github
diff --git a/‎content/admin/concepts/identity-and-access-management/setup-user.md‎
Lines changed: 9 additions & 4 deletions b/‎content/admin/concepts/identity-and-access-management/setup-user.md‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎content/code-security/concepts/code-scanning/codeql/codeql-query-packs.md‎
Lines changed: 26 additions & 2 deletions b/‎content/code-security/concepts/code-scanning/codeql/codeql-query-packs.md‎
Lines changed: 26 additions & 2 deletions
diff --git a/‎content/code-security/concepts/code-scanning/codeql/custom-codeql-queries.md‎
Lines changed: 66 additions & 0 deletions b/‎content/code-security/concepts/code-scanning/codeql/custom-codeql-queries.md‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎content/code-security/concepts/code-scanning/codeql/index.md‎
Lines changed: 1 addition & 0 deletions b/‎content/code-security/concepts/code-scanning/codeql/index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎content/code-security/concepts/code-scanning/index.md‎
Lines changed: 1 addition & 0 deletions b/‎content/code-security/concepts/code-scanning/index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎content/code-security/concepts/code-scanning/tool-status-page.md‎
Lines changed: 93 additions & 0 deletions b/‎content/code-security/concepts/code-scanning/tool-status-page.md‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎content/code-security/concepts/secret-security/about-validity-checks.md‎
Lines changed: 56 additions & 0 deletions b/‎content/code-security/concepts/secret-security/about-validity-checks.md‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎content/code-security/concepts/secret-security/index.md‎
Lines changed: 1 addition & 0 deletions b/‎content/code-security/concepts/secret-security/index.md‎
Lines changed: 1 addition & 0 deletions
@@ -15,16 +15,21 @@ The setup user is **only** intended to be used for:
 
 * Configuring authentication and provisioning
 * SCIM provisioning via its {% data variables.product.pat_generic %}
-* Regaining access to your enterprise in the event of an issue with your identity provider, by utilizing the enterprise's SAML recovery codes
+* Regaining access to your enterprise in the event of an issue with your identity provider, by utilizing the enterprise's recovery codes
 
 For other enterprise administration tasks, such as creating organizations, use a provisioned managed user account with the appropriate administrative role.
 
 ## How do I sign in as the setup user?
 
-After we create your enterprise, you will receive an **email** inviting you to choose a password for the setup user. 
+After we create your enterprise, you will receive an **email** inviting you to choose a password for the setup user.
 
-When you create the password, you should enable two-factor authentication (2FA) for the account. All subsequent login attempts for the setup user account will require a successful 2FA challenge response.
+When you create the password, you should enable two-factor authentication (2FA) for the account.
 
-If the enterprise account has enabled single sign-on and the setup user has **not** enabled 2FA, they must use an enterprise recovery code to authenticate. To avoid being locked out of your account, after enabling single sign-on, **save your enterprise recovery codes**. See [AUTOTITLE](/admin/managing-iam/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes#downloading-codes-for-an-enterprise-with-enterprise-managed-users).
+Unlike provisioned managed users, the setup user cannot sign in via SSO. Instead, the following applies:
+
+* **With 2FA enabled**: All subsequent login attempts for the setup user account will require a successful 2FA challenge response. After completing the 2FA challenge, you will be prompted for a recovery code. You can skip this prompt and navigate directly to {% data variables.product.prodname_dotcom_the_website %} to access the setup user account. However, accessing your enterprise settings will always require a recovery code.
+* **Without 2FA enabled**: You must provide a recovery code every time you sign in.
+
+We strongly recommend enabling 2FA on the setup user to avoid needing a recovery code for every sign-in attempt. To avoid being locked out of your account, after enabling single sign-on, **save your recovery codes**. See [AUTOTITLE](/admin/managing-iam/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes#downloading-codes-for-an-enterprise-with-enterprise-managed-users).
 
 {% data reusables.enterprise-accounts.emu-password-reset-session %}
@@ -16,7 +16,22 @@ contentType: concepts
 
 ## About {% data variables.product.prodname_codeql %} packs
 
-{% data variables.product.prodname_codeql %} packs are used to create, share, depend on, and run {% data variables.product.prodname_codeql %} queries and libraries. {% data variables.product.prodname_codeql %} packs contain queries, library files, query suites, and metadata. You can customize your {% data variables.product.prodname_codeql %} analysis by downloading packs created by others and running them on your codebase.
+{% data variables.product.prodname_codeql %} packs are used to create, share, depend on, and run {% data variables.product.prodname_codeql %} queries and libraries. You can customize your {% data variables.product.prodname_codeql %} analysis by downloading packs created by others and running them on your codebase.
+
+Each {% data variables.product.prodname_codeql %} pack requires a `qlpack.yml` file in its root directory that specifies:
+
+* How to compile the queries
+* Dependencies on other {% data variables.product.prodname_codeql %} packs and libraries
+* Query suite definitions
+
+For more information about `qlpack.yml` properties, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#codeqlpack-yml-properties).
+
+Additionally, a {% data variables.product.prodname_codeql %} pack can contain:
+
+* Custom queries (`.ql` files)
+* Library files
+* Query suites
+* Metadata
 
 The {% data variables.product.prodname_codeql_cli %} bundle includes queries that are maintained by {% data variables.product.company_short %} experts, security researchers, and community contributors. If you want to run queries developed by other organizations, {% data variables.product.prodname_codeql %} query packs provide an efficient and reliable way to download and run queries, while model packs ({% data variables.release-phases.public_preview %}) can be used to expand {% data variables.product.prodname_code_scanning %} analysis to recognize libraries and frameworks that are not supported by default.
 
@@ -47,4 +62,13 @@ For more information about compatibility between published query packs and diffe
 
 You can also use the {% data variables.product.prodname_codeql_cli %} to create your own {% data variables.product.prodname_codeql %} packs, add dependencies to packs, and install or update dependencies.
 
-You can publish {% data variables.product.prodname_codeql %} packs that you have created, using the {% data variables.product.prodname_codeql_cli %}. For more information on publishing and downloading {% data variables.product.prodname_codeql %} packs, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs).
+## Publishing and sharing {% data variables.product.prodname_codeql %} packs
+
+You can share custom queries with the broader {% data variables.product.prodname_codeql %} community by:
+
+* Publishing to {% data variables.product.prodname_registry %}: Make your pack publicly available for other users to discover and use.
+* Contributing to the {% data variables.product.prodname_codeql %} repository: Submit queries that would benefit the wider community by opening a pull request to the official repository.
+
+For more information about publishing and downloading {% data variables.product.prodname_codeql %} packs, see [AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs).
+
+For information about contributing to {% data variables.product.prodname_codeql %}, see [Contributing to {% data variables.product.prodname_codeql %}](https://github.com/github/codeql/blob/main/CONTRIBUTING.md).
@@ -0,0 +1,66 @@
+---
+title: Custom CodeQL queries
+shortTitle: Custom queries
+intro: Custom queries extend {% data variables.product.prodname_codeql %}'s built-in security analysis to detect vulnerabilities and enforce coding standards specific to your codebase.
+product: '{% data reusables.gated-features.codeql %}'
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+topics:
+  - Code Security
+  - Code scanning
+  - CodeQL
+contentType: concepts
+---
+
+## What are custom {% data variables.product.prodname_codeql %} queries?
+
+Custom queries extend {% data variables.product.prodname_codeql %}'s built-in security analysis to detect vulnerabilities, coding standards, and patterns specific to your codebase.
+
+{% data reusables.codeql-cli.advanced-query-execution %}
+
+## When to use custom queries
+
+Use custom queries to:
+
+* Detect vulnerabilities specific to your application's architecture or frameworks
+* Enforce organization-specific coding standards or best practices
+* Find patterns not covered by standard {% data variables.product.prodname_codeql %} query packs
+* Analyze {% data variables.product.prodname_codeql %} databases with the `database analyze` command using the {% data variables.product.prodname_codeql_cli %} to produce interpreted results
+
+## Query structure
+
+Custom queries are written in query files, which are saved with the `.ql` extension. These files also contain important metadata that provides information about the query's purpose and tells the {% data variables.product.prodname_codeql_cli %} how to process results. Required properties include:
+
+* **Query identifier (`@id`)**: Lowercase letters or digits, delimited by `/` or `-`
+* **Query type (`@kind`)**: One of:
+  * `problem` - Simple alert
+  * `path-problem` - Alert with code location sequence
+  * `diagnostic` - Extractor troubleshooting
+  * `metric` - Summary metric (requires `@tags summary`)
+
+> [!NOTE]
+> Metadata requirements may differ if you want to use your query with other applications. For more information, see [Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries).
+
+For more information about query metadata, see [Metadata for {% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/#metadata-for-codeql-queries) and the [Query metadata style guide](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md).
+
+## Query documentation
+
+Query documentation helps users understand what a query detects and how to address identified issues. You can include documentation for your custom queries in two formats:
+
+* **Markdown files**: Saved alongside the query, can be included in SARIF files and displayed in the {% data variables.product.prodname_code_scanning %} UI
+* **`.qhelp` files**: Consistent with standard {% data variables.product.prodname_codeql %} queries, but must be converted to Markdown for use with {% data variables.product.prodname_code_scanning %}
+
+When SARIF files containing query help are uploaded to {% data variables.product.prodname_dotcom %}, the documentation appears in the {% data variables.product.prodname_code_scanning %} UI for any alerts generated by the query.
+
+For more information, see [Query help files](https://codeql.github.com/docs/writing-codeql-queries/query-help-files/#query-help-files).
+
+## Sharing custom queries
+
+You can share custom queries with the community by publishing your own query packs. See [AUTOTITLE](/code-security/tutorials/customize-code-scanning/publishing-and-using-codeql-packs).
+
+## Further reading
+
+* [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/using-custom-queries-with-the-codeql-cli)
+* [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/#codeql-queries)
@@ -12,6 +12,7 @@ contentType: concepts
 children:
   - /about-code-scanning-with-codeql
   - /codeql-query-suites
+  - /custom-codeql-queries
   - /about-the-codeql-cli
   - /about-codeql-for-vs-code
   - /about-codeql-workspaces
 
@@ -20,4 +20,5 @@ children:
   - /sarif-files
   - /merge-protection
   - /codeql
+  - /tool-status-page
 ---
@@ -0,0 +1,93 @@
+---
+title: About the tool status page
+shortTitle: Tool status page
+intro: 'The {% data variables.code-scanning.tool_status_page %} provides visibility into the health and performance of {% data variables.product.prodname_code_scanning %} tools in your repository.'
+permissions: '{% data reusables.permissions.code-scanning-all-alerts %}'
+product: '{% data reusables.gated-features.code-scanning %}'
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+topics:
+  - Code Security
+  - Code scanning
+  - CodeQL
+contentType: concepts
+---
+
+{% data reusables.code-scanning.enterprise-enable-code-scanning %}
+
+## What is the {% data variables.code-scanning.tool_status_page %}?
+
+The {% data variables.code-scanning.tool_status_page %} shows information about all of your {% data variables.product.prodname_code_scanning %} tools and is a good starting point for debugging problems when {% data variables.product.prodname_code_scanning %} isn't working as expected.
+
+> [!NOTE]
+> The {% data variables.code-scanning.tool_status_page %} shows tool status at the repository level for the default branch only, not at the organization level.
+
+## Tool status indicators
+
+The {% data variables.code-scanning.tool_status_page %} displays one of three statuses:
+
+* **All configurations are working**: All tools are operating as expected
+* **Some configurations need attention**: Some tools have warnings or non-critical issues
+* **Some configurations are not working**: One or more tools have critical errors
+
+## What information is available
+
+### For all {% data variables.product.prodname_code_scanning %} tools
+
+* Configuration status and health
+* Scan scheduling
+* First and most recent scan times
+* Rules used in scans
+
+### For integrated tools like {% data variables.product.prodname_codeql %}
+
+In addition to the information listed above, the {% data variables.code-scanning.tool_status_page %} for integrated tools provides the following details:
+
+* File coverage percentages by programming language
+* Configuration details for each setup type
+* Specific error messages
+* Downloadable CSV reports of analyzed files
+* Downloadable lists of rules used and alert counts
+
+## How {% data variables.product.prodname_codeql %} defines scanned files
+
+{% data variables.product.prodname_codeql %} reports a file as scanned if some lines of code in that file were processed.
+
+### Interpreted languages
+
+* **Default setup**: Scanned files include all source code files for languages {% data variables.product.prodname_codeql %} can analyze
+* **Advanced setup**: You can use `paths` and `paths-ignore` to define which files to scan. See [AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql).
+
+### Compiled languages
+
+The {% data variables.code-scanning.tool_status_page %} reports files present before running autobuild or manual build steps. Files generated during the build process are not shown. See [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild-for-codeql).
+
+### Coverage calculation
+
+File coverage percentages respect any files excluded by `paths` and `paths-ignore` configuration properties.
+
+## Understanding file coverage percentages
+
+Use file coverage percentages to debug and improve your analysis:
+
+* **High percentage**: {% data variables.product.prodname_code_scanning_caps %} is working as expected for that language
+* **Low percentage**: Investigate diagnostic output. See [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected)
+* **Zero percentage**: You may have code in languages not currently being analyzed. Update your setup to include these languages. See [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed)
+
+> [!NOTE]
+> If you set up both advanced setup and default setup, the {% data variables.code-scanning.tool_status_page %} only shows default setup.
+
+## Troubleshooting features
+
+The {% data variables.code-scanning.tool_status_page %} helps you troubleshoot issues through:
+
+* **Error messages**: Explains why tools aren't performing as expected with suggested actions
+* **File coverage data**: Shows which files and languages are being analyzed
+* **Configuration details**: Displays information about each analysis run
+* **Downloadable reports**: Provides CSV reports with detailed file and rule information
+
+## Further reading
+
+* [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/use-the-tools-status-page-for-code-scanning)
@@ -0,0 +1,56 @@
+---
+title: About validity checks
+shortTitle: Validity checks
+intro: 'Validity checks and extended metadata checks help you prioritize remediation of exposed credentials that pose immediate security risks.'
+product: |
+  {% data reusables.gated-features.secret-scanning %}{% ifversion secret-risk-assessment %}
+
+  {% data variables.secret-scanning.secret-risk-assessment-cta-product %}{% endif %}
+contentType: concepts
+topics:
+  - Secret scanning
+  - Secret Protection
+versions:
+  fpt: '*'
+  ghec: '*'
+---
+
+## About validity checks
+
+Validity checks, a feature of {% data variables.product.prodname_secret_scanning %}, verify whether a detected secret is still active and could be exploited. This helps you prioritize remediation by focusing first on secrets that are confirmed to be active.
+
+You can enable automatic validity checks for detected secrets. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret to the issuer and testing it against APIs provided by that service. Validity checks are available for secrets from many service providers, and support continues to expand as {% data variables.product.company_short %} partners with additional services.
+
+{% data variables.product.company_short %} prioritizes privacy when checking the validity of the credential. We typically make GET requests, pick the least intrusive endpoints, and select endpoints that don't return any personal information.
+
+{% data variables.product.github %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view.
+
+## About extended metadata checks
+
+{% data reusables.security-configurations.extended-metadata-checks %}
+
+Extended metadata checks provide **additional contextual information** about detected secrets. They are often referred to as **analyzers** in other tools.
+
+You can enable extended metadata checks if validity checks are enabled. Then, you'll get information that helps you:
+
+* **Gain deeper insight into detected secrets**: Know who owns a secret.
+* **Prioritize remediation**: Understand the scope and impact of each exposed secret.
+* **Improve incident response**: Quickly identify responsible teams or individuals when a secret is leaked.
+* **Enhance compliance**: Ensure secrets align with your organization’s governance and security policies.
+* **Reduce false positives**: Use additional context to determine if a detection requires action.
+
+The specific metadata available depends on what the service provider shares with {% data variables.product.github %}. Not all secret types support extended metadata checks. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#verifying-token-metadata).
+
+## Getting started with validity and extended metadata checks
+
+{% data reusables.secret-scanning.extended-metadata-checks-note %}
+
+You can enable validity and extended metadata checks at the repository, organization, or enterprise level to help prioritize which exposed credentials pose the most immediate security risks.
+
+For large organizations, we recommend using **security configurations** to enable these features at the organization or enterprise level. Security configurations allow you to centrally manage  {% data variables.product.prodname_secret_scanning %} settings and apply them consistently across many repositories.
+
+To get started:
+
+* For repositories, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/enabling-validity-checks-for-your-repository)
+* For an organization, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration)
+* For an enterprise, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise)
@@ -15,6 +15,7 @@ children:
   - /about-push-protection
   - /about-secret-security-with-github
   - /about-alerts
+  - /about-validity-checks
   - /about-delegated-bypass-for-push-protection
   - /about-bypass-requests-for-push-protection
   - /about-secret-scanning-for-partners