added ip reputation research information (#61233)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>

Author: 3 people

content/actions/how-tos/troubleshoot-workflows.md

@@ -142,6 +142,14 @@ If you use self-hosted runners, you can view their activity and diagnose common
 
 For more information, see [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/monitor-and-troubleshoot).
 
+{% ifversion fpt or ghec %}
+
+### Runner IP addresses flagged by security scanners
+
+{% data reusables.actions.runner-ip-reputation %}
+
+{% endif %}
+
 ## Networking troubleshooting suggestions
 
 Our support is limited for network issues that involve:

content/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.md

@@ -31,6 +31,12 @@ We make changes to our IP addresses from time to time. We do not recommend allow
 
 For applications to function, you must allow TCP ports 22, 80, and 443 via our IP ranges for `github.com` and `{% data variables.enterprise.data_residency_domain %}`.
 
+## {% data variables.product.prodname_actions %} runner IP addresses and third-party IP reputation services
+
+{% data reusables.actions.runner-ip-reputation %}
+
+For more information about {% data variables.product.prodname_actions %} runner IP ranges, see [AUTOTITLE](/actions/how-tos/troubleshoot-workflows#runner-ip-addresses-flagged-by-security-scanners).
+
 ## Further reading
 
 * [AUTOTITLE](/get-started/using-github/troubleshooting-connectivity-problems)

content/code-security/reference/security-incident-response/investigation-areas.md

@@ -128,6 +128,12 @@ You found suspicious code in your repository, a security researcher reported an
 
 * [Containment actions](/code-security/tutorials/secure-your-organization/responding-to-security-incidents#step-2-contain-the-threat)
 
+{% ifversion fpt or ghec %}
+
+{% data reusables.actions.runner-ip-reputation-note %}
+
+{% endif %}
+
 ## Malware and supply chain attacks
 
 This section may apply when:

content/code-security/tutorials/secure-your-organization/responding-to-security-incidents.md

@@ -47,6 +47,12 @@ Try to identify the nature of the signal you're seeing. For example, does the si
 
 For help identifying these threat signals across your organization or enterprise, consult [AUTOTITLE](/code-security/reference/security-incident-response/investigation-areas).
 
+{% ifversion fpt or ghec %}
+
+{% data reusables.actions.runner-ip-reputation-note %}
+
+{% endif %}
+
 We suggest you don't spend too much time on deep inspection in the earlier stages of your investigation, since the initial goal is to **identify** the threat signal in order to **validate** it and strategize your response.
 
 ### 2. Validate

data/reusables/actions/runner-ip-reputation-note.md

@@ -0,0 +1,2 @@
+> [!NOTE]
+> [!NOTE] Runner IP addresses are dynamically assigned from shared infrastructure and may be flagged due to unrelated activity. For more information, see [AUTOTITLE](/actions/how-tos/troubleshoot-workflows#runner-ip-addresses-flagged-by-security-scanners).

data/reusables/actions/runner-ip-reputation.md

@@ -0,0 +1,7 @@
+{% data variables.product.github %}-hosted runners use dynamically assigned IP addresses from shared infrastructure. These IP addresses are published via the Meta API (for example, the `actions` and `actions_macos` keys). For more information, see [AUTOTITLE](/rest/meta/meta#get-github-meta-information).
+
+Third-party threat intelligence services, IP reputation scanners, or firewall vendors may flag these IP addresses as "malicious" or "suspicious." Because the underlying infrastructure is shared, activity from other users of the same infrastructure can influence the reputation scores assigned to these addresses.
+
+{% data variables.product.github %} does not control third-party IP reputation lists and cannot comment on their accuracy or update frequency. To verify whether an IP address belongs to {% data variables.product.github %}-hosted runners, check the IP ranges returned by the Meta API.
+
+If you have a security concern about a Microsoft-owned IP address, report it to the [Microsoft Security Response Center (MSRC)](https://msrc.microsoft.com/report/).