Push protection delegated bypass support at the enterprise level [GA] (#59509)

Author: jclement136

content/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/enabling-delegated-alert-dismissal-for-code-scanning.md

@@ -33,7 +33,7 @@ redirect_from:
 
 You must configure delegated dismissal for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.
 
-1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration).
+{% data reusables.security-configurations.custom-security-configurations-org %}
 1. When creating the custom security configuration, under "{% data variables.product.prodname_code_scanning_caps %}", set "Prevent direct alert dismissals" to **Enabled**.
 1. Click **Save configuration**.
 1. Apply the security configuration to all (or selected) repositories in your organization. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration).
@@ -42,7 +42,7 @@ You must configure delegated dismissal for your organization using a custom secu
 
 You must configure delegated dismissal for your enterprise using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your enterprise.
 
-1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise).
+{% data reusables.security-configurations.custom-security-configurations-enterprise %}
 1. When creating the custom security configuration, under "{% data variables.product.prodname_code_scanning %}", ensure that the dropdown menu for "Prevent direct alert dismissals" is set to **Enabled**.
 1. Click **Save configuration**.
 1. Apply the security configuration to all (or selected) repositories in your enterprise. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/applying-a-custom-security-configuration-to-your-enterprise).

content/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/enabling-delegated-alert-dismissal-for-secret-scanning.md

@@ -32,7 +32,7 @@ redirect_from:
 
 You must configure delegated dismissal for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.
 
-1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration).
+{% data reusables.security-configurations.custom-security-configurations-org %}
 1. When defining the custom security configuration, under "{% data variables.product.prodname_secret_scanning_caps %}", ensure that the dropdown menu for "Prevent direct alert dismissals" is set to **Enabled**.
 1. Click **Save configuration**.
 1. Apply the security configuration to all (or selected) repositories in your organization. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration).
@@ -47,7 +47,7 @@ To learn more about security configurations, see [AUTOTITLE](/code-security/secu
 
 ## Configuring delegated dismissal for an enterprise
 
-1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise).
+{% data reusables.security-configurations.custom-security-configurations-enterprise %}
 1. When defining the custom security configuration, under "{% data variables.product.prodname_secret_protection %}", ensure that the dropdown menu for "Prevent direct alert dismissals" is set to **Enabled**.
 1. Click **Save configuration**.
 1. Apply the security configuration to all (or selected) repositories in your enterprise. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/applying-a-custom-security-configuration-to-your-enterprise).

content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise.md

@@ -59,7 +59,8 @@ When creating a security configuration, keep in mind that:
     * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion org-npp-enablement-security-configurations %}
     * **Non-provider patterns**. To learn more about scanning for non-provider patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
     * **Scan for generic passwords**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% endif %}
-    * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion security-delegated-alert-dismissal %}
+    * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion push-protection-delegated-bypass-configurations-enterprise %}
+    * **Bypass privileges**. By assigning bypass privileges, selected repository, organization, and business members can bypass push protection. There is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% endif %}{% ifversion security-delegated-alert-dismissal %}
     * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %}
 1. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features:
    * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup).

content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/enabling-delegated-bypass-for-push-protection.md

@@ -54,7 +54,10 @@ When you enable this feature, you will create a bypass list of roles and teams w
 
 You must configure delegated bypass for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.
 
-1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration).
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.org_settings %}
+{% data reusables.security-configurations.view-configurations-page %}
+{% data reusables.security-configurations.custom-security-configurations-org %}
 1. When defining the custom security configuration, under "{% data variables.product.prodname_secret_scanning_caps %}," ensure that {% ifversion ghas-products %}"Push protection" is set to **Enabled**{% else %}the dropdown menus for "Alerts" and "Push protection" are set to **Enabled**{% endif %}.
 1. Under "Push protection," to the right of "Bypass privileges," select the dropdown menu, then click **Specific actors**.
 
@@ -91,6 +94,33 @@ To learn more about security configurations, see [AUTOTITLE](/code-security/secu
 
 {% ifversion push-protection-bypass-fine-grained-permissions %}
 
+{% ifversion push-protection-delegated-bypass-configurations-enterprise %}
+
+## Enabling delegated bypass for an enterprise
+
+You can configure delegated bypass for your enterprise using a custom security configuration. You can then apply the security configuration to all (or selected) repositories, organizations, or businesses in your enterprise.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.advanced-security-tab %}
+{% data reusables.security-configurations.view-configurations-page %}
+{% data reusables.security-configurations.custom-security-configurations-enterprise %}
+1. Under **Secret scanning**, ensure **Push protection** is enabled.
+1. Under "Push protection," to the right of "Bypass privileges," select the dropdown menu, then click **Specific actors**.
+
+   > [!NOTE]
+   > When you assign bypass privileges to selected actors, these organizations' members are granted the ability to bypass push protection, and they also review and manage the requests from all other contributors to bypass push protection.
+   >
+   > You can't add secret teams to the bypass list.
+
+1. Click the "Select actors" dropdown menu, then select the roles and teams you want to assign bypass privileges to.
+1. Click **Save configuration**.
+1. Apply the security configuration to all (or selected) organizations and repositories in your enterprise. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration).
+
+When you apply the configuration, delegated bypass settings are enforced for the organizations and repositories in scope of that enterprise security configuration. Repositories outside the scope of the configuration aren’t affected.
+
+{% endif %}
+
 ## Using fine-grained permissions to control who can review and manage bypass requests
 
 You can grant specific individuals or teams in your organization the ability to review and manage bypass requests using fine-grained permissions.

data/features/push-protection-delegated-bypass-configurations-enterprise.yml

@@ -0,0 +1,5 @@
+# Issue 1518825892 - Secret scanning push protection bypass added to enterprises
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.20'

data/reusables/security-configurations/custom-security-configurations-enterprise.md

@@ -0,0 +1 @@
+1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise).

data/reusables/security-configurations/custom-security-configurations-org.md

@@ -0,0 +1,2 @@
+1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration#creating-a-custom-security-configuration).
+