From 23bdfdebea3c973275f1bb52cbc65335addf40bf Mon Sep 17 00:00:00 2001
From: Courtney Claessens
Date: Tue, 17 Jun 2025 05:43:41 -0400
Subject: [PATCH] Secret scanning alert dismissal doc updates (#55999)
Co-authored-by: mchammer01 <42146119+mchammer01@users.noreply.github.com>
---
...ng-a-governance-framework-for-your-enterprise.md | 2 --
...delegated-alert-dismissal-for-secret-scanning.md | 13 +++++++++++--
.../about-custom-organization-roles.md | 3 +++
.../roles-in-an-organization.md | 4 ++--
.../secret-scanning-alert-dismiss-custom-role.yml | 6 ++++++
.../security/delegated-alert-dismissal-intro.md | 2 +-
6 files changed, 23 insertions(+), 7 deletions(-)
create mode 100644 data/features/secret-scanning-alert-dismiss-custom-role.yml
diff --git a/content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md b/content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md
index 4696d209c3aa..d9429996c2cb 100644
--- a/content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md
+++ b/content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md
@@ -106,8 +106,6 @@ Approval processes are available for: * Bypasses of push protection—You can choose who is allowed to bypass push protection, and add a review and approval cycle for pushes containing secrets from all other contributors. For more information about **delegated bypass for push protection**, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% ifversion security-delegated-alert-dismissal %} * Dismissals of alerts for {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %}—You can provide additional control and visibility over alert assessment by ensuring that only designated individuals can dismiss (or close) alerts. For more information about **delegated alert dismissal**, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning). - {% data reusables.advanced-security.delegated-alert-dismissal-beta %} - {% endif %} {% endif %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning.md index 2a981362652d..4915169438c9 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning.md 
@@ -15,8 +15,6 @@ shortTitle: Delegated alert dismissal ## About enabling delegated alert dismissal -{% data reusables.advanced-security.delegated-alert-dismissal-beta %} - {% data reusables.security.delegated-alert-dismissal-intro %} ## Configuring delegated dismissal for a repository @@ -38,3 +36,14 @@ You must configure delegated dismissal for your organization using a custom secu 1. Apply the security configuration to all (or selected) repositories in your organization. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). To learn more about security configurations, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). + +{% ifversion secret-scanning-alert-dismiss-custom-role %} + +## Configuring delegated dismissal for an enterprise + +1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise). +1. When defining the custom security configuration, under "{% data variables.product.prodname_secret_protection %}", ensure that the dropdown menu for "Prevent direct alert dismissals" is set to **Enabled**. +1. Click **Save configuration**. +1. Apply the security configuration to all (or selected) repositories in your enterprise. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/applying-a-custom-security-configuration-to-your-enterprise). + +{% endif %} diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles.md index cec6c64ad215..009c9a4b24b3 100644 
--- a/content/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles.md +++ b/content/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles.md @@ -65,6 +65,9 @@ Manage organization OAuth app policies | Access to the "OAuth app policy" settin | {% ifversion push-protection-bypass-fine-grained-permissions %} | | Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests | Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests for your organization. | [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection) | | {% endif %} | +| {% ifversion secret-scanning-alert-dismiss-custom-role %} | +| Review and manage {% data variables.product.prodname_secret_scanning %} alert dismissal requests | Review and manage {% data variables.product.prodname_secret_scanning %} alert dismissal requests for your organization. | [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning) | +| {% endif %} | {% endrowheaders %} diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md index 0bc2dde6d50e..9adeed2f6cab 100644 --- a/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md +++ b/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md 
@@ -200,10 +200,10 @@ Some of the features listed below are limited to organizations using {% data var | Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests (see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection)) | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | | {% endif %} | | {% ifversion security-delegated-alert-dismissal %} | -| Review and manage {% data variables.product.prodname_secret_scanning %} dismissal requests | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +| Review and manage {% data variables.product.prodname_secret_scanning %} dismissal requests (see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning)) | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | | {% endif %} | | {% ifversion security-delegated-alert-dismissal %} | -| Review and manage {% data variables.product.prodname_code_scanning %} dismissal requests | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +| Review and manage {% data variables.product.prodname_code_scanning %} dismissal requests (see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning)) | {% octicon "check" aria-label="Yes" %} | {% octicon "x" 
aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | | {% endif %} | {% endrowheaders %} diff --git a/data/features/secret-scanning-alert-dismiss-custom-role.yml b/data/features/secret-scanning-alert-dismiss-custom-role.yml new file mode 100644 index 000000000000..3127fdd7ff79 --- /dev/null +++ b/data/features/secret-scanning-alert-dismiss-custom-role.yml @@ -0,0 +1,6 @@ +# Reference: #16320 +# Delegated alert closures for secret scanning [GA] +versions: + fpt: '*' + ghec: '*' + ghes: '>=3.18' diff --git a/data/reusables/security/delegated-alert-dismissal-intro.md b/data/reusables/security/delegated-alert-dismissal-intro.md index 760421ecb443..a8d3c60c4025 100644 --- a/data/reusables/security/delegated-alert-dismissal-intro.md +++ b/data/reusables/security/delegated-alert-dismissal-intro.md @@ -4,7 +4,7 @@ Enabling the feature automatically assigns organization owners and security mana * "Review and manage {% data variables.product.prodname_code_scanning %} alert dismissal requests" permission for {% data variables.product.prodname_code_scanning %}. -* "Review and manage {% data variables.product.prodname_secret_scanning %} alert dismissal requests" permission for {% data variables.product.prodname_secret_scanning %}' +* "Review and manage {% data variables.product.prodname_secret_scanning %} alert dismissal requests" permission for {% data variables.product.prodname_secret_scanning %}. This permission can also be applied to custom roles. For more information about these permissions, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles).
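Review bot: The version range in `data/features/secret-scanning-alert-dismiss-custom-role.yml` is being used for more than the custom-role permission its name describes. The same flag wraps the new "Configuring delegated dismissal for an enterprise" section, so `fpt: '*'` would render those steps and their `/admin/managing-code-security/...` links on a plan where enterprise security configurations may not be available; that is worth confirming, or the section could be gated on an enterprise-scoped flag instead. In the other direction, the sentence "This permission can also be applied to custom roles." added to `delegated-alert-dismissal-intro.md` is not wrapped in this flag at all. If `security-delegated-alert-dismissal` covers any GHES release below 3.18, readers there would be told a permission can be delegated to custom roles when the corresponding row in `about-custom-organization-roles.md` is hidden for them; wrapping the sentence in `{% ifversion secret-scanning-alert-dismiss-custom-role %}` ... `{% endif %}` would keep the two in step.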