Skip to content

Commit 6ecddef

Browse files
anandrayclaude
andcommitted
docs(security): cover Secret Scanning alert dismissal flow, not just push protection
CodeRabbit caught that the previous bullet only documented Push Protection (blocks new secrets at push time) and missed the separate flow for Secret Scanning *alerts* — i.e., secrets already detected in the repository. Those follow the same two-person Delegated Alert Dismissal flow as Code Scanning and Dependabot alerts. Adds a bullet noting the parity so the policy covers all three GitHub alert types the org has enabled. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent ed511da commit 6ecddef

1 file changed

Lines changed: 1 addition & 0 deletions

File tree

SECURITY.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,7 @@ When closing an alert, choose one of:
6868
### Secret Scanning & Dependabot
6969

7070
- **Secret Scanning Push Protection** is enabled org-wide. Pushes containing detected secrets are blocked at push time; bypasses require committer justification and are recorded in the audit log.
71+
- **Secret Scanning alerts** for secrets already in the repository follow the same two-person Delegated Alert Dismissal flow (request, approval by a different authorized reviewer, auto-dismissal with audit trail).
7172
- **Dependabot alerts** follow the same two-person Delegated Alert Dismissal flow described above (request by any write-access maintainer; approval by a different organization owner, security manager, or holder of an explicitly delegated custom role). Dismissal reason and any SLA exception must be recorded in the dismissal comment. Fixes are tracked via Dependabot security update PRs against the SLAs above.
7273

7374
## Security Best Practices

0 commit comments

Comments
 (0)