From 917f9fecc0c1387fcdc9d9bb7bb89da5d9f5785d Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 18 Oct 2024 21:17:35 +0100 Subject: [PATCH] Secret scanning: push protection delegated bypass settings are included in security configurations [Public Beta] #15892 (#52566) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- ...ng-delegated-bypass-for-push-protection.md | 68 +++++++++++++------ .../index.md | 4 +- ...reating-a-custom-security-configuration.md | 12 ++-- ...ection-delegated-bypass-configurations.yml | 4 ++ ...sh-protection-delegate-bypass-beta-note.md | 4 ++ .../push-protection-delegated-bypass-intro.md | 7 +- 6 files changed, 70 insertions(+), 29 deletions(-) create mode 100644 data/features/push-protection-delegated-bypass-configurations.yml diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 08c92b4ebeea..e803924bb42d 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
@@ -17,16 +17,59 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. +For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." ->[!NOTE] You can't add secret teams to the bypass list. +When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. {% ifversion push-protection-bypass-fine-grained-permissions %}Alternatively, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions, which give you more refined control over which individuals and teams can approve and deny bypass requests. For more information, see "[Using fine-grained permissions to control who can review and manage bypass requests](#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests)."{% endif %} +## Configuring delegated bypass for a repository + +>[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. 
+ +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. +1. Under "Bypass list", click **Add role or team**. + + > [!NOTE] + > When you add roles or teams to the "bypass list", these users will be granted the ability to bypass push protection, and they can also review and manage the requests from all other contributors to bypass push protection. + > + > You can't add secret teams to the bypass list. + +1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. + ## Configuring delegated bypass for an organization +{% ifversion push-protection-delegated-bypass-configurations %} + +You must configure delegated bypass for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization. + +1. Create a new custom security configuration, or edit an existing one. See "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration#creating-a-custom-security-configuration)." +1. When creating the custom security configuration, under "{% data variables.product.prodname_secret_scanning_caps %}", ensure that the dropdown menus for "Alerts" and "Push protection" are set to **Enabled**. +1. Under "Push protection", to the right of "Bypass privileges", select the dropdown menu, then click **Specific actors**. 
+ + > [!NOTE] + > When you assign bypass privileges to selected actors, these organization members are granted the ability to bypass push protection, and they also review and manage the requests from all other contributors to bypass push protection. + > + > You can't add secret teams to the bypass list. + +1. Click the "Select actors" dropdown menu, then select the roles and teams you want to assign bypass privileges to. + + > [!TIP] + > In addition to assigning bypass privileges to roles and teams, you can also grant _individual_ organization members the ability to review and manage bypass requests using fine-grained permissions. See "[Using fine-grained permissions to control who can review and manage bypass requests](#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests)." + +1. Click **Save configuration**. +1. Apply the security configuration to all (or selected) repositories in your organization. See "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/applying-a-custom-security-configuration)." + +To learn more about security configurations, see "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)." + +{% else %} + {% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.org_settings %} {% ifversion security-configurations %} 
@@ -39,28 +82,15 @@ When you enable this feature, you will create a bypass list of roles and teams w 1. Under "Bypass list", click **Add role or team**. 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. -## Configuring delegated bypass for a repository - ->[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. -1. Under "Bypass list", click **Add role or team**. - - >[!NOTE] You can't add secret teams to the bypass list. - -1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. +{% endif %} {% ifversion push-protection-bypass-fine-grained-permissions %} ## Using fine-grained permissions to control who can review and manage bypass requests -You can grant specific individuals or teams the ability to review and manage bypass requests using fine-grained permissions. +You can grant specific individuals or teams in your organization the ability to review and manage bypass requests using fine-grained permissions. -1. Ensure that delegated bypass is enabled for the organization. For more information, follow steps 1-5 in "[Configuring delegated bypass for your organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)." +1. 
Ensure that delegated bypass is enabled for the organization. For more information, follow steps 1-3 in "[Configuring delegated bypass for your organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and ensure you have saved and applied the security configuration to your selected repositories. 1. Create (or edit) a custom organization role. For information on creating and editing custom roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles#creating-a-custom-role)." 1. When choosing which permissions to add to the custom role, select the "Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests" permission. 1. Assign the custom role to individual members or teams in your organization. For more information on assigning custom roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role)." diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index 8736fdd06d6d..64524919b36b 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md 
@@ -5,9 +5,7 @@ allowTitleToDifferFromFilename: true intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.' product: '{% data reusables.gated-features.secret-scanning %}' versions: - fpt: '*' - ghes: '>=3.14' - ghec: '*' + feature: push-protection-delegated-bypass topics: - Secret scanning - Advanced Security diff --git a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md index 0764d3055e45..2268adb79a5a 100644 --- a/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md +++ b/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md 
@@ -46,12 +46,12 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c 1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)." 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features: * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %} - * Validity check. To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %} - * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."{% ifversion org-npp-enablement-security-configurations %} - * Non-provider patterns. To learn more about scanning for non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)." - - {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %} - + * Validity check. 
To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %}{% ifversion org-npp-enablement-security-configurations %} + * Non-provider patterns. To learn more about scanning for non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %} + * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)." +{% ifversion push-protection-delegated-bypass-configurations %} +1. Optionally, under "Push protection", choose whether you want to assign bypass privileges to selected actors in your organization. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. For further guidance on how to configure this setting, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)." +{% endif %} {% ifversion fpt or ghec %} 1. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)." {% endif %} 
diff --git a/data/features/push-protection-delegated-bypass-configurations.yml b/data/features/push-protection-delegated-bypass-configurations.yml new file mode 100644 index 000000000000..7e8962a2586e --- /dev/null +++ b/data/features/push-protection-delegated-bypass-configurations.yml @@ -0,0 +1,4 @@ +# Issue 15892 - Secret scanning push protection bypass moves from "Global Settings" to "Security configurations" +versions: + ghec: '*' + ghes: '>=3.16' diff --git a/data/reusables/secret-scanning/push-protection-delegate-bypass-beta-note.md b/data/reusables/secret-scanning/push-protection-delegate-bypass-beta-note.md index 3957758c1588..792ba9648bcc 100644 --- a/data/reusables/secret-scanning/push-protection-delegate-bypass-beta-note.md +++ b/data/reusables/secret-scanning/push-protection-delegate-bypass-beta-note.md @@ -1 +1,5 @@ +{% ifversion ghes > 3.13 and ghes < 3.16 %} + >[!NOTE] Delegated bypass for push protection is currently in {% data variables.release-phases.public_preview %} and subject to change. + +{% endif %} diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md index 9a475326c40c..ccbcd395c6ee 100644 --- a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md 
@@ -1 +1,6 @@ -Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors.{% ifversion push-protection-delegated-bypass-file-upload-support %} Delegated bypass applies to files created, edited, and uploaded on {% data variables.product.prodname_dotcom %}.{% endif %} +Delegated bypass for push protection lets you: + +* Define contributors who can bypass push protection. +* Adds an approval process for other contributors. + +{% ifversion push-protection-delegated-bypass-file-upload-support %} Delegated bypass applies to files created, edited, and uploaded on {% data variables.product.prodname_dotcom %}.{% endif %}
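Review bot: In the first hunk of enabling-delegated-bypass-for-push-protection.md, the `> [!TIP]` under the "Select actors" step links to "#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests", but that section is wrapped in `{% ifversion push-protection-bypass-fine-grained-permissions %}` while the tip sits inside `{% ifversion push-protection-delegated-bypass-configurations %}`. On any version that has the configurations feature but not fine-grained permissions, the tip renders with a dead anchor. Wrap the tip in `{% ifversion push-protection-bypass-fine-grained-permissions %}` ... `{% endif %}`, mirroring how the intro paragraph gates its equivalent sentence.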
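Review bot: In the second hunk of enabling-delegated-bypass-for-push-protection.md, the rewritten step 1 of the fine-grained permissions section does not match the procedure it points to. "follow steps 1-3" stops at clicking **Specific actors**; selecting the actors (step 4) and **Save configuration** (step 5) are what actually enable delegated bypass, so either say "steps 1-5" or simply "follow the steps in". The link text "Configuring delegated bypass for your organization" also differs from the heading it targets, `## Configuring delegated bypass for an organization`. Finally, "ensure you have saved and applied the security configuration" is unconditional, but the security-configuration flow only exists inside `{% ifversion push-protection-delegated-bypass-configurations %}`; the `{% else %}` branch still uses the old organization settings steps, so this sentence needs the same version gate or wording that covers both flows.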
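Review bot: In the index.md hunk, `versions:` now reads `feature: push-protection-delegated-bypass`, but no `data/features/push-protection-delegated-bypass.yml` is added or changed in this patch (only `push-protection-delegated-bypass-configurations.yml` is created). Please confirm that feature file already exists and that it intentionally drops `fpt: '*'`, which the removed lines previously listed alongside `ghes: '>=3.14'` and `ghec: '*'`; otherwise the article disappears for free-plan users without that being mentioned in the commit subject.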
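Review bot: In the creating-a-custom-security-configuration.md hunk, the removed lines include `{% data reusables.secret-scanning.non-provider-patterns-beta %}` under the "Non-provider patterns" bullet, and the replacement bullet no longer carries it. The commit subject only describes moving delegated bypass into security configurations, so dropping the non-provider patterns beta note looks accidental; either restore the reusable after the bullet or state in the commit message that the note is being retired.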
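Review bot: In the push-protection-delegate-bypass-beta-note.md hunk, the new `{% ifversion ghes > 3.13 and ghes < 3.16 %}` gate hides the "currently in public preview" note on ghec entirely, yet the commit subject labels the configurations change "[Public Beta]" and the new feature file enables it for `ghec: '*'`. If the feature is still in preview on ghec, the condition should include `ghec` (for example `ghec or (ghes > 3.13 and ghes < 3.16)`); if it has shipped there, the subject line should drop the beta label so the two do not contradict each other.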
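Review bot: In the push-protection-delegated-bypass-intro.md hunk, the two bullets are not parallel: "* Define contributors who can bypass push protection." versus "* Adds an approval process for other contributors." Change the second to "* Add an approval process for other contributors." so both continue "Delegated bypass for push protection lets you:". The final line also begins with a space after `{% ifversion push-protection-delegated-bypass-file-upload-support %}`, which was harmless when the sentence followed inline text but now renders as a paragraph starting with a leading space; drop the space after the tag.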