Merge branch 'main' into gem-clarification-reusable

Author: Sharra-writes

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md

@@ -55,6 +55,8 @@ In your {% data variables.product.prodname_actions %} workflow file, ensure you
 
 The following example uses the placeholders `YOUR_PROVIDER_NAME` and `YOUR_AUDIENCE`.
 
+{% raw %}
+
 ```yaml
 permissions:
   id-token: write
@@ -77,13 +79,17 @@ jobs:
 
 ```
 
+{% endraw %}
+
 > [!TIP]
 > When OIDC authentication is used, the `setup-jfrog-cli` action automatically provides `oidc-user` and `oidc-token` as step outputs.
 > These can be used for other integrations that require authentication with JFrog.
 > To reference these outputs, ensure the step has an explicit `id` defined (for example `id: setup-jfrog-cli`).
 
 ### Using OIDC Credentials in other steps
 
+{% raw %}
+
 ```yaml
       - name: Sign in to Artifactory Docker registry
         uses: docker/login-action@v3
@@ -93,6 +99,8 @@ jobs:
           password: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
 ```
 
+{% endraw %}
+
 ## Further reading
 
 * [OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration) in the JFrog documentation

content/authentication/keeping-your-account-and-data-secure/about-authentication-to-github.md

@@ -74,7 +74,7 @@ If you need to use multiple accounts on {% data variables.location.product_locat
 
 ### Session cookies
 
-{% data variables.product.company_short %} uses cookies to provide services and increase security. {% ifversion fpt or ghec %}You can review details about {% data variables.product.company_short %}'s cookies in the [privacy/cookies repository](https://github.com/privacy/cookies).{% endif %}
+{% data variables.product.company_short %} uses cookies to provide services and increase security. {% ifversion fpt or ghec %}You can review details about {% data variables.product.company_short %}'s cookies in [AUTOTITLE](/free-pro-team@latest/site-policy/privacy-policies/github-cookies).{% endif %}
 
 * The gist.{% ifversion fpt or ghec %}github.com{% elsif ghes %}HOSTNAME domain{% endif %} and {% ifversion fpt or ghec %}github.com domains{% elsif ghes %}base domain for your instance{% endif %} use separate cookies.
 * {% data variables.product.github %} typically marks a user session for deletion after two weeks of inactivity.

content/authentication/securing-your-account-with-two-factor-authentication-2fa/about-mandatory-two-factor-authentication.md

@@ -53,7 +53,7 @@ Currently, we don't support passkeys or security keys as primary 2FA methods sin
 * [About email verification and mandatory 2FA](#about-email-verification-and-mandatory-2fa)
 
 > [!NOTE]
-> We recommend retaining cookies on {% data variables.product.prodname_dotcom_the_website %}. If you set your browser to wipe your cookies every day, you'll never have a verified device for account recovery purposes, as the [`_device_id` cookie](https://github.com/privacy/cookies) is used to securely prove you've used that device previously. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/recovering-your-account-if-you-lose-your-2fa-credentials#authenticating-with-a-verified-device-ssh-token-or-personal-access-token).
+> We recommend retaining cookies on {% data variables.product.prodname_dotcom_the_website %}. If you set your browser to wipe your cookies every day, you'll never have a verified device for account recovery purposes, as the [`_device_id` cookie](/free-pro-team@latest/site-policy/privacy-policies/github-cookies) is used to securely prove you've used that device previously. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/recovering-your-account-if-you-lose-your-2fa-credentials#authenticating-with-a-verified-device-ssh-token-or-personal-access-token).
 
 ### About TOTP apps and mandatory 2FA
 

content/code-security/index.md

@@ -5,13 +5,13 @@ intro: 'Build security into your {% data variables.product.github %} workflow to
 redirect_from:
   - /code-security/guides
 introLinks:
-  overview: /code-security/getting-started/github-security-features
-  try_ghas_for_free: '{% ifversion ghec %}/billing/how-tos/products/trial-advanced-security{% endif %}'
-  generate_secret_risk_assessment_report_for_free: '{% ifversion secret-risk-assessment %}/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization{% endif %}'
+  overview: '{% ifversion ghes %}/code-security/getting-started/github-security-features{% endif %}'
+  generate_secret_risk_assessment_report_for_free: '{% ifversion secret-risk-assessment %}/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization#generating-an-initial-secret-risk-assessment{% endif %}'
 featuredLinks:
   startHere: # Links aimed at the builder audience
+    - '{% ifversion fpt or ghec %}/code-security/getting-started/github-security-features{% endif %}'
     - /code-security/getting-started/quickstart-for-securing-your-repository
-    - /code-security/secret-scanning/working-with-secret-scanning-and-push-protection
+    - '{% ifversion ghes %}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection{% endif %}'
     - /code-security/getting-started/dependabot-quickstart-guide
     - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning
   guideCards:

content/code-security/secret-scanning/introduction/about-secret-scanning.md

@@ -1,7 +1,10 @@
 ---
 title: About secret scanning
 intro: '{% data variables.product.github %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
-product: '{% data reusables.gated-features.secret-scanning %}'
+product: |
+  {% data reusables.gated-features.secret-scanning %}{% ifversion secret-risk-assessment %}
+
+  {% data variables.secret-scanning.secret-risk-assessment-cta-product %}{% endif %}
 redirect_from:
   - /github/administering-a-repository/about-token-scanning
   - /articles/about-token-scanning
@@ -30,7 +33,9 @@ shortTitle: Secret scanning
 
 {% ifversion ghas-products %}{% ifversion secret-risk-assessment %}
 > [!TIP]
-> Regardless of the enablement status of {% data variables.product.prodname_AS %} features, organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %} can run a free report to scan the code in the organization for leaked secrets, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/about-secret-risk-assessment).{% endif %}{% else %}{% endif %}
+> Regardless of the enablement status of {% data variables.product.prodname_AS %} features, organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %} can run a free report to scan the code in the organization for leaked secrets.
+>
+> To generate a report, open {% data reusables.security-overview.navigate-to-risk-assessment %}.{% endif %}{% else %}{% endif %}
 
 When a supported secret is leaked, {% data variables.product.github %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.github %}, where you can view, evaluate, and resolve them. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning).
 

content/code-security/securing-your-organization/index.md

@@ -1,7 +1,7 @@
 ---
 title: Securing your organization
 shortTitle: Secure your organization
-intro: 'Secure your organization at scale with {% data variables.product.company_short %}''s security products{% ifversion security-configurations %} through {% data variables.product.prodname_security_configurations %} and {% data variables.product.prodname_global_settings %}{% endif %}.'
+intro: 'Secure your organization at scale with {% data variables.product.company_short %}''s security products{% ifversion security-configurations %} through {% data variables.product.prodname_security_configurations %} and {% data variables.product.prodname_global_settings %}{% endif %}.{% ifversion secret-risk-assessment %}<br>{% data variables.secret-scanning.secret-risk-assessment-cta-product %}{% endif %}'
 versions:
   fpt: '*'
   ghec: '*'

content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md

@@ -15,21 +15,21 @@ topics:
 
 ## About the problem
 
-You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup set to "Enabled" to a target repository that uses advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of their repositories, so they are not intended to be overridden at scale.
+You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup set to "Enabled" to a target repository that has an active configuration of advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of the repositories they are applied to, so they are not intended to be overridden at scale.
+
+### Active advanced setup
 
 If you try to attach a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} set to "Enabled" to a repository that already uses advanced setup, security settings will be applied as follows:
 
 * **{% data variables.product.prodname_code_scanning_caps %} default setup will not be enabled**, and advanced setup will continue to run as normal.
 * **All other security features enabled in the configuration will be enabled.**
 * **The {% data variables.product.prodname_security_configuration %} will not be attached** to the repository, since only some features from the configuration are enabled.
 
-For all repositories without an active advanced setup, the {% data variables.product.prodname_security_configuration %} will be applied as expected, and {% data variables.product.prodname_code_scanning %} default setup will be enabled.
+### Inactive or absent advanced setup
+
+{% data reusables.code-scanning.inactive-advanced-setup %}
 
-> [!NOTE]
-> If advanced setup is considered inactive for a repository, default setup _will_ still be enabled for that repository. Advanced setup is considered inactive for a repository if the repository meets any of the following criteria:
-> * The latest {% data variables.product.prodname_codeql %} analysis is more than 90 days old
-> * All {% data variables.product.prodname_codeql %} configurations have been deleted
-> * The workflow file has been deleted or disabled (exclusively for YAML-based advanced setup)
+If there is no advanced setup or the advanced setup is inactive, then default setup is enabled and the {% data variables.product.prodname_security_configuration %} applied as expected.
 
 ## Solving the problem
 

content/code-security/securing-your-organization/troubleshooting-security-configurations/index.md

@@ -1,6 +1,6 @@
 ---
 title: Troubleshooting security configurations
-shortTitle: Troubleshooting configurations
+shortTitle: Troubleshoot configurations
 intro: 'To successfully apply a {% data variables.product.prodname_security_configuration %}, you may need to troubleshoot unexpected issues.'
 versions:
   feature: security-configurations
@@ -11,6 +11,7 @@ topics:
   - Security
 children:
   - /a-repository-is-using-advanced-setup-for-code-scanning
+  - /unexpected-default-setup
   - /not-enough-github-advanced-security-licenses
   - /feature-disappears
 ---

content/code-security/securing-your-organization/troubleshooting-security-configurations/unexpected-default-setup.md

@@ -0,0 +1,33 @@
+---
+title: Default setup for code scanning overrides advanced setup
+shortTitle: Unexpected default setup
+intro: 'You apply a {% data variables.product.prodname_security_configuration %} with "Enabled with advanced setup allowed" and the existing advanced setup for {% data variables.product.prodname_code_scanning %} is ignored in some repositories.'
+permissions: '{% data reusables.permissions.security-org-enable %}'
+versions:
+  feature: security-configurations
+topics:
+  - Code Security
+  - Organizations
+  - Security
+---
+
+## About the problem
+
+When you apply a {% data variables.product.prodname_security_configuration %} and {% data variables.product.prodname_code_scanning %} is defined as "Enabled with advanced setup allowed", each repository is checked to see if there is an existing, active, advanced setup.
+
+* **No change to {% data variables.product.prodname_code_scanning %}** if an **active** advanced setup configuration is detected.
+* **Default setup is enabled** for repositories where advanced setup is **inactive or absent**.
+
+### Inactive or absent advanced setup
+
+{% data reusables.code-scanning.inactive-advanced-setup %}
+
+## Solving the problem
+
+This solution has two parts:
+
+1. Any repositories where default setup for {% data variables.product.prodname_code_scanning %} was unexpectedly applied need to run {% data variables.product.prodname_codeql %} analysis at intervals of less than 90 days, for example, once a month.
+
+   Even if the repository is not under active development, new vulnerabilities may be identified by updates to {% data variables.product.prodname_codeql %} analysis.
+
+1. Once the affected repositories all have {% data variables.product.prodname_codeql %} analysis running, you can reapply the {% data variables.product.prodname_security_configuration %}.

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/about-secret-risk-assessment.md

@@ -2,7 +2,7 @@
 title: 'About the secret risk assessment'
 shortTitle: 'Secret risk assessment'
 intro: 'Learn why it''s so important to understand your organization''s exposure to data leaks and how the {% data variables.product.prodname_secret_risk_assessment %} report gives an overview of your organization’s secret leak footprint.'
-product: '{% data reusables.gated-features.secret-risk-assessment-report %}'
+product: '{% data reusables.gated-features.secret-risk-assessment-report %}<br>{% data variables.secret-scanning.secret-risk-assessment-cta-product %}'
 allowTitleToDifferFromFilename: true
 type: overview
 versions:
@@ -19,7 +19,7 @@ topics:
 
 Assessing your exposure to leaked secrets is crucial if you want to prevent:
 
-* **Exploitation by bad actors**. Malicious actors can use leaked secrets such as API keys, passwords, and tokens to gain unauthorized access to systems, databases, and sensitive information. Leaked secrets can lead to data breaches, compromising user data and potentially causing significant financial and reputational damage. See industry examples and in-depth discussion in [Understanding your organization's exposure to secret leaks](https://resources.github.com/enterprise/understanding-secret-leak-exposure) in {% data variables.product.github %} Executive Insights.
+* **Exploitation by bad actors**. Malicious actors can use leaked secrets such as API keys, passwords, and tokens to gain unauthorized access to systems, databases, and sensitive information. Leaked secrets can lead to data breaches, compromising user data and potentially causing significant financial and reputational damage.
 
 * **Regulatory problems**. Many industries have strict regulatory requirements for data protection, and leaked secrets can result in non-compliance with regulations, leading to legal penalties and fines.
 
@@ -29,7 +29,7 @@ Assessing your exposure to leaked secrets is crucial if you want to prevent:
 
 * **Costly fallout**. Addressing the fallout from leaked secrets can be costly, involving incident response efforts, security audits, and potential compensation for affected parties.
 
-Regularly assessing your exposure to leaked secrets is good practice to help identify vulnerabilities, implement necessary security measures, and ensure that any compromised secrets are promptly rotated and invalidated.
+Regularly assessing your exposure to leaked secrets is good practice to help identify vulnerabilities, implement necessary security measures, and ensure that any compromised secrets are promptly rotated and invalidated. See industry examples and in-depth discussion in [Understanding your organization's exposure to secret leaks](https://resources.github.com/enterprise/understanding-secret-leak-exposure) in {% data variables.product.github %} Executive Insights.
 
 ## About {% data variables.product.prodname_secret_risk_assessment %}
 
@@ -60,6 +60,6 @@ Because the {% data variables.product.prodname_secret_risk_assessment %} report
 
 Now that you know about the {% data variables.product.prodname_secret_risk_assessment %} report, you may want to learn how to:
 
-* Generate the report to see your organization risk. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization).
+* Generate the report to see your organization risk. Navigate to {% data reusables.security-overview.navigate-to-risk-assessment %}.
 * Interpret the results of the report. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results).
 * Enable {% data variables.product.prodname_GH_secret_protection %} to improve your secret leak footprint. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection#enabling-secret-protection).