Merge pull request github#24556 from github/repo-sync
repo sync
Octomerger authored Mar 20, 2023
2 parents 2aa4c03 + edc9a69 commit a2b35d2
Showing 20 changed files with 162 additions and 60 deletions.
@@ -0,0 +1,75 @@
---
title: Configuring code scanning at scale using CodeQL
shortTitle: Configure CodeQL at scale
intro: 'You can configure {% data variables.product.prodname_code_scanning %} for eligible repositories in your organization using default setup for {% data variables.product.prodname_codeql %} or use a script to configure advanced setup for a specific group of repositories.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
feature: org-enable-code-scanning
type: how_to
topics:
- Advanced Security
- Code scanning
allowTitleToDifferFromFilename: true
---

## About configuring {% data variables.product.prodname_code_scanning %} in multiple repositories

There are two ways to configure {% data variables.product.prodname_code_scanning %} in multiple repositories at the same time. The best method to use depends on the analysis needs of the repositories.

1. The repositories are eligible for default setup for {% data variables.product.prodname_codeql %} and owned by an organization.
2. The group of repositories has similar configuration needs for {% data variables.product.prodname_codeql %} advanced setup.

In addition, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec or ghae %}organization or enterprise{% elsif ghes %}site{% endif %}.

<!-- Anchor to maintain the UI link to this heading -->
<a name="eligible-repositories-default-setup"></a>

## Eligible repositories for {% data variables.product.prodname_codeql %} default setup

{% data reusables.code-scanning.beta-org-enable-all %}

You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for any repositories in the organization that are eligible for {% data variables.product.prodname_codeql %} default setup.

### Eligibility criteria for organization-level enablement

A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced set up.

- {% data variables.product.prodname_code_scanning_caps %} is not already enabled.
- {% data variables.product.prodname_actions %} are enabled.
- Uses JavaScript/TypeScript, Python, or Ruby.
- Does not use any other languages supported by {% data variables.product.prodname_codeql %}, but may include other languages, such as R. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)."
- {% ifversion fpt %}Publicly visible.
{%- elsif ghec %}Publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.
{%- elsif ghes or ghae %}{% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}

For more information about default setup, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically)." For information on editing security and analysis settings for an organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."

{% ifversion security-overview-org-risk-coverage %}

### Finding repositories that are eligible for default setup

The security coverage page, part of security overview, makes it easy to filter the repositories in your organization to show repositories that are eligible for default setup.

{%- ifversion ghec %}
- `code-scanning-default-setup:eligible is:public` shows repositories that have languages suitable for default setup and are eligible because they are visible to the public.
- `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that have languages suitable for default setup and are eligible because they have {% data variables.product.prodname_GH_advanced_security %} enabled.
- `code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled` shows private or internal repositories that have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
{%- elsif ghes or ghae %}
- `code-scanning-default-setup:eligible advanced-security:enabled` shows which repositories can be added to default setup immediately.
- `code-scanning-default-setup:eligible advanced-security:not-enabled` shows which repositories have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
{%- endif %}
- `code-scanning-default-setup:not-eligible` shows repositories that either have advanced setup configured already, or where the languages not are suitable for default setup.

For more information about the security coverage page, see "[AUTOTITLE](/code-security/security-overview/about-the-security-overview#security-coverage-view)."

{% endif %}

## Using a script to configure advanced setup

For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.

1. Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment.
2. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)."
3. Use one of the example scripts create a custom script to add the workflow to each repository in the group.
- PowerShell example: [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository
- NodeJS example: [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) repository
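Review bot: Three wording slips in the new article: `advanced set up` in the eligibility criteria lead-in should be `advanced setup`, the term used everywhere else in the file; `where the languages not are suitable for default setup` in the `code-scanning-default-setup:not-eligible` bullet should read `where the languages are not suitable for default setup`; and step 3 of the script procedure is missing a word, `Use one of the example scripts to create a custom script`. Separately, the section intro says there are two ways to configure code scanning, but the numbered list that follows describes two situations rather than two methods; naming the method in each item (organization-level default setup in the first, a bulk script applying advanced setup in the second) would make the list match its lead-in.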
Expand Up @@ -53,7 +53,9 @@ Enterprise owners, organization and repository administrators can add self-hoste

## Configuring {% data variables.product.prodname_code_scanning %} automatically

The default setup for {% data variables.product.prodname_code_scanning %} will automatically configure {% data variables.product.prodname_code_scanning %} with the best settings for your repository. Your repository is eligible for default setup if it uses {% data variables.product.prodname_actions %} and contains only the following {% data variables.product.prodname_codeql %}-supported languages: JavaScript/TypeScript, Python, or Ruby. While you can use default setup if your repository includes languages that aren't supported by CodeQL, such as R, you must use the advanced setup if you include {% data variables.product.prodname_codeql %}-supported languages other than those previously listed. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)."
The default setup for {% data variables.product.prodname_code_scanning %} will automatically configure {% data variables.product.prodname_code_scanning %} with the best settings for your repository. Default setup uses {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_codeql %} analysis without requiring you to commit a workflow file your repository.

Your repository is eligible for default setup if it uses {% data variables.product.prodname_actions %} and contains only the following {% data variables.product.prodname_codeql %}-supported languages: JavaScript/TypeScript, Python, or Ruby. While you can use default setup if your repository includes languages that aren't supported by CodeQL, such as R, you must use the advanced setup if you include {% data variables.product.prodname_codeql %}-supported languages other than those previously listed. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)."{% ifversion org-enable-code-scanning %} For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale)."{% endif %}

Enabling default setup is the quickest way to configure {% data variables.product.prodname_code_scanning %} for your repository. Additionally, default setup requires none of the maintenance necessary with a {% data variables.product.prodname_codeql %} workflow file. Before you enable default setup, you'll see the languages it will analyze, the query suites it will run, and the events that will trigger a new scan.

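Review bot: The new sentence is missing a preposition: `without requiring you to commit a workflow file your repository` should be `without requiring you to commit a workflow file to your repository`.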
Expand Down Expand Up @@ -171,10 +173,18 @@ The `on:pull_request` and `on:push` triggers for code scanning are each useful f

{% endif %}

{% ifversion org-enable-code-scanning %}

For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale)."

{% else %}

## Bulk configuration of {% data variables.product.prodname_code_scanning %}

You can configure {% data variables.product.prodname_code_scanning %} in many repositories at once using a script. If you'd like to use a script to raise pull requests that add a {% data variables.product.prodname_actions %} workflow to multiple repositories, see the [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository for an example using PowerShell, or [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) for teams who do not have PowerShell and instead would like to use NodeJS.

{% endif %}

## Viewing the logging output from {% data variables.product.prodname_code_scanning %}

After configuring {% data variables.product.prodname_code_scanning %} for your repository, you can watch the output of the actions as they run.
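Review bot: The `{% ifversion org-enable-code-scanning %}` branch adds a standalone sentence, `For information on bulk enablement, see ...configuring-code-scanning-at-scale`, that repeats the link already appended under the same `ifversion` condition in the earlier hunk of this file (end of the default-setup eligibility paragraph), so readers on those versions get the same cross-reference twice in one article. Either drop this copy and keep only the `{% else %}` bulk configuration section behind the condition, or keep this one and remove the earlier inline link.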
Expand Up @@ -25,6 +25,7 @@ children:
- /about-code-scanning-with-codeql
- /recommended-hardware-resources-for-running-codeql
- /configuring-the-codeql-workflow-for-compiled-languages
- /configuring-code-scanning-at-scale
- /troubleshooting-your-default-setup-for-codeql
- /troubleshooting-the-codeql-workflow
- /running-codeql-code-scanning-in-a-container
Expand Up @@ -106,20 +106,44 @@ You can enable or disable {% data variables.product.prodname_secret_scanning %}
1. Click **Settings** next to your organization.
1. Click **Code security & analysis**.
1. Click **Enable all** or **Disable all** next to {% data variables.product.prodname_secret_scanning_caps %}.
{% ifversion fpt %}
1. Optionally, select **Automatically enable for new public repositories**.{% elsif ghec %}
1. Optionally, select **Automatically enable for new public repositories and repositories with {% data variables.product.prodname_advanced_security %} enabled**.{% else %}
1. Optionally, select **Automatically enable for private repositories added to {% data variables.product.prodname_advanced_security %}.**{% endif %}
1. In the dialog box displayed, optionally
{%- ifversion fpt %} select **Automatically enable for new public repositories**.
{%- elsif ghec %} select **Automatically enable for new public repositories and repositories with {% data variables.product.prodname_advanced_security %} enabled**.
{%- else %} select **Automatically enable for repositories added to {% data variables.product.prodname_advanced_security %}.**
{%- endif %}
1. Click the enable or disable button in the dialog box to confirm the change.

For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."

## Configuring {% data variables.product.prodname_code_scanning %}

{% data variables.product.prodname_code_scanning_caps %} is an {% data variables.product.prodname_advanced_security %} feature that scans code for security vulnerabilities and errors.

{% ifversion fpt or ghec %}{% data variables.product.prodname_code_scanning_caps %} is available for all public repositories. Organizations that use {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_advanced_security %} can additionally use {% data variables.product.prodname_code_scanning %} for private and internal repositories.{% else %}{% data variables.product.prodname_code_scanning_caps %} is available if your enterprise uses {% data variables.product.prodname_advanced_security %}.{% endif %}

{% ifversion org-enable-code-scanning %}

You can enable or disable {% data variables.product.prodname_code_scanning %} default setup for all eligible repositories

{%- ifversion fpt %} that are public across your organization.
{%- elsif ghec %} that are public, and for all private and internal repositories
{%- endif %}

{%- ifversion ghec or ghes or ghae %} across your organization that have {% data variables.product.prodname_GH_advanced_security %} enabled.
{%- endif %}
{% data reusables.code-scanning.default-setup-info-link %}

For repositories that are not eligible for default setup, you can configure advanced setup at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)."

{% data reusables.code-scanning.beta-org-enable-all %}

1. Click your profile photo, then click **Organizations**.
1. Click **Settings** next to your organization.
1. Click **Code security & analysis**.
1. Click **Enable all** or **Disable all** next to {% data variables.product.prodname_code_scanning_caps %}.
1. In the "Enable {% data variables.product.prodname_code_scanning %} for eligible repositories" or "Disable {% data variables.product.prodname_code_scanning %}" dialog box displayed, click **Enable for eligible repositories** or **Disable {% data variables.product.prodname_code_scanning %}** to confirm the change.

{% else %}
{% data variables.product.prodname_code_scanning_caps %} is configured at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository)."
{% endif %}

## Next steps
You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes or ghec %} "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts),"{% endif %} {% ifversion fpt or ghec or ghes %}"[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates)," {% endif %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)," and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
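Review bot: The sentence beginning `You can enable or disable ... default setup for all eligible repositories` is assembled from six lines and an intervening blank line, held together only by `{%-` whitespace stripping across two separate `ifversion` blocks; the `ghes` and `ghae` case relies on falling through the first block with no matching branch and then picking up `across your organization that have ... enabled` from the second. Writing one complete sentence per version branch (as the secret scanning step in this same file already does) would be easier to verify and safer against a later edit dropping a `-`. Also, the `{% data reusables.code-scanning.default-setup-info-link %}` line follows `{%- endif %}` with no blank line, so it renders inside the same paragraph as the stitched sentence; confirm that is intended.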
Expand Up @@ -78,7 +78,6 @@ This view shows data about the repositories affected by different types of secur

![Screenshot of the "Security Risk" view on the "Security" tab for an organization. Illustrates information and filter options available in the view.](/assets/images/help/security-overview/security-risk-interactive-header.png)


### Security Coverage view

This view shows data about which security features are used by repositories in the organization. You can filter the view to show the repositories of interest using links, a dropdown menu, and a search field.
Expand All @@ -92,6 +91,8 @@ In addition, you can click **{% octicon "gear" aria-hidden="true" %} Security se

![Screenshot of the "Security Coverage" view on the "Security" tab for an organization. Illustrates information and filter options available in view.](/assets/images/help/security-overview/security-coverage-view-single-repo-enablement.png)

{% data reusables.code-scanning.beta-org-enable-all %}

{% else %}

### Understanding the main security overview
0 comments on commit a2b35d2