Merge branch 'main' into patch-1

Author: Sharra-writes

content/README.md

@@ -290,11 +290,6 @@ journeyTracks:
 - Type: `String`, one of the `overview`, `quick_start`, `tutorial`, `how_to`, `reference`.
 - Optional.
 
-### `topics`
-- Purpose: Indicate the topics covered by the article. Refer to the content models for more details about adding topics. A full list of existing topics is located in the [allowed topics file](/data/allowed-topics.ts). If topics in article frontmatter and the allow-topics list become out of sync, the [topics CI test](/src/search/tests/topics.ts) will fail.
-- Type: Array of `String`s
-- Optional: Topics are preferred for each article, but, there may be cases where existing articles don't yet have topics, or adding a topic to a new article may not add value.
-
 ### `communityRedirect`
 - Purpose: Set a custom link and link name for `Ask the GitHub community` link in the footer.
 - Type: `Object`. Properties are `name` and `href`.

content/account-and-profile/how-tos/account-management/managing-multiple-accounts.md

@@ -101,6 +101,57 @@ For example, the following command sets the `GIT_SSH_COMMAND` environment variab
 GIT_SSH_COMMAND='ssh -i PATH/TO/KEY/FILE -o IdentitiesOnly=yes' git clone git@github.com:OWNER/REPOSITORY
 ```
 
+## Contributing to multiple accounts using SSH and multiple keys
+
+If you are a member of an {% data variables.enterprise.prodname_emu_enterprise %}, but also want to collaborate outside your enterprise using a personal account, you can use different SSH keys for each account. For more information about using SSH, see [AUTOTITLE](/authentication/connecting-to-github-with-ssh).
+> [!WARNING]
+> You cannot use the same SSH key to contribute to both repositories inside your {% data variables.enterprise.prodname_emu_org %} and outside the enterprise. 
+
+1. Generate a different SSH key for the repositories in your {% data variables.enterprise.prodname_emu_org %}. See [AUTOTITLE](/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key). When you save the key, give it a different filename from your existing key (for instance, add -emu to the suggested name of the file).
+
+1. Add the new ssh key to your {% data variables.enterprise.prodname_managed_user %}. See [AUTOTITLE](/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account)
+
+1. Configure your SSH Config File `~/.ssh/config` to use the different keys. For example, if your personal SSH key is `~/.ssh/id_ed25519` and your {% data variables.enterprise.prodname_emu_enterprise %} SSH key is `~/.ssh/id_ed25519-emu`
+
+   ```text copy
+   Host github.com
+	   IdentityFile ~/.ssh/id_ed25519
+       IdentitiesOnly yes
+
+   Host github-emu.com
+	   Hostname github.com
+	   IdentityFile ~/.ssh/id_ed25519-emu
+       IdentitiesOnly yes
+   ```
+
+   > [!NOTE]
+   > The `IdentitiesOnly` line ensures that if the ssh-agent has loaded multiple keys, ssh uses the correct key when connecting.
+
+1. Test your SSH configuration by running the following command to connect using the SSH key associated with your personal account - see [AUTOTITLE](/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection) for further details
+
+   ```shell copy
+   ssh -T git@github.com
+   ```
+
+   Test to see if you can connect to ({% data variables.product.github %}) using your {% data variables.enterprise.prodname_emu_enterprise %} SSH key
+
+   ```shell copy
+   ssh -T git@github-emu.com
+   ```
+
+1. Tell `git` to use the correct key when downloading or uploading a repository in an {% data variables.enterprise.prodname_emu_org %}. 
+   To list the organizations in your {% data variables.enterprise.prodname_emu_enterprise %},
+   {% data reusables.profile.access_org %}
+   1. For each organization listed tell `git` to use the `github-emu.com` host.
+
+   For example, if one of your organizations is called `octocat-emu` then to tell `git` to use the host `github-emu.com` for repositories in the `octocat-emu` organization, run the following command
+
+   ```shell copy
+   git config --global url."git@github-emu.com:octocat-emu/".insteadOf "git@github.com:octocat-emu/"
+   ```
+
+Now, when you clone a repository using SSH, in the `octocat-emu` organization, `git` will use the SSH key associated with your {% data variables.enterprise.prodname_emu_enterprise %} instead of your personal key.
+
 ## Next steps
 
 For reference information, see [AUTOTITLE](/account-and-profile/reference/personal-account-reference).

content/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.md

@@ -144,7 +144,7 @@ Below are some example URLs that generate the tokens we see most often:
 * [GitHub Models access](https://github.com/settings/personal-access-tokens/new?name=GitHub+Models+token&description=Used%20to%20call%20GitHub%20Models%20APIs%20to%20easily%20run%20LLMs%3A%20https%3A%2F%2Fdocs.github.com%2Fgithub-models%2Fquickstart%23step-2-make-an-api-call&user_models=read)<!-- markdownlint-disable-line search-replace Custom rule -->
 * [Update code and open a PR](https://github.com/settings/personal-access-tokens/new?name=Core-loop+token&description=Write%20code%20and%20push%20it%20to%20main%21%20Includes%20permission%20to%20edit%20workflow%20files%20for%20Actions%20-%20remove%20%60workflows%3Awrite%60%20if%20you%20don%27t%20need%20to%20do%20that&contents=write&pull_requests=write&workflows=write)
 * [Manage Copilot licenses in an organization](https://github.com/settings/personal-access-tokens/new?name=Core-loop+token&description=Enable%20or%20disable%20copilot%20access%20for%20users%20with%20the%20Seat%20Management%20APIs%3A%20https%3A%2F%2Fdocs.github.com%2Frest%2Fcopilot%2Fcopilot-user-management%0ABe%20sure%20to%20select%20an%20organization%20for%20your%20resource%20owner%20below%21&organization_copilot_seat_management=write)<!-- markdownlint-disable-line search-replace Custom rule -->
-* [Make Copilot requests](https://github.com/settings/personal-access-tokens/new?name=Copilot+requests+token&description=Make%20Copilot%20API%20requests%20on%20behalf%20of%20the%20user%2C%20consuming%20premium%20requests%3A%20https%3A%2F%2Fdocs.github.com%2Fcopilot%2Fconcepts%2Fbilling%2Fcopilot-requests&copilot_requests=write)<!-- markdownlint-disable-line search-replace Custom rule -->
+* [Make Copilot requests](https://github.com/settings/personal-access-tokens/new?name=Copilot+requests+token&description=Make%20Copilot%20API%20requests%20on%20behalf%20of%20the%20user%2C%20consuming%20premium%20requests%3A%20https%3A%2F%2Fdocs.github.com%2Fcopilot%2Fconcepts%2Fbilling%2Fcopilot-requests&user_copilot_requests=read)<!-- markdownlint-disable-line search-replace Custom rule -->
 
 #### Supported Query Parameters
 

content/code-security/concepts/code-scanning/about-code-scanning-alerts.md

@@ -113,14 +113,6 @@ The severity level for a {% data variables.product.prodname_code_scanning %} ale
 
 When an alert has a security severity level, {% data variables.product.prodname_code_scanning %} displays and uses this level in preference to the `severity`. Security severity levels follow the industry-standard Common Vulnerability Scoring System (CVSS) that is also used for advisories in the {% data variables.product.prodname_advisory_database %}. For more information, see [CVSS: Qualitative Severity Rating Scale](https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale).
 
-### Pull request check failures for {% data variables.product.prodname_code_scanning %} alerts
-
-You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:
-
-{% data reusables.code-scanning.merge-protection-rulesets-conditions %}
-
-For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/set-code-scanning-merge-protection). For more general information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
-
 ### Calculation of security severity levels
 
 When a security query is added to the {% data variables.product.prodname_codeql %} Default or Extended query suite, the {% data variables.product.prodname_codeql %} engineering team calculates the security severity as follows.
@@ -131,3 +123,14 @@ When a security query is added to the {% data variables.product.prodname_codeql
 1. When displaying alerts found by the query, translate the numerical scores to `Critical`, `High`, `Medium`, or `Low` using the CVSS definitions.
 
 For more information, see [{% data variables.product.prodname_codeql %} CWE coverage](https://codeql.github.com/codeql-query-help/codeql-cwe-coverage/) on the {% data variables.product.prodname_codeql %} documentation site.
+
+## About alerts in pull requests
+
+{% data variables.product.prodname_code_scanning_caps %} alerts can appear on pull requests as check results and annotations. This happens in repositories where {% data variables.product.prodname_code_scanning %} either:
+
+* Is configured as a pull request check (by default, this is limited to pull requests that target the default branch)
+* Is configured to scan each time code is pushed (the results are mapped to any open pull requests)
+
+You will only see an alert in a pull request if **all** the lines of code identified by the alert exist in the pull request diff.
+
+Depending on branch protection rules, the "{% data variables.product.prodname_code_scanning_caps %} results" check may be a required check that prevents pull requests from being merged until it passes.

content/code-security/concepts/vulnerability-reporting-and-management/about-your-exposure-to-vulnerabilities-in-your-code-and-in-dependencies.md

@@ -1,7 +1,7 @@
 ---
 title: About exposure to vulnerabilities in your code and in dependencies
 shortTitle: Vulnerability exposure
-intro: Understanding your organization’s exposure to vulnerabilities in first-party code and in all dependencies is essential for enabling you to efficiently assess, prioritize, and remediate vulnerabilities, reducing the likelihood of security breaches.
+intro: Understand how vulnerabilities in your own code and in third-party dependencies contribute to your organization’s overall security exposure, and how to measure and reduce that risk.
 allowTitleToDifferFromFilename: true
 product: '{% data reusables.gated-features.ghas-billing %}'
 versions:
@@ -17,9 +17,9 @@ redirect_from:
   - /code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/about-your-exposure-to-vulnerable-dependencies
 ---
 
-## About exposure to vulnerable code
+## Risks of unaddressed vulnerabilities 
 
-Your organization has exposure to vulnerabilities in both the code you write and maintain, and in the open-source or third-party dependencies your code uses. Assessing your exposure to vulnerable dependencies is crucial if you want to prevent:
+Your organization has exposure to vulnerabilities in both the code you write and maintain, and in the open source or third-party dependencies your code uses. Assessing your exposure to vulnerabilities is crucial if you want to prevent:
 
 * **Unplanned downtime and operational disruption**. Exploitation of vulnerabilities can result in application outages, degraded service quality, or cascading failures in critical systems, disrupting your business operations.
 
@@ -31,7 +31,7 @@ Your organization has exposure to vulnerabilities in both the code you write and
 
 * **Regulatory and licensing issues**. Many regulations and industry standards require organizations to proactively address known vulnerabilities in their software supply chain. Failing to remediate vulnerable dependencies can result in non-compliance, audits, legal penalties, or breaches of open source license obligations.
 
-Regularly assessing your exposure to vulnerabilities is good practice to help identify risks early, implement effective remediation strategies, and maintain resilient, trustworthy software.
+Regularly assessing vulnerability exposure helps you identify risks early and prioritize remediation.
 
 ## Ways to monitor your repositories for vulnerable code
 
@@ -41,17 +41,19 @@ Regularly assessing your exposure to vulnerabilities is good practice to help id
 
 {% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/concepts/supply-chain-security/about-metrics-for-dependabot-alerts).
 
-## Key tasks for AppSec managers
+## Reducing organizational vulnerability exposure
 
-### 1. Monitor vulnerability metrics for dependencies
+Reducing organizational vulnerability exposure requires ongoing visibility into risk, remediation progress, and policy enforcement across repositories. {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} metrics provide this visibility. Use the following best practices to monitor and reduce your organization's vulnerability exposure:
+
+### Monitor vulnerability metrics for dependencies
 
 Use the metrics overview for {% data variables.product.prodname_dependabot %} to gain visibility into the current state of your organization's dependency vulnerabilities. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).
 
 * **Alert prioritization:** Review the number of open {% data variables.product.prodname_dependabot_alerts %} and use filters such as CVSS severity, EPSS exploit likelihood, patch availability, and whether a vulnerable dependency is actually used in deployed artifacts. {% data reusables.security-overview.dependabot-filters-link %}
 * **Repository-level breakdown:** Identify which repositories have the highest number of critical or exploitable vulnerabilities.
 * **Remediation tracking:** Track the number and percentage of alerts fixed over time to measure the effectiveness of your vulnerability management program.
 
-### 2. Monitor introduction of new {% data variables.product.prodname_code_scanning %} alerts
+### Monitor introduction of new {% data variables.product.prodname_code_scanning %} alerts
 
 Use the alert view for {% data variables.product.prodname_code_scanning %} to gain visibility into remediation activity in your organization's pull requests. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts).
 
@@ -60,7 +62,7 @@ Use the alert view for {% data variables.product.prodname_code_scanning %} to ga
 * **Repository-level breakdown:** Identify which repositories have the highest number of alerts detected in pull requests but still merged into the default branch.
 * **Remediation tracking:** Track the number and percentage of alerts fixed over time to measure the effectiveness of your vulnerability management program.
 
-### 3. Prioritize remediation efforts
+### Prioritize remediation efforts
 
 Focus on vulnerabilities that present the highest risk to your organization.
 
@@ -69,20 +71,20 @@ Focus on vulnerabilities that present the highest risk to your organization.
 * Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties and using production context. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code).{% endif %}{% ifversion security-campaigns %}
 * Create security campaigns to encourage and track the remediation of high priority {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns).{% endif %}
 
-### 4. Communicate risk and progress
+### Communicate risk and progress
 
 * Use the metrics pages to communicate key risk factors and remediation progress to stakeholders.
 * Provide regular updates on trends, such as the reduction in open critical vulnerabilities or improvements in remediation rates.
 * Highlight repositories or teams that require additional support or attention.
 
-### 5. Establish and enforce policies
+### Establish and enforce policies
 
 * Set an organization-wide security configuration that enables {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} on all existing and new repositories. See [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale).
 * Enable dependency review to comment on pull requests in all repositories.
 * Create an organization-wide ruleset to protect the default branch and require critical {% data variables.product.prodname_code_scanning %} alerts to be fixed before a pull request can be merged. See [AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization).
 * Work with repository administrators to enable automated security updates where possible. See [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
 
-### 6. Assess the impact of alerts
+### Assess the impact of alerts
 
 * Regularly review how {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} alerts are helping to block security vulnerabilities from entering your codebase.
 * Use historical data to demonstrate the value of proactive dependency management.