From 072f871ec13551a08e8c4326cef856a2a1015bc6 Mon Sep 17 00:00:00 2001 
From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Date: Thu, 8 Jan 2026 14:16:23 +0000
Subject: [PATCH 1/2] [Security EDI] Concepts / Supply chain security (#59054)
---
 content/code-security/concepts/index.md | 2 ++
 .../about-dependabot-alerts.md | 2 ++
 .../about-dependabot-auto-triage-rules.md | 4 +++-
 ...ut-dependabot-on-github-actions-runners.md | 5 ++++-
 .../about-dependabot-security-updates.md | 2 ++
 .../about-dependabot-version-updates.md | 4 +++-
 .../about-dependency-review.md | 4 +++-
 .../about-supply-chain-security.md | 4 +++-
 .../about-the-dependency-graph.md | 2 ++
 ...-practices-for-maintaining-dependencies.md | 7 +++++--
 .../immutable-releases.md | 5 ++++-
 .../concepts/supply-chain-security/index.md | 21 +++++++++++++++++++
 .../dependabot/dependabot-alerts/index.md | 2 +-
 .../dependabot-auto-triage-rules/index.md | 4 ++--
 .../dependabot-security-updates/index.md | 2 +-
 .../dependabot-version-updates/index.md | 4 ++--
 .../dependabot/maintain-dependencies/index.md | 4 ++--
 .../working-with-dependabot/index.md | 4 ++--
 content/code-security/index.md | 9 ++++----
 .../index.md | 5 +----
 data/learning-tracks/code-security.yml | 8 +++----
 21 files changed, 74 insertions(+), 30 deletions(-)
 rename content/code-security/{dependabot/dependabot-alerts => concepts/supply-chain-security}/about-dependabot-alerts.md (99%)
 rename content/code-security/{dependabot/dependabot-auto-triage-rules => concepts/supply-chain-security}/about-dependabot-auto-triage-rules.md (97%)
 rename content/code-security/{dependabot/working-with-dependabot => concepts/supply-chain-security}/about-dependabot-on-github-actions-runners.md (98%)
 rename content/code-security/{dependabot/dependabot-security-updates => concepts/supply-chain-security}/about-dependabot-security-updates.md (98%)
 rename content/code-security/{dependabot/dependabot-version-updates => concepts/supply-chain-security}/about-dependabot-version-updates.md (95%)
 rename 
content/code-security/{supply-chain-security/understanding-your-software-supply-chain => concepts/supply-chain-security}/about-dependency-review.md (96%)
 rename content/code-security/{supply-chain-security/understanding-your-software-supply-chain => concepts/supply-chain-security}/about-supply-chain-security.md (99%)
 rename content/code-security/{supply-chain-security/understanding-your-software-supply-chain => concepts/supply-chain-security}/about-the-dependency-graph.md (97%)
 rename content/code-security/{dependabot/maintain-dependencies => concepts/supply-chain-security}/best-practices-for-maintaining-dependencies.md (96%)
 rename content/code-security/{supply-chain-security/understanding-your-software-supply-chain => concepts/supply-chain-security}/immutable-releases.md (90%)
 create mode 100644 content/code-security/concepts/supply-chain-security/index.md
diff --git a/content/code-security/concepts/index.md b/content/code-security/concepts/index.md
index fa3d9c3036be..a484c4c66439 100644
--- a/content/code-security/concepts/index.md
+++ b/content/code-security/concepts/index.md
@@ -15,4 +15,6 @@ topics:
 - Dependencies
 - Dependabot
 contentType: concepts
+children:
+ - supply-chain-security
 ---
diff --git a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md b/content/code-security/concepts/supply-chain-security/about-dependabot-alerts.md
similarity index 99%
rename from content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md
rename to content/code-security/concepts/supply-chain-security/about-dependabot-alerts.md
index af2783255d32..2c01fdc18da7 100644
--- a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md
+++ b/content/code-security/concepts/supply-chain-security/about-dependabot-alerts.md
@@ -8,6 +8,7 @@ redirect_from:
 - /github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
 - /code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies
 - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
+ - /code-security/dependabot/dependabot-alerts/about-dependabot-alerts
 versions:
 fpt: '*'
 ghes: '*'
@@ -20,6 +21,7 @@ topics:
 - Repositories
 - Dependencies
 shortTitle: Dependabot alerts
+contentType: concepts
 ---
diff --git a/content/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules.md b/content/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules.md
similarity index 97%
rename from content/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules.md
rename to content/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules.md
index d71ae8559afb..89d3f4b9cc21 100644
--- a/content/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules.md
+++ b/content/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules.md
@@ -13,10 +13,12 @@ topics:
 - Vulnerabilities
 - Repositories
 - Dependencies
-shortTitle: About auto-triage rules
+shortTitle: Dependabot auto-triage rules
 redirect_from:
 - /code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts
 - /code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules
+ - /code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules
+contentType: concepts
 ---
 
 ## About {% data variables.dependabot.auto_triage_rules %}
diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md
similarity index 98%
rename from content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md
rename to content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md
index 611dfdded5c2..33e4f1455383 100644
--- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md
+++ b/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md
@@ -1,7 +1,7 @@
 ---
 title: About Dependabot on GitHub Actions runners
 intro: '{% data variables.product.prodname_dotcom %} automatically runs the jobs that generate {% data variables.product.prodname_dependabot %} pull requests on {% data variables.product.prodname_actions %} if you have {% data variables.product.prodname_actions %} enabled for the repository. When {% data variables.product.prodname_dependabot %} is enabled, these jobs will run by bypassing Actions policy checks and disablement at the repository or organization level.'
-shortTitle: About Dependabot on Actions
+shortTitle: Dependabot on Actions
 product: '{% data reusables.gated-features.dependabot-on-actions %}'
 versions:
 feature: dependabot-on-actions-opt-in
@@ -13,6 +13,9 @@ topics:
 - Actions
 - Dependencies
 - Repositories
+redirect_from:
+ - /code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners
+contentType: concepts
 ---
 
 ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners
diff --git a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md b/content/code-security/concepts/supply-chain-security/about-dependabot-security-updates.md
similarity index 98%
rename from content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md
rename to content/code-security/concepts/supply-chain-security/about-dependabot-security-updates.md
index 641be85859d0..ca00c486dbae 100644
--- a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md
+++ b/content/code-security/concepts/supply-chain-security/about-dependabot-security-updates.md
@@ -8,6 +8,7 @@ redirect_from:
 - /github/managing-security-vulnerabilities/about-dependabot-security-updates
 - /code-security/supply-chain-security/about-dependabot-security-updates
 - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates
+ - /code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
 versions:
 fpt: '*'
 ghec: '*'
@@ -20,6 +21,7 @@ topics:
 - Repositories
 - Dependencies
 - Pull requests
+contentType: concepts
 ---
diff --git a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md b/content/code-security/concepts/supply-chain-security/about-dependabot-version-updates.md
similarity index 95%
rename from content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md
rename to content/code-security/concepts/supply-chain-security/about-dependabot-version-updates.md
index 32dc812632ee..f2efda113234 100644
--- a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md
+++ b/content/code-security/concepts/supply-chain-security/about-dependabot-version-updates.md
@@ -1,6 +1,6 @@
 ---
 title: About Dependabot version updates
-intro: 'You can use {% data variables.product.prodname_dependabot %} to keep the packages you use updated to the latest versions.'
+intro: You can use {% data variables.product.prodname_dependabot %} to keep the packages you use updated to the latest versions.
 product: '{% data reusables.gated-features.dependabot-version-updates %}'
 redirect_from:
 - /github/administering-a-repository/about-dependabot
@@ -10,6 +10,7 @@ redirect_from:
 - /code-security/supply-chain-security/about-dependabot-version-updates
 - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/upgrading-from-dependabotcom-to-github-native-dependabot
 - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates
+ - /code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
 versions:
 fpt: '*'
 ghec: '*'
@@ -22,6 +23,7 @@ topics:
 - Dependencies
 - Pull requests
 shortTitle: Dependabot version updates
+contentType: concepts
 ---
 
 {% data reusables.dependabot.enterprise-enable-dependabot %}
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md b/content/code-security/concepts/supply-chain-security/about-dependency-review.md
similarity index 96%
rename from content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md
rename to content/code-security/concepts/supply-chain-security/about-dependency-review.md
index e850217b2203..e8a72c1b9a65 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md
+++ b/content/code-security/concepts/supply-chain-security/about-dependency-review.md
@@ -1,6 +1,6 @@
 ---
 title: About dependency review
-intro: 'Dependency review lets you catch insecure dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.'
+intro: Dependency review lets you catch insecure dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.
 product: '{% data reusables.gated-features.dependency-review %}'
 shortTitle: Dependency review
 versions:
@@ -16,6 +16,8 @@ topics:
 - Pull requests
 redirect_from:
 - /code-security/supply-chain-security/about-dependency-review
+ - /code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
+contentType: concepts
 ---
 
 ## About dependency review
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/concepts/supply-chain-security/about-supply-chain-security.md
similarity index 99%
rename from content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
rename to content/code-security/concepts/supply-chain-security/about-supply-chain-security.md
index 4d2990608701..c50c80472b4e 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md
+++ b/content/code-security/concepts/supply-chain-security/about-supply-chain-security.md
@@ -1,9 +1,10 @@
 ---
 title: About supply chain security
 intro: '{% data variables.product.github %} helps you secure your supply chain, from understanding the dependencies in your environment, to knowing about vulnerabilities in those dependencies, and patching them.'
-shortTitle: Supply chain security
+shortTitle: Supply chain features
 redirect_from:
 - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies
+ - /code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security
 versions:
 fpt: '*'
 ghes: '*'
@@ -17,6 +18,7 @@ topics:
 - Dependencies
 - Pull requests
 - Repositories
+contentType: concepts
 ---
 
 ## About supply chain security at GitHub
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/concepts/supply-chain-security/about-the-dependency-graph.md
similarity index 97%
rename from content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md
rename to content/code-security/concepts/supply-chain-security/about-the-dependency-graph.md
index cd928cdf98f6..ba6c102169cd 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md
+++ b/content/code-security/concepts/supply-chain-security/about-the-dependency-graph.md
@@ -5,6 +5,7 @@ product: '{% data reusables.gated-features.dependency-graph %}'
 redirect_from:
 - /github/visualizing-repository-data-with-graphs/about-the-dependency-graph
 - /code-security/supply-chain-security/about-the-dependency-graph
+ - /code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
 versions:
 fpt: '*'
 ghes: '*'
@@ -15,6 +16,7 @@ topics:
 - Dependencies
 - Repositories
 shortTitle: Dependency graph
+contentType: concepts
 ---
diff --git a/content/code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies.md b/content/code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies.md
similarity index 96%
rename from content/code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies.md
rename to content/code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies.md
index 8283cef2a3d9..a1926f5486c0 100644
--- a/content/code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies.md
+++ b/content/code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies.md
@@ -1,6 +1,6 @@
 ---
 title: Best practices for maintaining dependencies
-intro: 'Guidance and recommendations for maintaining the dependencies you use, including {% data variables.product.github %}''s security products that can help.'
+intro: Guidance and recommendations for maintaining the dependencies you use, including {% data variables.product.github %}'s security products that can help.
 allowTitleToDifferFromFilename: true
 versions:
 fpt: '*'
@@ -14,7 +14,10 @@ topics:
 - Repositories
 - Dependencies
 - Pull requests
-shortTitle: Dependency management best practices
+shortTitle: Dependency best practices
+redirect_from:
+ - /code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies
+contentType: concepts
 ---
 
 ## Best practices for maintaining dependencies
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases.md b/content/code-security/concepts/supply-chain-security/immutable-releases.md
similarity index 90%
rename from content/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases.md
rename to content/code-security/concepts/supply-chain-security/immutable-releases.md
index 9237a2f5bff0..62ac68903d60 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases.md
+++ b/content/code-security/concepts/supply-chain-security/immutable-releases.md
@@ -1,6 +1,6 @@
 ---
 title: Immutable releases
-intro: 'Learn about immutable releases and how they can help you maintain the integrity of your software supply chain.'
+intro: Learn about immutable releases and how they can help you maintain the integrity of your software supply chain.
 versions:
 fpt: '*'
 ghec: '*'
@@ -9,6 +9,9 @@ topics:
 - Code Security
 - Vulnerabilities
 - Dependencies
+redirect_from:
+ - /code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases
+contentType: concepts
 ---
 
 **Immutable releases** are releases where the assets and associated Git tag cannot be changed after publication. The use of this type of release increases security by blocking supply chain attacks. Attackers cannot:
diff --git a/content/code-security/concepts/supply-chain-security/index.md b/content/code-security/concepts/supply-chain-security/index.md
new file mode 100644
index 000000000000..a500bbdcd359
--- /dev/null
+++ b/content/code-security/concepts/supply-chain-security/index.md
@@ -0,0 +1,21 @@
+---
+title: Supply chain security
+intro: '{% data variables.product.github %}''s security features help you keep track of your projects'' dependencies and built artifacts.'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+contentType: concepts
+children:
+ - about-supply-chain-security
+ - best-practices-for-maintaining-dependencies
+ - about-the-dependency-graph
+ - about-dependency-review
+ - about-dependabot-alerts
+ - about-dependabot-security-updates
+ - about-dependabot-version-updates
+ - about-dependabot-auto-triage-rules
+ - about-dependabot-on-github-actions-runners
+ - immutable-releases
+---
+
diff --git a/content/code-security/dependabot/dependabot-alerts/index.md b/content/code-security/dependabot/dependabot-alerts/index.md
index ddccbfa0b753..b5c9e31410c9 100644
--- a/content/code-security/dependabot/dependabot-alerts/index.md
+++ b/content/code-security/dependabot/dependabot-alerts/index.md
@@ -14,9 +14,9 @@ topics:
 - Repositories
 - Dependencies
 children:
- - /about-dependabot-alerts
 - /configuring-dependabot-alerts
 - /viewing-and-updating-dependabot-alerts
 - /enable-delegated-alert-dismissal
 - /configuring-notifications-for-dependabot-alerts
 ---
+
diff --git a/content/code-security/dependabot/dependabot-auto-triage-rules/index.md b/content/code-security/dependabot/dependabot-auto-triage-rules/index.md
index 8a7200672013..aa7021bcf797 100644
--- a/content/code-security/dependabot/dependabot-auto-triage-rules/index.md
+++ b/content/code-security/dependabot/dependabot-auto-triage-rules/index.md
@@ -1,7 +1,7 @@
 ---
 title: Prioritizing Dependabot alerts with Dependabot auto-triage rules
 shortTitle: Dependabot auto-triage rules
-intro: 'You can use {% data variables.dependabot.auto_triage_rules %} to prioritize {% data variables.product.prodname_dependabot_alerts %}.'
+intro: You can use {% data variables.dependabot.auto_triage_rules %} to prioritize {% data variables.product.prodname_dependabot_alerts %}.
 allowTitleToDifferFromFilename: true
 versions:
 feature: dependabot-auto-triage-rules
@@ -12,10 +12,10 @@ topics:
 - Repositories
 - Dependencies
 children:
- - /about-dependabot-auto-triage-rules
 - /using-github-preset-rules-to-prioritize-dependabot-alerts
 - /customizing-auto-triage-rules-to-prioritize-dependabot-alerts
 - /managing-automatically-dismissed-alerts
 redirect_from:
 - /code-security/dependabot/dependabot-alert-rules
 ---
+
diff --git a/content/code-security/dependabot/dependabot-security-updates/index.md b/content/code-security/dependabot/dependabot-security-updates/index.md
index 3877a1c866f8..a4eb13af82c7 100644
--- a/content/code-security/dependabot/dependabot-security-updates/index.md
+++ b/content/code-security/dependabot/dependabot-security-updates/index.md
@@ -14,7 +14,7 @@ topics:
 - Pull requests
 shortTitle: Dependabot security updates
 children:
- - /about-dependabot-security-updates
 - /configuring-dependabot-security-updates
 - /customizing-dependabot-security-prs
 ---
+
diff --git a/content/code-security/dependabot/dependabot-version-updates/index.md b/content/code-security/dependabot/dependabot-version-updates/index.md
index 366ec0da3382..89a7c27dbfa4 100644
--- a/content/code-security/dependabot/dependabot-version-updates/index.md
+++ b/content/code-security/dependabot/dependabot-version-updates/index.md
@@ -1,6 +1,6 @@
 ---
 title: Keeping your dependencies updated automatically with Dependabot version updates
-intro: 'You can use {% data variables.product.prodname_dependabot %} to automatically keep the dependencies and packages used in your repository updated to the latest version, even when they don’t have any known vulnerabilities.'
+intro: You can use {% data variables.product.prodname_dependabot %} to automatically keep the dependencies and packages used in your repository updated to the latest version, even when they don’t have any known vulnerabilities.
 allowTitleToDifferFromFilename: true
 redirect_from:
 - /github/administering-a-repository/keeping-your-dependencies-updated-automatically
@@ -20,10 +20,10 @@ topics:
 - Dependencies
 - Pull requests
 children:
- - /about-dependabot-version-updates
 - /configuring-dependabot-version-updates
 - /optimizing-pr-creation-version-updates
 - /customizing-dependabot-prs
 - /controlling-dependencies-updated
 shortTitle: Dependabot version updates
 ---
+
diff --git a/content/code-security/dependabot/maintain-dependencies/index.md b/content/code-security/dependabot/maintain-dependencies/index.md
index 7d4d9152d503..42dd72a2b9f7 100644
--- a/content/code-security/dependabot/maintain-dependencies/index.md
+++ b/content/code-security/dependabot/maintain-dependencies/index.md
@@ -1,7 +1,7 @@
 ---
 title: Maintaining dependencies at scale
 shortTitle: Maintain dependencies at scale
-intro: 'You can use {% data variables.product.prodname_dependabot %} to automatically update your dependencies for your repositories and organizations.'
+intro: You can use {% data variables.product.prodname_dependabot %} to automatically update your dependencies for your repositories and organizations.
 versions:
 fpt: '*'
 ghec: '*'
@@ -12,7 +12,7 @@ topics:
 - Security
 - Dependencies
 children:
- - /best-practices-for-maintaining-dependencies
 - /managing-dependabot-on-self-hosted-runners
 - /removing-dependabot-access-to-public-registries
 ---
+
diff --git a/content/code-security/dependabot/working-with-dependabot/index.md b/content/code-security/dependabot/working-with-dependabot/index.md
index d2439e60ec4b..e0c37e892793 100644
--- a/content/code-security/dependabot/working-with-dependabot/index.md
+++ b/content/code-security/dependabot/working-with-dependabot/index.md
@@ -1,7 +1,7 @@
 ---
 title: Working with Dependabot
 shortTitle: Work with Dependabot
-intro: 'Guidance and recommendations for working with {% data variables.product.prodname_dependabot %}, such as managing pull requests raised by {% data variables.product.prodname_dependabot %}, using {% data variables.product.prodname_actions %} with {% data variables.product.prodname_dependabot %}, and troubleshooting {% data variables.product.prodname_dependabot %} errors.'
+intro: Guidance and recommendations for working with {% data variables.product.prodname_dependabot %}, such as managing pull requests raised by {% data variables.product.prodname_dependabot %}, using {% data variables.product.prodname_actions %} with {% data variables.product.prodname_dependabot %}, and troubleshooting {% data variables.product.prodname_dependabot %} errors.
 versions:
 fpt: '*'
 ghec: '*'
@@ -15,7 +15,6 @@ topics:
 - Pull requests
 children:
 - /managing-pull-requests-for-dependency-updates
- - /about-dependabot-on-github-actions-runners
 - /automating-dependabot-with-github-actions
 - /keeping-your-actions-up-to-date-with-dependabot
 - /configuring-access-to-private-registries-for-dependabot
@@ -25,3 +24,4 @@ children:
 - /setting-dependabot-to-run-on-self-hosted-runners-using-arc
 - /setting-dependabot-to-run-on-github-hosted-runners-using-vnet
 ---
+
diff --git a/content/code-security/index.md b/content/code-security/index.md
index 19cb0735e01f..b46ad68c258a 100644
--- a/content/code-security/index.md
+++ b/content/code-security/index.md
@@ -1,14 +1,14 @@
 ---
 title: Security and code quality documentation
 shortTitle: Security and code quality
-intro: 'Build security and code quality into your {% data variables.product.github %} workflow to secure your software supply chain, prevent data leaks, and automatically find and fix vulnerabilities and code health issues in your codebase.'
+intro: Build security and code quality into your {% data variables.product.github %} workflow to secure your software supply chain, prevent data leaks, and automatically find and fix vulnerabilities and code health issues in your codebase.
 redirect_from:
 - /code-security/guides
 introLinks:
 overview: '{% ifversion ghes %}/code-security/getting-started/github-security-features{% endif %}'
 generate_secret_risk_assessment_report_for_free: '{% ifversion secret-risk-assessment %}/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/assess-your-secret-risk{% endif %}'
 featuredLinks:
- startHere: # Links aimed at the builder audience
+ startHere:
 - '{% ifversion fpt or ghec %}/code-security/getting-started/github-security-features{% endif %}'
 - /code-security/getting-started/quickstart-for-securing-your-repository
 - '{% ifversion ghes %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection{% endif %}'
@@ -20,13 +20,13 @@ featuredLinks:
 - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning
 - /code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
 - /code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
- popular: # Links aimed at the driver audience
+ popular:
 - '{% ifversion secret-risk-assessment %}/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/about-secret-risk-assessment{% endif %}'
 - '{% ifversion ghes %}/admin/release-notes{% endif %}'
 - /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
 - /code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization
 - /code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale
- - /code-security/dependabot/maintain-dependencies/best-practices-for-maintaining-dependencies
+ - /code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies
 changelog:
 label: security-and-compliance
 versions:
@@ -61,3 +61,4 @@ children:
 - /tutorials
 - /responsible-use
 ---
+
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md
index 10402c12f2aa..8fea54ad486f 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/index.md
@@ -10,20 +10,17 @@ topics:
 - Repositories
 shortTitle: Understand your supply chain
 children:
- - /about-supply-chain-security
- - /about-the-dependency-graph
 - /dependency-graph-supported-package-ecosystems
 - /configuring-the-dependency-graph
 - /configuring-automatic-dependency-submission-for-your-repository
 - /exporting-a-software-bill-of-materials-for-your-repository
 - /using-the-dependency-submission-api
- - /about-dependency-review
 - /configuring-the-dependency-review-action
 - /customizing-your-dependency-review-action-configuration
 - /enforcing-dependency-review-across-an-organization
 - /exploring-the-dependencies-of-a-repository
 - /troubleshooting-the-dependency-graph
- - /immutable-releases
 - /preventing-changes-to-your-releases
 - /verifying-the-integrity-of-a-release
 ---
+
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index fbe340ca1d74..ca2091477b18 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -42,13 +42,13 @@ dependabot_alerts:
 Set up Dependabot to alert you to new vulnerabilities or malware in your dependencies.
 guides:
- - /code-security/dependabot/dependabot-alerts/about-dependabot-alerts
+ - /code-security/concepts/supply-chain-security/about-dependabot-alerts
 - >-
 /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
 - >-
 /code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts
 - >-
- /code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules
+ /code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules
 - >-
 /code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts
 - >-
@@ -64,7 +64,7 @@ dependabot_security_updates:
 reported.
 guides:
 - >-
- /code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
+ /code-security/concepts/supply-chain-security/about-dependabot-security-updates
 - >-
 /code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
 - >-
@@ -82,7 +82,7 @@ dependency_version_updates:
 your dependencies.
 guides:
 - >-
- /code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
+ /code-security/concepts/supply-chain-security/about-dependabot-version-updates
 - >-
 /code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
 - >-
From 200ce2a3286a9562d2914cedbe5c740b7c0058bd Mon Sep 17 00:00:00 2001
From: mc <42146119+mchammer01@users.noreply.github.com>
Date: Thu, 8 Jan 2026 14:54:25 +0000
Subject: [PATCH 2/2] [EDI] Create a new "Vulnerability reporting and management" map topic within "Concepts" (#59057)
Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>
---
 content/code-security/concepts/index.md | 2 +-
 ...d-disclosure-of-security-vulnerabilities.md | 3 ++-
 .../about-global-security-advisories.md | 6 ++++--
 .../about-repository-security-advisories.md | 7 ++++---
 .../about-the-github-advisory-database.md | 4 +++-
 ...lities-in-your-code-and-in-dependencies.md} | 3 ++-
 .../index.md | 18 ++++++++++++++++++
 content/code-security/index.md | 2 +-
 .../index.md | 6 +++---
 .../index.md | 2 +-
 .../index.md | 5 ++---
 .../index.md | 4 ++--
 data/learning-tracks/code-security.yml | 8 ++++----
 13 files changed, 47 insertions(+), 23 deletions(-)
 rename content/code-security/{security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities => concepts/vulnerability-reporting-and-management}/about-coordinated-disclosure-of-security-vulnerabilities.md (98%)
 rename content/code-security/{security-advisories/working-with-global-security-advisories-from-the-github-advisory-database => concepts/vulnerability-reporting-and-management}/about-global-security-advisories.md (83%)
 rename content/code-security/{security-advisories/working-with-repository-security-advisories => concepts/vulnerability-reporting-and-management}/about-repository-security-advisories.md (93%)
 rename content/code-security/{security-advisories/working-with-global-security-advisories-from-the-github-advisory-database => concepts/vulnerability-reporting-and-management}/about-the-github-advisory-database.md (97%)
 rename content/code-security/{securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/about-your-exposure-to-vulnerable-dependencies.md => 
concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md} (95%)
 create mode 100644 content/code-security/concepts/vulnerability-reporting-and-management/index.md
diff --git a/content/code-security/concepts/index.md b/content/code-security/concepts/index.md
index a484c4c66439..e363dc85f881 100644
--- a/content/code-security/concepts/index.md
+++ b/content/code-security/concepts/index.md
@@ -16,5 +16,5 @@ topics:
 - Dependabot
 contentType: concepts
 children:
+ - /vulnerability-reporting-and-management
 - supply-chain-security
----
diff --git a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities.md
similarity index 98%
rename from content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities.md
rename to content/code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities.md
index e81845badbaa..bf207bd74fc4 100644
--- a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities.md
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities.md
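Review bot: The `content/code-security/concepts/index.md` hunk appears to delete the closing frontmatter delimiter: its last line reads `----`, which is a `-` marker on a `---` line, and the counts `-16,5 +16,5` only balance if `---` is removed alongside the added child (patch 1 left `---` as the file's final line, so nothing else closes the YAML block). An unterminated frontmatter block will most likely fail the content build or render the whole file as body text; keep the line as context, so the hunk ends `  - supply-chain-security` / `---`. The new entry is also written `- /vulnerability-reporting-and-management` while its sibling from patch 1 is `- supply-chain-security` with no leading slash; both forms appear in this series, but the two children of one list should use the same form. The hunk is the whole tail of the file, so nothing relevant lies outside it.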
@@ -6,10 +6,11 @@ redirect_from:
 - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
 - /code-security/security-advisories/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
 - /code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
+ - /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
 versions:
 fpt: '*'
 ghec: '*'
-type: overview
+contentType: concepts
 topics:
 - Security advisories
 - Vulnerabilities
diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-global-security-advisories.md
similarity index 83%
rename from content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md
rename to content/code-security/concepts/vulnerability-reporting-and-management/about-global-security-advisories.md
index ca1bd0286f7b..f8eb2afc3773 100644
--- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/about-global-security-advisories.md
@@ -1,11 +1,12 @@
 ---
 title: About global security advisories
-intro: 'Global security advisories live in the {% data variables.product.prodname_advisory_database %}, a collection of CVEs and {% data variables.product.company_short %}-originated advisories affecting the open source world. You can contribute to improving global security advisories.'
+shortTitle: Global security advisories
+intro: Global security advisories live in the {% data variables.product.prodname_advisory_database %}, a collection of CVEs and {% data variables.product.company_short %}-originated advisories affecting the open source world. You can contribute to improving global security advisories.
 versions:
 fpt: '*'
 ghec: '*'
 ghes: '*'
-type: overview
+contentType: concepts
 topics:
 - Security advisories
 - Alerts
@@ -13,6 +14,7 @@ topics:
 - CVEs
 redirect_from:
 - /code-security/security-advisories/global-security-advisories/about-global-security-advisories
+ - /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories
 ---
 ## About global security advisories
diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-repository-security-advisories.md
similarity index 93%
rename from content/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories.md
rename to content/code-security/concepts/vulnerability-reporting-and-management/about-repository-security-advisories.md
index 2a841ae8058c..4cc4b288de64 100644
--- a/content/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories.md
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/about-repository-security-advisories.md
@@ -1,7 +1,7 @@
 ---
 title: About repository security advisories
-intro: 'You can use repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your public repository.'
-shortTitle: About repository security advisories
+intro: You can use repository security advisories to privately discuss, fix, and publish information about security vulnerabilities in your public repository.
+shortTitle: Repository security advisories
 redirect_from:
 - /articles/about-maintainer-security-advisories
 - /github/managing-security-vulnerabilities/about-maintainer-security-advisories
@@ -9,10 +9,11 @@ redirect_from:
 - /code-security/security-advisories/about-github-security-advisories
 - /code-security/repository-security-advisories/about-github-security-advisories-for-repositories
 - /code-security/security-advisories/repository-security-advisories/about-repository-security-advisories
+ - /code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories
 versions:
 fpt: '*'
 ghec: '*'
-type: overview
+contentType: concepts
 product: '{% data reusables.gated-features.private-vulnerability-reporting %}'
 topics:
 - Security advisories
diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-the-github-advisory-database.md
similarity index 97%
rename from content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md
rename to content/code-security/concepts/vulnerability-reporting-and-management/about-the-github-advisory-database.md
index f0bc22d06690..24cf0c5fdd59 100644
--- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/about-the-github-advisory-database.md
@@ -5,7 +5,8 @@ versions:
 fpt: '*'
 ghec: '*'
 ghes: '*'
-type: overview
+contentType: concepts
+shortTitle: GitHub Advisory database
 topics:
 - Security advisories
 - Alerts
@@ -13,6 +14,7 @@ topics:
 - CVEs
 redirect_from:
 - /code-security/security-advisories/global-security-advisories/about-the-github-advisory-database
+ - /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database
 ---
 ## About the {% data variables.product.prodname_advisory_database %}
diff --git a/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/about-your-exposure-to-vulnerable-dependencies.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md
similarity index 95%
rename from content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/about-your-exposure-to-vulnerable-dependencies.md
rename to content/code-security/concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md
index 4333e57f5c62..695424c126c2 100644
--- a/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/about-your-exposure-to-vulnerable-dependencies.md
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md
@@ -1,7 +1,7 @@
 ---
 title: About exposure to vulnerabilities in your code and in dependencies
 shortTitle: Vulnerability exposure
-intro: 'Understanding your organization’s exposure to vulnerabilities in first-party code and in all dependencies is essential for enabling you to efficiently assess, prioritize, and remediate vulnerabilities, reducing the likelihood of security breaches.'
+intro: Understanding your organization’s exposure to vulnerabilities in first-party code and in all dependencies is essential for enabling you to efficiently assess, prioritize, and remediate vulnerabilities, reducing the likelihood of security breaches.
 allowTitleToDifferFromFilename: true
 product: '{% data reusables.gated-features.ghas-billing %}'
 versions:
@@ -14,6 +14,7 @@ topics:
 - Security
 redirect_from:
 - /code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilites/about-your-exposure-to-vulnerable-dependencies
+ - /code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/about-your-exposure-to-vulnerable-dependencies
 ---
 ## About exposure to vulnerable code
diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/index.md b/content/code-security/concepts/vulnerability-reporting-and-management/index.md
new file mode 100644
index 000000000000..569b4054157a
--- /dev/null
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/index.md
@@ -0,0 +1,18 @@
+---
+title: Concepts for vulnerability reporting and management
+shortTitle: Vulnerability reporting
+intro: Learn core concepts relating to vulnerability reporting and management on {% data variables.product.github %}.
+versions:
+ fpt: '*'
+ ghec: '*'
+topics:
+ - Security advisories
+ - Vulnerabilities
+contentType: concepts
+children:
+ - /about-the-github-advisory-database
+ - /about-repository-security-advisories
+ - /about-global-security-advisories
+ - /about-coordinated-disclosure-of-security-vulnerabilities
+ - /about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies
+---
diff --git a/content/code-security/index.md b/content/code-security/index.md
index b46ad68c258a..4b81e45b83b1 100644
--- a/content/code-security/index.md
+++ b/content/code-security/index.md
@@ -23,7 +23,7 @@ featuredLinks:
 popular:
 - '{% ifversion secret-risk-assessment %}/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/about-secret-risk-assessment{% endif %}'
 - '{% ifversion ghes %}/admin/release-notes{% endif %}'
- - /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
+ - /code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities
 - /code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization
 - /code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale
 - /code-security/concepts/supply-chain-security/best-practices-for-maintaining-dependencies
diff --git a/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/index.md b/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/index.md
index a43170bef68a..cf2ac0403622 100644
--- a/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/index.md
+++ b/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/index.md
@@ -1,7 +1,7 @@
 ---
-title: 'Understanding your organization''s exposure to vulnerabilities'
+title: Understanding your organization's exposure to vulnerabilities
 shortTitle: Exposure to vulnerabilities
-intro: 'Understanding your organization''s exposure to vulnerable code and dependencies is crucial for identifying and prioritizing security risks. This awareness allows you to prioritize remediation efforts, reduce the likelihood of security breaches, protect sensitive data, and maintain the overall integrity and reputation of the organization.'
+intro: Understanding your organization's exposure to vulnerable code and dependencies is crucial for identifying and prioritizing security risks. This awareness allows you to prioritize remediation efforts, reduce the likelihood of security breaches, protect sensitive data, and maintain the overall integrity and reputation of the organization.
 versions:
 feature: dependabot-metrics
 topics:
@@ -11,9 +11,9 @@ topics:
 - Organizations
 - Security
 children:
- - /about-your-exposure-to-vulnerable-dependencies
 - /prioritizing-dependabot-alerts-using-metrics
 - /alerts-in-production-code
 redirect_from:
 - /code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilites
 ---
+
diff --git a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/index.md b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/index.md
index 5bfb16d09c67..1447cfd59c54 100644
--- a/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/index.md
+++ b/content/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/index.md
@@ -13,8 +13,8 @@ topics:
 - Repositories
 - CVEs
 children:
- - /about-coordinated-disclosure-of-security-vulnerabilities
 - /best-practices-for-writing-repository-security-advisories
 - /privately-reporting-a-security-vulnerability
 - /managing-privately-reported-security-vulnerabilities
 ---
+
diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/index.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/index.md
index 3212095636ff..ac887a141458 100644
--- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/index.md
+++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/index.md
@@ -1,7 +1,7 @@
 ---
 title: Working with global security advisories from the GitHub Advisory Database
 shortTitle: Global security advisories
-intro: 'Browse the {% data variables.product.prodname_advisory_database %} and submit improvements to any global security advisory.'
+intro: Browse the {% data variables.product.prodname_advisory_database %} and submit improvements to any global security advisory.
 redirect_from:
 - /code-security/security-advisories/global-security-advisories
 versions:
@@ -14,8 +14,7 @@ topics:
 - Repositories
 - CVEs
 children:
- - /about-the-github-advisory-database
- - /about-global-security-advisories
 - /browsing-security-advisories-in-the-github-advisory-database
 - /editing-security-advisories-in-the-github-advisory-database
 ---
+
diff --git a/content/code-security/security-advisories/working-with-repository-security-advisories/index.md b/content/code-security/security-advisories/working-with-repository-security-advisories/index.md
index b391f0fa8f54..c6963dff9d2d 100644
--- a/content/code-security/security-advisories/working-with-repository-security-advisories/index.md
+++ b/content/code-security/security-advisories/working-with-repository-security-advisories/index.md
@@ -1,7 +1,7 @@
 ---
 title: Working with repository security advisories
 shortTitle: Repository security advisories
-intro: 'Discuss, fix, and disclose security vulnerabilities in your public repositories using repository security advisories.'
+intro: Discuss, fix, and disclose security vulnerabilities in your public repositories using repository security advisories.
 redirect_from:
 - /articles/managing-security-vulnerabilities-in-your-project
 - /github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project
@@ -16,7 +16,6 @@ topics:
 - Repositories
 - CVEs
 children:
- - /about-repository-security-advisories
 - /permission-levels-for-repository-security-advisories
 - /configuring-private-vulnerability-reporting-for-a-repository
 - /configuring-private-vulnerability-reporting-for-an-organization
@@ -29,3 +28,4 @@ children:
 - /removing-a-collaborator-from-a-repository-security-advisory
 - /deleting-a-repository-security-advisory
 ---
+
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index ca2091477b18..d5b604c62db8 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -5,13 +5,13 @@ security_advisories:
 vulnerability and get a CVE.
 guides:
 - >-
- /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
+ /code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities
 - >-
- /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database
+ /code-security/concepts/vulnerability-reporting-and-management/about-the-github-advisory-database
 - >-
- /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories
+ /code-security/concepts/vulnerability-reporting-and-management/about-global-security-advisories
 - >-
- /code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories
+ /code-security/concepts/vulnerability-reporting-and-management/about-repository-security-advisories
 - >-
 /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories
 - >-