From 46878759f4b8597caae97817cae167d046e702fe Mon Sep 17 00:00:00 2001 From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Date: Thu, 10 Oct 2024 16:37:33 +0100 Subject: [PATCH 1/4] Revert "Repo deploy keys can now be disabled by default by enterprise policy [GA]" (#52616) --- ...-management-policies-in-your-enterprise.md | 18 ------------ .../managing-deploy-keys.md | 10 +------ ...venting-data-leaks-in-your-organization.md | 3 -- .../managing-organization-settings/index.md | 1 - ...icting-deploy-keys-in-your-organization.md | 28 ------------------- content/rest/deploy-keys/deploy-keys.md | 7 ----- .../deploy-keys-enterprise-org-policy.yml | 5 ---- 7 files changed, 1 insertion(+), 71 deletions(-) delete mode 100644 content/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization.md delete mode 100644 data/features/deploy-keys-enterprise-org-policy.yml diff --git a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md index 2a082fba771c..c5d6ff418b76 100644 --- a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md +++ b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md 
@@ -151,24 +151,6 @@ Across all organizations owned by your enterprise, you can set the default branc 1. Optionally, to enforce the default branch name for all organizations in the enterprise, select **Enforce across this enterprise**. 1. Click **Update**. -{% ifversion deploy-keys-enterprise-org-policy %} - -## Enforcing a policy for deploy keys - -Across all organizations owned by your enterprise, you can allow members to create deploy keys in repositories, restrict deploy key creation, or allow owners to administer the setting on the organization level. - -For more information about using deploy keys, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys)." If you want fine-grained control over permissions, consider using a {% data variables.product.prodname_github_app %} instead. See "[AUTOTITLE](/apps/overview)." - -> [!WARNING] -> Changing this setting to disabled will result in existing deploy keys being disabled in all repositories in your enterprise. - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.policies-tab %} -{% data reusables.enterprise-accounts.repositories-tab %} -1. Under "Deploy keys", review the information about changing the setting, then select a policy. -1. Click **Save**. -{% endif %} - ## Enforcing a policy for changes to repository visibility Across all organizations owned by your enterprise, you can allow members with admin access to change a repository's visibility, restrict repository visibility changes to organization owners, or allow owners to administer the setting on the organization level. When you prevent members from changing repository visibility, only enterprise owners can change the visibility of a repository. diff --git a/content/authentication/connecting-to-github-with-ssh/managing-deploy-keys.md b/content/authentication/connecting-to-github-with-ssh/managing-deploy-keys.md index d1f0d655d40d..5bb950a25284 100644 
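Review bot: removing this `{% ifversion deploy-keys-enterprise-org-policy %}` block is only safe if no other reference to that feature survives, because the same patch deletes `data/features/deploy-keys-enterprise-org-policy.yml`; a leftover `ifversion` on a feature that no longer exists is a build failure, not a silent no-op. The seven touched files cover `content/` and the feature file, but reusables under `data/reusables/` and any other pages that link to the `#enforcing-a-policy-for-deploy-keys` anchor are not in the diff, so grep the whole repo for `deploy-keys-enterprise-org-policy` and for that anchor before merging.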
--- a/content/authentication/connecting-to-github-with-ssh/managing-deploy-keys.md +++ b/content/authentication/connecting-to-github-with-ssh/managing-deploy-keys.md @@ -69,8 +69,6 @@ See [our guide on creating a {% data variables.product.pat_generic %}](/authenti {% data reusables.repositories.deploy-keys-write-access %} -For enhanced security and fine-grained control over repository access and permissions, we recommend using a GitHub App instead. See "[AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/deciding-when-to-build-a-github-app#github-apps-offer-enhanced-security)." - ### Pros of deploy keys * Anyone with access to the repository and server has the ability to deploy the project. 
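Review bot: the sentence removed here ("For enhanced security and fine-grained control over repository access and permissions, we recommend using a GitHub App instead ...") is not gated on the reverted feature and is still accurate guidance independent of the enterprise policy, so a revert of the policy documentation does not need to drop it. Consider keeping that recommendation and its link in place, since the "Cons of deploy keys" list it introduces still makes the case for it.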
@@ -81,16 +79,10 @@ For enhanced security and fine-grained control over repository access and permis * Deploy keys only grant access to a single repository. More complex projects may have many repositories to pull to the same server. * Deploy keys are usually not protected by a passphrase, making the key easily accessible if the server is compromised. -* Deploy keys are credentials that don't have an expiry date. -* Deploy keys aren't linked directly to organization membership. If the user who created the deploy key is removed from the repository, the deploy key will still be active as it isn't tied to the specific user, but rather to the repository. +* If the user who created the deploy key is removed from the repository, the deploy key will still be active as it isn't tied to the specific user, but rather to the repository. ### Set up deploy keys -{% ifversion deploy-keys-enterprise-org-policy %} - -> [!NOTE] If your organization is owned by an enterprise, and your enterprise owner has restricted the use of deploy keys in repositories, then you cannot override the policy in your organization to create a deploy key. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deploy-keys)." -{% endif %} - 1. [Run the `ssh-keygen` procedure][generating-ssh-keys] on your server, and remember where you save the generated public and private rsa key pair. {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} diff --git a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md index abde5f9184fd..eb8b36f9bcf0 100644 --- a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md 
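Review bot: the bullet "Deploy keys are credentials that don't have an expiry date." is a security-relevant property of deploy keys that holds regardless of the enterprise policy, and the rewritten bullet about organization membership only drops the leading clause; neither removal is required by the revert. Suggest restoring the expiry bullet and the "aren't linked directly to organization membership" wording, and limiting this hunk to the `{% ifversion %}` note under "Set up deploy keys", which is the only part that actually depends on the removed feature.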
+++ b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md @@ -52,9 +52,6 @@ Disable the ability to fork repositories. | "[AUTOTITLE](/repositories/managing- Disable changing repository visibility. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization)" Restrict repository creation to private or internal. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization)" Disable repository deletion and transfer. | "[AUTOTITLE](/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories)" -| {% ifversion deploy-keys-enterprise-org-policy %} | -Disable the ability to use deploy keys. | "[AUTOTITLE](/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization)" -| {% endif %} | Scope {% data variables.product.pat_generic %}s to the minimum permissions necessary. | None Secure your code by converting public repositories to private whenever appropriate. You can alert the repository owners of this change automatically using a {% data variables.product.prodname_github_app %}. | [Prevent-Public-Repos](https://github.com/apps/prevent-public-repos) in {% data variables.product.prodname_marketplace %} Confirm your organization’s identity by verifying your domain and restricting email notifications to only verified email domains. | "[AUTOTITLE](/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization){% ifversion ghec or ghes %}" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization){% endif %}"{% ifversion fpt or ghec %} 
diff --git a/content/organizations/managing-organization-settings/index.md b/content/organizations/managing-organization-settings/index.md index 7d9fa3c4cfa2..d67ff5289a25 100644 --- a/content/organizations/managing-organization-settings/index.md +++ b/content/organizations/managing-organization-settings/index.md @@ -31,7 +31,6 @@ children: - /enabling-or-disabling-github-discussions-for-an-organization - /managing-discussion-creation-for-repositories-in-your-organization - /managing-the-commit-signoff-policy-for-your-organization - - /restricting-deploy-keys-in-your-organization - /setting-team-creation-permissions-in-your-organization - /creating-an-announcement-banner-for-your-organization - /managing-scheduled-reminders-for-your-organization diff --git a/content/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization.md b/content/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization.md deleted file mode 100644 index c5b386770dc2..000000000000 --- a/content/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization.md +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -title: Restricting deploy keys in your organization -intro: To protect your organization's data, you can configure permissions for creating deploy keys in your organization. -permissions: Organization owners. -versions: - feature: deploy-keys-enterprise-org-policy -topics: - - Organizations - - Policies -shortTitle: Restrict deploy keys ---- - -You can choose whether members can create deploy keys for repositories in your organization. - -By default, new organizations are configured to disallow the creation of deploy keys in repositories. - -Organization owners can restrict the creation of deploy keys to help prevent sensitive information from being exposed. For more information, see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)" and "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys)." If you want more fine-grained control over permissions, consider using a {% data variables.product.prodname_github_app %} instead. See "[AUTOTITLE](/apps/overview)." - -If your organization is owned by an enterprise account, you may not be able to configure this setting for your organization, if an enterprise owner has set a policy at the enterprise level. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deploy-keys)." - -> [!WARNING] -> Changing this setting to disabled will result in existing deploy keys being disabled in all repositories in the organization. - -{% data reusables.profile.access_org %} -{% data reusables.profile.org_settings %} -{% data reusables.profile.org_member_privileges %} -1. Under "Deploy keys", review the information about changing the setting, click **Enabled** or **Disabled**. -1. Click **Save**. 
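Review bot: deleting `restricting-deploy-keys-in-your-organization.md` outright removes a URL that, according to the feature file deleted later in this patch, was versioned for GHEC (`'*'`) and GHES `>= 3.16`. If the page was ever published, external links and search results will now 404; add a redirect for the old path (to the managing-deploy-keys page, which keeps the general deploy-key guidance) using whatever redirect convention this repo uses, or state in the PR description that the page never went live.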
diff --git a/content/rest/deploy-keys/deploy-keys.md b/content/rest/deploy-keys/deploy-keys.md index f923a4cd6678..68d78c686190 100644 --- a/content/rest/deploy-keys/deploy-keys.md +++ b/content/rest/deploy-keys/deploy-keys.md @@ -20,11 +20,6 @@ autogenerated: rest Deploy keys can either be set up using the following API endpoints, or by using the {% data variables.product.company_short %} web interface. To learn how to set deploy keys up in the web interface, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys)." -{% ifversion deploy-keys-enterprise-org-policy %} - -You may be unable to create deploy keys if your organization or enterprise owner has set a policy to restrict their use. Furthermore, if this policy is enabled at the organization or enterprise level, existing deploy keys may be disabled. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deploy-keys)" and "[AUTOTITLE](/organizations/managing-organization-settings/restricting-deploy-keys-in-your-organization)." -{% endif %} - There are a few cases when a deploy key will be deleted by other activity: * If the deploy key is created with a {% data variables.product.pat_generic %}, deleting the {% data variables.product.pat_generic %} will also delete the deploy key. Regenerating the {% data variables.product.pat_generic %} will not delete the deploy key. 
@@ -36,6 +31,4 @@ Conversely, these activities will not delete a deploy key: * If the deploy key is created with a {% data variables.product.prodname_github_app %} installation access token, uninstalling or deleting the app will not delete the deploy key. * If the deploy key is created with a {% data variables.product.pat_generic %}, regenerating the {% data variables.product.pat_generic %} will not delete the deploy key. -Changing this setting to disabled will result in existing deploy keys being disabled in all repositories in your enterprise. - diff --git a/data/features/deploy-keys-enterprise-org-policy.yml b/data/features/deploy-keys-enterprise-org-policy.yml deleted file mode 100644 index ae17bd902bf3..000000000000 --- a/data/features/deploy-keys-enterprise-org-policy.yml +++ /dev/null @@ -1,5 +0,0 @@ -# Reference: #15666 -# Repo deploy keys can now be disabled by default by enterprise policy [GA] -versions: - ghec: '*' - ghes: '>= 3.16' From c923b008ff5430ef40e67aea7e1705a316fcdab0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 08:58:43 -0700 Subject: [PATCH 2/4] Bump the npm_and_yarn group with 3 updates (#52601) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 40 +++++++++++++++++++++------------------- package.json | 4 ++-- 2 files changed, 23 insertions(+), 21 deletions(-) diff --git a/package-lock.json b/package-lock.json index 04ac3c183a83..1ae70a209830 100644 --- a/package-lock.json +++ b/package-lock.json @@ -30,12 +30,12 @@ "classnames": "^2.5.1", "connect-datadog": "0.0.9", "connect-timeout": "1.9.0", - "cookie-parser": "^1.4.6", + "cookie-parser": "^1.4.7", "cuss": "2.2.0", "dayjs": "^1.11.3", "dotenv": "^16.4.5", "escape-string-regexp": "5.0.0", - "express": "4.21.0", + "express": "4.21.1", "express-rate-limit": "7.4.0", "fastest-levenshtein": "1.0.16", "file-type": "19.4.1", 
@@ -4922,31 +4922,25 @@ } }, "node_modules/cookie": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz", - "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==", + "version": "0.7.2", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz", + "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", "engines": { "node": ">= 0.6" } }, "node_modules/cookie-parser": { - "version": "1.4.6", - "license": "MIT", + "version": "1.4.7", + "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.7.tgz", + "integrity": "sha512-nGUvgXnotP3BsjiLX2ypbQnWoGUPIIfHQNZkkC668ntrzGWEZVW70HDEB1qnNGMicPje6EttlIgzo51YSwNQGw==", "dependencies": { - "cookie": "0.4.1", + "cookie": "0.7.2", "cookie-signature": "1.0.6" }, "engines": { "node": ">= 0.8.0" } }, - "node_modules/cookie-parser/node_modules/cookie": { - "version": "0.4.1", - "license": "MIT", - "engines": { - "node": ">= 0.6" - } - }, "node_modules/cookie-signature": { "version": "1.0.6", "license": "MIT" @@ -6651,16 +6645,16 @@ } }, "node_modules/express": { - "version": "4.21.0", - "resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz", - "integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==", + "version": "4.21.1", + "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz", + "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==", "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", - "cookie": "0.6.0", + "cookie": "0.7.1", "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", 
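Review bot: note that after this change two copies of `cookie` remain in the tree: `cookie@0.7.2` hoisted to the root for `cookie-parser@1.4.7`, and `cookie@0.7.1` pinned exactly by `express@4.21.1`, so they cannot be deduped and the nested copy under `express` has to exist. That is fine, but the PR description should link the advisory that motivates moving off `cookie@0.6.0`/`0.4.1`, since a "group" bump by itself does not tell a reader whether this is a security fix. Separately, the new `cookie-parser` entry gains `resolved`/`integrity` fields where the old one had only `"license": "MIT"`; the surviving `cookie-signature` entry in this same region still carries no `resolved`/`integrity`, which means `npm ci` has nothing to verify that tarball against. Consider regenerating the lockfile so every entry has integrity metadata.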
@@ -6705,6 +6699,14 @@ "express": "4 || 5 || ^5.0.0-beta.1" } }, + "node_modules/express/node_modules/cookie": { + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz", + "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==", + "engines": { + "node": ">= 0.6" + } + }, "node_modules/express/node_modules/debug": { "version": "2.6.9", "license": "MIT", diff --git a/package.json b/package.json index d4bcfecc5465..19df82b77946 100644 --- a/package.json +++ b/package.json @@ -247,12 +247,12 @@ "classnames": "^2.5.1", "connect-datadog": "0.0.9", "connect-timeout": "1.9.0", - "cookie-parser": "^1.4.6", + "cookie-parser": "^1.4.7", "cuss": "2.2.0", "dayjs": "^1.11.3", "dotenv": "^16.4.5", "escape-string-regexp": "5.0.0", - "express": "4.21.0", + "express": "4.21.1", "express-rate-limit": "7.4.0", "fastest-levenshtein": "1.0.16", "file-type": "19.4.1", From 80c4d965dd8249a9e19a3e0094e4cbaf1e5d9cf9 Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Thu, 10 Oct 2024 12:34:36 -0400 Subject: [PATCH 3/4] Update audit log event data (#52620) --- src/audit-logs/lib/config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/audit-logs/lib/config.json b/src/audit-logs/lib/config.json index b72a11a21b17..83ccf857d396 100644 --- a/src/audit-logs/lib/config.json +++ b/src/audit-logs/lib/config.json @@ -3,5 +3,5 @@ "apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "apiRequestEvent": "This event is only available via audit log streaming." }, - "sha": "42e6e74ccc55e35e6e7c24a497e36454c29663dc" + "sha": "d4847e69869467c8366f808de040e0ca1562906d" } \ No newline at end of file From 5c0c41f229fd5025095b36de6ad39478998c548f Mon Sep 17 00:00:00 2001 
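Review bot: the added `node_modules/express/node_modules/cookie` entry is correct given express's exact `"cookie": "0.7.1"` pin, and it includes `resolved` and `integrity`, unlike the adjacent `express/node_modules/debug` entry, which still has only a `license` field and therefore no integrity to check at install time; worth fixing in a follow-up lockfile regeneration rather than leaving a mix of verifiable and unverifiable entries. The `package.json` hunk matches the lockfile (`cookie-parser` `^1.4.7`, `express` `4.21.1`), so nothing else to change here.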
From: Brandyn Phelps Date: Thu, 10 Oct 2024 11:15:38 -0700 Subject: [PATCH 4/4] EPSS documentation updated for ADB (#52534) Co-authored-by: Chris Bloom Co-authored-by: Robert Thorpe II Co-authored-by: Ricardo Kreyhsig <2385700+rickreyhsig@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Caro Galvin --- .../about-the-github-advisory-database.md | 23 ++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md index e821762179b9..836dcb1d4aeb 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md @@ -68,9 +68,7 @@ Our malware advisories are mostly about substitution attacks. During this type o ## About information in security advisories -In this section, you can find more detailed information about security advisories in the {% data variables.product.prodname_advisory_database %}, such as: -* Advisory IDs and what format these identifiers use. -* The CVSS levels we used to assign severity levels. +In this section, you can find more detailed information about specific data attributes of the {% data variables.product.prodname_advisory_database %}. ### About GHSA IDs 
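Review bot: replacing the two-item list with "more detailed information about specific data attributes" makes the section intro vaguer than before, and the reason for the edit (a third subsection, EPSS, is being added) would be better served by extending the list than by removing it. Suggest keeping the bullets and adding one for "The EPSS scores we display and how to read the percentage and percentile", so the intro still tells the reader what the section covers.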
@@ -105,6 +103,25 @@ The {% data variables.product.prodname_advisory_database %} uses the CVSS levels {% data reusables.repositories.github-security-lab %} +### About EPSS scores + +The Exploit Prediction Scoring System, or EPSS, is a system devised by the global Forum of Incident Response and Security Teams (FIRST) for quantifying the likelihood of vulnerability exploit. The model produces a probability score between 0 and 1 (0 and 100%), where the higher the score, the greater the probability that a vulnerability will be exploited. For more information about FIRST, see https://www.first.org/. + +The {% data variables.product.prodname_advisory_database %} includes EPSS scores from FIRST for advisories containing CVEs with corresponding EPSS data. {% data variables.product.company_short %} also displays the EPSS score percentile, which is the proportion of all scored vulnerabilities with the same or a lower EPSS score. + +For example, if an advisory had an EPSS score that had a percentage of 90.534% at the 95th percentile, according to the [EPSS model](https://www.first.org/epss/model), this means that: + +* There is a 90.534% chance of this vulnerability being exploited in the wild in the next 30 days. +* 95% of the total modeled vulnerabilities are considered less likely to be exploited in the next 30 days than this vulnerability. + +Extended information about how to interpret this data can be found in FIRST's EPSS User Guide. This information helps you understand how both percentage and percentile can be used to interpret the likelihood that a vulnerability could be exploited in the wild according to FIRST's model. For more information, see the [FIRST's EPSS User Guide](https://www.first.org/epss/user-guide) on the FIRST website. + +FIRST also provides additional information around the distribution of their EPSS data. For more information, see [EPSS data and statistics documentation](https://www.first.org/epss/data_stats) on the FIRST website. 
+ +>[!NOTE] {% data variables.product.company_short %} keeps EPSS data up to date with a daily synchronization action. While EPSS score percentages will always be fully synchronized, score percentiles will only be updated when significantly different. + +At {% data variables.product.company_short %}, we do not author this data, but rather source it from FIRST, which means that this data is not editable in community contributions. + ## Further reading * "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)"
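Review bot: the worked example in this hunk pairs a 90.534% EPSS score with the 95th percentile, but in the real EPSS distribution the large majority of scored CVEs sit far below 0.1, so a score near 0.9 would be well above the 95th percentile; either pick numbers that plausibly go together or state explicitly that the values are illustrative, otherwise readers will calibrate on a misleading pairing. The same sentence also reads awkwardly ("an EPSS score that had a percentage of 90.534% at the 95th percentile"); something like "an EPSS score of 0.905 (90.5%) at the 95th percentile" is clearer. Three smaller points: "quantifying the likelihood of vulnerability exploit" should be "exploitation", and FIRST defines the score as the probability that exploitation activity will be observed in the next 30 days, which is slightly different from "being exploited"; the paragraph starting "Extended information about how to interpret this data can be found in FIRST's EPSS User Guide" says the same thing twice before the link; and the note's "only be updated when significantly different" leaves the threshold undefined, so either give it or say percentiles may lag the daily score sync. Finally, `>[!NOTE]` is missing the space used elsewhere in these docs (`> [!WARNING]`, `> [!NOTE]`).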