %}
 
+* Secure your repository using {% data variables.product.github %}'s available security features. For more information, see [AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-repository).
+
 * You can find interesting projects and repositories on {% data variables.product.prodname_dotcom %} and make changes to them by creating a fork of the repository. {% data reusables.getting-started.fork-a-repository %}
 
 * {% data reusables.getting-started.being-social %}
diff --git a/content/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository.md b/content/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository.md
@@ -31,22 +31,38 @@ shortTitle: Security & analysis
 
 {% endif %}
 
+## About security and analysis settings for your repository
+
+{% data variables.product.github %} offers a number of different security features that you can enable for your repository to
+protect your code from vulnerabilities, unauthorized access, and other potential security threats. {% ifversion fpt or ghec %}Many of these features are available for **free for public repositories**.{% endif %}
+
 {% ifversion fpt or ghec %}
 
 ## Enabling or disabling security and analysis features for public repositories
 
-You can manage a subset of security and analysis features for public repositories. Other features are permanently enabled, including dependency graph and {% data variables.secret-scanning.partner_alerts %}.
+You can manage a subset of security and analysis features for public repositories.
+
+At a minimum, you should enable the following for your public repository:
+
+* **{% data variables.product.prodname_dependabot_alerts %}** notify you of security vulnerabilities in your project's dependency network, so that you can update the affected dependency to a more secure version.
+* **{% data variables.product.prodname_secret_scanning_caps %}** scans your repository for secrets (such as API keys and tokens) and alerts you if a secret is found, so that you can remove the secret from your repository.
+* **Push protection** prevents you (and your collaborators) from introducing secrets to the repository in the first place, by blocking pushes containing supported secrets.
+* **{% data variables.product.prodname_code_scanning_caps %}** identifies vulnerabilities and errors in your repository's code, so that you can fix these issues early and prevent a vulnerability or error being exploited by malicious actors.
+
+Other features are permanently enabled for public repositories, such as the dependency graph, which shows you all the libraries and packages that your repository depends upon.
 
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
 {% data reusables.repositories.navigate-to-code-security-and-analysis %}
 1. Under {% ifversion code-security-wording-only %}"Code security"{% else %}"Code security and analysis"{% endif %}, to the right of the feature, click **Disable** or **Enable**.
+
 {% endif %}
 
 ## Enabling or disabling security and analysis features{% ifversion fpt or ghec %} for private repositories{% endif %}
 
 You can manage the security and analysis features for your {% ifversion fpt or ghec %}private or internal {% endif %}repository.{% ifversion ghes or ghec %} If your enterprise or organization has a license for {% data variables.product.prodname_GH_advanced_security %}, then extra options are available. {% data reusables.advanced-security.more-info-ghas %}
 {% elsif fpt %} Organizations that use {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_advanced_security %} have extra options available. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest//repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories).
+
 {% endif %}
 
 {% data reusables.security.security-and-analysis-features-enable-read-only %}
@@ -64,6 +80,10 @@ You can manage the security and analysis features for your {% ifversion fpt or g
 
 ## Granting access to security alerts
 
+{% data variables.product.github %} security alerts are automated notifications that inform you when vulnerabilities are found in your repository's dependencies or code. They prompt you to review and remediate these issues, helping to keep your project secure.
+
+You can find security alerts from {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_secret_scanning_caps %}, and {% data variables.product.prodname_code_scanning_caps %} under your repository's **Security** tab.
+
 Security alerts for a repository are visible to people with write, maintain, or admin access to the repository and, when the repository is owned by an organization, organization owners. You can give additional teams and people access to the alerts.
 
 > [!NOTE]
diff --git a/content/support/contacting-github-support/viewing-and-updating-support-tickets.md b/content/support/contacting-github-support/viewing-and-updating-support-tickets.md
@@ -65,7 +65,7 @@ You can also comment on tickets opened by someone else and associated with your
 
 ## Requesting a callback
 
-You can request a callback for urgent or high priority tickets{% ifversion ghec %} if your account includes {% data variables.contact.premium_support %}{% endif %}. From the ticket, click **Request a callback from GitHub Support**.
+If your account includes {% data variables.contact.premium_support %}, you can request a callback for urgent or high priority tickets. From the ticket, click **Request a callback from GitHub Support**.
 
 ## Requesting an escalation
 
