Code security configurations available at the enterprise level (#53229)

Co-authored-by: Anne-Marie <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Zack Fernandes <[email protected]>
Co-authored-by: Melanie Yarbrough <[email protected]>

Author: 5 people

content/admin/managing-code-security/index.md

@@ -11,7 +11,7 @@ topics:
 children:
   - /managing-github-advanced-security-for-your-enterprise
   - /managing-supply-chain-security-for-your-enterprise
+  - /securing-your-enterprise
 redirect_from:
   - /admin/code-security
 ---
-

content/admin/managing-code-security/securing-your-enterprise/about-security-configurations.md

@@ -0,0 +1,43 @@
+---
+title: About security configurations
+shortTitle: Security configurations
+intro: 'Security configurations are collections of security settings that you can apply across your enterprise.'
+product: '{% data reusables.gated-features.security-configurations-enterprise %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About {% data variables.product.prodname_security_configurations %}
+
+{% data variables.product.prodname_security_configurations_caps %} simplify the rollout of {% data variables.product.company_short %} security products at scale by helping you define collections of security settings and apply them across your enterprise.
+
+{% ifversion security-configurations-cloud %}
+
+We recommend securing your enterprise with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise)."
+
+{% endif %}
+
+With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your enterprise. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each organization or group of similar organizations to reflect their different levels of security requirements and compliance obligations. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise)."
+
+{% ifversion security-configurations-ghes-only %}
+
+When creating a security configuration, keep in mind that:
+* Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI.
+* {% data variables.product.prodname_GH_advanced_security %} features will only be visible if your enterprise or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GH_advanced_security %} license.
+* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.
+
+{% endif %}
+
+{% data reusables.security-configurations.emu-note %}
+
+{% data reusables.security-configurations.security-features-use-actions %}
+
+## Preserving default settings for new repositories
+
+If you had default security settings in place for newly created repositories, {% data variables.product.github %} will preserve these settings by automatically creating a "New repository default settings" security configuration for your enterprise. The configuration matches your previous enterprise-level default settings for new repositories as of December, 2024.
+
+The "New repository default settings" configuration will automatically get applied to any newly created repositories in your enterprise, if no organization-level defaults are set.

content/admin/managing-code-security/securing-your-enterprise/applying-a-custom-security-configuration-to-your-enterprise.md

@@ -0,0 +1,34 @@
+---
+title: Applying a custom security configuration to your enterprise
+shortTitle: Apply custom configuration
+intro: 'You can apply your {% data variables.product.prodname_custom_security_configuration %} to organizations and repositories in your organization to meet the specific security needs of your enterprise.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Organizations
+  - Security
+---
+
+## About applying a {% data variables.product.prodname_custom_security_configuration %}
+
+After you create a {% data variables.product.prodname_custom_security_configuration %}, you need to apply it to repositories in your enterprise to enable the configuration's settings on those repositories.
+
+{% data reusables.security-configurations.security-features-use-actions %}
+
+## Applying your {% data variables.product.prodname_custom_security_configuration %} to repositories in your enterprise
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. To the right of the configuration you want to apply, select the **Apply to** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **All repositories** or **All repositories without configurations**.
+{% data reusables.security-configurations.apply-configuration-by-default %}
+
+{% data reusables.security-configurations.apply-configuration %}
+
+{% data reusables.security-configurations.failure-handling-enterprise %}
+
+## Next steps
+
+To learn how to edit your {% data variables.product.prodname_custom_security_configuration %}, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/editing-a-custom-security-configuration)."

content/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise.md

@@ -0,0 +1,40 @@
+---
+title: Applying the GitHub-recommended security configuration to your enterprise
+shortTitle: Apply recommended configuration
+intro: 'Secure your code with the security enablement settings created, managed, and recommended by {% data variables.product.github %}.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  ghec: '*'
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About the {% data variables.product.prodname_github_security_configuration %}
+
+The {% data variables.product.prodname_github_security_configuration %} is a set of industry best practices and features that provide a robust, baseline security posture for enterprises. This configuration is created and maintained by subject matter experts at {% data variables.product.github %}, with the help of multiple industry leaders and experts. The {% data variables.product.prodname_github_security_configuration %} is designed to successfully reduce the security risks for low- and high-impact repositories. We recommend you apply this configuration to all the repositories in your enterprise.
+
+{% data reusables.security-configurations.github-recommended-warning-enterprise %}
+
+## Applying the {% data variables.product.prodname_github_security_configuration %} to  repositories in your enterprise
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "{% data variables.product.company_short %} recommended" row of the configurations table for your enterprise, select the **Apply to** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **All repositories** or **All repositories without configurations**.
+{% data reusables.security-configurations.apply-configuration-by-default %}
+
+{% data reusables.security-configurations.apply-configuration %}
+
+{% data reusables.security-configurations.failure-handling-enterprise %}
+
+## Enforcing the {% data variables.product.prodname_github_security_configuration %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "Configurations" section, select "{% data variables.product.company_short %} recommended".
+1. In the "Policy" section, next to "Enforce configuration", select **Enforce** from the dropdown menu.
+
+{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}

content/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise.md

@@ -0,0 +1,49 @@
+---
+title: Configuring additional secret scanning settings for your enterprise
+shortTitle: Configure additional settings
+intro: 'Learn how to configure additional {% data variables.product.prodname_secret_scanning %} settings for your enterprise.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About additional settings for {% data variables.product.prodname_secret_scanning %}
+
+There are some additional {% data variables.product.prodname_secret_scanning %} settings that cannot be applied to repositories using {% data variables.product.prodname_security_configurations %}, so you must configure these settings separately:
+
+* [Configuring a resource link for push protection](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#configuring-a-resource-link-for-push-protection){% ifversion secret-scanning-ai-generic-secret-detection %}
+* [Configuring AI detection to find additional secrets](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#configuring-ai-detection-to-find-additional-secrets){% endif %}
+
+These additional settings only apply to repositories with both {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.
+
+## Accessing the additional settings for {% data variables.product.prodname_secret_scanning %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. Scroll down the page to the "Additional settings" section.
+
+### Configuring a resource link for push protection
+
+To provide context for developers when {% data variables.product.prodname_secret_scanning %} blocks a commit, you can display a link with more information on why the commit was blocked.
+
+1. Under "Additional settings", to the right of "Resource link for push protection", click **{% octicon "pencil" aria-hidden="true" %}**.
+1. In the text box, type the link to the desired resource, then click **{% octicon "check" aria-label="Save" %}**.
+
+{% ifversion secret-scanning-ai-generic-secret-detection %}
+
+### Configuring AI detection to find additional secrets
+
+{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords.
+
+1. Under "Additional settings", to the right of "Use AI detection to find additional secrets", ensure the setting is toggled to "On".
+
+{% data reusables.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
+
+To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)."
+
+{% endif %}