[2026-04-14] Virtual Registry: Deployment context in repository properties and security alert UI (#60695)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: pararohan <pararohan@github.com>

Author: 3 people

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-governance.md

@@ -29,7 +29,7 @@ Rulesets allow you to flexibly target the organizations, repositories, and branc
 
 * To target **organizations**, you can select all, choose from a list, define a dynamic pattern for organization names using `fnmatch` syntax, or use organization custom properties to dynamically target organizations based on metadata. For syntax details, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax). For information on custom properties, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/custom-properties).
 
-* Within those organizations, you can target all **repositories**, or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+* Within those organizations, you can target all **repositories**, or target a dynamic list by custom property or deployment context.
 * Within the repositories, you can target certain **branches or tags**: all branches, the default branch, or a dynamic list using `fnmatch` syntax.
 
 When you create a ruleset that targets branches in a repository, repository administrators can no longer rename branches or change the default branch in the targeted repository. They can still create and delete branches if they have the appropriate permissions.
@@ -78,7 +78,12 @@ If you set a dynamic list, you'll add one or more naming patterns using `fnmatch
 
 ### Choosing which repositories to target in your enterprise
 
-Within the selected organizations, you can target all repositories or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+Within the selected organizations, you can target all repositories or target a dynamic list based on a filter:
+
+* You can filter by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+{%- ifversion virtual-registry %}
+* {% data reusables.security.deployable-rulesets %}
+{%- endif %}
 
 ### Choosing which branches or tags to target
 

content/code-security/concepts/supply-chain-security/linked-artifacts.md

@@ -13,11 +13,12 @@ The {% data variables.product.virtual_registry %} provides a unified view of sof
 
 The page shows you how an artifact was built, where it is stored or running, and which compliance and security metadata is associated with the artifact.
 
-Teams in your organization can use the {% data variables.product.virtual_registry %} to:
+Teams in your organization can use data from the {% data variables.product.virtual_registry %} to:
 
 * Prioritize alerts from {% data variables.product.prodname_GHAS %} features based on whether the detected vulnerabilities are running in production or exposed to the internet
 * Quickly connect artifacts to build details, storage locations, and owning teams
 * Meet compliance by exporting auditable proof of your artifacts' provenance and integrity
+* Find repositories that are associated with a deployed artifact, and target them in branch rulesets
 
 ## Which artifacts appear on the {% data variables.product.virtual_registry %}?
 
@@ -43,12 +44,20 @@ For more information about attestations and SLSA levels, see [AUTOTITLE](/action
 
 ### Deployment records
 
-Deployment records include the environment where the artifact is deployed and any runtime risks (such as "sensitive data" or "internet exposed") associated with the artifact. You can use this data to filter security alerts based on the level of threat posed to your organization and consumers.
+Deployment records include the environment where the artifact is deployed and any runtime risks (such as "sensitive data" or "internet exposed") associated with the artifact.
 
 ![Screenshot of an artifact page. Highlighted fields: the "Deployments" list, including tags for "Prod", "sensitive data", and "pacific-east".](/assets/images/help/security/virtual-registry-deployment-record.png)
 
 >[!NOTE] Deployment records do **not** include deployment activity from a repository's deployments dashboard, which comes from a different source. See [AUTOTITLE](/repositories/viewing-activity-and-data-for-your-repository/viewing-deployment-activity-for-your-repository).
 
+## Where is artifact data available?
+
+As well as being available on the {% data variables.product.virtual_registry %} itself, artifact metadata is integrated into policy and security surfaces on {% data variables.product.github %}. Teams can use this data to make policy decisions or prioritize security issues. For example, they can:
+
+* Use `deployed` or `deployable` filters to search for repositories or target repositories in organization and enterprise rulesets. See [AUTOTITLE](/search-github/searching-on-github/searching-for-repositories#search-based-on-deployment-context).
+* Filter security campaigns, {% data variables.product.prodname_code_scanning %} alerts, and {% data variables.product.prodname_dependabot %} alerts by runtime risk. See [AUTOTITLE](/code-security/tutorials/secure-your-organization/prioritize-alerts-in-production-code).
+* View runtime risks as attributes on individual {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} alerts.
+
 ## How does the {% data variables.product.virtual_registry %} fit into my processes?
 
 This example workflow shows how the {% data variables.product.virtual_registry %} integrates with other {% data variables.product.github %} features and external systems.

content/code-security/tutorials/secure-your-organization/prioritize-alerts-in-production-code.md

@@ -25,7 +25,7 @@ To provide production context, you should configure your system to:
 * Update **storage records** in the {% data variables.product.virtual_registry %} whenever an artifact is promoted to a production-approved package repository.
 * Update **deployment records** when an artifact is deployed to a production environment.
 
-{% data variables.product.github %} processes this metadata and uses it to power alert filters, such as `artifact-registry-url` and `artifact-registry` from storage records, and `has:deployment` and `runtime-risk` from deployment records.
+{% data variables.product.github %} processes this metadata and uses it to power alert filters, such as `artifact-registry-url` and `artifact-registry` from storage records, and `has:deployment` and `runtime-risk` from deployment records. Runtime risks from deployment records are also visible as properties on individual {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} alert pages.
 
 For more information on updating records, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/upload-linked-artifacts).
 

content/search-github/searching-on-github/searching-for-repositories.md

@@ -216,6 +216,19 @@ You can search for repositories that have a funding file using the `has:funding-
 
 {% endif %}
 
+{% ifversion virtual-registry %}
+
+## Search based on deployment context
+
+If your organization has added records to the {% data variables.product.virtual_registry %}, you can use this data to filter lists of repositories, such as the organization's "Repositories" page. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/linked-artifacts).
+
+| Qualifier | Description |
+| --------- | ----------- |
+| `deployable:true` | There is an active **storage record** for the repository in the {% data variables.product.virtual_registry %}. |
+| `deployed:true` | There is an active **deployment record** for the repository in the {% data variables.product.virtual_registry %}. |
+
+{% endif %}
+
 ## Further reading
 
 * [AUTOTITLE](/search-github/getting-started-with-searching-on-github/sorting-search-results)

data/reusables/organizations/organization-rulesets-targeting-repositories-step.md

@@ -1,4 +1,4 @@
-With your ruleset, you can choose to target all repositories in your organization, repositories in your organization that match a certain naming convention, repositories in your organization that have custom properties, or a list of manually selected repositories in your organization.
+With your ruleset, you can choose to target all repositories in your organization or a list of manually selected repositories. You can also filter by naming convention{% ifversion virtual-registry %}, deployment context,{% endif %} or custom properties.
 
 For more information about custom properties, see [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
 
@@ -32,3 +32,16 @@ To target all repositories in your organization, in the "Target repositories" se
    > You can add multiple targeting criteria to the same ruleset. For example, you could include any repositories matching the pattern `*cat*`, then specifically exclude a repository matching the pattern `not-a-cat`.
 
 1. Optionally, on the ruleset configuration page, select **Prevent renaming of target repositories**.
+
+{% ifversion virtual-registry %}
+
+#### Targeting repositories by deployment context
+
+{% data reusables.security.deployable-rulesets %}
+
+1. In the "Target repositories" section, next to "Repository targeting criteria" select **Repositories matching a filter**.
+1. Next to "Repositories matching a filter", click the {% octicon "pencil" aria-label="Open filter dialog" %} icon.
+1. Use the `deployed:true` or `deployable:true` filters to target repositories.
+1. Click **Apply**.
+
+{% endif %}

data/reusables/security/deployable-rulesets.md

@@ -0,0 +1 @@
+If your organization has added records to the {% data variables.product.virtual_registry %}, you can target repositories that are **deployable** (have an active storage record) or **deployed** (have an active deployment record). See [AUTOTITLE](/code-security/concepts/supply-chain-security/linked-artifacts).