Merge pull request #43503 from github/repo-sync

Repo sync

Author: docs-bot

content/code-security/concepts/secret-security/about-secret-scanning.md

@@ -40,7 +40,7 @@ When credentials like API keys and passwords are committed to repositories, they
 
 When {% data variables.product.prodname_secret_scanning %} finds a potential secret, {% data variables.product.github %} generates an alert on your repository's **Security** tab with details about the exposed credential.
 
-Review the alert and rotate the affected credential immediately to ensure it can no longer be used. While you can also remove secrets from your Git history, this is time-intensive and often unnecessary if you've already revoked the credential.
+When you receive an alert, rotate the affected credential immediately to prevent unauthorized access. While you can also remove secrets from your Git history, this is time-intensive and often unnecessary if you've already revoked the credential.
 
 {% ifversion fpt or ghec %}
 
@@ -61,6 +61,16 @@ Beyond the default detection of partner and provider secrets, you can expand and
 * **{% data variables.secret-scanning.copilot-secret-scanning %}.** Use AI to detect unstructured secrets like passwords, or to generate regular expressions for custom patterns.
 {% endif %}
 
+{% ifversion secret-scanning-validity-check-partner-patterns %}
+
+### About validity checks
+
+Validity checks help you prioritize which secrets to remediate first by verifying whether a detected secret is still active. When you enable validity checks, {% data variables.product.prodname_secret_scanning %} may contact the secret's issuing service to determine if the credential has been revoked.
+
+Validity checks are separate from {% data variables.product.prodname_secret_scanning %}'s partner program. While partner secrets are automatically reported to service providers for revocation, validity checks verify the status of secrets you manage in your own alerts. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/about-validity-checks).
+
+{% endif %}
+
 ## How can I access this feature?
 
 {% data reusables.gated-features.secret-scanning %}

content/code-security/concepts/secret-security/about-validity-checks.md

@@ -10,6 +10,7 @@ contentType: concepts
 versions:
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.20'
 ---
 
 ## About validity checks

content/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-secret-scanning-for-your-appliance.md

@@ -53,9 +53,19 @@ The SSSE3 set of instructions is required because {% data variables.product.prod
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.advanced-security-tab %}
-1. Under "Security," select **{% data variables.product.prodname_secret_scanning_caps %}**.
+1. Under "Security," select **{% data variables.product.prodname_secret_scanning_caps %}**.{% ifversion secret-scanning-validity-check-partner-patterns %}
 {% data reusables.enterprise_management_console.save-settings %}
 
+    Optionally, to allow your users to enable validity checks at the enterprise, organization, or repository level, configure validity checks for {% data variables.product.prodname_secret_scanning %}.
+    
+1. Click **{% data variables.product.prodname_secret_scanning %} validity checks**. For information about validity checks, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository#about-validity-checks).
+
+    >[!NOTE]
+    > Enabling validity checks will send outbound requests to partner services to verify detected secrets. This means secret metadata will leave your instance. You need to ensure that this aligns with your enterprise's security and compliance policies before enabling.
+
+1. To run a simple connection test to verify that outbound connections are possible, click **Validity checks connection test**.
+{% endif %}
+
 ## Disabling {% data variables.product.prodname_secret_scanning %}
 
 {% data reusables.enterprise_management_console.enable-disable-security-features %}

content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise.md

@@ -44,9 +44,9 @@ When creating a security configuration, keep in mind that:
 {% data reusables.enterprise-accounts.advanced-security-tab %}
 1. In the "{% data variables.product.prodname_security_configurations_caps %}" section, click **New configuration**.
 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "{% data variables.product.prodname_security_configurations_caps %}" page, name your configuration and create a description.
-1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:
-    {% ifversion secret-scanning-validity-check-partner-patterns %}
-    * **Validity checks**.  To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/concepts/secret-security/about-validity-checks) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion fpt or ghec %}
+1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:{% ifversion secret-scanning-validity-check-partner-patterns %}
+    * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% ifversion ghes > 3.19 %}
+       Your site administrator must enable validity checks before you can use this feature. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-secret-scanning-for-your-appliance).{% endif %}{% endif %}{% ifversion fpt or ghec %}
     * **Extended metadata**. To learn more about extended metadata checks, see [About extended metadata checks](/code-security/concepts/secret-security/about-validity-checks#about-extended-metadata-checks) and [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#reviewing-extended-metadata-for-a-token).
     > [!NOTE]
     > You can only enable extended metadata checks if validity checks are enabled.{% endif %}{% ifversion org-npp-enablement-security-configurations %}

content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/enabling-github-advanced-security-for-your-enterprise.md

@@ -75,6 +75,22 @@ For example, you can enable any {% data variables.product.prodname_AS %} feature
       ghe-config app.secret-scanning.enabled true
       ```
 
+{% ifversion secret-scanning-validity-check-partner-patterns %}
+
+    * Optionally, to enable validity checks for {% data variables.product.prodname_secret_scanning %}:
+        * Enter the following command:
+
+           ```shell copy
+           ghe-config app.secret-scanning.validity-checks-available-on-instance true`
+           ```
+
+         * To check whether outbound connection is possible, use:
+
+           ```shell copy
+           /usr/local/share/enterprise/ghe-secret-scanning-validity-checks-connection-test
+           ```
+{% endif %}
+
     * To enable the dependency graph, enter the following command.
 
       ```shell copy

content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration.md

@@ -50,9 +50,9 @@ When creating a security configuration, keep in mind that:
 1. In the "{% data variables.product.prodname_security_configurations_caps %}" section, click **New configuration**.
 1. To configure groups of security features for your repositories, click **Custom configuration**.
 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "{% data variables.product.prodname_security_configurations_caps %}" page, name your configuration and create a description.
-1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:
-    {% ifversion secret-scanning-validity-check-partner-patterns %}
-    * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/concepts/secret-security/about-validity-checks) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion fpt or ghec %}
+1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:{% ifversion secret-scanning-validity-check-partner-patterns %}
+    * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% ifversion ghes > 3.19 %}
+       Your site administrator must enable validity checks before you can use this feature. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-secret-scanning-for-your-appliance).{% endif %}{% endif %}{% ifversion fpt or ghec %}
     * **Extended metadata**. To learn more about extended metadata checks, see [About extended metadata checks](/code-security/concepts/secret-security/about-validity-checks#about-extended-metadata-checks) and [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#reviewing-extended-metadata-for-a-token).
     > [!NOTE]
     > You can only enable extended metadata checks if validity checks are enabled.{% endif %}{% ifversion org-npp-enablement-security-configurations %}

content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enabling-validity-checks-for-your-repository.md

@@ -12,15 +12,25 @@ redirect_from:
 
 You can enable validity checks for individual repositories through repository settings. Validity checks verify whether detected secrets are still active, helping you prioritize remediation efforts. For information about what validity checks are and how they work, see [AUTOTITLE](/code-security/concepts/secret-security/about-validity-checks).
 
+For a list of which secret patterns support validity checks, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns).
+
+{% ifversion ghes %}
+
+Before you can enable validity checks for your repository, your site administrator must enable the feature for the whole instance. See [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance).
+
+{% endif %}
+
 ## Enabling validity checks
 
+To enable validity checks from the UI:
+
 {% data reusables.secret-scanning.validity-check-enablement %}
 1. Scroll to the bottom of the page and click **Save changes**.
 
->[!NOTE] You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see [AUTOTITLE](/rest/repos/repos#update-a-repository).
+> [!NOTE]
+> You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see [AUTOTITLE](/rest/repos/repos#update-a-repository).
 
-Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise. For more information on enabling at the organization-level, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
-For more information on enabling at the enterprise-level, see [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise).
+Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration) and [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise).
 
 ## Further reading
 

content/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts.md

@@ -29,38 +29,38 @@ Validity checks help you prioritize alerts by telling you which secrets are `act
 
 By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validation status of the token in the alert view.
 
-Organizations using {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_secret_protection %} can also enable validity checks for partner patterns. For more information, see [Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).
+{% ifversion secret-scanning-validity-check-partner-patterns %}Organizations using {% data variables.product.prodname_team %}, {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_secret_protection %}, or {% data variables.product.prodname_ghe_server %} with a license for {% data variables.product.prodname_GH_secret_protection %} can also enable validity checks for partner patterns. For more information, see [Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}
 
 {% data reusables.secret-scanning.validity-check-table %}
 
 {% ifversion secret-scanning-validity-check-partner-patterns %}
 
-{% data reusables.gated-features.partner-pattern-validity-check-ghas %}
+{% data reusables.gated-features.partner-pattern-validity-check-ghas %}{% endif %}
 
-For information on how to enable validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository), and for information on which partner patterns are currently supported, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns).
+{% ifversion secret-scanning-validity-check-partner-patterns %}
 
-{% endif %}
+For information on how to enable validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository), and for information on which partner patterns are currently supported, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns).{% endif %}
 
-You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see [AUTOTITLE](/rest/secret-scanning) in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in [AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert).
+{% ifversion secret-scanning-validity-check-partner-patterns %}
 
-{% ifversion copilot-chat-ghas-alerts %}
+You can enable validity checks for partner patterns by using security configurations, either set at the enterprise or at the organization level. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).{% endif %}
 
-## Asking {% data variables.copilot.copilot_chat %} about {% data variables.product.prodname_secret_scanning %} alerts
+For information on which partner patterns are currently supported, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns).
+
+{% ifversion copilot-chat-ghas-alerts %}
 
 With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% data variables.copilot.copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_secret_scanning %} alerts, in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features).
 
 {% endif %}
 
-{% ifversion secret-scanning-validity-check-partner-patterns %}
+You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see [AUTOTITLE](/rest/secret-scanning) in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in [AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert).
 
 ## Performing an on-demand validity check
 
 Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking **{% octicon "sync" aria-hidden="true" aria-label="sync" %} Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view.
 
 ![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png)
 
-{% endif %}
-
 ## Reviewing {% data variables.product.company_short %} token metadata
 
 > [!NOTE]
@@ -111,6 +111,14 @@ The following table shows **all the available metadata**. Note that metadata che
 
 {% ifversion secret-scanning-multi-repo-public-leak-deduped-alerts or secret-scanning-multi-repo-public-leak %}
 
+{% ifversion copilot-chat-ghas-alerts %}
+
+## Asking {% data variables.copilot.copilot_chat %} about {% data variables.product.prodname_secret_scanning %} alerts
+
+With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% data variables.copilot.copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_secret_scanning %} alerts, in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features).
+
+{% endif %}
+
 ## Reviewing alert labels
 
 In the alert view, you can review any labels assigned to the alert. The labels provide additional details about the alert, which can inform the approach you take for remediation.