[EDI] Editing a custom security configuration (#59842)

Author: sabrowning1

content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/applying-the-github-recommended-security-configuration-to-your-enterprise.md

@@ -41,6 +41,7 @@ The {% data variables.product.prodname_github_security_configuration %} includes
 {% data reusables.enterprise-accounts.advanced-security-tab %}
 1. In the "Configurations" section, select "{% data variables.product.company_short %} recommended".
 1. In the "Policy" section, next to "Enforce configuration", select **Enforce** from the dropdown menu.
-1. Click **Save configuration** to save your change to the {% data variables.product.prodname_github_security_configuration %}.
 
-{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
+
+1. Click **Save configuration** to save your change to the {% data variables.product.prodname_github_security_configuration %}.

content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise.md

@@ -84,9 +84,9 @@ When creating a security configuration, keep in mind that:
         {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
    * **Enforce configuration**. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select **Enforce** from the dropdown menu.
 
-1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
 
-{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+{% data reusables.code-scanning.save-custom-configuration %}
 
 ## Creating a {% data variables.product.prodname_GHAS %} configuration
 
@@ -124,9 +124,9 @@ When creating a security configuration, keep in mind that:
         {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
    * **Enforce configuration**. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select **Enforce** from the dropdown menu.
 
-1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
 
-{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+{% data reusables.code-scanning.save-custom-configuration %}
 
 {% else %}
 
@@ -156,9 +156,9 @@ When creating a security configuration, keep in mind that:
 
 1. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select **Enforce** from the dropdown menu.
 
-    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
 
-1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
+{% data reusables.code-scanning.save-custom-configuration %}
 
 {% endif %}
 

content/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/editing-a-custom-security-configuration.md

@@ -35,6 +35,6 @@ After creating and applying a {% data variables.product.prodname_custom_security
 1. Edit the enablement settings of your {% data variables.product.prodname_custom_security_configuration %} as desired.
 1. In the "Policy" section, you can modify the configuration's enforcement status. Enforcing a configuration will block repository owners from changing features that are enabled or disabled by the configuration, but features that are not set aren't enforced. Next to "Enforce configuration", select **Enforce** or **Don't enforce** from the dropdown menu.
 
-    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
 
 1. To apply your changes, click **Update configuration**.

content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/applying-the-github-recommended-security-configuration-in-your-organization.md

@@ -54,7 +54,7 @@ The {% data variables.product.prodname_github_security_configuration %} is a col
 1. In the "Security configurations" section, select "{% data variables.product.company_short %} recommended".
 1. In the "Policy" section, next to "Enforce configuration", select **Enforce** from the dropdown menu.
 
-{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
 
 ## Next steps
 

content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration.md

@@ -73,9 +73,9 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c
         {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
    * **Enforce configuration**. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select **Enforce** from the dropdown menu.
 
-1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
 
-{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+{% data reusables.code-scanning.save-custom-configuration %}
 
 ## Creating a {% data variables.product.prodname_GHAS %} configuration
 
@@ -114,7 +114,7 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c
         {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
    * **Enforce configuration**. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select **Enforce** from the dropdown menu.
 
-1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
+{% data reusables.code-scanning.save-custom-configuration %}
 
 {% else %}
 
@@ -149,9 +149,9 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c
     {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
 1. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select **Enforce** from the dropdown menu.
 
-    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
 
-1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
+{% data reusables.code-scanning.save-custom-configuration %}
 
 {% endif %}
 

content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-your-coverage/editing-a-custom-security-configuration.md

@@ -1,7 +1,7 @@
 ---
 title: Editing a custom security configuration
 shortTitle: Edit custom configuration
-intro: Change the enablement settings in your {% data variables.product.prodname_custom_security_configuration %} to better meet the security needs of your repositories.
+intro: Meet the security needs of your repositories by editing your {% data variables.product.prodname_custom_security_configuration %}.
 permissions: '{% data reusables.permissions.security-org-enable %}'
 versions:
   feature: security-configurations
@@ -15,21 +15,6 @@ redirect_from:
 contentType: how-tos
 ---
 
-## About editing a {% data variables.product.prodname_custom_security_configuration %}
-
-After creating and applying a {% data variables.product.prodname_custom_security_configuration %}, you may need to edit the enablement settings for that configuration to better secure your repositories. Any changes you make to the enablement settings of a {% data variables.product.prodname_security_configuration %} will automatically populate to all linked repositories.
-
-To determine if your {% data variables.product.prodname_custom_security_configuration %} is meeting your security needs, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/interpreting-security-findings).
-
-{% ifversion security-configurations-cloud %}
-
-> [!NOTE]
-> The {% data variables.product.prodname_github_security_configuration %} is managed by {% data variables.product.company_short %} and cannot be edited. If you would like to customize your security enablement settings, you need to create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
-
-{% endif %}
-
-## Modifying your {% data variables.product.prodname_custom_security_configuration %}
-
 {% data reusables.profile.access_org %}
 {% data reusables.organizations.org_settings %}
 {% data reusables.security-configurations.view-configurations-page %}
@@ -41,6 +26,6 @@ To determine if your {% data variables.product.prodname_custom_security_configur
 1. Edit the enablement settings of your {% data variables.product.prodname_custom_security_configuration %} as desired.
 1. In the "Policy" section, you can modify the configuration's enforcement status. Enforcing a configuration will block repository owners from changing features that are enabled or disabled by the configuration, but features that are not set aren't enforced. Next to "Enforce configuration", select **Enforce** or **Don't enforce** from the dropdown menu.
 
-    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}
+    {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
 
 1. To apply your changes, click **Update configuration**.

content/code-security/reference/security-at-scale/index.md

@@ -16,5 +16,6 @@ topics:
 contentType: reference
 children:
   - /available-filters-for-security-overview
+  - /security-configuration-enforcement
   - /troubleshoot-security-configurations
 ---

content/code-security/reference/security-at-scale/security-configuration-enforcement.md

@@ -0,0 +1,26 @@
+---
+title: Security configuration enforcement
+intro: Understand the complexities of enforcing {% data variables.product.prodname_security_configurations %}.
+versions:
+  feature: security-configurations
+contentType: reference
+topics:
+  - Code Security
+  - Secret Protection
+  - Organizations
+  - Security
+---
+
+{% data variables.product.prodname_security_configurations_caps %} can be enforced, meaning repository owners cannot change the enablement status of features that are enabled or disabled by the configuration.
+
+## Situations that break enforcement
+
+Some situations can break the enforcement of {% data variables.product.prodname_security_configurations %}. For example, the enablement of {% data variables.product.prodname_code_scanning %} will not apply to a repository if:
+* {% data variables.product.prodname_actions %} is initially enabled on the repository, but is then disabled in the repository.
+* {% data variables.product.prodname_actions %} required by {% data variables.product.prodname_code_scanning %} configurations are not available in the repository.{% ifversion ghes %}
+* Self-hosted runners with the label `code-scanning` are not available.{% endif %}
+* The definition for which languages should not be analyzed using {% data variables.product.prodname_code_scanning %} default setup is changed.
+
+## Enforcement and the REST API
+
+If a user in your organization or enterprise attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.

data/reusables/code-scanning/save-custom-configuration.md

@@ -0,0 +1 @@
+1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.

data/reusables/code-scanning/security-configuration-enforcement-edge-cases.md

@@ -0,0 +1 @@
+> [!NOTE] Some situations can break the enforcement of {% data variables.product.prodname_security_configurations %}. See [AUTOTITLE](/code-security/reference/security-at-scale/security-configuration-enforcement).